Top password-management service LastPass's servers were breached Friday (June 12), resulting in the theft of an unspecified number of "account email addresses, password reminders, server per user salts and authentication hashes," the company wrote in a blog post yesterday (June 15).
The company said that the "vaults" containing users' passwords to other accounts were not affected. Nonetheless, it has asked all its customers to change their master passwords.
Yet some experts say those master passwords, which LastPass stores as the aforementioned "authentication hashes," were so well protected that LastPass customers need not worry too much.
"I'm definitely not sweating this breach," Ars Technica Resident Password Expert Jeremi Gosney told the news site. "I don't even feel compelled to change my master password."
Like other password managers, LastPass saves and fills in users' passwords on multiple online accounts. Users need to remember only a single master password, which the service salts and hashes instead of writing it down as plaintext.
"Salting a hash," for those who do not know, involves adding a few random characters -- the salt -- to each password, which is then run through a mathematical algorithm to create a "hash" that looks like gibberish and cannot easily be reversed. Without salts, many password hashes could be guessed by comparing them to precalculated hashes of the 10,000 or 100,000 most common passwords. With salts, two users who both chose "password1" end up with different hashes.
LastPass adds a third layer of protection: Its password-hashing system re-hashes each password 100,000 times before storing it, making "cracking" a stolen hash by brute-force guessing nearly impossible.
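As an added illustration (not LastPass's own code), the following shows how a per-user salt and a 100,000-round iterated hash work together: identical passwords get different stored hashes, and each guess an attacker makes costs the full round count. The page gives only the round count, so PBKDF2-HMAC-SHA256 and a 16-byte salt are assumptions here.

```python
import hashlib
import hmac
import os
import time

# Round count from the article; the algorithm (PBKDF2-HMAC-SHA256) and the
# 16-byte salt length are assumptions for this illustration, not LastPass's.
ROUNDS = 100_000


def hash_password(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Derive an authentication hash from a master password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def new_user_record(password: str, rounds: int = ROUNDS) -> dict:
    """Build the stored record: a fresh random salt plus the derived hash.

    This is what a breach would expose (salt, hash, round count), never the
    plaintext master password.
    """
    salt = os.urandom(16)
    return {"salt": salt, "rounds": rounds, "hash": hash_password(password, salt, rounds)}


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against the stored record in constant time."""
    derived = hash_password(candidate, record["salt"], record["rounds"])
    return hmac.compare_digest(derived, record["hash"])


def salts_defeat_precomputation(password: str) -> bool:
    """Two users with the same password must get different hashes, yet both verify.

    A precomputed table of hashes for common passwords is useless against this.
    """
    a, b = new_user_record(password), new_user_record(password)
    return a["hash"] != b["hash"] and verify(a, password) and verify(b, password)


def guesses_per_second(rounds: int, samples: int = 5) -> float:
    """Rough throughput of one CPU core testing guesses at a given round count.

    Comparing rounds=1 with rounds=100_000 shows why iteration turns an
    hour-long cracking job into a decade-long one.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hash_password(f"guess{i}", salt, rounds)
    return samples / (time.perf_counter() - start)
```

Running `guesses_per_second(1)` and `guesses_per_second(100_000)` side by side gives the slowdown factor on your own machine; the attacker pays it on every single guess.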
"What I could've [cracked] in an hour now takes a decade," wrote Rob Graham, CEO of Atlanta-based Errata Security, in a blog posting about the LastPass hack. "Even with 100,000 computers, the NSA won't be able to brute-force a 12-letter password" run through LastPass's system.
"Even weak passwords are fairly secure with that level of protection (unless you're using an absurdly weak password)," wrote Gosney, who uses software to jumble his own LastPass master password before it leaves his computer.
Absurdly weak passwords include the examples LastPass provided in its breach notification: "robert1", "mustang", "123456799", "password1!".
Not everyone agrees with Gosney that the LastPass master passwords are safe. Joseph Bonneau, a Stanford cryptography researcher whose focus is on password security, told Wired that we still do not know enough about this hack to stop worrying.
"It really depends on how quickly [LastPass] discovered this," Bonneau said. "We don't have any information on that."
Also worrying is the fact that password reminders, or hints, relating to the master passwords were compromised. LastPass lets users create these hints themselves rather than just asking, "What's your mother's maiden name?" But if a user-generated hint is too obvious, such as "winner of 1995 World Series," it might not be safe. (Try the 1994 World Series instead.)
How should you protect yourself if you use LastPass or another password manager? The first step is to change any simple master password to something long, random and composed of digits, common punctuation marks, and uppercase and lowercase letters. If your service of choice offers two-factor authentication (LastPass does), enable it today.
One last piece of common advice about password managers: Do not use your master password anywhere else. If you do, and that second service or account is hacked, and your username is the same as for your password manager, then ALL of your online accounts are wide open.