LastPass Breached Again. Is This a Trend?

Sue Marquette Poremba

A week or two ago, a Facebook friend of mine posted how much he loved the cloud-based password manager that he uses and how safe it is. Many others chimed in with similar comments. You just know I’m going to pop up and warn that there are still plenty of security risks with these password manager sites, and there have been incidents where they’ve been breached. I was surprised at the number of people who took me to task and asked me to “prove it.”

I claim no psychic powers, but before I had the chance to go back and find information on past breaches, I began to get emails alerting me that LastPass had been breached. I honestly thought it was such an odd coincidence that my mind was playing tricks on me, and I had to go check again to make sure that my email wasn’t somehow regurgitating three-year-old messages.

Nope. LastPass has been breached. Again. For at least the third time now since 2011. At what point is something an anomaly and at what point is it a trend?


According to eSecurity Planet, here is a brief overview of what exactly happened:

While no LastPass user accounts were accessed and no encrypted user data (stored passwords) was stolen, the company's investigation has determined that LastPass account email addresses, password reminders, server per user salts and authentication hashes were compromised.

I get why people turn to password managers like LastPass. Passwords are cumbersome and frustrating and just so hard to remember, but until we settle on a replacement for passwords, we’re stuck. On the surface, password managers let us remember only one master password while still using the dozens of unique passwords that security guidance recommends.

But it is time to stop thinking of password managers as a secure place to store those passwords because, like everything else, they are a target for theft. As Devin Egan, co-founder and CTO of LaunchKey, told me in an email:

Password vaults in the cloud are potentially dangerous as a breach like this could expose every password to every site for a wide range of users. Unlike a site that stores passwords one-way hashed, a password manager encrypts the users' passwords with a way to decrypt them so they can be used later. Thus, LastPass's breached hashes and salts will be under attack and any successful crack could lead to a specific user without additional factors of authentication open to further data breaches.

Unfortunately, password managers lull users into a false sense of security, Ken Westin, senior security analyst at Tripwire, told me. You still need a password to log in, and that can be stolen just as easily as any other password.

LastPass advises its customers to use a multi-factor authentication system to access the site, and that’s a good idea – especially since we know that LastPass’s security problems are leaning toward being a trend, and we simply have to recognize that we can’t count on anyone being as secure as we’d like. Not even the sites whose primary purpose is security.
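To make Egan’s point concrete, here is an added example (not code from the article, from LastPass, or from any vendor quoted here) modelling the kind of record a cloud password manager’s server holds: a per-user salt and an authentication hash derived from the master password. It shows why a leaked salt and hash leave only two defences standing, the strength of the master password and the cost of the key derivation. The iteration counts, the attacker throughput figure and the sample password are all constructed assumptions, not LastPass’s real settings.

```python
"""Toy model of master-password stretching, login verification and the
offline guessing cost an attacker faces after a breach of the server record.
Every parameter below is an assumption for illustration."""
import hashlib
import hmac
import math
import os

# Assumed work factors; the article does not state LastPass's real ones.
CLIENT_ITERATIONS = 100_000   # PBKDF2 rounds run on the user's device
SERVER_ITERATIONS = 1_000     # extra rounds the server applies before storing
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, client_salt: bytes,
                     iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side: stretch the master password into the key that encrypts the vault.
    This key is what a breached server must never hold."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               client_salt, iterations, dklen=32)


def derive_auth_hash(vault_key: bytes, server_salt: bytes,
                     iterations: int = SERVER_ITERATIONS) -> bytes:
    """Server side: a one-way, per-user-salted verifier of the vault key.
    The server stores this, not the vault key and not the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, server_salt, iterations, dklen=32)


def register(master_password: str, client_iterations: int = CLIENT_ITERATIONS) -> dict:
    """Build the per-user record a server breach would expose:
    both salts, the iteration count and the authentication hash."""
    client_salt = os.urandom(16)
    server_salt = os.urandom(16)
    vault_key = derive_vault_key(master_password, client_salt, client_iterations)
    return {
        "client_salt": client_salt,
        "server_salt": server_salt,
        "client_iterations": client_iterations,
        "auth_hash": derive_auth_hash(vault_key, server_salt),
    }


def verify_login(record: dict, master_password: str) -> bool:
    """Recompute the verifier from a presented master password; compare in constant time."""
    vault_key = derive_vault_key(master_password, record["client_salt"],
                                 record["client_iterations"])
    candidate = derive_auth_hash(vault_key, record["server_salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def expected_crack_years(entropy_bits: float, client_iterations: int,
                         hmac_rate_per_second: float,
                         server_iterations: int = SERVER_ITERATIONS) -> float:
    """Rough offline-guessing cost for someone holding a leaked record.

    Each guess costs about (client + server) PBKDF2 iterations, i.e. that many
    HMAC-SHA256 evaluations, and on average half the password space is searched.
    hmac_rate_per_second is an assumed attacker throughput, not a measured figure.
    """
    guesses = 2.0 ** (entropy_bits - 1)
    seconds = guesses * (client_iterations + server_iterations) / hmac_rate_per_second
    return seconds / SECONDS_PER_YEAR


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    rec = register("correct horse battery staple")   # constructed sample master password
    print("login ok:", verify_login(rec, "correct horse battery staple"))
    print("wrong pw:", verify_login(rec, "password1"))
    rate = 1e10  # assumed HMAC-SHA256/s for a well-resourced attacker (constructed)
    for bits in (30, 50, 80):
        print(f"{bits:2d}-bit master password, {CLIENT_ITERATIONS} client rounds: "
              f"{expected_crack_years(bits, CLIENT_ITERATIONS, rate):.3g} years")
    print(f"50-bit master password, 1 client round: "
          f"{expected_crack_years(50, 1, rate):.3g} years")
```

The point of the cost function is the pairing in Egan’s quote: the attacker who holds the salt and hash can test guesses offline at the speed of the key derivation, so every additional bit of master-password entropy doubles the work and every iteration added to the KDF multiplies it linearly. Neither helps a user whose master password is short, and neither replaces the second factor the article recommends.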

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba



Jun 23, 2015 8:48 AM Adam D Adam D  says:
I agree that using cloud-based password management is a risk, but far lower than saving to a browser or text file for most users. All it takes is a strong master password to increase cracking time to billions of years. The same can't be said for local security. There are known 0day exploits for all operating systems which will bypass all anti-virus programs (the recent firmware boot being one example). Hacking a company such as LastPass, then breaking the randomly salted private keys isn't doable en masse. Getting a user to visit a malicious URL with a payload to infect their machine is far easier. There are many ways to exfiltrate data from a user's machine which would be easier than breaching the likes of LastPass. They are one of the few companies to do it correctly. It's also been audited several times by industry experts. The leak is bad, but cracking relies on a bad master password.
Jun 23, 2015 10:23 AM DovellB DovellB  says:
Not all password managers are created equal. Here are some features to look for:
1. Multifactor authentication
2. Data stored on the company's servers, not in a shared cloud account
3. Centralized IT control that takes the employee out of the security business
4. FIPS 140-2 verified
5. Encryption, salting, and secure communications
6. Multi-applications on a single card: combine physical and cyber access control together
7. Limitations of false card entries
and many more.
Dec 3, 2015 12:55 PM Juks Juks  says: in response to DovellB
What password manager is FIPS 140-2 qualified? What password manager even uses FIPS approved algorithms? I can't think of any. Most use Twofish or AES or something to that effect.
