“According to this study on 70 million passwords, the strength of user passwords typically contains 10-20 bits of security. This means that it only takes the attacker 1024-1048576 guesses to find the correct one. Assuming the attacker makes login attempts to the vulnerable service 30 times per minute, it takes him half an hour to 24 days to guess a password, depending on the strength of the target password. This is a scary estimate. Attackers have no problem launching the attacks from multiple IP addresses on multiple user accounts in parallel and often can make guesses more than 30 times per minute. If today the attacker launches such an attack against most user accounts in parallel, he will be able to get most user passwords within 24 days.”
According to AppBugs, up to 600 million smartphone users could be affected by this security oversight. Although the researchers responsibly disclosed the vulnerability and allowed 90 days, popular apps like CNN, Expedia, and Zillow still had not corrected the issue as of September 14th, according to the status listed on the AppBugs site. Until then, you can increase your own security by generating new passwords with LastPass. Run the LastPass Security Challenge (from the LastPass browser extension, just open the Tools menu to launch the Security Check) and identify which sites have old, weak, or re-used passwords. Auto-Password Change will help you replace many passwords in one click, and any others can be replaced with the LastPass password generator. By using strong, different passwords for every app and web account, you’re taking a simple but very effective step in protecting yourself online.