If you’re one of the thousands of LastPass users who’ve felt very secure using the Internet thanks to promises of nearly unbreakable security, you may feel a little less secure knowing that on June 15th, the company announced that they detected an intrusion into their servers.
LastPass initially sent an email notice to users advising them that the company had detected “suspicious activity” on LastPass servers, and that user email addresses and password reminders had been compromised.
The company assured users that no encrypted vault data had been compromised, but since the hashed user passwords had been obtained, the company advised users to update their master passwords, just to be safe.
The LastPass Hack Explained
This isn’t the first time LastPass users have been concerned about hackers. Last year, we interviewed LastPass CEO Joe Siegrist following the Heartbleed threat, where his reassurances set users’ fears at ease.
This latest breach took place late the week before the announcement. By the time it was detected and identified as a security intrusion, the attackers had gotten away with user email addresses, password reminder questions/answers, hashed user passwords and cryptographic salts.
The good news is that LastPass was designed with exactly this kind of theft in mind. No encrypted vault data was taken, so the attackers hold none of the passwords stored in your vault. What they hold is a hash of each master password, and hashing is one-way: the only way to get a master password out of a hash is to guess candidates and hash each one until one matches the stolen value.
Because of the mechanism LastPass uses to hash your master password, every one of those guesses is expensive, so turning the stolen hashes back into passwords takes massive amounts of computing resources, more than most small or mid-level attackers have.
That protection comes from two mechanisms that are often lumped together: “salting”, which makes every user’s hash unique, and “slow hashing”, which makes every guess costly.
How Hashing Works
LastPass does not store or encrypt your master password at all; it stores a salted hash of it. A hash is not encryption: there is no key that turns the hash back into the password.
The “salt” is a random value produced by a cryptographically secure random number generator, a tool built specifically so that its output cannot be predicted. LastPass generates a fresh salt when you set your master password.
When you create your account, the password is “hashed” together with that long, random salt. Salts are never reused: each user and each password gets its own, so two users who happen to choose the same password end up with different hashes, and an attacker cannot precompute one table of hashes and run it against the whole user database. The user account table holds only the salt and the hash.
The plain-text master password is never stored on LastPass servers, so the attackers could not simply read it out. All they obtained in this intrusion are those random salts and the hashes.
So, the only way LastPass (or anyone) can validate your password is:
- Retrieve the hash and salt from the user table.
- Hash the password the user typed, with that salt, using the same hash function and the same settings that produced the stored hash.
- Compare the result with the stored hash; a match means the password was correct.
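The three validation steps above, as an added worked example in Python. This is not LastPass’s code: it uses PBKDF2-SHA256 from the standard library with illustrative parameters (the iteration count, salt length and field names are assumptions), and shows why a per-user salt matters by registering the same password twice.

```python
import hashlib
import hmac
import os

# Illustrative parameters (assumptions for this example, not LastPass's exact settings).
HASH_NAME = "sha256"
ITERATIONS = 100_000      # the work factor that makes the hash "slow"
SALT_BYTES = 16


def make_salt() -> bytes:
    # os.urandom reads the operating system's CSPRNG: the unpredictable
    # "cryptography tool" the article refers to.
    return os.urandom(SALT_BYTES)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    # PBKDF2 runs HMAC-SHA256 `iterations` times over the password and salt.
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def register(password: str) -> dict:
    """Build the row a user table would hold: salt, hash and work factor, never the password."""
    salt = make_salt()
    return {"salt": salt, "hash": hash_password(password, salt), "iterations": ITERATIONS}


def verify(row: dict, candidate: str) -> bool:
    """The three validation steps: fetch salt and hash, re-hash the candidate, compare."""
    recomputed = hash_password(candidate, row["salt"], row["iterations"])
    # compare_digest runs in constant time, so a mismatch in the first byte takes as
    # long as a mismatch in the last and timing cannot leak the stored hash.
    return hmac.compare_digest(recomputed, row["hash"])


def same_password_two_users(password: str) -> bool:
    """Why salts matter: two users with the same password still get different hashes,
    so one precomputed table of hashes cannot be reused across the user table."""
    a, b = register(password), register(password)
    return a["hash"] != b["hash"] and verify(a, password) and verify(b, password)


if __name__ == "__main__":
    row = register("correct horse battery staple")
    print("salt:", row["salt"].hex())
    print("hash:", row["hash"].hex())
    print("right password verifies:", verify(row, "correct horse battery staple"))
    print("wrong password verifies:", verify(row, "Correct horse battery staple"))
    print("same password, two users, different hashes:", same_password_two_users("hunter2"))
```

The only secret in the stored row is the password itself, which is never written anywhere; the salt is not secret and is stored beside the hash, exactly as the stolen LastPass table held it.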
These days, attackers can compute billions of plain hashes per second, so why can’t they simply brute-force these passwords? The answer is slow hashing.
Why Slow-Hashing Protects You
In an attack like this, it is the slow-hashing part of LastPass’s design that does most of the work of protecting you.
LastPass makes the hash function used to verify (or create) the password deliberately expensive to compute. That puts the brakes on any brute-force attack, which depends on pumping through billions of candidate hashes quickly. More hardware does not change the ratio: every candidate costs the attacker the same work factor a legitimate login pays, so each guess is many thousands of times dearer than a single SHA-256, and exhausting a large password space stops being practical.
On top of that, LastPass doesn’t just run the hash algorithm once, they run it thousands of times on your computer, and then again on the server.
Here’s how LastPass explained its own process to users in a blog post following this latest attack:
“We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash.”
The LastPass Help Desk has a post that describes how LastPass utilizes slow-hashing:
LastPass has opted to use SHA-256, a slower hashing algorithm that provides more protection against brute-force attacks. LastPass utilizes the PBKDF2 function implemented with SHA-256 to turn your master password into your encryption key.
What this means is that, despite this breach, the passwords in your vault were never taken, and your master password is still shielded by that work factor, even though your email address and password reminder are now in the attackers’ hands.
What If My Password Is Weak?
There is one excellent point raised on the LastPass blog concerning weak passwords. Many users are concerned that the password they dreamed up is not unique enough, and that the attackers will be able to guess it without much effort. The concern is legitimate: slow hashing multiplies the cost of every guess, but a password that appears in a common wordlist needs only a few thousand guesses, and the stolen password reminders may narrow the search even further.
There is also the remote risk that your account is one of those the attackers choose to spend their time on, and that they eventually recover your master password. What then?
The bottom line is that all of that effort would be wasted, since logging in from another device requires verification via email – your email – before access is granted. From the LastPass blog:
“If the attacker attempted to get access to your data by using these credentials to log into your LastPass account, they’d be stopped by a notification asking them to first verify their email address.”
So unless they can break into your email account as well as cracking a slow, salted hash, you have little to worry about.
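An added example, not LastPass’s code, that ties the slow-hashing explanation to the weak-password question above. It models the two-stage scheme the LastPass quote describes (5,000 client-side rounds of PBKDF2-SHA256 with the username as salt, then a server-side hash) and then plays the attacker: measure the cost of one guess at 1 round and at the full work factor, estimate how long a brute-force search would take, and run an offline dictionary attack against a constructed stolen row. The server-side stage is an assumption: the page only says “another round of hashing” happens server-side, and the 100,000 rounds, PBKDF2-SHA256 and lower-casing of the username here are choices made for the example. The wordlist and rows are constructed sample data.

```python
import hashlib
import os
import time

# 5,000 client-side rounds come from the LastPass quote above; 100,000 server-side
# rounds and the use of PBKDF2-SHA256 for that stage are assumptions of this example.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def derive_auth_hash(username: str, master_password: str, server_salt: bytes,
                     client_rounds: int = CLIENT_ROUNDS,
                     server_rounds: int = SERVER_ROUNDS) -> bytes:
    """Stage 1 (client): PBKDF2-SHA256 with the username as salt -> key.
    Stage 2 (server): PBKDF2-SHA256 of that key with a per-user random salt -> stored hash."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              username.lower().encode("utf-8"), client_rounds)
    return hashlib.pbkdf2_hmac("sha256", key, server_salt, server_rounds)


def make_stolen_row(email: str, master_password: str) -> dict:
    """Constructed sample of what the intruders walked off with: email, salt and hash."""
    salt = os.urandom(32)
    return {"email": email, "salt": salt,
            "auth_hash": derive_auth_hash(email, master_password, salt)}


def crack(row: dict, wordlist) -> tuple:
    """Offline dictionary attack on a stolen row. Every guess pays the full
    client + server work factor, so the attacker's speed is bounded by it."""
    guesses = 0
    for guess in wordlist:
        guesses += 1
        if derive_auth_hash(row["email"], guess, row["salt"]) == row["auth_hash"]:
            return guess, guesses
    return None, guesses


def seconds_per_guess(client_rounds: int = CLIENT_ROUNDS,
                      server_rounds: int = SERVER_ROUNDS, samples: int = 3) -> float:
    """Measure one thread's cost per guess on this machine at the given work factor."""
    salt = bytes(32)
    start = time.perf_counter()
    for _ in range(samples):
        derive_auth_hash("bench@example.com", "benchmark", salt, client_rounds, server_rounds)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(keyspace: int, seconds_per_guess: float, threads: int = 1) -> float:
    """Worst-case time to try every candidate in a keyspace of the given size."""
    return keyspace * seconds_per_guess / threads / (365 * 24 * 3600)


# Constructed wordlist standing in for the first few thousand entries of a real one.
SAMPLE_WORDLIST = ["123456", "password", "letmein", "qwerty", "sunshine1",
                   "iloveyou", "monkey", "dragon", "football", "welcome1"]


if __name__ == "__main__":
    weak = make_stolen_row("alice@example.com", "sunshine1")
    strong = make_stolen_row("bob@example.com", "correct horse battery staple")
    print("weak row:  ", crack(weak, SAMPLE_WORDLIST))      # ('sunshine1', 5)
    print("strong row:", crack(strong, SAMPLE_WORDLIST))    # (None, 10)

    fast = seconds_per_guess(1, 1)          # two single-round hashes, SHA-256 speed
    slow = seconds_per_guess()              # the full 105,000 rounds
    print(f"cost per guess: plain {fast:.2e}s, slow {slow:.2e}s, ratio {slow / fast:.0f}x")
    for label, space in [("8 lowercase letters", 26 ** 8), ("4 Diceware words", 7776 ** 4)]:
        print(f"{label}: {years_to_exhaust(space, slow):.1e} years on one thread")
```

The two runs of `crack` make the practical point: the work factor slows the attacker by the same ratio for every row, but a password that sits five entries into a wordlist falls after five expensive guesses, while a passphrase outside any wordlist forces the attacker into a keyspace that the `years_to_exhaust` estimate shows is out of reach.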
Should I Change My Master Password?
Whether or not you change your master password really boils down to how paranoid or unlucky you feel. Do you think you might be the one unlucky person whose password gets cracked by talented attackers able to grind through LastPass’s 100,000-round hashing routine and a salt that is unique to you?
By all means, if that worries you, change your password for peace of mind. Once you do, the salt and hash in the attackers’ hands correspond to a password you no longer use, so cracking them buys nothing against your LastPass account.
However, there are security experts who are not at all concerned, such as Jeremi Gosney of Structure Group, who told reporters:
“The default is 5,000 iterations, so at a minimum we’re looking at 105,000 iterations. I actually have mine set to 65,000 iterations, so that’s a total of 165,000 iterations protecting my Diceware passphrase. So no, I’m definitely not sweating this breach. I don’t even feel compelled to change my master password.”
The only real concern you should have about this breach is that the attackers now have your email address, which they could use for mass phishing campaigns that try to trick people into giving up their various account passwords, or for something as mundane as selling the list to spammers on the black market.
The bottom line is that the risk from this security intrusion remains minimal, thanks to the overwhelming security of the LastPass system. But common sense says that any time hackers have obtained your account details – even protected through thousands of advanced cryptographic iterations – it’s always good to change your master password, even if it is for peace of mind.
Did the LastPass security breach get you very concerned about the safety of LastPass, or are you confident about the security of your account there? Share your thoughts and concerns in the comments section below.