Password site LastPass warns of data breach

LastPass was successfully attacked last Friday. The company claims that your passwords should be safe. Nevertheless, they are requesting you to update your master passwords.
Written by Steven Vaughan-Nichols, Senior Contributing Editor
Adding insult to injury, after the LastPass site was hacked, it's proving almost impossible to update LastPass master passwords.

Even LastPass, a cloud-based password security site, isn't immune to data breaches.

The company's chief executive Joe Siegrist said in a blog post that account email addresses, password reminders, per-user server salts, and authentication hashes were compromised.

But, he said, the company has "found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed."

As for the stolen data, Siegrist wrote:

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side [Password-Based Key Derivation Function with Secure Hash Algorithm] PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

PBKDF2-SHA256 is a key-derivation function that runs SHA-256 over the password and a salt tens of thousands of times. It doesn't make a weak master password strong; it makes every guess an attacker tries cost that much more computation, which slows a brute-force or dictionary attack in proportion to the number of rounds. It's also used on your PC or other device to turn your master password into the key that encrypts your vault.

That sounds good, but it's not good enough. With a weak master password, you're still in danger. LastPass recommends that users with weak master passwords change them immediately, and also change that password on any other sites where it was reused.
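As an added example (not LastPass's code, and not part of the original article), here is a small Python model of the two-stage PBKDF2-SHA256 scheme Siegrist describes, with an offline dictionary attack run against one stolen record. The 100,000 server-side rounds come from the post; the 5,000 client-side rounds, the use of the account e-mail as the client-side salt, the sample accounts and the wordlist are assumptions made for illustration.

```python
"""Model of the two-stage PBKDF2 scheme described in the breach post.

Added example, not LastPass's code. The client-side iteration count, the
choice of e-mail as client salt and the sample wordlist are assumptions made
for illustration; only the 100,000 server-side rounds come from the post.
"""
import hashlib
import os
import time
from typing import Iterable, Optional, Tuple

CLIENT_ROUNDS = 5_000      # assumed client-side count for this example
SERVER_ROUNDS = 100_000    # figure quoted in Siegrist's post

# Constructed sample wordlist: the "single word passwords" LastPass warned about.
WORDLIST = ["password", "letmein", "iloveyou", "dragon", "sunshine", "monkey", "welcome"]


def client_derive(master_password: str, email: str,
                  rounds: int = CLIENT_ROUNDS) -> Tuple[bytes, bytes]:
    """Client side. Returns (vault_key, login_hash).

    The vault key stays on the device and decrypts the vault. The login hash
    is one more PBKDF2 round keyed by the vault key, so the server (and anyone
    who steals its database) only ever sees a value derived from the key.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), rounds, dklen=32)
    login_hash = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1, dklen=32)
    return vault_key, login_hash


def server_strengthen(login_hash: bytes, per_user_salt: bytes,
                      rounds: int = SERVER_ROUNDS) -> bytes:
    """Server side: the stored authentication hash, i.e. what was stolen."""
    return hashlib.pbkdf2_hmac("sha256", login_hash, per_user_salt, rounds, dklen=32)


def enroll(master_password: str, email: str) -> dict:
    """Build the server-side record (e-mail, per-user salt, auth hash) for a user."""
    _, login_hash = client_derive(master_password, email)
    salt = os.urandom(16)
    return {"email": email, "salt": salt,
            "auth_hash": server_strengthen(login_hash, salt)}


def crack_record(record: dict, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing against one stolen record.

    Every guess must repeat the client rounds plus the 100,000 server rounds,
    which is exactly the cost PBKDF2 is there to impose. Returns the recovered
    password (or None) and the number of guesses spent.
    """
    tried = 0
    for candidate in candidates:
        tried += 1
        _, login_hash = client_derive(candidate, record["email"])
        if server_strengthen(login_hash, record["salt"]) == record["auth_hash"]:
            return candidate, tried
    return None, tried


def seconds_per_guess(record: dict, samples: int = 5) -> float:
    """Rough cost of one guess on this machine, for a time-to-crack estimate."""
    start = time.perf_counter()
    for i in range(samples):
        _, h = client_derive(f"probe{i}", record["email"])
        server_strengthen(h, record["salt"])
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    weak = enroll("sunshine", "alice@example.com")                  # dictionary word
    strong = enroll("glacier-violin-ember-tuesday-93", "bob@example.com")
    per_guess = seconds_per_guess(weak)
    print(f"one guess costs about {per_guess * 1000:.0f} ms here")
    print("weak record:  ", crack_record(weak, WORDLIST))    # ('sunshine', 5)
    print("strong record:", crack_record(strong, WORDLIST))  # (None, 7)
    # What a 10-character random lowercase password would cost at this rate:
    print(f"26**10 guesses ~ {26**10 * per_guess / 3.15e7:.0f} years on one core")
```

Running it puts numbers on the two points above: each guess costs the attacker the full client plus server PBKDF2 work (tens of milliseconds of CPU time on an ordinary machine), which is why a random password of any real length is out of reach, yet a single dictionary word falls in a handful of guesses because stretching does nothing for a tiny search space. Note also what a cracked record hands over: the master password, from which the attacker can derive the vault key as well as the login hash, which is why changing a weak master password now, rather than waiting to see whether vault data ever leaks, is the advice that matters.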

So what is a "weak password"? In the discussion section on the breach announcement, one LastPass employee explained that it's typically "single word passwords," like a name or anything that you would find in an English dictionary.

"If it's a password you ever used on another website, even a slight variation, it's also important to update it," the staffer said.

I'd go further. Reset your LastPass master password now -- no matter how strong you think it is. With LastPass, or any other password management system, once someone has your master password, all your other passwords -- social networks, work, banks, you name it -- are ripe for the taking.

To further protect your passwords, LastPass is "requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multi-factor authentication enabled," the blog post read.

"As an added precaution, we will also be prompting users to update their master password," Siegrist added.

LastPass doesn't think you'll need to change your site passwords. That's because your encrypted user data was not taken. Therefore, unless your master password was cracked, "you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account."

Many LastPass users are ticked off that this attack happened on Friday, but they weren't told about it until Monday. (This wasn't the first time that LastPass has been successfully attacked. In 2011, LastPass went into lockdown mode rather than take a chance of losing data.)

Indeed, numerous LastPass users still haven't received e-mail notices. Many users have only found out about the hack from online sites instead of from the company.

In addition, LastPass servers are over-loaded. Some people aren't getting past the "reset your password" page. Others made it a bit farther and are getting messages such as: "Oops! Our servers are a bit overloaded right now. Please try your password change again shortly, we will catch up soon."

That's not good enough on LastPass's part, but it's worth trying again. Yes, cracking a PBKDF2-SHA256-protected hash isn't easy, but with a weak password and enough time and computing power it can be done.

LastPass' reputation has taken a battering. I hope it's just its reputation, and not its users' accounts, that end up being hurt.
