Popular third-party password manager LastPass revealed yesterday that it may well have been hacked and that some e-mail usernames and master passwords may have been stolen. Does this mean it's time to migrate to another password manager, or even abandon the entire concept of online password management for a pen-and-paper solution?
Given the facts of the situation from LastPass' blog post explaining what happened, I'd say no to giving LastPass the boot, and definitely not to abandoning digital password management for a "little black book."
Leaving a paper trail is a horrendous idea for two reasons. The first is that if you lose your book or it gets stolen, it's gone and you've got a statistically tiny chance of recovering it. The other is that the book itself offers zero security. If somebody else sees it, your passwords are compromised even if the book doesn't get stolen. From any angle, it's just a bad idea.
Before I get to why it's OK to stick with LastPass, though, let's review some of the reasons people use third-party password managers in the first place. Though the five major browsers now offer some method of password protection and management, including syncing between multiple devices, many people have flocked to third-party password protection because it tends to be browser-agnostic. You can access it from any browser, including on your smartphone, and the third-party vendors often provide more features, such as stronger security, password grouping, password generation, password-associated note-taking, and password sharing with trusted individuals.
In fact, one of the best reasons to use LastPass is that it uses 256-bit AES encryption to protect your data, and the company is solely focused on providing password protection. LastPass also uses one-way salted hashes, which is not a potato-based concoction. A "salted hash" in cryptographic terms means that a random value (the salt) is combined with the password before it is hashed, so the stored hash is unique to that user rather than a direct function of the password alone. It prevents pregenerated password tables from being used to gain access to the system, because the random part of the input is too large to precompute for every possible value.
LastPass noted in its blog announcing the possible breach that the company has taken the opportunity to implement salted hash 256-AES protection with PBKDF2. This is a very strong way of protecting stored credentials, and brings us to why it's still a good idea to continue to use LastPass. Unlike recent high-profile data theft cases involving companies like Sony, Ashampoo, Verizon, and Epsilon, LastPass has been very forthcoming with information on the steps the company has taken to ensure continued user protection. This includes noting that despite thin evidence that the possible breach had affected many customers, LastPass decided to take the precautionary step of resetting everybody's master password, and not just those of users on the affected server.
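To make concrete what the salting and PBKDF2 described above buy a defender, here is an added illustration (not LastPass's code, and the iteration count and salt length are assumed values, not LastPass's settings): it derives a salted PBKDF2-HMAC-SHA256 hash, verifies a password against it in constant time, shows that two users with the same password get different stored hashes, and shows that a pregenerated table of unsalted hashes matches an unsalted hash but is useless against the salted one.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed parameters for this illustration, not LastPass's actual settings.
ITERATIONS = 100_000
DK_LEN = 32  # 256-bit derived key


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, key) for a password using PBKDF2-HMAC-SHA256.
    A fresh 16-byte random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations, dklen=DK_LEN)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt, iterations)
    return hmac.compare_digest(key, expected)


def same_password_distinct_hashes(password: str) -> bool:
    """Two users with the same password get different stored hashes."""
    _, key_a = hash_password(password)
    _, key_b = hash_password(password)
    return key_a != key_b


# Constructed sample: a tiny pregenerated table of unsalted SHA-256 hashes.
WORDLIST = ["password", "letmein", "dragon"]
UNSALTED_TABLE: Dict[bytes, str] = {
    hashlib.sha256(w.encode()).digest(): w for w in WORDLIST
}


def table_lookup(password: str) -> Tuple[Optional[str], Optional[str]]:
    """Return the table hit for the unsalted hash and for the salted one."""
    unsalted_hit = UNSALTED_TABLE.get(hashlib.sha256(password.encode()).digest())
    _, key = hash_password(password)
    salted_hit = UNSALTED_TABLE.get(key)  # the salt defeats the precomputed table
    return unsalted_hit, salted_hit


if __name__ == "__main__":
    salt, key = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, key))  # True
    print(same_password_distinct_hashes("dragon"))  # True
    print(table_lookup("dragon"))  # ('dragon', None)
```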
The key paragraph from the LastPass blog post announcing the possible breach is this:
"In this case, we couldn't find that root cause. After delving into the anomaly, we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's e-mail addresses, the server salt, and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs."
So, assuming that LastPass is being forthright and not lying, the following statement also makes sense:
"If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you--the potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.
"To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your e-mail address."
Again, assuming honesty from LastPass--which admittedly may be too much for some people--it appears that LastPass is taking extreme measures to protect all its users from what potentially might have been a data breach. Another reason that LastPass might be requiring all users to reset their passwords is that the company doesn't have access to the master passwords behind the salted hashes on its own servers. They couldn't see your passwords if they wanted to.
It's this kind of straightforward frankness about data breaches that other companies would do well to learn from. Data breaches are inevitable. There is no such thing as a foolproof system, whether we're talking about antivirus definition updates or securing data on a server. But as more and more of our personal data is stored in the cloud, what will differentiate the responsible companies from the reckless ones is clear and quick communication about both security upgrades and data breaches.