LastPass has notified its users that it experienced some “suspicious behavior” on their servers and they believe that “email addresses, password reminders, server per user salts, and authentication hashes were compromised”. They also made clear that “we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed”.
I encourage you to read the full blog post, along with the updates. They do a very good job of answering the burning questions, so I won’t repeat that all here. You can also get another view from this Sophos post and even deeper info from this Krebs On Security post, if you’re interested.
For those of you who are not cryptographers, when they say “server per user salts” and “authentication hashes”, what they’re talking about is the scrambled version of your master password that they save. It’s important to realize that they don’t store your actual master password – they save a unique, irreversible version of it – because saving the actual password is horribly insecure. This is covered in my book, but basically you enter your password, a random value unique to your account (the “salt”) is mixed in, and the result is fed through a one-way hash function many thousands of times over to arrive at some other, completely different value. When you log in, the server repeats exactly that computation and checks that the result matches the value it saved earlier. The key is that given the salt and the hash, you can’t work backwards to get the actual password. Okay, you can, but only by guessing: take a candidate password, salt and hash it the same way, and see whether it matches. The repeated hashing makes every single guess slow (LastPass’s notice says they use a per-user salt and 100,000 server-side rounds of PBKDF2-SHA256, which is exactly this kind of deliberately slow hash), and a long, random master password means there are far too many candidates to try in any useful amount of time. So if you change your master password anytime soon, you’re safe. The best they could do is eventually figure out your old password, which no longer works (because you changed it), and since the encrypted vault data wasn’t taken there is nothing for that old password to unlock.
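As an added illustration of the salting and hashing just described, here is the scheme in Python using PBKDF2-HMAC-SHA256, the construction named in LastPass’s notice. This is example code written for this page, not LastPass’s implementation and not code from the original post; the round count, the sample passwords and the short wordlist are assumptions chosen for the demo. It shows what an attacker holding a stolen salt and hash can do (guess, one slow candidate at a time) and what they cannot do (run the hash backwards).

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Iteration count for PBKDF2. 100,000 is the server-side figure LastPass gave in
# its notice; what matters here is that every guess must repeat this much work.
ROUNDS = 100_000


def make_auth_record(password: str, salt: Optional[bytes] = None,
                     rounds: int = ROUNDS) -> Tuple[bytes, bytes]:
    """Produce the (salt, authentication hash) pair a server stores instead of
    the password. The salt is a fresh random value per user, so identical
    passwords hash differently and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    auth_hash = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, auth_hash


def verify(password: str, salt: bytes, auth_hash: bytes, rounds: int = ROUNDS) -> bool:
    """Recompute the hash from a submitted password and compare in constant time
    (hmac.compare_digest avoids leaking how many leading bytes matched)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, auth_hash)


def offline_guess(salt: bytes, auth_hash: bytes, wordlist: Iterable[str],
                  rounds: int = ROUNDS) -> Tuple[Optional[str], int]:
    """What an attacker holding a stolen (salt, hash) pair can actually do.
    There is no way to run the hash backwards; each candidate has to be salted
    and stretched exactly as the server did. Returns (recovered password or
    None, number of guesses spent)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if verify(guess, salt, auth_hash, rounds):
            return guess, tried
    return None, tried


# Constructed stand-in for the usual "most common passwords" list (assumption).
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey", "football"]


if __name__ == "__main__":
    # Sample passwords are assumptions for the demo, not real credentials.
    for pw in ["dragon", "correct horse battery staple tickles the dragon"]:
        salt, auth_hash = make_auth_record(pw)
        assert verify(pw, salt, auth_hash)
        found, guesses = offline_guess(salt, auth_hash, WORDLIST)
        print(f"{pw!r}: {'cracked' if found else 'not found'} after {guesses} guesses")
```

Run it and the weak password falls after a handful of guesses, each one costing the full 100,000 hash iterations; the long passphrase is not found because it is in no wordlist, and the space of random passphrases of that length is far beyond what a guessing attack can cover. Note also that the same password hashed with two different salts gives two different hashes, which is why a table precomputed against one user’s salt does nothing against another’s.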
This is why it’s absolutely crucial that you have unique, strong passwords for everything. If you reused your LastPass master password on any other site (which you should never do), then you need to change the password there, too. The whole point of using a password manager is to generate ridiculously strong and completely unique passwords for everything – you don’t have to remember them, so why not? The only password you need to know is your master password. If you need help with this, you can watch my short YouTube video on how to choose a good master password.
So what do we take away from this? First of all, we should just all assume that this is going to happen repeatedly. Every one of these sites is a prime target for hackers, and they will eventually get in and steal the password database (hopefully salted and hashed, not stored in plain text). If you have a strong, unique password for every site, then it will take the bad guys a very long time to crack yours, if they manage it at all. And if and when they do, it won’t give them access to any other account – because you have different passwords for every site.
The other thing this underscores is the importance and utility of two-factor authentication. If someone steals and cracks your password, they’re still screwed – because they don’t have the second factor. This gives you time to change the password once the breach is announced. One caveat that matters for a password manager in particular: the second factor guards the login to your account, not the encryption of the vault itself, which is protected by your master password alone. That is why it matters so much that the encrypted vault data wasn’t taken in this case. Unfortunately, not all sites have two-factor authentication yet, but incidents like this are prompting many sites and services to adopt it. When they do, sign up.
And finally, it proves once again that passwords suck. But it’s still the best option we have today. Various efforts are under way to come up with new authentication schemes, but beware of anything that uses biometrics (that is, “something you are”). Biometrics are really more like a user name than a password. You don’t want your password to be something you can’t change, from a privacy perspective if nothing else: a fingerprint can be copied, and once it leaks you can’t issue yourself a new one. The most interesting technology I’ve seen so far is called SQRL (pronounced “squirrel”). Its advantage is that the web site never holds a password or a password hash at all: your device derives a separate key pair for each site from a master key that never leaves the device, and the site stores only the public half, which is no secret – that is, there’s nothing for hackers to steal or crack.
Many people will now be asking: should I abandon LastPass? In short, I would say no. LastPass appears to have done everything right here, and I still think it’s the best option out there for most people. There are other password managers that don’t store your password database in “the cloud”. This means that if you want to access your passwords from multiple devices and places, it’s up to you to copy and/or synchronize the password database yourself (using something like Dropbox or iCloud Drive). I find that to be too cumbersome for most people, but it’s doable. If you would like to look at this option, check out 1Password. It’s more expensive, but it’s probably the best alternative to LastPass that doesn’t keep your password database on the provider’s servers.
The more incidents like this that we have, the more attention the topic will receive and the more people will realize that they need to take charge of their own security.