Password management firm LastPass admits hack – but says password vault safe

Password management service LastPass has issued a security notice that its network has been breached – but claims no encrypted user vault data was taken, nor accounts accessed.

However, the notice said LastPass account email addresses, password reminders, server per-user salts (see below) and authentication hashes were compromised.

“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Joe Siegrist said in a blog post.

Passwords salted, hashed and stretched

According to security expert Paul Ducklin, LastPass does a good job of storing its password representations because passwords are salted, hashed and stretched, and only ever stored in that scrambled, irreversible form.

“Salting is where you add some random nonsense to the actual password text. So even if two users pick the same password, their password representations end up different. Hashing is where you scramble the salted password cryptographically and store the one-way scrambled version only. Stretching is where you deliberately re-run the hashing part over and over again before storing the representation, to slow an attacker down,” he wrote in a blog post.

According to the security notice, LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.

“This additional strengthening makes it difficult to attack the stolen hashes with any significant speed,” the security notice said.

LastPass prompt to notify users
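The salt-hash-stretch scheme described above, as an added illustration that is not LastPass's own code: the master password is stretched client-side with PBKDF2-SHA256, and the server strengthens that authentication hash again with a random per-user salt and 100,000 further PBKDF2-SHA256 rounds. The client-side round count and the use of the account email as the client-side salt are assumptions for the example; the article gives neither.

```python
import hashlib
import hmac
import os

# Assumption: illustrative client-side round count; the article states no figure.
CLIENT_ROUNDS = 5_000
# From the security notice: 100,000 server-side PBKDF2-SHA256 rounds.
SERVER_ROUNDS = 100_000
SALT_BYTES = 16


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side stretching. Assumption: the lower-cased email acts as the salt,
    so the server never sees the master password itself, only this derived value."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), rounds)


def server_strengthen(auth_hash: bytes, server_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side strengthening: salt the received authentication hash with a random
    per-user salt and stretch it again. Only this output is stored."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, rounds)


def enroll(master_password: str, email: str) -> dict:
    """Simulate account creation: a fresh random salt per user, so two users with the
    same master password still get different stored representations."""
    server_salt = os.urandom(SALT_BYTES)
    stored = server_strengthen(client_auth_hash(master_password, email), server_salt)
    return {"email": email, "salt": server_salt, "hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Recompute both layers from the candidate password and compare in constant time."""
    candidate = server_strengthen(client_auth_hash(master_password, record["email"]),
                                  record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample accounts: same master password, different per-user salts.
    a = enroll("correct horse battery staple", "alice@example.com")
    b = enroll("correct horse battery staple", "bob@example.com")
    print("stored hashes differ:", a["hash"] != b["hash"])
    print("alice verifies:", verify(a, "correct horse battery staple"))
    print("wrong password rejected:", not verify(a, "Tr0ub4dor&3"))
```

An attacker holding the stolen salts and hashes must repeat both stretching layers for every guess against every account, which is the slowdown the notice refers to.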

However, LastPass said all users who log in from a new device or IP address will be required to verify their account by email if they do not have multifactor authentication enabled.

The company also plans to send all users an email about the breach, prompting them to change their master passwords.

“You do not need to update your master password until you see our prompt. However, if you have re-used your master password on any other website, you should replace the passwords on those other websites,” the security notice said.

LastPass said there is no need to change any passwords stored in the LastPass vault because encrypted user data was not taken, but the company recommends enabling multifactor authentication for added protection.

LastPass enables users to choose from a variety of second-factor authentication methods, including USB keys like YubiKey and Sesame as well as biometric authentication methods.

The company said it is working with the authorities and security forensic experts.

Independent security consultant Graham Cluley said LastPass users should be careful with any email they receive from LastPass.

He points out that the compromise of account email addresses presents an opportunity for phishers and identity thieves to commit email-based attacks posing as LastPass.

Security in depth with password managers

“As always, don’t panic. The sky is not falling. Take sensible steps to better secure your account – LastPass’s advice is good,” he wrote in a blog post.

Cluley said he hoped LastPass will eventually be able to share more information about precisely what happened and reassure customers that it will not happen again.