LastPass, a password management app that stores passwords in the cloud and automates form filling via browser add-ons, could have been hacked, with user data — including email addresses, salted passwords and the server salt — potentially compromised, according to a post on the company’s blog. As a precaution, the company is forcing all its users to change their master passwords.
The post notes that anomalies in server traffic led the company to suspect its database has been accessed and take appropriate precautions, although it cannot be sure at this point in time. It also points out that the data accessed alone should not be enough to expose an affected user’s stored passwords. To get those, an attacker would also need the user’s master password, which is only really a risk if that password is easy to guess using a brute force attack. Users with strong, non-dictionary-based master passwords should be relatively safe, although as some users don’t use particularly strong mater passwords, the company has elected to force all of its users to change their master passwords. In addition, the company will be validating users changing their passwords by either checking that the user is visiting from a previously-used IP block, or by validating against their email address.
As a result of the potential breach, LastPass is also beefing up the encryption it uses:
We’re also taking this as an opportunity to roll out something we’ve been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We’ll be rolling out a second implementation of it with the client too.
This potential breach is a reminder that storing your passwords with a third party like LastPass
or competitor 1Password is risky. Their data is obviously a very attractive target for hackers, despite their encryption and robust security arrangements. But you have to weigh that risk against the convenience they offer: Using a password management tool makes it much easier to have a strong, unique password on every service you use. That’s much more secure than using the same password everywhere, which makes large security breaches, such as the recent PlayStation Network hack (s sne) or last year’s Gawker hack, so damaging, as attackers can gain access to wide range of different services with a single password. However, if you’re concerned about storing your passwords in a cloud service, you could always elect use a desktop password management tool like that stores your passwords in a local database like KeePassX instead; the downside is not being able to retrieve passwords everywhere. Whatever password management tool you choose, ensure you pick out a strong master password that’s not going to be easy to crack via a brute force attack.