The Schwartz Report

Blog archive

LastPass Breach Again Underscores Weakness of Passwords

The popular password management service LastPass disclosed yesterday that it discovered "suspicious activity" on its network in which e-mail addresses, password reminders and authentication hashes were breached, though the company said it doesn't believe encrypted user vault data was seized.

LastPass is among numerous cloud-based password management services that allow individuals and enterprise users to store their encrypted passwords in an online vault to provide single sign-on to Web sites and mobile application services. I have used the LastPass service for several years and have found it useful in an age where we have scores of passwords to remember. The inherent risk of using a password vault service such as LastPass is if your master password is compromised, every site you have registered is at risk as well.  The LastPass breach is the latest evidence that passwords are indeed hard to protect, even by experts

Founder and CEO Joe Siegrist said he has confidence in the encryption methods LastPass uses to protect passwords. "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side," he wrote a blog post announcing the breach yesterday. "This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

If you're willing to accept that your passwords are still safe, the fact that password reminders were stolen, they could be used in targeted attacks, Columbia University computer science professor Steve Bellovin told Brian Krebs in his KrebsonSecurity news site. The bottom line is that users should change their master passwords.

The breach hasn't made me decide to stop using LastPass but it does make me look forward to a day when biometric or the common use of two-factor authentication replaces the use of passwords, even though that comes with its own baggage.

 

Posted by Jeffrey Schwartz on 06/16/2015 at 11:09 AM


Featured

  • How To Enable Guest Access for Office 365

    While it's possible to give outside users access to certain content in your organization's Office 365 environment, the process of setting them up requires a few extra steps.

  • Microsoft Now Supports OpenSSH in Windows Server 2019

    Microsoft announced on Tuesday that the OpenSSH solution used for remote management is now a supported "Features on Demand" addition in both Windows 10 version 1809 and Windows Server 2019.

  • Microsoft's December Security Patches Includes Fixes for Two Active Exploits

    Microsoft ended the patch year on Tuesday with a whimper of sorts, releasing an estimated 39 security fixes in its December bundle plus one security advisory, according to a count by Trend Micro's Zero Day Initiative.

  • Microsoft Edge Browser To Get New Rendering Engine but EdgeHTML Continues

    Microsoft isn't exactly killing off its EdgeHTML rendering engine, even after declaring plans to use Chromium open source technologies in its Edge browser.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.