LastPass was hacked: Here's what you have to do

LastPass put enough layers of security on your password vault that this breach isn't the end of the world. (But you should still change your master password.)


The password-storage maker LastPass announced the worst possible news for a company in its business on Monday: its password database was breached and user account information stolen. Because LastPass allows central storage and synchronization of your data store--the "vault" of passwords and other information you use with its app and website--someone being able to suss out your master password would seemingly have access to all your secrets.

Fortunately, LastPass seems to have employed enough layers of security in the right way that even this scale of failure shouldn't rebound on you. Let's review what risk you're exposed to if you're a LastPass user, and what steps you should take to reduce those.

Round and round we go

Early password-storage software on desktops and smartphones was hampered by both the low computational power available and implementation issues. In a report in 2012, digital forensic software firm Elcomsoft found flaws in 17 smartphone password-management apps, some severe. (Some of those problems were mirrored in desktop versions, too.) That report spurred fixes and development, and companies became smarter or more thorough. That paid off in this breach.

Passwords have to be stored in a manner in which they can't easily be recovered, whether in an operating system, for a website, or for protecting an app's data storage. Every kind of system that uses a password for authentication or access employs a one-way process--unless the outfit running it is negligent.

Many websites almost certainly still use a simple method. They take your password, run it through what's called a hashing algorithm that performs intensive mathematical operations on it, and produces a result (a "hash") that can't be reversed: knowing the hash doesn't reveal the original password.

Whenever you log in, your password isn't checked against a stored password. Rather, the site or service runs whatever you entered through the same hashing process and tests the result against the stored hash. If your freshly entered text, when hashed, matches the previously calculated one, you're legit.

When ne'er-do-wells steal password files, they don't immediately get access to passwords. They need to perform cracking operations, working their way through common passwords (based on many large previous public thefts) and into common words and combinations. Crackers don't go through every possible combination; they pick the most likely ones first. For instance, if asked to enter a word with mixed case, a number, and punctuation, people are more likely to enter Apple1! than ec7*JH43(k; crackers now follow these sorts of paths to harvest more results.

A well-equipped desktop PC with a high-end graphics card (or several) can churn through billions of password tests per second--yes, per second. Companies like LastPass build in layers of protection to slow them down.

First, LastPass uses a "salt," which is text that's combined with a password so that when it's hashed, all of the identical passwords for user accounts have different hashes. "aa" + "Apple1!" is very different when hashed than even "aA" + "Apple1!".

Second, the company uses an algorithm that doesn't just hash once, but many times. The default for LastPass on the client side--in a native or Web app--is 5,000 rounds.

Third, when you log into LastPass on the website or via a sync client, the password still isn't sent. Instead, your locally hashed password is sent in that form to the server, where it's run through another 100,000 rounds.
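The three layers just described (a per-user salt, thousands of client-side rounds, and a further 100,000 server-side rounds over the value the client sends) can be shown end to end in a few lines. The following is an added example, not LastPass's own code: it assumes PBKDF2 with SHA-256 as the iterated hash, the lower-cased email address as the client-side salt, and a random 16-byte per-user salt on the server side. None of those specifics are stated in the article; they are illustrative choices.

```python
import hashlib
import hmac
import os

# Round counts quoted in the article. The hash function and salts below are
# assumptions for illustration, not LastPass's documented scheme.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_hash(email: str, master_password: str) -> bytes:
    """Client side: stretch the master password with the user's email as salt.
    Only this value ever leaves the device; the master password does not."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_hash(client_value: bytes, server_salt: bytes) -> bytes:
    """Server side: stretch the received value again with a per-user random salt.
    A stolen copy of the result costs an attacker both round counts per guess."""
    return hashlib.pbkdf2_hmac("sha256", client_value, server_salt, SERVER_ROUNDS)


def enroll(email: str, master_password: str, rng=os.urandom) -> dict:
    """Create the record the server stores. 'rng' is injectable so tests can be
    deterministic; in production it must be os.urandom."""
    salt = rng(16)
    return {
        "email": email.lower(),
        "server_salt": salt,
        "verifier": server_hash(client_hash(email, master_password), salt),
    }


def verify(record: dict, email: str, attempt: str) -> bool:
    """Recompute both layers for the login attempt and compare in constant time."""
    candidate = server_hash(client_hash(email, attempt), record["server_salt"])
    return hmac.compare_digest(candidate, record["verifier"])


def same_password_same_verifier(email_a: str, email_b: str, password: str) -> bool:
    """Constructed check for the salt argument: two users with the identical
    password must NOT end up with identical stored values."""
    rec_a = enroll(email_a, password)
    rec_b = enroll(email_b, password)
    return rec_a["verifier"] == rec_b["verifier"]


if __name__ == "__main__":
    # Constructed sample accounts; "Apple1!" is the article's example of a weak
    # but commonly chosen password.
    rec = enroll("alice@example.test", "Apple1!")
    print("correct password accepted:", verify(rec, "alice@example.test", "Apple1!"))
    print("wrong password rejected:  ", not verify(rec, "alice@example.test", "apple1!"))
    print("shared password, shared verifier:",
          same_password_same_verifier("alice@example.test", "bob@example.test", "Apple1!"))
```

Note that `verify` never needs the master password in the clear: the server only ever sees the client-side output, and the stored verifier is useless for logging in without re-deriving it from the password through both layers.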

This isn't just for show. The estimate I can come up with for all of that combined cracking with about $10,000 of graphical processor units (GPUs) is about 30 passwords per second instead of billions. An Ars Technica expert thinks it's even lower: about 10 passwords per second.

Now, we have to factor in the fact that some people's password hints may allow specific accounts to be targeted ("my password is my first name plus a one"), and that determined crackers might gain access to or have bought (or stolen) 1,000 times the power of the rig I'm using for rough estimation.

But the odds of mass decryption are very low, and if you're a LastPass user, you can make them even lower.

What you can do

LastPass says in its blog entry, "Encrypted user vaults were not compromised." This is a critical fact because changing your master password will immediately make the stolen password information useless. If crackers had stolen vaults, they would be able to churn on them forever or return to them in the future and crack them with more advanced or powerful technology. Since people often don't change passwords for years at a time or forever, that could have still been a risk.

LastPass also advises changing your password at any other account for which you use the identical password. Because email addresses and password hints were stolen, crackers who compromise one account will try for others. However unlikely, it's good to make these changes. (Also, if you use LastPass or similar software, you can easily avoid using the same password twice or more.)

The benefit of second-factor authentication also remains in effect. The information stolen from LastPass doesn't let a cracker who recovered your password gain access without the token you need to generate on a device or in an app to which you have access. (LastPass conceivably has kept secure the seeding information used for second factors.)

When setting a new master password, you can avoid the often bad advice about selection that advises something that's hard to remember and type. The notion is that coming up with something short and complex is better than something long and simple. This is incorrect.

A set of three or more words that are unusual together is more secure than a short complex password that you invented yourself. Because you can't store LastPass's master password in LastPass, you should think of a way to make a memorable result. Some experts suggest phrases or unlikely conjunctions: you were running in the woods and stubbed your toe when you saw a unicorn becomes "runs stubbed unicorn". It would take on the order of a quintillion password checks to get to that result.

LastPass wasn't just lucky. Their preparations paid off. I'm looking forward to learning more about just how their systems were penetrated, and I hope in the interests of transparency, the company will provide more details. But it's nice for once to see that an ounce of prevention was worth a million tons of cure.


Glenn Fleishman

Macworld.com