The password-storage maker LastPass announced the worst possible news for a company in its business on Monday: its password database was breached and user account information stolen. Because LastPass allows central storage and synchronization of your data store--the "vault" of passwords and other information you use with its app and website--someone being able to suss out your master password would seemingly have access to all your secrets.
Fortunately, LastPass seems to have employed enough layers of security in the right way that even this scale of failure shouldn't rebound on you. Let's review what risk you're exposed to if you're a LastPass user, and what steps you should take to reduce those.
Round and round we go
Early password-storage software on desktops and smartphones was hampered by both the low computational power available and implementation issues. In a report in 2012, digital forensic software firm Elcomsoft found flaws in 17 smartphone password-management apps, some severe. (Some of those problems were mirrored in desktop versions, too.) That report spurred fixes and development, and companies became smarter or more thorough. That paid off in this breach.
Passwords have to be stored in a manner in which they can't easily be recovered, whether in an operating system, for a website, or protection an app's data storage. Every kind of system that uses a password for authentication or access employs a one-way process--unless the outfit running it is negligent.
Many websites almost certainly still use a simple method. They take your password, run it through what's called a hashing algorithm that performs intensive mathematical operations on it, and produces a result (a "hash") that can't be reversed: knowing the hash doesn't reveal the original password.
Whenever you login, your password isn't checked against a stored password. Rather, the site or service runs whatever you entered through the same hashing process and tests the result against the stored has. If your freshly entered text when hashed matches the previously calculated one, you're legit.
When ne'er-do-wells steal password files, they don't immediately get access to passwords. They need to perform cracking operations, working their way through common passwords (based on many large previous public thefts) and into common words and combinations. Crackers don't go through every possible combination; they pick the most likely ones first. For instance, if asked to enter a word with mixed case, a number, and punctuation, people are more likely to enter Apple1! than ec7*JH43(k; crackers now follow these sorts of paths to harvest more results.
A well equipped desktop PC with a high-end graphics card (or several) can churn through billions of password tests per second--yes, per second. Companies like LastPass build in layers of protection to slow them down.
Sign up for CIO Asia eNewsletters.