The popular cloud-based password management service LasPass has been compromised, exposing user account email addresses, password reminders, server per use salts, and authenication hashes. It seems that encrypted user vault data haven’t been accessed.
“We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed,” is the official statement from LastPass published on its website.
That’s great, but now the evil is done, and I would say that they lost credibility and they are risking losing many clients, since no one knowing this will risk keeping their passwords in LastPass.
Users having a weak master password are at risk, so it’s better to update their password.
LastPass customers who are not using multi factor authentication must verify their accounts via email when logging in from a new device or IP address.
“You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites“.
“what this means is that attackers seem to have all they need to start brute forcing master passwords”, “So far, the attackers do not seem to have access to the passwords encrypted with that master password. They incidentally have a list of LastPass users by e-mail address.” said Tod Beardsley, Rapid7’s security engineering manager.
OK, so it seems that maybe they will be able to brute force the password since they have all the information to do it, but it’s not the only problem, because criminals have user’s email addresses that they can use to run phishing campaigns, tricking users with emails such “Update your LastPass master password”, or “Update LastPass to the new version”, etc.
Another consideration to do is that maybe the way people are storing their passwords are not ideal, which is the better choice?
Keeping passwords in the cloud, or keep or passwords locally?
“Password vaults in the cloud are potentially dangerous as a breach like this could expose every password to every site for a wide range of users,” “As LastPass themselves recommend, users need to enable additional factors of authentication on these systems as protecting this data with a password alone is not secure. Unlike a site that stores passwords one-way hashed, a password manager encrypts the users’ passwords with a way to decrypt them so they can be used later. Thus, LastPass’s breached hashes and salts will be under attack and any successful crack could lead to a specific user without additional factors of authentication open to further data breaches.” explained Devin Egan, co-founder and CTO of LaunchKey, at Infosecurity magazine.
Again, in my opinion, this entire situation proves that we need to re-think the way we store our passwords, and maybe we should change the approach in a near future.
About the Author Elsio Pinto
(Security Affairs – LastPass, data breach)