
Password management firm LastPass admits hack – but says password vault safe

LastPass admits system breach, but says it is confident its encryption measures are sufficient to protect users of its online password management service

Password management service LastPass has issued a security notice that its network has been breached – but claims no encrypted user vault data was taken, nor accounts accessed.

However, the notice said LastPass account email addresses, password reminders, server per-user salts (see below) and authentication hashes were compromised.

“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Joe Siegrist said in a blog post.

Passwords salted, hashed and stretched

According to security expert Paul Ducklin, LastPass does a good job of storing its password representations because passwords are salted, hashed and stretched, and only ever stored in that scrambled, irreversible form.

“Salting is where you add some random nonsense to the actual password text. So even if two users pick the same password, their password representations end up different. Hashing is where you scramble the salted password cryptographically and store the one-way scrambled version only. Stretching is where you deliberately re-run the hashing part over and over again before storing the representation, to slow an attacker down,” he wrote in a blog post.

According to the security notice, LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.

“This additional strengthening makes it difficult to attack the stolen hashes with any significant speed,” the security notice said.

LastPass prompt to notify users

However, LastPass said all users who log in from a new device or IP address will be required to verify their account by email if they do not have multifactor authentication enabled.

The company also plans to send all users an email about the breach, prompting them to change their master passwords.

“You do not need to update your master password until you see our prompt. However, if you have re-used your master password on any other website, you should replace the passwords on those other websites,” the security notice said.

LastPass said there is no need to change any passwords stored in the LastPass vault because encrypted user data was not taken, but the company recommends enabling multifactor authentication for added protection.

LastPass enables users to choose from a variety of second-factor authentication methods, including USB keys like YubiKey and Sesame as well as biometric authentication methods.

The company said it is working with the authorities and security forensic experts.

Independent security consultant Graham Cluley said LastPass users should be careful with any email they receive from LastPass.

He pointed out that the compromise of account email addresses presents an opportunity for phishers and identity thieves to commit email-based attacks posing as LastPass.

Security in depth with password managers

“As always, don't panic. The sky is not falling. Take sensible steps to better secure your account - LastPass's advice is good,” he wrote in a blog post.

Cluley said he hoped LastPass will eventually be able to share more information about precisely what happened and reassure customers that it will not happen again.

He noted that LastPass had been hacked before. “In 2011, I was impressed with how LastPass responded when it noticed that hackers had managed to access data on its servers,” he said.

Other commentators have praised LastPass for not covering up the latest breach and instead alerting customers so they can keep an eye on their accounts for any unusual activity.

Security experts generally recommend the use of password managers like LastPass because they help address the fact that passwords tend to be weak.

Password managers enable users to create strong, complex and unique passwords for every online account, while only needing to remember one master password.