
LastPass was hacked: Here's what you have to do

Glenn Fleishman | June 18, 2015
The password-storage maker LastPass announced the worst possible news for a company in its business on Monday: its password database was breached and user account information stolen. Because LastPass allows central storage and synchronization of your data store--the "vault" of passwords and other information you use with its app and website--someone being able to suss out your master password would seemingly have access to all your secrets.

First, LastPass uses a "salt," a piece of text combined with the password before hashing, so that identical passwords belonging to different accounts still produce different hashes. "aa" + "Apple1!" hashes to something entirely different from even "aA" + "Apple1!".

Second, the company uses an algorithm that doesn't hash just once, but many times over. The default for LastPass on the client side--in a native or Web app--is 5,000 rounds.

Third, when you log into LastPass on the website or via a sync client, the password itself still isn't sent. Instead, the locally hashed value is what goes to the server, where it's run through another 100,000 rounds.
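As an added illustration (not LastPass's own code; the article states only the round counts, so the primitive used here, PBKDF2-HMAC-SHA256, the 32-byte output and a per-user salt string are assumptions), this Python sketch shows the two-stage stretching described above, why the salt matters, and how the round count sets the work an attacker must spend on every candidate password:

```python
import hashlib
import hmac

# Round counts are the ones the article states; the primitive (PBKDF2-HMAC-SHA256),
# the output length and the per-user salt string are assumptions for this example.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
HASH_NAME = "sha256"
DK_LEN = 32


def client_hash(master_password: str, salt: str) -> bytes:
    """Stage 1, on the device: the master password itself never leaves it."""
    return hashlib.pbkdf2_hmac(
        HASH_NAME, master_password.encode("utf-8"), salt.encode("utf-8"),
        CLIENT_ROUNDS, DK_LEN,
    )


def server_hash(client_side_hash: bytes, salt: str) -> bytes:
    """Stage 2, on the server: re-stretch what the client sent. The result is
    the only password-derived value a stolen account database would hold."""
    return hashlib.pbkdf2_hmac(
        HASH_NAME, client_side_hash, salt.encode("utf-8"), SERVER_ROUNDS, DK_LEN,
    )


def stored_verifier(master_password: str, salt: str) -> bytes:
    """What enrolment stores: both stages applied in order."""
    return server_hash(client_hash(master_password, salt), salt)


def verify_login(submitted_client_hash: bytes, salt: str, stored: bytes) -> bool:
    """Login check: stretch the submitted client hash, compare in constant time."""
    return hmac.compare_digest(server_hash(submitted_client_hash, salt), stored)


def hash_iterations_per_guess() -> int:
    """Work per candidate password for someone holding only the stored
    verifier: both stages have to be reproduced."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


def guesses_per_second(raw_iterations_per_second: float) -> float:
    """Convert a raw HMAC-iteration rate into candidate passwords per second."""
    return raw_iterations_per_second / hash_iterations_per_guess()


if __name__ == "__main__":
    stored = stored_verifier("Apple1!", "aa")
    # Same password, different salt ("aA"), as in the article: different verifier.
    print(stored != stored_verifier("Apple1!", "aA"))
    print(verify_login(client_hash("Apple1!", "aa"), "aa", stored))
```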

This isn't just for show. My estimate for cracking all of that combined, with about $10,000 of graphical processor units (GPUs), is about 30 passwords per second instead of billions. An Ars Technica expert thinks it's even lower: about 10 passwords per second.

Now, we have to factor in the fact that some people's password hints may allow specific accounts to be targeted ("my password is my first name plus a one"), and that determined crackers might have gained access to, bought, or stolen 1,000 times the power of the rig I'm using for this rough estimate.

But the odds of mass decryption are very low, and if you're a LastPass user, you can make them even lower.

What you can do

LastPass says in its blog entry, "Encrypted user vaults were not compromised." This is a critical fact, because changing your master password immediately makes the stolen password information useless. Had crackers stolen the vaults, they could churn on them forever, or return to them in the future and crack them with more advanced or powerful technology. Since people often don't change passwords for years at a time, or ever, that would have remained a risk.

LastPass also advises changing your password on any other account where you use the same password. Because email addresses and password hints were stolen, crackers who compromise one account will try for others. However unlikely that is, it's good to make these changes. (Also, if you use LastPass or similar software, you can easily avoid ever using the same password twice.)

The benefit of second-factor authentication also remains in effect. The information stolen from LastPass doesn't let a cracker who recovered your password gain access without the token you generate on a device or in an app that only you have. (Presumably LastPass has kept the seed information used for second factors secure.)

When setting a new master password, you can ignore the common but bad advice to pick something that's hard to remember and type. The notion is that something short and complex is better than something long and simple. This is incorrect.

