Serious Security: Unravelling the LifeLock “hacked passwords” story
2023-01-17 19:59

As opening paragraphs go, this one is pretty straightforward, and contains uncomplicated if potentially time-consuming advice: someone other than you probably knows your Norton account password; they may have been able to peek into your password manager as well; please change all passwords as soon as you can.

In LastPass's case the stolen passwords weren't of direct and immediate use to the attackers, because each user's password vault was protected by a master password, which wasn't stored by LastPass and therefore wasn't stolen at the same time.

The crooks still need to crack those master passwords first, a task that might take weeks, years, decades or even longer, for every user, depending on how wisely those passwords had been chosen.

If LifeLock just suffered a breach, and the company is warning that someone else already knew some users' account passwords, and perhaps also the master password for all their other passwords.

Some critics have suggested that LifeLock could have spotted these bulk password-stuffing attacks more quickly than it did, perhaps by detecting the unusual pattern of attempted logins, presumably including many that failed because at least some compromised users weren't re-using passwords, or because the password database was imprecise or out-of-date.
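
One way to express the login pattern the critics describe, as an added example that is not from the original article and not LifeLock's own detection: flag any source that tries many different accounts in a short window with mostly failed attempts, then list the accounts it did get into. The log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp source_ip username result"
SAMPLE_LOG = """\
2023-01-10T09:00:01 198.51.100.7 alice FAIL
2023-01-10T09:00:02 198.51.100.7 bob FAIL
2023-01-10T09:00:03 198.51.100.7 carol FAIL
2023-01-10T09:00:04 198.51.100.7 dave OK
2023-01-10T09:00:05 198.51.100.7 erin FAIL
2023-01-10T09:00:06 198.51.100.7 frank FAIL
2023-01-10T09:01:10 203.0.113.20 grace FAIL
2023-01-10T09:01:20 203.0.113.20 grace FAIL
2023-01-10T09:01:31 203.0.113.20 grace OK
2023-01-10T09:02:00 192.0.2.44 heidi OK
"""

def parse(log):
    """Yield (time, source_ip, username, succeeded) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log, window=timedelta(minutes=5), min_users=5,
                    min_fail_ratio=0.6):
    """Return {source_ip: accounts it logged in to} for sources that tried at
    least min_users distinct accounts inside one window, mostly failing."""
    recent = defaultdict(deque)   # per-source attempts inside the window
    opened = defaultdict(set)     # per-source accounts with a successful login
    flagged = set()
    for ts, ip, user, ok in sorted(parse(log)):
        q = recent[ip]
        q.append((ts, user, ok))
        if ok:
            opened[ip].add(user)
        while ts - q[0][0] > window:      # drop attempts older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, succeeded in q if not succeeded)
        # One user mistyping a password never reaches min_users distinct names.
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            flagged.add(ip)
    return {ip: sorted(opened[ip]) for ip in sorted(flagged)}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

Counting per source address misses attempts spread thinly across many addresses, so the same windowed count is usually also kept for the service as a whole.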

We may yet end up in a digital world without any passwords at all - many online services are trying to move in that direction already, looking at switching exclusively to other ways of checking your online identity, such as using special hardware tokens or taking biometric measurements instead. But passwords have been with us for more than half a century already, so we suspect they will be with us for many years yet, for some or many, if no longer all, of our online accounts.


News URL

https://nakedsecurity.sophos.com/2023/01/17/serious-security-unravelling-the-nortonlifelock-hacked-passwords-story/