The Schwartz Report

Blog archive

LastPass Breach Again Underscores Weakness of Passwords

The popular password management service LastPass disclosed yesterday that it discovered "suspicious activity" on its network in which e-mail addresses, password reminders and authentication hashes were breached, though the company said it doesn't believe encrypted user vault data was seized.

LastPass is among numerous cloud-based password management services that allow individuals and enterprise users to store their encrypted passwords in an online vault to provide single sign-on to Web sites and mobile application services. I have used the LastPass service for several years and have found it useful in an age where we have scores of passwords to remember. The inherent risk of using a password vault service such as LastPass is if your master password is compromised, every site you have registered is at risk as well.  The LastPass breach is the latest evidence that passwords are indeed hard to protect, even by experts

Founder and CEO Joe Siegrist said he has confidence in the encryption methods LastPass uses to protect passwords. "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side," he wrote a blog post announcing the breach yesterday. "This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

If you're willing to accept that your passwords are still safe, the fact that password reminders were stolen, they could be used in targeted attacks, Columbia University computer science professor Steve Bellovin told Brian Krebs in his KrebsonSecurity news site. The bottom line is that users should change their master passwords.

The breach hasn't made me decide to stop using LastPass but it does make me look forward to a day when biometric or the common use of two-factor authentication replaces the use of passwords, even though that comes with its own baggage.

 

Posted by Jeffrey Schwartz on 06/16/2015 at 11:09 AM


Featured

  • SameSite Cookie Changes Rolled Back Until Summer

    The Chromium Project announced on Friday that it's delaying enforcement of SameSite cookie changes, and is temporarily rolling back those changes, because of the COVID-19 turmoil.

  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

  • Azure Edge Zones Hit Preview

    Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.