We’re big fans of password managers here, and in our experience, so are most system administrators and developers. Anyone with an understanding of the risks of using passwords for authentication knows that they have to be long, random, and unique to offer a reasonable level of security. Given how many passwords the average user has to wrangle, password managers are the only way to ensure that good practices are adhered to, which is why it’s so worrying when one of the most popular password management tools suffers a potentially serious data breach.
In a blog post earlier this month, LastPass CEO Joe Siegrist announced that the service had been hacked, allowing unknown attackers to see hashed master passwords, usernames, emails, salts, and other details.
That sounds serious, but the fact of the matter is that if data is stored on Internet-facing servers, eventually it is going to be hacked — particularly for a service as popular as LastPass. So the real question is not what was taken, but whether it is likely to be useful: whether the attackers can get from the hashed passwords back to the originals. In this case, it seems highly unlikely.
According to the company:
“We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database.”
Because the company chose a deliberately slow hashing algorithm with many rounds, an attacker holding the stolen hashes has to repeat that same expensive chain for every single password guess. For any reasonably complex password, that puts recovery out of reach in any reasonable timeframe, even with the best hardware. Given that any data stored online is a potential risk, LastPass did the right thing — unlike many online services that use fast hashing algorithms to conserve resources.
Some security experts are so unconcerned about the risk that they aren’t planning on changing their master password. I think in the interest of an abundance of caution, it’s probably best if users do change their passwords — and they’ll be forced to if they log in from a new device — but because of the way LastPass has protected the data, the risk is minimal.
The only likely risk scenario is if the user has an absurdly simple password and they are specifically targeted by the attackers. In that case, with sufficiently strong hardware, it may be possible to recover the master password from the stolen hash, although it’s still fairly unlikely.
It looks like LastPass is as safe as a system that stores sensitive data online can be, but passwords are always going to be the weak link in the authentication chain, which is why users of password managers should activate two-factor authentication wherever it is available (as it is in LastPass).