Earlier this week (15/06/2015), LastPass, a popular password manager that offers a cloud-based way to store your credentials behind a single master password, disclosed that they had observed unauthorised traffic and that intruders had broken into its systems and stolen user email addresses, password reminders and other related information.
The good news is that LastPass said that they had found no evidence that the encrypted data vault which stores all the user information was taken, or that any user accounts were accessed.
During their investigation, LastPass discovered that account email addresses, reminders, user salts and authentication hashes had been compromised. The company said: “We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
So what does this mean to us, the end users? All the passwords which are stored in LastPass’ vault were stored using a method called hashing. This process takes a plain-text password value such as “Password” and runs it through an algorithm that converts it into a value of non-readable text.
However, it doesn’t stop there. Hashing on its own simply stops anyone from reading the text in plain sight: once you have worked out which word produces a given hash, you can recognise that same word everywhere the same hash value appears. A computer could decode potentially millions of passwords in no time at all, especially if they are found in the dictionary.
To get around this, companies use an additional layer of security called salting.
What is salt? Salt, when used with passwords, adds a lot of random data to every password that is stored. When done correctly it makes the decoding of passwords a lot more difficult to achieve. This is because every person’s stored password will have a unique value, so each one requires brute-force guessing on its own. This takes a considerable amount of time compared to an unsalted password, for which predefined hashes are already available.
As an example, if everyone had the password “Password” and a salt was used, the stored hash value would be different for everyone. If no salt was used, the hash would be the same for everyone with that password, allowing people to guess the same password more quickly over time.
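To make the salting argument above concrete, here is an added example (not LastPass’ code) that stores the same weak password for two constructed users both with and without a salt, using the random salt and 100,000 rounds of PBKDF2-SHA256 the company’s statement mentions. The wordlist and the two users are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Round count taken from LastPass' statement about its server-side PBKDF2-SHA256.
ROUNDS = 100_000

def unsalted_hash(password: str) -> str:
    """Plain SHA-256: every user with this password gets the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Per-user record: random 16-byte salt plus PBKDF2-SHA256 over the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": ROUNDS}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["rounds"])
    return hmac.compare_digest(candidate.hex(), record["hash"])

def demo() -> dict:
    # Constructed wordlist standing in for the "dictionary" the post mentions.
    wordlist = ["123456", "Password", "qwerty", "letmein"]
    precomputed = {unsalted_hash(w): w for w in wordlist}

    # Two constructed users who happen to share the same weak password.
    alice = make_record("Password")
    bob = make_record("Password")

    return {
        # Unsalted: one table lookup recovers the word for every user at once.
        "unsalted_lookup": precomputed.get(unsalted_hash("Password")),
        # Salted: the two stored hashes differ, and neither appears in the table.
        "salted_hashes_differ": alice["hash"] != bob["hash"],
        "salted_lookup": precomputed.get(alice["hash"]),
        # Normal login still works, and a near-miss is rejected.
        "alice_verifies": verify("Password", alice),
        "wrong_rejected": verify("password", alice),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsalted lookup succeeds immediately for every user sharing the word, while the salted records differ from each other and from the precomputed table, so each one would have to be guessed at 100,000 PBKDF2 rounds per attempt.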
During the breach, password reminders were also obtained. Although not too serious in the overall scheme of things, this could give malicious users an extra level of detail when trying to recover password information.
If you are using LastPass for all of your passwords, follow LastPass’ advice and change your master password today. If you use the same password for any other websites, change those as well. Remember, you should use a different password for every site you visit, even if it’s only a temporary site.
Check and verify your password reminder information; consider updating it and using new reminders if possible.