LastPass Breach: Avoiding Data Compromise
Password service manager, LastPass, was hacked. On a Monday, the company acknowledged in a post that they have been a target of a recent security breach where attackers accessed user email addresses, master passwords, and password reminder phrases.
LastPass Data Breach
The LastPass team had disovered and blocked suspicious network activity and have assured that no information was taken from their user vault.
“We are confident that our encryption measures are sufficient to protect the vast majority of users.” LastPass assures. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256… This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
Steps were taken to ensure the security of the data such as having to verify the account via email when a user logs in from a new device/IP address. They advice users to update the Master Password especially when they send the email prompt.
We asked Andrea Tarquini, software analyst/developer, for his thoughts about security in Password service Managers.
Do you trust/use password service managers?
Personally I use client side only (and open-source) password managers like KeePass because as a geek and IT Security Researcher I’m a bit paranoid. I trust the common algorithms used by password managers, but the weakness about them is the complexity of the master password you choose. I suggest to use a strong passphrase.
After hearing about this data breach, are you still going to use password service managers?
Yes I will continue to use client side Password Managers. Personally I don’t use LastPass but as reported by them, they use strong cryptographic algorithms and client side strategies (such as encryption/decryption) to protect their user data. We use similar algorithms and strategies to implement client side encryption on IzzieDocs, our service to create and share secure documents on the google drive platform.
The issue with LastPass is more on the users who use Weak Master Passwords. To fix this, you need to update it (and use a strong passphrase); and don’t use weak password reminder hints that may suggest a way to discover the master password to an attacker. As suggested by the LastPass team you should also enable multifactor authentication.
What advice would you give to companies how to keep passwords secure?
Always the best thing to do is to train employees about basic security concepts. Password manager cannot protect from weak master passwords, services like LastPass can audit and monitor suspicious activities and offer policies to avoid data breach, but they cannot protect at all from password guessing.
Andrea Tarquini is an IT Security researcher and software analyst/developer at eLearnSecurity. He is the main developer of JustCryptIt and IzzieCloud. He is also the author of ‘Ruby for Penetration testing and Metasploit’ section of Penetration Testing Course Professional.