Bank robber Willie Sutton was famous for a phrase he never uttered. When asked why he robbed banks, so goes the urban legend, he replied, "because that is where the money is."
That is one phrase that might define last week's revelation of a LastPass hack. Passwords are a valuable commodity these days given that their creators tend to use the same one across multiple sites. Reuse gives hackers the chance to replay stolen passwords at valuable sites like, well, banks.
Passwords, however, must be even more valuable to hackers when stored in plain text in a vault along with the URL of the corresponding site. LastPass, and other password managers, may indeed be the hacker's modern day place where the money is.
Last year, Dropbox reported six million user accounts were compromised and hackers were using login data collected during other breaches at other sites as one of their tools. A similar password reuse attack happened at Best Buy in 2012.
Stealing passwords is only the hacker's Step 1. It is Step 2, finding other sites and replaying those credentials, that is made easier when breaking into a password vault.
Perhaps that's what the LastPass hackers had in mind. It's the "two birds and one stone" approach.
The hacker advantage is timing. In the Best Buy example, company officials theorized the original hack had happened a year before Best Buy was attacked. In the LastPass incident, Step 2 could be almost instantaneous if password vaults were cracked.
Thankfully, experts are chiming in that LastPass has done its homework in protecting the valuable password assets it stores within its systems.
According to LastPass CEO and Founder, Joe Siegrist, "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side." That might not mean much to the casual LastPass user, but anything that has to be done 100,000 times over for every guess implies it should be good for security.
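The layered scheme Siegrist describes, written out as an added example in Python with the standard library (this is illustrative code, not LastPass's own): the client derives an authentication hash with PBKDF2-SHA256, and the server then re-strengthens that hash with a random salt and 100,000 further rounds before storing it. The client-side round count and the use of the account email as the client-side salt are assumptions for the example; only the server-side count of 100,000 comes from the article.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: the client-side round count is illustrative only.
CLIENT_ROUNDS = 5_000
# From the article: 100,000 rounds of server-side PBKDF2-SHA256.
SERVER_ROUNDS = 100_000


def client_side_hash(master_password: str, email: str) -> bytes:
    """Derive the authentication hash on the user's device.

    Only this derived value is sent to the server; the master password
    itself never leaves the client. Assumption: the lowercased account
    email serves as the client-side salt.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"),
        email.lower().encode("utf-8"), CLIENT_ROUNDS,
    )


def server_side_store(auth_hash: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Strengthen the received hash with a random salt and 100,000 more rounds.

    Returns (salt, stored_hash); both are persisted, the salt in the clear.
    A per-user random salt means a leaked table cannot be attacked with one
    precomputed dictionary for every account.
    """
    if salt is None:
        salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_side_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute the server-side derivation and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    auth = client_side_hash("correct horse battery staple", "User@example.com")
    salt, stored = server_side_store(auth)
    print("login ok:", server_side_verify(auth, salt, stored))
    wrong = client_side_hash("password123", "User@example.com")
    print("wrong password rejected:", not server_side_verify(wrong, salt, stored))
```

Every verification, legitimate or a cracker's guess, has to pay for all the client-side and server-side rounds, which is the cost the 100,000 figure buys.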
What success would Willie Sutton have enjoyed if every bank had 100,000 locks or 100,000 doors or 100,000 walls he had to get past?
Passwords have become a commodity to be collected and traded in the dark corners of the Web. Without a zero-liability framework like credit cards employ, the risk matrix for stolen passwords typically is two words: user screwed.
And it appears that will continue for some time. The IBM X-Force Threat Intelligence Quarterly released in March said users with predictable or weak passwords, and passwords reused across the Internet and the enterprise, continue to be fertile ground for launching data breaches.
The report says the millions of email addresses and plain-text passwords collected by hackers over the years are the starting points for compromising new sites.