LastPass, one of the most widely used password management services, reported that its servers were breached on Friday, 12 June. The intruders obtained data for an as yet unspecified number of user accounts: email addresses, password reminders, authentication hashes and the per-user salts the server stores alongside them.
The company confirmed this in an official blog post. According to the company, the encrypted vaults that hold users' stored passwords, and therefore the keys to their other accounts, were not affected. Even so, it has asked all customers to change their master passwords immediately.
Some experts have said that the company protects its authentication hashes with strong methods, so LastPass customers need not worry much. Jeremi Gosney, whom Ars Technica describes as its resident password expert, said he saw no reason to be alarmed by this breach and that nothing in it had compelled him to change his master password.
Like other password managers, LastPass lets users store the passwords for their online accounts and fill them in automatically. The user only has to remember a single master password, which the service stores as a hash rather than in plain text. Before hashing, a random string known as a salt is combined with the password; LastPass is known to salt its hashes. The salted password is then run through a one-way hash function, producing a value that is hard for an attacker to reverse. Without salts, every user who picks the same password ends up with the same hash, and an attacker can crack many hashes at once with precomputed tables.
Salting and repeated hashing do not make cracking impossible, but they make it far slower, because each guess has to be recomputed for every user. Rob Graham, CEO of Atlanta-based Errata Security, estimated that cracking such a hash would take him roughly a decade, where previously it could be done within an hour.
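The following is an added example, not code from the original article or from LastPass, showing the mechanism the two paragraphs above describe: a salted, stretched authentication hash (PBKDF2-HMAC-SHA256), the login check against it, and what an attacker who has stolen the per-user salt and hash can still do, namely guess. The 100,000-round figure is the server-side count LastPass cited in its 2015 notice; the salt length, the wordlist and the passwords are constructed for illustration, and the single-stage model below omits the separate client-side derivation LastPass performs.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Assumption: 100,000 PBKDF2-HMAC-SHA256 rounds, the server-side round count
# LastPass cited in its 2015 breach notice. Salt length is an illustrative choice.
ROUNDS = 100_000
SALT_LEN = 16


def unsalted_hash(password: str) -> bytes:
    """Weak baseline: one plain SHA-256 over the password, no salt, no stretching.
    Equal passwords give equal hashes, so one precomputed table cracks every user."""
    return hashlib.sha256(password.encode()).digest()


def store_auth_hash(password: str, rounds: int = ROUNDS) -> Tuple[bytes, bytes]:
    """What a server keeps for a user: a fresh random salt and the stretched hash.
    Both are stored per user, which is exactly the kind of data that leaked."""
    salt = os.urandom(SALT_LEN)
    auth_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, auth_hash


def verify(password: str, salt: bytes, stored: bytes, rounds: int = ROUNDS) -> bool:
    """Login check: re-derive with the user's own salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, stored)


def wordlist_attack(salt: bytes, stored: bytes, wordlist: List[str],
                    rounds: int = ROUNDS) -> Optional[str]:
    """What an attacker holding a leaked (salt, hash) pair can still do: guess.
    The salt rules out precomputed tables and forces one derivation per guess
    per user; the round count decides how much each of those guesses costs."""
    for guess in wordlist:
        if verify(guess, salt, stored, rounds):
            return guess
    return None


def seconds_per_guess(rounds: int, samples: int = 3) -> float:
    """Measure one PBKDF2 derivation on this machine, averaged over a few runs.
    Cost grows linearly with the round count, which is the whole point."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", salt, rounds)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed wordlist: the sort of guesses any cracker tries first.
    common = ["123456", "password", "letmein", "qwerty", "password123", "iloveyou"]

    weak_salt, weak_hash = store_auth_hash("password123")
    again_salt, again_hash = store_auth_hash("password123")
    strong_salt, strong_hash = store_auth_hash("tangerine-viaduct-87!Kelp")

    print("unsalted, same password -> same hash:",
          unsalted_hash("password123") == unsalted_hash("password123"))
    print("salted, same password   -> same hash:", weak_hash == again_hash)
    print("weak master password recovered as  :", wordlist_attack(weak_salt, weak_hash, common))
    print("strong master password recovered as:", wordlist_attack(strong_salt, strong_hash, common))
    print(f"{ROUNDS} rounds: {seconds_per_guess(ROUNDS):.3f}s per guess, "
          f"vs {seconds_per_guess(1):.6f}s for a single round")
```

The salt is what stops one table from serving every user; the round count is what turns an hour of guessing into years. Neither helps a master password that sits in the first few thousand entries of a wordlist, which is why the weak example above still falls.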
Even weaker master passwords benefit from this level of protection: unless a user has chosen an absurdly weak one, they are reasonably safe. Many users also change their master password whenever they step away from their computer. Not everyone, however, shares Gosney's view that LastPass master passwords are safe.
According to Stanford cryptography researcher Joseph Bonneau, the company has released little information about the breach, so there is not yet much for users to panic about; what matters is the action the company took after it discovered the intrusion. Users do have reason for concern if the hints, or password reminders, tied to their master passwords were compromised. Those hints are written by the users themselves rather than supplied by the company.
How to protect yourself? Make your master password long and mix upper- and lower-case letters, digits and punctuation. Always enable two-factor authentication. Never use your master password for any other account.