Password security vendor LastPass publicly admitted on June 16 that it was the victim of a data breach of its network. The company, however, claims it has robust encryption in place, reducing the risks associated with the breached data.
In a blog post, Joe Siegrist, the company’s CEO and co-founder, wrote that LastPass account email addresses, password reminders, server-side per-user salts and authentication hashes were compromised.
As a password management service, LastPass enables users to have one master password, which provides access to multiple sites. The basic idea behind LastPass is to have a more secure way to store and use passwords across the Internet.
While LastPass has admitted to being breached, it also claims the stolen information was encrypted in a very strong manner.
“LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256 [Password-Based Key Derivation Function 2], in addition to the rounds performed client-side,” Siegrist said. “This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
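To make the two-stage scheme Siegrist describes concrete, here is an added illustration (not LastPass’s own code) of client-side PBKDF2-SHA256 stretching followed by 100,000 server-side rounds with a random per-user salt. The client-side round count of 5,000 and the use of the account email as the client-side salt are assumptions for the example; the article gives only the server-side figure.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5000      # assumed client-side round count (not stated on the page)
SERVER_ROUNDS = 100_000   # server-side rounds, as stated by LastPass
KEY_LEN = 32              # SHA-256 output length in bytes


def client_hash(master_password: str, email: str) -> bytes:
    """Client-side stretching of the master password. Using the (normalised)
    email as salt is an assumption for this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               CLIENT_ROUNDS, KEY_LEN)


def server_hash(auth_hash: bytes, per_user_salt: bytes) -> bytes:
    """Server-side strengthening: 100,000 more PBKDF2-SHA256 rounds over the
    value the client sent, keyed by a random per-user salt. Only this output
    and the salt are stored, so a breach yields nothing that can be replayed
    directly as the client-side value."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt,
                               SERVER_ROUNDS, KEY_LEN)


def enroll(master_password: str, email: str) -> dict:
    """Build the server-side record for a new account: email, salt, final hash."""
    salt = os.urandom(16)  # fresh random per-user salt
    stored = server_hash(client_hash(master_password, email), salt)
    return {"email": email, "salt": salt, "hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Recompute both stages for a login attempt and compare in constant time.
    An attacker holding the leaked salt and hash must pay the same
    CLIENT_ROUNDS + SERVER_ROUNDS cost for every master-password guess, which
    is why the stretching slows cracking but does not make a weak master
    password safe; hence the advice to reset it."""
    candidate = server_hash(client_hash(master_password, record["email"]),
                            record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", "alice@example.com")  # constructed
    print("stored salt:", rec["salt"].hex())
    print("stored hash:", rec["hash"].hex())
    print("login ok:   ", verify(rec, "correct horse battery staple"))
```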
User data itself was not stolen, meaning that LastPass users don’t necessarily have to change the site passwords they have stored in the service. That said, Siegrist suggests that, as a matter of best practice, users reset their master password and also enable two-factor authentication.
This new incident isn’t the first time that LastPass has noticed a potential data breach in its network. In 2011, LastPass also asked its users to reset their master passwords.
LastPass was also identified in a 2014 research paper as having some security risks, which were quickly corrected by the company. The paper from researchers at the University of California at Berkeley analyzed potential security risks across five popular Web-based password managers, including LastPass.
Security experts contacted by eWEEK provided mixed viewpoints on the severity and impact of the LastPass breach and the role the password managers should play in the security landscape.
Devin Egan, co-founder and CTO of LaunchKey, commented that LastPass does appear to be using a very strong hashing algorithm with a high iteration count with unique salts, so that will slow down cracking attempts considerably. “With that said, it is just buying additional time for their customers to change their master passwords at this point,” Egan told eWEEK. “This must be done as the passwords have been stolen even if they are in a hashed/salted state.”
Egan suggests that LastPass further strengthen its already strong hashing method, as it has now been shown that these master passwords are not immune from breach. More security controls and processes need to be put in place to ensure a breach of this magnitude does not occur again, he added.
Password Management Service LastPass Gets Hacked
Despite the fact that LastPass was breached, password managers such as LastPass in general do more good than harm, according to Matt Devost, CEO at cyber-security consultancy FusionX LLC.
“It is essential that users have strong and unique passwords for all of their online services, and it just isn’t reasonable to assume they will remember the passwords; thus these password managers fill a critical need,” Devost said. “To ensure that services like this are afforded the best protection possible, users should enable two-factor authentication.”
Also in favor of using two-factor authentication with password managers is Ben Tomhave, principal at Falcon’s View Consulting. While Tomhave is not surprised that a breach occurred at LastPass, he’s hopeful that the company will do a “lessons learned” exercise on this incident to fully understand not only the nature of the breach, but what LastPass can do to improve its defenses and optimize detection and response.
“Even better would be if they publicly disclosed more details on the incident so the rest of us can learn lessons with them,” Tomhave told eWEEK.
Egan suggests that, in light of the LastPass breach, users reconsider which services or software they use. In his view, password managers are unfortunately still a necessity, but keeping this sensitive information local, as opposed to in the cloud, would reduce exposure to attacks of this kind.
“In this case, one breach potentially nets a huge amount of compromises and, much like commercial fishing, unsuspecting users are caught in the wide net,” he said.
Any password manager requires certain compromises, according to Roger Stratton, general partner at Mach37. The user is placing a great degree of trust both in the encrypted storage method used by the password manager and in the fact that the mobile app, desktop app or browser plug-in isn’t introducing additional security exposures, he said.
“It is an example of putting all of your eggs in one basket,” Stratton told eWEEK. “As with any other important life decision, there is a cost/risk/benefit judgment that the consumer has to make. The important thing is to protect that basket.”
Fundamentally though, there are always risks with passwords as soon as they are shared. Mike Murray, director of Cyber Security Assessment and Consulting at GE Healthcare, said he always abides by the old rule that “a secret is something only one person knows.”
“As soon as you write your password down, whether on a Post-it note or in a digital form, it is possible for someone else to get it,” Murray said. “This breach is only a reminder of that fact—if you want perfect security for your passwords, you need to keep them in your brain.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.