Monday, June 15, 2015

LastPass password vault hacked: what you need to know

Password vault maker LastPass informed customers today that their servers had been compromised. Don't panic. Do change your master password.

LastPass informed its customers Monday that on Friday, the company detected and blocked suspicious activity on its network. In investigating the incident, they discovered that email addresses, password reminders, user salts, and authentication hashes were compromised. As of this writing they do not believe actual encrypted password vaults were accessed.

What does this mean for you?

LastPass makes what is known as a password vault, or password manager. This is a program designed to safely store all your passwords, so you only have to remember one master password.

In this case, hackers managed to break into the LastPass network and steal some information. It does not appear that they obtained the password vaults, but they obtained information that could be used to try to discover the master passwords.

I have long recommended LastPass and similar password managers. Passwords are a hassle, but they are generally the first line of defense against someone accessing your accounts without your permission. With perhaps dozens if not hundreds of online accounts, it is tempting to either use the same password for them all, or use a simple (weak) password. In the former case, if a hacker steals the password from one site, they now have access to all your accounts. In the latter case, weak passwords can be easily guessed or cracked.

Password managers help in two ways. First, most password managers can create truly random passwords for every website - random passwords that cannot be guessed by an attacker, and that have nothing to do with things an attacker might discover about you (pets' names, special dates, or any other personal items we tend to use in our passwords). Second, the password manager stores every password for you, making it easy to use unique (and long) passwords for every website. If the manager is storing the password for you, it is just as easy to use "Hv^4Yv8ecN5OYxUm&Y^BULia!0&1aJ" as it is to use "password123."

The risk in a password vault is, now an attacker can target that vault instead of trying to break into every account individually. Why do criminals rob banks? Because that's where the money is. The same idea applies to information stored online.

LastPass has an excellent track record with regard to security. The company never has access to your actual passwords - instead, your password is encrypted into a "vault" on your computer, and only the encrypted vault is uploaded to the company's servers. Without your master password, the vault is useless both to LastPass and to an attacker.

The important thing to note is, while this is a serious breach of security, it is not a reason to panic, nor a reason to abandon password managers - even cloud-based ones such as LastPass. Yes, a password manager is a target, but for most people the far greater risk comes from poor password practices. As a security professional, given the choice between remembering a hundred passwords, writing them down in a paper notebook, re-using a weak password, or trusting a product such as LastPass, despite today's breach I will still choose to use a password manager.


What to do now?

  1. Change your LastPass master password. LastPass does not believe your password vault was compromised. Nonetheless, changing the password now will re-encrypt the vault. More importantly, changing the master password will render the authentication hashes the hackers did take useless. Go directly to the vendor's website (https://lastpass.com) - don't click links in email or even in blog posts.
  2. If you have not done so already, enable two-factor authentication. With this, you must have both your master password as well as a device that you control (for instance, a phone with Google Authenticator installed, or a USB device called a "YubiKey").
  3. Be alert for any email scams making use of this news. A "hacked" security tool would be great fodder for a phishing campaign asking you to click a link. Don't click any emailed links claiming to be related to this. Go directly to the lastpass website (https://lastpass.com).
  4. Keep an eye on the LastPass blog for any additional information. This is a very new situation and the company is still investigating what happened.
Updated 16-June: Here is the email notification LastPass sent to customers.

Notification from LastPass to its customers