In what must be the realisation of the biggest fear of any online password management service, LastPass has been the victim of a hack – or as the company puts it, “suspicious activity” on its network.
The company, which offers a service that takes care of all the user’s various online passwords, issued a security advisory to say that last Friday, the activity was detected and subsequently blocked.
LastPass stated that after having investigated the intrusion, it found no actual user accounts had been accessed, and no encrypted user data had been pilfered.
However, other data was compromised, namely account email addresses and password reminders, as well as authentication hashes.
The firm noted: “We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
LastPass users will need to change their master password (not the passwords stored in their LastPass vault), and the company will be sending out emails to this effect – it says you don’t need to update your master password until you receive the message (but we can’t see what harm that would do, of course).
The service will also be instigating a second line of protection, whereby access to an account from any new device or IP address will require verification by email, just in case an attacker does manage to crack an account.
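To make the two defensive measures described above concrete, here is an added example (not LastPass's own code, and not taken from the advisory) that models both the strengthened authentication hash and the new-device email check. The server-side part follows the statement quoted earlier: a random per-account salt and 100,000 rounds of PBKDF2-SHA256 applied on top of a hash already stretched on the client. Everything else is an assumption made for illustration: the client-side round count (5,000), the use of the lowercased email address as the client-side salt, the `(device_id, ip)` pair as the identity of a "device", and the way email verification is signalled to `login()`. The sample credentials are constructed.

```python
import hashlib
import hmac
import os
import time

# Assumed client-side iteration count; the advisory only says rounds are
# "performed client-side" without giving a number.
CLIENT_ROUNDS = 5_000
# Server-side rounds as stated in the LastPass advisory.
SERVER_ROUNDS = 100_000


def client_derive(email: str, master_password: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side stretching. The master password itself never leaves the device;
    only this derived value is sent to the server. Using the lowercased email as
    the salt here is an assumption of this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def server_strengthen(client_hash: bytes, salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side strengthening: a second PBKDF2-SHA256 pass with a random salt.
    An attacker holding the stored hash must repeat all client AND server rounds
    for every guess, which is what makes bulk guessing slow."""
    return hashlib.pbkdf2_hmac("sha256", client_hash, salt, rounds)


def enroll(email: str, master_password: str) -> dict:
    """Create the server-side record for a new account. Only the salt, the
    round count and the doubly-stretched hash are stored, never the password."""
    salt = os.urandom(16)  # fresh random salt per account
    stored = server_strengthen(client_derive(email, master_password), salt)
    return {
        "email": email,
        "salt": salt,
        "rounds": SERVER_ROUNDS,
        "stored_hash": stored,
        "known_devices": set(),  # (device_id, ip) pairs that have passed email verification
    }


def verify_password(record: dict, email: str, master_password: str) -> bool:
    """Recompute the full chain and compare in constant time."""
    candidate = server_strengthen(client_derive(email, master_password), record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["stored_hash"])


def login(record: dict, email: str, master_password: str,
          device_id: str, ip: str, email_verified: bool = False) -> str:
    """Second line of defence from the article: a correct password from a device
    or IP address the account has not seen before is not enough on its own.
    Returns "denied", "verify_email" or "ok". How the verification outcome is
    delivered (here: the email_verified flag) is an assumption of this example."""
    if not verify_password(record, email, master_password):
        return "denied"
    device = (device_id, ip)
    if device in record["known_devices"]:
        return "ok"
    if email_verified:
        record["known_devices"].add(device)  # remember the device after a successful email check
        return "ok"
    return "verify_email"


def seconds_per_guess(record: dict, email: str) -> float:
    """Defender's view of the work factor: wall-clock cost of testing one
    candidate password against a stolen record on this machine."""
    start = time.perf_counter()
    verify_password(record, email, "not-the-real-password")
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample account for demonstration only.
    rec = enroll("alice@example.com", "correct horse battery staple")
    print("password ok:", verify_password(rec, "alice@example.com", "correct horse battery staple"))
    print("first login from new device:", login(rec, "alice@example.com", "correct horse battery staple", "laptop-1", "203.0.113.5"))
    print("after email verification:", login(rec, "alice@example.com", "correct horse battery staple", "laptop-1", "203.0.113.5", email_verified=True))
    print("same device again:", login(rec, "alice@example.com", "correct horse battery staple", "laptop-1", "203.0.113.5"))
    print(f"cost of one guess on this machine: {seconds_per_guess(rec, 'alice@example.com'):.3f}s")
```

Two properties are worth noticing when running it. Enrolling the same password twice yields different stored hashes because the salt is random, so a leaked record cannot be matched against precomputed tables or against other users' records. And because the stored value is the output of both stretching stages, the email address and authentication hash alone (the data the article says was taken) do not let anyone log in; they only give a starting point for guessing, at a cost of 105,000 SHA-256-based rounds per guess.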
As ever, if you’ve reused your master password for LastPass on any other online service (that you don’t have covered by the password management system itself, of course), then you should change that also.
This is obviously a worrying development for those who use LastPass, and we could possibly see some defection to rivals such as Dashlane. The truth is though, this is just a reminder that any online service, even a security one, can be hit by hackers.
UPDATE: Geoff Webb, vice president of solution strategy at NetIQ, commented: “While the breach at LastPass will probably not cause significant problems for their users (provided they change their master password as advised) it does underline the broader issue with authentication and the use of passwords as a single point of identification.”
“However the system is implemented, using a password alone ultimately places the totality of our trust in the authentication method in a single factor - in one piece of information that is used to prove we are who we say we are. This is still, and will always be, the weakest link in the chain and so it's not surprising that attackers focus on it. Whether it's an attack aimed at a service like this, or simply working to identify users with weak, multi-use passwords, attackers know that successfully gaining access to an account is usually just one password away.”
“We are at the end of the useful lifespan of the password as the sole method of authenticating who we are - the more complex interactions we undertake online, and the sheer volume of services we work with, now mean we must use an approach that is more sophisticated if we want to stay secure and keep our information private.
"Whether the right answer is using tokens, smartphones, biometrics, behavioural indicators, or some mixture of them all, will depend greatly on the sensitivity of the information or service being secured, but whatever it is, simply relying on a user to think up, and remember a sufficiently secure password is not going to be enough anymore."
UPDATE: Jason Goode, managing director EMEA at Ping Identity, comments: "Yet again, we are increasingly seeing how passwords are simply no longer fit for purpose in the age of the mass hack. The safest place to store a password is in our heads, but this simply isn’t practical when we have to juggle multiple passwords for multiple websites.
"It is no wonder that many suffer from password amnesia. The future for secure and seamless authentication must be multi-factored and tailored to the user. Two-factor authentication that centres on a user’s identity is the key to bolstering online security - the industry is already making strides in harnessing this technology, whether it's logging onto your smartphone or tablet with fingerprints, heartbeat sensors - even emojis.
"The key is remembering that identity must be at the heart of the login process to ensure the safety and security of personal and indeed corporate data."