On June 15, LastPass, the freemium cloud-based password manager, announced in a blog post that its servers had been breached and that e-mail addresses, password reminders, per-user salts and authentication hashes (not plaintext passwords) had been taken.
Users were urged to change their master passwords promptly. The attackers did not, however, obtain the encrypted files that hold users' stored passwords, known as "vaults."
But users should not panic, experts say, at least as long as the company's account of how it stores and protects password data is accurate.
Unlike some other password managers, such as AgileBits's 1Password app, LastPass does not keep passwords only on its customers' devices. It also retains a central, encrypted copy on its own servers for synchronization. That copy is what users, but also anyone who breaches the company's servers, can reach.
Yet the breach should not have the consequences LinkedIn suffered several years ago: cracking one user's hash does not unlock every other account that happens to use the same password.
Password services do not store passwords in plaintext. They run each one through a "hash," a one-way function that compresses its input into a fixed-length digest from which the original is practically impossible to recover. A hash is not encryption: there is no key, and nothing is meant to be decrypted.
Hashes' main role is to confirm that a message has not been modified; they cannot be run backwards to reproduce the original. A password service therefore stores only the hash and, at login, hashes what the user types and compares the result with what it stored.
But because a given input always produces the same hash, an attacker holding the hashes only needs to hash a list of the most common passwords once and look every account up in the result. If 10,000 users chose the password "1234," a single lookup compromises all 10,000 accounts. That is what made the 2012 LinkedIn breach so damaging: its password hashes were unsalted SHA-1.
But security experts say LastPass uses methods that make an attacker's life far harder.
First, every account gets its own random value, a "salt," that is mixed into the hash every time the password is hashed. Two users who choose the same password therefore end up with completely different hashes, and no precomputed table applies.
So if the site has a million accounts, an attacker has to recompute each candidate password a million times, once per salt, instead of once for the whole database.
Second, LastPass does not hash a password once but many thousands of times over, a technique known as key stretching. The company's post said it applies 100,000 rounds of server-side PBKDF2-SHA256 on top of the rounds already performed on the client. Every extra round is a cost the attacker pays again for each guess against each account.
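The two mechanisms described above, as an added example that is not LastPass's code: a constructed account table is hashed first with plain unsalted SHA-1 and then with a per-user random salt plus PBKDF2-SHA256, and the same small wordlist attack is run against both. The user list, the wordlist and the round count are assumptions made for illustration; the point is how the attacker's cost changes between the two schemes.

```python
"""Why per-user salts and key stretching blunt a leak of authentication hashes.

Added example, not LastPass code. The account table, wordlist and round
count below are constructed for illustration.
"""
import hashlib
import os

# Constructed sample accounts. Three of them share the weak password "123456".
SAMPLE_USERS = {
    "alice@example.com": "123456",
    "bob@example.com": "123456",
    "carol@example.com": "123456",
    "dave@example.com": "letmein",
    "erin@example.com": "correct horse battery staple",
}

# Constructed attacker wordlist of common passwords, tried in this order.
WORDLIST = ["password", "123456", "qwerty", "letmein", "abc123"]


# --- Scheme 1: unsalted SHA-1, the situation LinkedIn was in during 2012 ---

def unsalted_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What the server keeps: user -> hash. Equal passwords give equal hashes."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Hash every candidate once, then look each account up in that table.

    Returns (cracked {user: password}, number of hash computations).
    The cost is len(wordlist) no matter how many accounts leaked.
    """
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


# --- Scheme 2: per-user random salt + PBKDF2-SHA256 key stretching ---

def salted_hash(password: str, salt: bytes, rounds: int) -> bytes:
    # One call runs `rounds` HMAC-SHA256 iterations; the attacker pays that
    # price for every (candidate, account) pair, not once per candidate.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def store_salted(users: dict, rounds: int) -> dict:
    """user -> (salt, hash), with a fresh random 16-byte salt per account."""
    out = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        out[user] = (salt, salted_hash(pw, salt, rounds))
    return out


def crack_salted(stored: dict, wordlist: list, rounds: int) -> tuple:
    """No shared lookup table is possible because every salt differs, so each
    candidate is recomputed for each account (stopping at the first match).

    Returns (cracked {user: password}, number of PBKDF2 computations).
    """
    cracked, calls = {}, 0
    for user, (salt, h) in stored.items():
        for w in wordlist:
            calls += 1
            if salted_hash(w, salt, rounds) == h:
                cracked[user] = w
                break
    return cracked, calls


if __name__ == "__main__":
    plain = store_unsalted(SAMPLE_USERS)
    cracked, ops = crack_unsalted(plain, WORDLIST)
    print("unsalted: cracked", sorted(cracked), "with", ops, "SHA-1 computations")

    rounds = 100_000  # the server-side round count LastPass said it uses
    salted = store_salted(SAMPLE_USERS, rounds)
    cracked, calls = crack_salted(salted, WORDLIST, rounds)
    print("salted+PBKDF2: cracked", sorted(cracked), "with", calls,
          "PBKDF2 calls, i.e.", calls * rounds, "HMAC-SHA256 iterations")
```

The same four weak accounts fall in both runs; the difference is the bill. Against the unsalted store the attacker hashes five candidates once and is done. Against the salted store the three users sharing "123456" have three unrelated hashes, every candidate is recomputed per account, and each recomputation costs the full round count, so the work grows with the number of accounts times the number of guesses times the rounds. A strong master password (the last sample user) is never found by a wordlist at all.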
According to the company's blog, suspicious activity on its network was detected on Friday afternoon. It is the company's second major security incident since a 2011 attack. LastPass said Monday that "encrypted user vault data" had not been taken and that it had found no evidence that any user account had been accessed.
"The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised," the company added in its blog post.
As a precaution, the company now requires users who log in from a new device or IP address to verify the login by e-mail first, unless they already have multifactor authentication enabled on their account.