LastPass was hacked: Here's what you have to do

LastPass put enough layers of security on your password vault that this breach isn't the end of the world. (But you should still change your master password.)

The password-storage maker LastPass announced the worst possible news for a company in its business on Monday: its password database was breached and user account information stolen. Because LastPass allows central storage and synchronization of your data store--the "vault" of passwords and other information you use with its app and website--someone being able to suss out your master password would seemingly have access to all your secrets.

Fortunately, LastPass seems to have employed enough layers of security in the right way that even this scale of failure shouldn't rebound on you. Let's review what risk you're exposed to if you're a LastPass user, and what steps you should take to reduce those.

Round and round we go

Early password-storage software on desktops and smartphones was hampered by both the low computational power available and implementation issues. In a report in 2012, digital forensic software firm Elcomsoft found flaws in 17 smartphone password-management apps, some severe. (Some of those problems were mirrored in desktop versions, too.) That report spurred fixes and development, and companies became smarter or more thorough. That paid off in this breach.

Passwords have to be stored in a manner in which they can't easily be recovered, whether in an operating system, for a website, or for protecting an app's data storage. Every kind of system that uses a password for authentication or access employs a one-way process--unless the outfit running it is negligent.

Many websites almost certainly still use a simple method. They take your password, run it through what's called a hashing algorithm that performs intensive mathematical operations on it, and produces a result (a "hash") that can't be reversed: knowing the hash doesn't reveal the original password.

Whenever you log in, your password isn't checked against a stored password. Rather, the site or service runs whatever you entered through the same hashing process and tests the result against the stored hash. If your freshly entered text, when hashed, matches the previously calculated one, you're legit.

When ne'er-do-wells steal password files, they don't immediately get access to passwords. They need to perform cracking operations, working their way through common passwords (based on many large previous public thefts) and into common words and combinations. Crackers don't go through every possible combination; they pick the most likely ones first. For instance, if asked to enter a word with mixed case, a number, and punctuation, people are more likely to enter Apple1! than ec7*JH43(k; crackers now follow these sorts of paths to harvest more results.

A well-equipped desktop PC with a high-end graphics card (or several) can churn through billions of password tests per second--yes, per second. Companies like LastPass build in layers of protection to slow them down.

First, LastPass uses a "salt," which is text that's combined with a password so that when it's hashed, all of the identical passwords for user accounts have different hashes. "aa" + "Apple1!" is very different when hashed than even "aA" + "Apple1!".

Second, the company uses an algorithm that doesn't just hash once, but many times. The default for LastPass on the client side--in a native or Web app--is 5,000 rounds.

Third, when you log into LastPass on the website or via a sync client, the password still isn't sent. Instead, your locally hashed password is sent in that form to the server, where it's run through another 100,000 rounds.
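The three layers just described (a per-user salt, 5,000 client-side rounds, and a further 100,000 server-side rounds, with only the client-side result ever leaving the device) fit together as shown below. This is an added illustration written for this article, not LastPass's code: it assumes PBKDF2 over SHA-256 as the iterated hash, the account name as the client-side salt text, and a random per-account salt on the server, none of which the article specifies.

```python
import hashlib
import hmac
import os

# Round counts as stated in the article.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_hash(master_password: str, salt_text: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side: salt the master password and iterate the hash CLIENT_ROUNDS times.

    Only this derived value is sent to the server; the master password never leaves
    the device. PBKDF2-HMAC-SHA256 is an assumption for the example.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt_text.encode(), rounds)


def server_hash(client_key: bytes, server_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server side: run the received client hash through SERVER_ROUNDS more iterations
    with a second, server-held salt. This is what gets stored in the database."""
    return hashlib.pbkdf2_hmac("sha256", client_key, server_salt, rounds)


def register(store: dict, username: str, master_password: str) -> None:
    """Create an account record: (server_salt, final_hash). The username doubles as the
    client-side salt text here (an assumption for the example)."""
    server_salt = os.urandom(16)
    final_hash = server_hash(client_hash(master_password, username), server_salt)
    store[username] = (server_salt, final_hash)


def verify(store: dict, username: str, master_password: str) -> bool:
    """Login check: repeat both stages on the entered password and compare the result
    against the stored hash. The stored password is never 'decrypted'; it is recomputed."""
    record = store.get(username)
    if record is None:
        return False
    server_salt, stored_hash = record
    candidate = server_hash(client_hash(master_password, username), server_salt)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored_hash)


def same_password_different_hash(password: str, salt_a: str, salt_b: str) -> bool:
    """Demonstrates the salt's job: identical passwords with different salts hash differently."""
    return client_hash(password, salt_a) != client_hash(password, salt_b)


if __name__ == "__main__":
    # Constructed sample account for the demonstration.
    store = {}
    register(store, "alice@example.com", "runs stubbed unicorn")
    print("correct password accepted:", verify(store, "alice@example.com", "runs stubbed unicorn"))
    print("wrong password rejected:  ", not verify(store, "alice@example.com", "Apple1!"))
    print("'aa' vs 'aA' salt differs: ", same_password_different_hash("Apple1!", "aa", "aA"))
```

Each `verify` call costs 105,000 HMAC iterations, which is negligible for one legitimate login but is exactly the work a cracker must repeat for every single guess against every single account, which is where the drop from billions of guesses per second to tens comes from. Note that an attacker who only steals the server-side table still faces both stages, because the stored value depends on the client-side derivation as well.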

This isn't just for show. My estimate is that, with all of that combined, a cracking rig built from about $10,000 of graphical processor units (GPUs) manages about 30 passwords per second instead of billions. An Ars Technica expert thinks it's even lower: about 10 passwords per second.

Now, we have to factor in the fact that some people's password hints may allow specific accounts to be targeted ("my password is my first name plus a one"), and that determined crackers might gain access to or have bought (or stolen) 1,000 times the power of the rig I'm using for rough estimation.

But the odds of mass decryption are very low, and if you're a LastPass user, you can make them even lower.

What you can do

LastPass says in its blog entry, "Encrypted user vaults were not compromised." This is a critical fact because changing your master password will immediately make the stolen password information useless. If crackers had stolen vaults, they would be able to churn on them forever or return to them in the future and crack them with more advanced or powerful technology. Since people often don't change passwords for years at a time or forever, that could have still been a risk.

LastPass also advises changing your password at any other account for which you use the identical password. Because email addresses and password hints were stolen, crackers who compromise one account will try for others. However unlikely that is, it's good to make these changes. (Also, if you use LastPass or similar software, you can easily avoid using the same password twice or more.)

The benefit of second-factor authentication also remains in effect. The information stolen from LastPass doesn't let a cracker who recovered your password gain access without the token you need to generate on a device or in an app to which you have access. (LastPass conceivably has kept secure the seeding information used for second factors.)

When setting a new master password, you can ignore the often bad advice that recommends something hard to remember and type. The notion behind it is that something short and complex is better than something long and simple. This is incorrect.

A set of three or more words that are unusual together is more secure than a short complex password that you invented yourself. Because you can't store LastPass's master password in LastPass, you should think of a way to make a memorable result. Some experts suggest phrases or unlikely conjunctions: you were running in the woods and stubbed your toe when you saw a unicorn becomes "runs stubbed unicorn". It would take on the order of a quintillion password checks to get to that result.

LastPass wasn't just lucky. Their preparations paid off. I'm looking forward to learning more about just how their systems were penetrated, and I hope in the interests of transparency, the company will provide more details. But it's nice for once to see that an ounce of prevention was worth a million tons of cure.

Stories by Glenn Fleishman