Blog Post

LastPass Possibly Hacked, Users Forced to Change Master Passwords

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

LastPass, a password management app that stores passwords in the cloud and automates form filling via browser add-ons, could have been hacked, with user data — including email addresses, salted passwords and the server salt — potentially compromised, according to a post on the company’s blog. As a precaution, the company is forcing all its users to change their master passwords.

The post notes that anomalies in server traffic led the company to suspect its database has been accessed and take appropriate precautions, although it cannot be sure at this point in time. It also points out that the data accessed alone should not be enough to expose an affected user’s stored passwords. To get those, an attacker would also need the user’s master password, which is only really a risk if that password is easy  to guess using a brute force attack. Users with strong, non-dictionary-based master passwords should be relatively safe, although as some users don’t use particularly strong mater passwords, the company has elected to force all of its users to change their master passwords. In addition, the company will be validating users changing their passwords by either checking that the user is visiting from a previously-used IP block, or by validating against their email address.

As a result of the potential breach, LastPass is also beefing up the encryption it uses:

We’re also taking this as an opportunity to roll out something we’ve been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We’ll be rolling out a second implementation of it with the client too.

This potential breach is a reminder that storing your passwords with a third party like LastPass or competitor 1Password is risky. Their data is obviously a very attractive target for hackers, despite their encryption and robust security arrangements. But you have to weigh that risk against the convenience they offer: Using a password management tool makes it much easier to have a strong, unique password on every service you use. That’s much more secure than using the same password everywhere, which makes large security breaches, such as the recent PlayStation Network hack (s sne) or last year’s Gawker hack, so damaging, as attackers can gain access to wide range of different services with a single password. However, if you’re concerned about storing your passwords in a cloud service, you could always elect use a desktop password management tool like that stores your passwords in a local database like KeePassX instead; the downside is not being able to retrieve passwords everywhere. Whatever password management tool you choose, ensure you pick out a strong master password that’s not going to be easy to crack via a brute force attack.

Photo courtesy Flickr user subcircle

12 Responses to “LastPass Possibly Hacked, Users Forced to Change Master Passwords”

  1. George

    I never trusted that program even after all the good reviews of it. Storing stuff on some server somewhere forever just isn’t cool anymore at all. These guys need to understand that and change it up completely. I as a business or a person could never risk customer information like that, not to mention it is an all in one file, geez. Keep that shit off network or something.

  2. Philip

    I just started using KeePass and to sync between computers, I’ve used Pogoplug sharing an external HD (not the cloud based one). I also use the iPhone app. It’s not the best, but functional.

  3. LastPass for better security?

    I dont know about you, but using a strong, unique, DIFFERENT, long arsed password for every site, well there’s no way I can remember those passwords. So what good does storing them only on my desktop do? What good is it if I have to install an app on every other desktop to open a safe online? I cant do that. Nothing else worked as well as Lastpass’s solution.

    I do use unique passwords for everything I care about. I do use a strong master password. I use the lastpass phone app on my BB as well. I still think that it’s the best option if you want password convenience, high security, AND the ability to use truly strong unique passwords on every account.

    That said, there’s no way I’d ever get my parents to use that level of security sucessfully. It was a bit difficult for me to get used to at first too (setting everything unique). But as long as I don’t do something stupid like store my master password on the computer somewhere, I think the Lastpass solution is the best way to go.

    • It’s not possible to remember very strong unique passwords for every service you use. Sure you could use some kind of phrase based mnemonic based on the domain/name of the site, but solutions like LastPass are certainly more convenient

    • DougS

      Wouldn’t storing your passwords on something like Dropbox be more risky? I don’t know, I am just asking.

      I am currently using LastPass.The way I understand how it works, the master password is never passed to the server, so it seems quite secure. I guess I am about to find out.

      • As long as the passwords were encrypted on Dropbox using a master password (as I believe they would be if you used Keepass), it should be reasonably secure. I certainly wouldn’t store them unencrypted on Dropbox though.

        Doug- as long as your master password is not an easily guessed word or phrase, it sounds like you should be OK with LastPass, even with this (potential) breach.

      • DougS

        Simon – I hope you do a follow up on this story. I have a secure master password, but I was going to change it just to be extra sure, but I still can’t log on to their server to do that. Seems like they are overwhelmed. I guess people are freaking out on a situation though I am not sure it warrants that, but maybe a follow up piece could provide insight into how they are dealing with the situation.

  4. I agree with Judi. The reason I use 1Password over LastPass is because that data is stored locally, not in the cloud.

    I’m a big fan of cloud storage, but storing all your passwords in the cloud just seems to risky for me.

  5. Scary stuff. But to be fair, 1Password isn’t quite as vulnerable. There’s no online database on their servers filled with encrypted passwords for hackers to target. 1Password data is stored in a local file and the user has the option to upload it somewhere, typically Dropbox for example. At that point if Dropbox has a breach, I suppose a hacker could find the keychain file, get through the layers of security and decrypt it. But that’s not quite the same thing as what happened to LastPass.