LastPass is a very popular app designed to improve users’ online security by storing and managing their passwords for them. Freed from the need to remember a different memorable password for each important web site and service they use, password managers make a valuable contribution to users’ security when using the internet.
- KeePass is open source – this means that the code can be independently audited to ensure nothing untoward is going on. With closed source code (as used by LastPass), we have to trust a commercial company that it is doing what it says it is doing. When it comes to security software, this is something we are loath to do.
- All encryption/decryption is performed client-side – so you do not have to trust a third party
- All encryption keys are also generated client-side and stored locally (i.e. they are not kept in a central database) – the downside here is that is a user loses/forgets their master password, then there is no way to access their saved passwords
- Passwords are usually stored locally, so only those with access to a user’s local machine can access them. It is possible to store the passwords on a cloud service (such as Dropbox), but since they are encrypted, and only the user should know the master password, they remain highly secure.
LastPass has now announced that its servers have been hacked,
‘We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.’
Unsurprisingly, LastPass is keen to downplay the issue, and notes that all passwords are securely encrypted,
‘We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.’
This last part is important, because with ‘account email addresses, password reminders, server per user salts, and authentication hashes,’ the hackers could quite easily guess users’ master passwords, although this would have to be done on a case by case basis (and would therefore be very slow).
As Chris Boyd from Malwarwbytes noted in an email to the press,
‘The biggest cause for concern in the immediate aftermath of the LastPass breach is ‘easy to guess’ password reset questions and password reuse across multiple websites.’
LastPass recommends that all users’ change their master password (not their individual passwords), and turn on two-factor authentication (2FA) for extra security.
It should be noted that this is not the first time LastPass has been hacked, as it suffered a similar incident four years ago.
Boyd notes that even despite the security breaches, using a password manager is still preferable to other insecure alternatives,
‘Many of those affected could say ‘Enough is enough’ and go back to storing passwords on the desktop. While that works for some people, too many would probably fail to consider the security risks brought on by such actions.’
While this is true, we will point out that users of KeePass are not vulnerable to any such attack, as their passwords and the clues needed to decrypt them (e.g. master password hints) are not stored on any central database that could be hacked (while still being very securely stored).