Password Management Service LastPass Gets Hacked

After the data breach of LastPass (which claims no user data was stolen), security experts discuss the merits and the risks of using password managers.

LastPass hack

Password security vendor LastPass publicly admitted on June 16 that it was the victim of a data breach of its network. The company, however, claims it has robust encryption in place, reducing the risks associated with the breached data.

In a blog post, Joe Siegrist, the company's CEO and co-founder, wrote that LastPass account email addresses, password reminders, server per user salts and authentication hashes were compromised.

As a password management service, LastPass enables users to have one master password, which provides access to multiple sites. The basic idea behind LastPass is to have a more secure way to store and use passwords across the Internet.

While LastPass has admitted to being breached, it also claims the stolen information was encrypted in a very strong manner.

"LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256 [Password-Based Key Derivation Function 2], in addition to the rounds performed client-side," Siegrist said. "This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

User data itself was not stolen, meaning that LastPass users don't necessarily have to change the specific site passwords that they have stored in the services. That said, Siegrist suggests that as a matter of best practice, users reset their master password and also use two-factor authentication.

This new incident isn't the first time that LastPass has noticed a potential data breach in its network. In 2011, LastPass also asked its users to reset their master passwords.

LastPass was also identified in a 2014 research paper as having some security risks, which were quickly corrected by the company. The paper from researchers at the University of California at Berkeley analyzed potential security risks across five popular Web-based password managers, including LastPass.

Security experts contacted by eWEEK provided mixed viewpoints on the severity and impact of the LastPass breach and the role the password managers should play in the security landscape.

Devin Egan, co-founder and CTO of LaunchKey, commented that LastPass does appear to be using a very strong hashing algorithm with a high iteration count with unique salts, so that will slow down cracking attempts considerably. "With that said, it is just buying additional time for their customers to change their master passwords at this point," Egan told eWEEK. "This must be done as the passwords have been stolen even if they are in a hashed/salted state."

Egan suggests that LastPass increase its already strong hashing method, as it has been shown that these master passwords are not immune from breach. More security and processes need to be put in place to ensure a breach of this magnitude does not occur again, he added.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.