LastPass Password Manager Web Site Suffers A Breach
Forbes (and the rest of the media) is reporting that LastPass has put out a press release saying that they suffered a breach. The good news is that LastPass claims that they never have your master password. They also say that they don’t have any evidence that password files were downloaded. That doesn’t mean that they weren’t, just that they don’t see evidence of that.
The press release and the Forbes article can be found here and here, respectively.
What was taken was customer email addresses (so now the hackers know who uses that software), password reminders, user salts (a random string that makes their encryption stronger), and authentication hashes. While this does not spell doom and gloom, it certainly is not good news.
Obviously, the emails help hackers know who is using the software. They say that the password reminders were taken. Is that just the questions or the questions and answers? If both, then, hopefully, you did not use those reminder questions at any other web sites. If you did, you should change them. I assume that those password reminders were not encrypted or, if they were, the hackers got the encryption keys also, since they would have said if they were encrypted.
If they did get the password files and downloaded them, then all the fancy encryption stuff that they describe in the press release really doesn’t matter much. All the hackers need to do is brute force random strings against the data. For a few bucks, in the Amazon or Microsoft cloud, they can guess tens of millions of passwords a second without setting off any alarm bells.
From what they did say, it appears that their encryption methodology was strong. That is a good thing.
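To make the salts, authentication hashes and guessing rates discussed above concrete, here is an added example (not from LastPass or the original post). It assumes PBKDF2-HMAC-SHA256 as the hash, an illustrative iteration count, and a constructed raw rate of 50 million hashes per second; none of those figures come from the post.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000       # assumed work factor; the post does not state one
RAW_RATE = 50_000_000      # constructed: "tens of millions" of raw hashes/second
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def auth_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash a service can store instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute with the user's salt and compare in constant time."""
    return hmac.compare_digest(auth_hash(password, salt, iterations), stored)


def hash_work(users: int, candidates: int, iterations: int, salted: bool) -> int:
    """Raw hash computations needed to test every candidate against every record.

    Without salts, one computation per candidate covers all users at once;
    with per-user salts, the work must be repeated for each record.
    """
    return candidates * iterations * (users if salted else 1)


def years_to_exhaust(charset: int, length: int, iterations: int,
                     raw_rate: float = RAW_RATE) -> float:
    """Worst-case years to try every password of this shape against ONE record."""
    guesses_per_second = raw_rate / iterations
    return charset ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Two constructed users who picked the same master password.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    h_a = auth_hash("correct horse battery", salt_a)
    h_b = auth_hash("correct horse battery", salt_b)
    print("same password, same hash?", h_a == h_b)
    print("verify good/bad:", verify("correct horse battery", salt_a, h_a),
          verify("Password1", salt_a, h_a))
    print("work, 1M users x 1M candidates, unsalted:", hash_work(10**6, 10**6, 1, False))
    print("work, same, salted + iterated:", hash_work(10**6, 10**6, ITERATIONS, True))
    for length in (8, 12):
        print(f"{length} chars [a-z0-9]: fast hash {years_to_exhaust(36, length, 1):.2e} y,",
              f"iterated {years_to_exhaust(36, length, ITERATIONS):.2e} y")
```

The estimate covers exhaustive search only; a short or reused master password is found far sooner by a wordlist, so the length and uniqueness of the master password matter as much as the work factor.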
However, there is a downside to using software like LastPass that stores a copy of your password file in their data center. For the user, it is convenient since it will copy that file to any computer that you log in with (or any computer that a hacker logs in using your credentials).
LastPass has said that they have now added an extra security step of requiring some sort of verification if your account is accessed from a new computer. This is a good precaution. Again, that won’t help if the hackers did, in fact, access the password files.
LastPass also suggested that users enable two-factor authentication. LastPass offers a very wide variety of two-factor authentication methods (see their web site here). Actually, they deserve brownie points for this. Many web sites offer exactly ONE form of two-factor authentication, usually a one-time password sent to your phone. LastPass offers a dozen different ones – some free and some that require that you upgrade to their premium version.
Once again, people get to choose between security and convenience. There are many good password managers that store the data locally. Some have a mechanism for you to copy the file between computers. With others, since the password file is just that – a file – you have to copy it manually from computer to computer. One thing that you should never do is email it from computer to computer.
The LastPass breach is a reminder that if you don’t store information in the cloud, you will not be affected by cloud breaches.
Also note that LastPass is not offering anything to compensate you for the breach. Partly, I am sure, that is because they don’t think that your passwords were compromised. Partly, it is likely financial – as weak as credit monitoring is, it still costs money.
This is a good opportunity to inventory what you have stored in the cloud and decide if you are comfortable with the protections provided. You should examine the likelihood of that data being breached times the consequences of it being breached to come up with a measure of the risk you are taking. If you are comfortable with that, keep doing what you are doing. If you are not comfortable, then you need to make changes.
From the information that is publicly available, I would say that the risk of your password data being exposed is low – assuming they are telling us everything. Still, if the data is not there, it would not be a problem. Just saying.