A number of security pros urge people to use password managers to keep track of passwords rather than use the same ones for several sites or keep them on sticky notes taped to monitors, where they can easily be seen.
But like any technology, password managers are susceptible to being breached. That happened last week when one of the biggest names in password managers, LastPass, disclosed that account email addresses, password reminders, server per-user salts, and authentication hashes had been compromised.
“In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed,” the company added in a notice to users. Still, for a CISO who has told employees this is a safe solution to password overload, it’s a little unnerving.
LastPass comes in free and enterprise versions, the latter offering federated single sign-on access management for cloud-based services. There’s also a centralized control panel for administrators and auditors.
On the other hand, as Steve Ragan notes in a piece for CSOonline, two points matter: First, LastPass quickly notified its users. Second, if you change the master password on your account you should be safe. The point of using a manager is to be able to NOT reuse the same password on any site, so even if a hacker breaks one site’s password the others are still protected.
And as Brian Krebs writes, LastPass does not store master passwords themselves: what it stores is an authentication hash, salted with a per-user value, so an attacker holding the stolen hashes faces a slow offline guessing exercise rather than a simple lookup. That protection is only as strong as the master password behind it, which is why a weak or reused master password should be changed regardless.
But he does quote an expert who observes that the stolen password reminders and email addresses could be useful to an attacker. “But,” the expert added, “password reminders are useful for targeted attacks, not massive attacks. That means that if your password reminder or hint is not particularly revealing to someone who doesn’t know you, it probably doesn’t matter much. Except in the case of targeted phishing attacks.”
Finally, if the manager supports it, enable two-factor authentication, so that a stolen or guessed master password alone is not enough to log in. That capability should be one of the factors CISOs consider when they recommend a password manager.