LastPass hacked, users requested to change master passwords immediately

LastPass, widely used password manager officially disclosed on Monday that it was breached. The hackers were able to get their hands on LastPass users’ Email addresses, master passwords and other private data.

While the encrypted vaults on LastPass, cloud based password manager, don’t seem to be accessed by intruders – password reminders, email addresses, authentication hashes, server per user salts and master passwords were compromised the attackers.

“The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised,” the company said. “We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”

It’s very important to get to know the basics of how passwords are stored in general, in order to comprehend the statement given by LastPass. The plain text gets to run against a one-way theoretical algorithm of mathematics making it hashed, via which user’s password is turned into a gibberish letters and numbers’ string that is tend to be difficult to reverse.

Now the weak point of this approach is the fact that hashes are always static, meaning for example, “12345” being a password will always be computed as a same password-hash in every case. As the cracking techniques have advanced, there are a decent number of tools that are able to quickly map these hashes and turn them into names, phrases and words making the effectiveness of password hashing next to nothing and things even worse. Millions of possible password hashes can be computed per second by attackers for each corresponding email address and username by the attackers, because of the fact that computer hardware has gotten very cheap and hence machines capable of achieving such tasks can be built with ease.

But database administrators can make things realistically difficult for the hackers who might have stolen the user database successfully and depend on some sort of tools to automate password cracking process, just by implementing “salt” – a unique element.

A professor at Columbia University in computer science department, Steve Bellovin said, “What a salt does it makes it hard to go after a lot of passwords at once as opposed to one users’ password, because every user requires a separate guess and that separate guess is going to take a considerable amount of time”. Adding further, “With a salt, even if a bunch of users have the same password, like ‘123456,’ everyone would have a different hash.”

Bellovin said, more concerning thing in regards to this breach is that even the password reminders of users also have been stolen.

He said, “I suspect that for a significant number of people, the password reminder — in addition to the user’s email address — is going to be useful for an attacker”. Adding further, “But password reminders are useful for targeted attacks, not massive attacks. That means that if your password reminder or hint is not particularly revealing to someone who doesn’t know you, it probably doesn’t matter much. Except in the case of targeted phishing attacks,” which might try to leverage data known about a specific target (such as a password hint) to trick the user into giving up the answer to their password reminder.

A good news is that, LastPass is using a password reinforcement algorithm named “PBKDF2-SHA256”. So, it is difficult to break the LastPass master password with a brute force attack. This algorithm can also be utilized on your computer or other gadget to make your master password way more strong and secure.

Now as a user what’s the takeaway for you here? If you’ve been using LastPass to store all of your passwords on cloud, it’s high time now to change master password immediately and make it difficult to break (not like these). Investigating into the breach in detail, we at Security Gladiators concluded, users don’t necessarily need to go and update the passwords of all of the sites on their LastPass vault but if anyone has used their master password on multiple sites or has a weak master password – they must go ahead and do change it without wasting a second.

Ali Qamar

Ali is an Internet security research enthusiast who enjoys "deep" research to dig out modern discoveries in the security industry. To be frank and honest, Ali started working online as a freelancer and still shares the knowledge for a living. He is passionate about sharing the knowledge with people, and always try to give only the best.



LastPass hacked, users requested to change master passwords immediatel…

by Ali Qamar time to read: 3 min