The Schwartz Report

LastPass Breach Again Underscores Weakness of Passwords

The popular password management service LastPass disclosed yesterday that it discovered "suspicious activity" on its network in which e-mail addresses, password reminders and authentication hashes were breached, though the company said it doesn't believe encrypted user vault data was seized.

LastPass is among numerous cloud-based password management services that allow individuals and enterprise users to store their encrypted passwords in an online vault to provide single sign-on to Web sites and mobile application services. I have used the LastPass service for several years and have found it useful in an age where we have scores of passwords to remember. The inherent risk of using a password vault service such as LastPass is that if your master password is compromised, every site you have registered is at risk as well. The LastPass breach is the latest evidence that passwords are indeed hard to protect, even by experts.

Founder and CEO Joe Siegrist said he has confidence in the encryption methods LastPass uses to protect passwords. "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side," he wrote in a blog post announcing the breach yesterday. "This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

Even if you're willing to accept that your passwords are still safe, the password reminders that were stolen could be used in targeted attacks, Columbia University computer science professor Steve Bellovin told Brian Krebs on his KrebsOnSecurity news site. The bottom line is that users should change their master passwords.

The breach hasn't made me decide to stop using LastPass, but it does make me look forward to a day when biometrics or the common use of two-factor authentication replaces the use of passwords, even though that comes with its own baggage.

 

Posted by Jeffrey Schwartz on 06/16/2015 at 11:09 AM

