Bad news for security-minded users who decided to create a single master password with LastPass. According to an announcement on the company’s blog, hackers have managed to breach the system and make off with an unknown number of user email addresses and password reminder questions (along with other yet to be disclosed data).
The good news – such as there is any in a data breach – is that so far LastPass has not found any evidence that its encrypted vault data has been jailbroken, nor is there any information that indicates that LastPass user accounts were accessed.
“The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised,” the company said. “We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
LastPass’ service essentially rests on “hashing” passwords – or taking plain text English and running it through a supposedly one-way mathematical algorithm that transforms said password into a string of gibberish that is hard to crack. And while that sounds good, the problem is that the hashes are static – meaning a hypothetical password of “password” will always spit out of the algorithm the same way. A dedicated thief could map hashes against common dictionary words and by doing so “crack” the hashed code and make them about as effective as any other guessable password.
LastPass also uses a unique element, a “salt” to each password – which slows down the process quite a bit as each password now requires a specific guess.
“What a salt does it makes it hard to go after a lot of passwords at once as opposed to one users’ password, because every user requires a separate guess and that separate guess is going to take a considerable amount of time,” Steve Bellovin, a professor in computer science at Columbia University told security blogger Brian Krebs. “With a salt, even if a bunch of users have the same password, like ‘123456,’ everyone would have a different hash.”
“Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account,” the newly breached firm noted on its website.
However, given that password reminders were stolen, some security experts are recommending that users go ahead and change those passwords anyway.
To check out what else is HOT in the world of payments, click here.