BreachExchange mailing list archives

Hack Brief: Password Manager LastPass Got Breached Hard


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 15 Jun 2015 17:30:13 -0600

http://www.wired.com/2015/06/hack-brief-password-manager-lastpass-got-breached-hard

Experts recommend password managers like LastPass as the easiest way to
generate unique, strong security codes for every one of your online
accounts—which sounds great, until that password manager itself is cracked,
potentially offering attackers access to all the accounts it was designed
to protect.

The Hack

On Monday password manager service LastPass admitted it had been the target
of a hack that accessed its users’ email addresses, encrypted master
passwords, and the reminder words and phrases that the service asks users
to create for those master passwords.

Who’s Affected

The company says the cryptographic protections it has in place on those
master passwords—which include “hashing” and “salting” functions designed
to make cracking the underlying passwords nearly impossible—are enough to
protect almost all of its users. But those with simple passwords or ones
reused from other sites could still be vulnerable. “We are confident that
our encryption measures are sufficient to protect the vast majority of
users,” LastPass CEO Joe Siegrist wrote in a note to customers.
“Nonetheless, we are taking additional measures to ensure that your data
remains secure, and users will be notified via email.”

Those additional measures include resetting master passwords and requiring
people to verify themselves by email when they log in from a new device,
unless they use two-factor authentication. If you don’t already use
two-factor authentication on your password manager, you probably should.

How Serious Is This?

That depends. The severity of this latest LastPass hack—the first it’s
experienced since it admitted to an earlier possible breach in 2011—is
contingent on both the strength of a person’s master password and how long
the breach went undetected. Given the encryption that LastPass describes, a
strong, truly random master password is likely safe, says Joseph Bonneau, a
Stanford cryptography researcher who’s focused on password security.

But “this is still pretty bad,” says Bonneau, particularly for users with
weak passwords that are vulnerable to guessing. “If they can brute force
any master passwords, the attackers could extract password vaults and
decrypt them for lots of users or some high value targets.”
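The two ideas above, the “hashing and salting” that LastPass says protects stored master passwords and Bonneau’s point that only weak passwords are realistically brute-forceable once the hashes leak, can be made concrete with a small worked example. The code below is added here and is not from the article or from LastPass; it assumes PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt and 100,000 iterations (assumed parameters, not LastPass’s actual ones), and uses an assumed guessing rate purely to illustrate how password length and character set drive the cost of an exhaustive search of a leaked hash.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Assumed key-derivation parameters (illustrative, not LastPass's real settings).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_master_password(password: str, salt: Optional[bytes] = None,
                         iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) for storage.

    A fresh random salt per user means identical passwords produce different
    stored values, so one precomputed table cannot be reused across users.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived


def verify_master_password(password: str, salt: bytes, expected: bytes,
                           iterations: int = ITERATIONS) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, derived = hash_master_password(password, salt, iterations)
    return hmac.compare_digest(derived, expected)


def guesses_to_exhaust(charset_size: int, length: int) -> int:
    """Number of candidates an attacker must try to cover every password
    of the given length drawn uniformly from a charset of that size."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def years_to_exhaust(guesses: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a given guessing rate.
    Each guess costs a full PBKDF2 run, which is what the iteration count buys."""
    return guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample: store and check one master password.
    salt, stored = hash_master_password("correct horse battery staple")
    print("verify correct:", verify_master_password("correct horse battery staple", salt, stored))
    print("verify wrong:  ", verify_master_password("password123", salt, stored))

    # Assumed offline guessing rate for a salted, iterated hash (illustrative only).
    rate = 1_000_000
    for label, charset, length in [("6 lowercase letters", 26, 6),
                                   ("8 mixed-case + digits", 62, 8),
                                   ("16 printable ASCII", 95, 16)]:
        g = guesses_to_exhaust(charset, length)
        print(f"{label}: {entropy_bits(charset, length):.1f} bits, "
              f"{years_to_exhaust(g, rate):.3g} years to exhaust at {rate:,} guesses/s")
```

Running it shows the asymmetry the article describes: the salt stops attackers amortising work across many leaked hashes, the iteration count makes every single guess expensive, and yet a short, low-entropy master password is still exhausted quickly, while a long random one is out of reach at any plausible rate.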

LastPass says it detected the attack on Friday, just days before it reset
users’ passwords, required email verification, and alerted law enforcement
and security forensics experts. But if the attack had persisted for any
period of time undetected before that, it’s possible that even stronger
master passwords could have been compromised, Bonneau says. Right now, we
just don’t know how long the hack lasted. “It really depends on how quickly
[Lastpass] discovered this, and we don’t have any information on that,”
Bonneau says.

The incident, says Bonneau, should serve as a reminder that anyone who
relies on a password manager for their online security should make that
master password as long and random as possible. “It’s really important when
you use a master password that password be really strong,” says Bonneau.
“At the end of the day, that’s the only safe way to use this kind of
password vault.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 