BEST OF THE WEB

Hack at password manager LastPass raises questions

A number of security pros urge people to use password managers to keep track of passwords rather than use the same ones for several sites or keep them on sticky notes taped to monitors, where they can easily be seen.

But like any technology, password managers are susceptible to being breached. That happened last week when one of the biggest names in managers, LastPass, discovered that account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

“In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed,” the company added in a notice to users. Still, for a CISO who has told employees this is a safe solution to password overload it’s a little unnerving.

LastPass comes in free and enterprise versions, the later offering federated single sign-on access management for cloud-based services. There’s also a centralized control panel for administrators and auditors.

On the other hand, as Steve Ragan notes in a piece for CSOonline, there are two important things: First, LastPass quickly notified its users. Second, if you change the master password on your account you should be safe. The point of using a  manager is to be able to NOT repeat the same password on any site, so even if a hacker breaks one password the others are still protected.

And as Brian Krebs writes, LastPass hashed and salted the master passwords it stores, so even if a hacker gets them it will be darn near impossible to break.

But he does quote an expert who observers that the stolen password reminders and email addresses could be useful to an attacker. “But,” the expert added, “password reminders are useful for targeted attacks, not massive attacks. That means that if your password reminder or hint is not particularly revealing to someone who doesn’t know you, it probably doesn’t matter much. Except in the case of targeted phishing attacks.”

In an email James Arlen, Hamilton, Ont.-based director of risk security for Leviathan Security Group said “Lastpass was breached in kind of an ugly way … But the facts remain that all users would benefit from a password manager of some type.
From a paper based “manager” — that stays in your wallet to a web-based system like Lastpass to my preference: a local password manager that encrypts and stores in your own computer — any manager is better than the one between your ears.
You need a manager for one simple reason: never reuse the same password. If your manager auto-generates complex passwords of long length, even better. A unique per-site password is your best defense for sites that do not offer multi-factor authentication.”
So if you’re a LastPass user and hold a C-level, VP or system admin position, you might want to consider changing your password hint. And for any user of a password manager, change your master password every quarter.

Finally, to really be safe if the manager allows enable two-factor authentication. That capability should be one of the factors CISOs should consider if they recommend a password manager.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web