Consultant: Don’t sweat the LastPass breach
22 June, 2015
category: Corporate, Digital ID, Financial
LastPass users and the security community were shaken up last week following news that the online password manager experienced a data breach that exposed users’ encrypted master passwords. But at least one password-cracking expert says the LastPass breach is nothing for users to sweat about, especially if they picked a strong master password.
“Password management solutions like this are designed specifically to withstand breaches like this. They are designed to be secure in spite of the breach,” says Jeremi Gosney, CEO of Sagitta HPC, a firm offering password-cracking services.
Gosney is also a co-founder of the hacker conference PasswordsCon and a senior consultant for security and compliance provider ControlScan. Users appear to have math on their side. With the strong hashing algorithms LastPass employed, even moderately strong passwords should be completely safe, Gosney says.
Assuming LastPass has 1 million users, it would take a password cracker more than 44 years just to exhaust the 14 million-word RockYou wordlist — the passwords for the users of RockYou.com from when the social gaming site suffered a massive breach in 2009 — against the LastPass hashes. The RockYou list has become a go-to standard in the password cracking community.
“The password hashing is among the best we’ve ever seen, quite spectacular really, especially for an organization of this size,” he says.
On June 15, LastPass announced on its blog that its security team had discovered and blocked “suspicious activity” on its network. After investigating, LastPass found that master passwords, email addresses and password hints had been compromised. There was no evidence that the hackers broke into users’ encrypted password vaults or accessed their accounts.
Gosney says users should be operating on the assumption that someone is going to be able to access their encrypted data, and thus protect themselves accordingly. “The piece of mind is that even if someone gets a hold of that encrypted information, it’s useless to a hacker,” he says.
LastPass users are advised to take these precautions:
- Change your master password: LastPass is prompting all of its users to do this, and says that users who have reused their master password on other websites should replace those passwords as well. Gosney says LastPass users should consider using the breach as an opportunity to upgrade their master password through a method known as diceware, an application that essentially rolls virtual dice to pick words at random that you can combine into a four-word passphrase.
- Disable the “Allow reverting LastPass master password changes” option in Advanced Settings. Otherwise, changing your master password won’t make much difference.
- Enable multifactor authentication for your account.
- Be on the lookout for phishing campaigns, now that the hackers have a list of every LastPass account user’s email address, Gosney says. And do not click on any links in emails pertaining to LastPass.
A longtime LastPass user himself, Gosney says he doesn’t plan to change a thing following the breach – not even his master password. “I am confident in the strength of my master password. As a password cracker, I know it’s impossible to crack,” he says.