LastPass is a very popular app designed to improve users’ online security by storing and managing their passwords for them. By freeing users from the need to remember a different memorable password for each important web site and service they use, password managers make a valuable contribution to users’ security when using the internet.
LastPass has now announced that its servers have been hacked,
‘We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.’
Unsurprisingly, LastPass is keen to downplay the issue, and notes that the stolen authentication hashes were heavily strengthened before being stored,
‘We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.’
This last part is important, because with ‘account email addresses, password reminders, server per user salts, and authentication hashes,’ the hackers have everything needed to guess master passwords offline: try a candidate password, run it through the same client-side and server-side hashing, and compare the result to the stolen hash. Two things slow this down. The random per-user salt means each account must be attacked separately (a hash computed for one user cannot be reused against another, so precomputed tables are useless), and the 100,000 server-side PBKDF2 rounds on top of the client-side rounds make every single guess expensive. That protects users with long, random master passwords, but a weak master password, especially one whose ‘password reminder’ all but spells it out, can still be recovered with a modest wordlist.
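To make the trade-off concrete, here is an added example (not code from the article or from LastPass) that models the two-stage scheme described in the statement: client-side PBKDF2-SHA256 rounds, then 100,000 server-side PBKDF2-SHA256 rounds over a random per-user salt. The client-side iteration count of 5,000 and the use of the e-mail address as the client-side salt are assumptions for illustration, as is the simplified ‘offline guessing’ routine; none of this is LastPass’s actual implementation. It shows why the per-user salt forces a per-account attack, and why a weak master password still falls to a short, reminder-driven wordlist.

```python
import hashlib
import hmac
import secrets
import time

# Simplified model of the hashing described in LastPass's statement.
# ASSUMPTIONS (not LastPass's real code): 5,000 client-side rounds with the
# e-mail address as salt; the server then applies 100,000 PBKDF2-SHA256
# rounds over a random 16-byte per-user salt and stores the result.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
DKLEN = 32


def client_hash(email: str, master_password: str) -> bytes:
    """Value the client sends at login: PBKDF2-SHA256(master, salt=email)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS, DKLEN
    )


def server_strengthen(auth_value: bytes, per_user_salt: bytes) -> bytes:
    """Value the server stores: PBKDF2-SHA256 over the client value with a random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", auth_value, per_user_salt, SERVER_ROUNDS, DKLEN)


def enroll(email: str, master_password: str):
    """Create the (salt, stored_hash) record an attacker would steal from the server."""
    salt = secrets.token_bytes(16)
    return salt, server_strengthen(client_hash(email, master_password), salt)


def verify(email: str, master_password: str, salt: bytes, stored: bytes) -> bool:
    """Server-side login check; constant-time compare so the check itself leaks nothing."""
    candidate = server_strengthen(client_hash(email, master_password), salt)
    return hmac.compare_digest(candidate, stored)


def offline_guess(email: str, salt: bytes, stored: bytes, candidates):
    """Attacker with the stolen (email, salt, hash) tries each candidate password.

    Returns (password, guesses_made) on success or (None, guesses_made) on failure.
    Every guess costs CLIENT_ROUNDS + SERVER_ROUNDS PBKDF2 iterations, and the
    salt ties the work to this one account.
    """
    for n, guess in enumerate(candidates, 1):
        if hmac.compare_digest(server_strengthen(client_hash(email, guess), salt), stored):
            return guess, n
    return None, len(candidates)


def reminder_wordlist(reminder: str):
    """Constructed example of how a leaked 'password reminder' shrinks the search space."""
    base = reminder.split()[-1].strip("'\".")  # e.g. "my cat's name Fluffy" -> "Fluffy"
    return [base, base.lower(), base + "1", base + "123", base + "!"]


if __name__ == "__main__":
    # Constructed sample account with a weak master password and a revealing reminder.
    email, weak_pw, reminder = "alice@example.com", "Fluffy1", "my cat's name Fluffy"
    salt, stored = enroll(email, weak_pw)

    t0 = time.perf_counter()
    found, guesses = offline_guess(email, salt, stored, reminder_wordlist(reminder))
    per_guess = (time.perf_counter() - t0) / guesses
    print(f"recovered {found!r} after {guesses} guesses, ~{per_guess*1000:.0f} ms per guess")

    # Same password, different user: a different salt gives an unrelated hash,
    # so nothing learned about alice's hash carries over to bob's.
    salt_b, stored_b = enroll("bob@example.com", weak_pw)
    print("same password, same stored hash?", stored == stored_b)
```

The per-guess time printed on a laptop is tens of milliseconds in pure Python with OpenSSL’s PBKDF2; GPU rigs are faster but still bound by 100,000 sequential SHA-256 iterations per guess, which is the point of the server-side stretching. Note that the defence only buys time for passwords that are not on the attacker’s short list; a reminder that names the password defeats it outright.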
As Chris Boyd from Malwarebytes noted in an email to the press,
‘The biggest cause for concern in the immediate aftermath of the LastPass breach is ‘easy to guess’ password reset questions and password reuse across multiple websites.’
LastPass recommends that all users change their master password (not their individual site passwords), and turn on two-factor authentication (2FA) for extra security.
It should be noted that this is not the first time LastPass has been hacked, as it suffered a similar incident four years ago.
Boyd notes that, despite the security breaches, using a password manager is still preferable to the insecure alternatives,
‘Many of those affected could say ‘Enough is enough’ and go back to storing passwords on the desktop. While that works for some people, too many would probably fail to consider the security risks brought on by such actions.’
While this is true, we will point out that users of KeePass are not exposed to a breach of this kind, as their encrypted database, and the clues needed to open it (e.g. master password hints), are not held on any central server that could be hacked, while still being very securely stored. The caveat is that the local database file must itself be protected: if an attacker obtains the file, it can be attacked offline in the same way, and a weak master password will fall just as quickly.
Source – https://www.bestvpn.com/blog/21062/lastpass-password-manager-gets-hacked/