Hack Brief: Password Manager LastPass Got Breached Hard

Experts recommend password managers like LastPass as the easiest way to generate unique, strong security codes for every one of your online accounts---which sounds great, until that password manager itself is cracked, potentially offering attackers access to all the accounts it was designed to protect.

The Hack

On Monday password manager service LastPass admitted it had been the target of a hack that accessed its users' email addresses, encrypted master passwords, and the reminder words and phrases that the service asks users to create for those master passwords.

Who's Affected

The company says the cryptographic protections it has in place on those master passwords---which include "hashing" and "salting" functions designed to make cracking the underlying passwords nearly impossible---are enough to protect almost all of its users. But those with simple passwords or ones reused from other sites could still be vulnerable. "We are confident that our encryption measures are sufficient to protect the vast majority of users," LastPass CEO Joe Siegrist wrote in a note to customers. "Nonetheless, we are taking additional measures to ensure that your data remains secure, and users will be notified via email."

Those additional measures include resetting master passwords and requiring people to verify themselves by email when they log in from a new device, unless they use two-factor authentication. If you don't already use two-factor authentication on your password manager, you probably should.

How Serious Is This?

That depends. The severity of this latest LastPass hack---the first it's experienced since it admitted to an earlier possible breach in 2011---is contingent on both the strength of a person's master password and how long the breach went undetected. Given the encryption that LastPass describes, a strong, truly random master password is likely safe, says Joseph Bonneau, a Stanford cryptography researcher who's focused on password security.

But "this is still pretty bad," says Bonneau, particularly for users with weak passwords that are vulnerable to guessing. "If they can brute force any master passwords, the attackers could extract password vaults and decrypt them for lots of users or some high value targets."

LastPass says it detected the attack on Friday, just days before it reset users' passwords, required email verification, and alerted law enforcement and security forensics experts. But if the attack had persisted for any period of time undetected before that, it's possible that even stronger master passwords could have been compromised, Bonneau says. Right now, we just don't know how long the hack lasted. "It really depends on how quickly [LastPass] discovered this, and we don’t have any information on that," Bonneau says.

The incident, says Bonneau, should serve as a reminder that anyone who relies on a password manager for their online security should make that master password as long and random as possible. "It’s really important when you use a master password that password be really strong," says Bonneau. "At the end of the day, that’s the only safe way to use this kind of password vault."