For the second time in just over four years LastPass CEO and co-founder Joe Siegrist has had to write the sort of data breach email to customers every company head must dread.
The tone of the explanation of what befell LastPass last week is calm and rational and scores well in terms of honesty over an attack that compromised some elements of the data users store inside the LastPass system. There is an unfortunate fashion for CEOs who patronise their users by explaining away serious breaches. Siegrist isn’t one of these.
It does leave a few issues in a slightly hazy state, however, so let’s attempt to tackle them.
What was breached and does it matter?
On its website LastPass mentions compromised data as being, “account email addresses, password reminders, server per user salts, and authentication hashes.” That’s a hell of a lot for attackers to have grabbed. For any firm to be breached is serious – for a security company (and LastPass is very much a security company these days) it ranks as a near existential threat.
Time to be worried?
The fact that attackers have some or all of the email addresses is a major problem and means that users might be spammed or phished in all sorts of ways in future that have nothing to do with LastPass. Email addresses have a price on crime forums.
Password reminders are an even bigger issue still because they could be used to guess the master password. In most cases that won’t be possible, but in a few cases it might be. It depends how explicit the reminder is and that is impossible to estimate, even for LastPass. This is the main reason why the LastPass master password (and reminder) should be changed as soon as possible.
What about the ‘server per user salts’ and authentication hashes? The former is random data mixed into passwords (both master passwords and website passwords) before they are hashed, which makes them much harder or even impossible to recover from their stored state using dictionary and rainbow-table lookups. LastPass claims to make a point of being careful about salting, so we can probably assume that the encrypted data the attackers might have is safe (with the exception of the reminder issue above).
However: “We are confident that our encryption measures are sufficient to protect the vast majority of users.” That sentence from the breach alert is slightly ambiguous. When the company says the “vast majority of users” it is implying a smaller percentage might be at risk, possibly because their reminders or master passwords are weak. Or is there some other weakness?
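To make the salting point above concrete, here is an added Python example; it is not LastPass's code, and the iteration count, the PBKDF2-SHA256 construction, the 16-byte salt length and the sample passwords are assumptions chosen for illustration. It shows why a leaked per-user salt plus authentication hash cannot be matched against a precomputed table, while still leaving verification of a weak master password entirely dependent on the password itself.

```python
import hashlib
import hmac
import os

# Illustrative parameter only; the article does not state LastPass's real
# iteration count or hash construction, and none is claimed here.
ITERATIONS = 100_000


def derive_auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password with a per-user salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def new_user_record(master_password: str) -> dict:
    """What a server keeps: a random per-user salt and the derived hash, never the password."""
    salt = os.urandom(16)  # assumed salt size for this illustration
    return {"salt": salt, "auth_hash": derive_auth_hash(master_password, salt)}


def verify_login(master_password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = derive_auth_hash(master_password, record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def build_unsalted_table(candidates) -> dict:
    """A precomputed (rainbow-style) table: plain SHA-256 of each candidate, no salt."""
    return {hashlib.sha256(c.encode("utf-8")).digest(): c for c in candidates}


def salts_defeat_precomputation(master_password: str, candidates) -> bool:
    """True when the leaked salted hash matches nothing in the precomputed unsalted table."""
    record = new_user_record(master_password)
    return record["auth_hash"] not in build_unsalted_table(candidates)


def same_password_different_users(master_password: str) -> bool:
    """Two users who chose the same master password still get different stored hashes."""
    a, b = new_user_record(master_password), new_user_record(master_password)
    return a["salt"] != b["salt"] and a["auth_hash"] != b["auth_hash"]


if __name__ == "__main__":
    # Constructed sample values, not real user data.
    weak_candidates = ["password", "123456", "letmein", "qwerty"]
    rec = new_user_record("letmein")
    print("login ok:", verify_login("letmein", rec))
    print("salted hash found in unsalted table:", not salts_defeat_precomputation("letmein", weak_candidates))
    print("same password, different hashes:", same_password_different_users("letmein"))
```

The last check is the one that matters for the breach: a per-user salt stops one precomputed table from serving every account, but it does nothing to make a guessable master password (or one betrayed by its reminder) any stronger.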
How was LastPass breached?
As in the attack in 2011, we will probably never be told. This is understandable. LastPass doesn’t want to advertise a weakness to other attackers, even if it has fixed that weakness. As with rival online password databases, LastPass talks a lot about security, but the precise design and its inner complexities are kept suitably mysterious.
How easy is it to change the master password?
The setting is under Account Settings, but we noticed the server was unusually slow to respond when we tried on Tuesday. Users should also check that logging in from anonymity networks such as Tor, or from countries other than their home geography, is disallowed.
And two-factor authentication?
One of the attractions of LastPass is that it goes out of its way to support a wide range of platforms other than Windows and offers a very wide range of authentication options to pair with them. This is why the platform has become the first choice for techies.
There is a debate about what constitutes two-factor authentication in relation to LastPass and some of its rivals (the way the master password is stored locally and verified via a server with certainty is often a compromise), but we’ll set that aside for now.
The fact is that using an online password store cannot be secure without some form of 2FA as a bare minimum, and LastPass offers enough options for people to find one that will work. Our recommended option is the cheap (about $12 for the basic version) YubiKey, although this does mean buying a $12 annual LastPass subscription too. Anyone who queries the cost needs to have their head examined. If you put dozens or even hundreds of logins inside a database, $25 is a minuscule sum for the extra insurance it brings.
In the end what alternatives are there to using these systems? Users could migrate to a second database, or use one in parallel, but who is to say they can’t be hacked as well? As for storing passwords in a browser cache, this isn’t even vaguely secure. Frankly, it would be better to write passwords down on paper and keep them in a drawer than do this.
For now, despite the inherent vulnerabilities of storing mere user credentials in any system, platforms such as LastPass are still forces for better security, even after last week’s unpleasant reminder of their vulnerability.