The Schwartz Report

LastPass Breach Again Underscores Weakness of Passwords

The popular password management service LastPass disclosed yesterday that it discovered "suspicious activity" on its network in which e-mail addresses, password reminders and authentication hashes were breached, though the company said it doesn't believe encrypted user vault data was seized.

LastPass is among numerous cloud-based password management services that allow individuals and enterprise users to store their encrypted passwords in an online vault to provide single sign-on to Web sites and mobile application services. I have used the LastPass service for several years and have found it useful in an age where we have scores of passwords to remember. The inherent risk of using a password vault service such as LastPass is that if your master password is compromised, every site you have registered is at risk as well. The LastPass breach is the latest evidence that passwords are indeed hard to protect, even by experts.

Founder and CEO Joe Siegrist said he has confidence in the encryption methods LastPass uses to protect passwords. "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side," he wrote in a blog post announcing the breach yesterday. "This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."
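The layered strengthening Siegrist describes can be sketched as follows. This is an added example, not LastPass's code and not part of the original post; the client-side round count, the use of the account name as the client-side salt, and all function names are assumptions.

```python
import hashlib
import hmac
import os

SERVER_ROUNDS = 100_000  # server-side figure quoted in the post
CLIENT_ROUNDS = 5_000    # assumption: the post gives no client-side count


def client_auth_hash(master_password: str, account: str) -> bytes:
    """Client side: stretch the master password before anything is sent.

    Assumption: the account name acts as the client-side salt.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), account.encode(), CLIENT_ROUNDS
    )


def server_enroll(auth_hash: bytes) -> tuple:
    """Server side: add a random per-user salt and 100,000 more rounds.

    Only (salt, stored) is kept; the received auth hash is discarded.
    """
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute the server-side rounds and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    auth = client_auth_hash("correct horse battery staple", "user@example.com")
    salt, stored = server_enroll(auth)
    print("login ok:", server_verify(auth, salt, stored))
    wrong = client_auth_hash("password123", "user@example.com")
    print("wrong password ok:", server_verify(wrong, salt, stored))
```

Each guess against a stolen record costs the client-side rounds plus the 100,000 server-side rounds, and the random salt means identical master passwords never produce identical stored hashes.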

Even if you're willing to accept that your passwords are still safe, the password reminders that were stolen could be used in targeted attacks, Columbia University computer science professor Steve Bellovin told Brian Krebs on his KrebsOnSecurity news site. The bottom line is that users should change their master passwords.

The breach hasn't made me decide to stop using LastPass, but it does make me look forward to a day when biometrics or the common use of two-factor authentication replaces the use of passwords, even though that comes with its own baggage.

 

Posted by Jeffrey Schwartz on 06/16/2015 at 11:09 AM

