One of the most used online password managers, LastPass, winner of numerous IT awards, like PC Magazine editor’s choice and featured in IT podcasts like Security Now, is asking all its users to change their main account password after detecting an abnormal data transfer on their servers.
LastPass has noticed unexplained traffic and it is possible that encrypted data was pulled out from their database, the people who would be at risk in that scenario are those users using a weak password to log in, LastPass encryption algorithm is sound but using an easy to guess password makes it crackable using brute force attack, which consists in quickly trying all of the dictionary words in a matter of hours using specialist password cracking software.
Those using a weak easily guessed masterpassword stand a good chance to be affected, LastPass recommends all of its users to change their main password account, the amount of data transferred by the hackers appears to be enough to contain the user’s email and salted hashed (encrypted) password.
Is LastPass still secure?
The company is announcing the roll out of a one-way encryption algorithm even stronger than the one they are using, PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds.
I would be concerned about about storing all of your passwords online, whether encrypted or not, breaking into LastPass, or any other online password manager, would mean a profit of millions of dollars for malicious hackers, just imagine what they could get, email accounts, online banking details, credit card numbers (stored in notes), date of birth and names (stored in profile), forum usernames for identity theft, etc.
I would imagine LastPass is pretty high in the list of targets for cybercriminals, my main concern with LastPass it is that like all of the online password managers out there, their PR claims that their servers are extremely secure, but even the USA Government secret services get hacked, I don’t think any server out there is 100% secure if it is connected to the Internet.
My other concern, with online password managers in general, not only LastPass, is that the company will have a personal interest in minimizing the incident, LastPass for example it is not even admitting they have been hacked.
I doubt LastPass would come out public with this if they did not believe the chances of someone having hacked their servers were pretty high. Can hackers erase all of their IP traces or is LastPass unwilling to admit they have been hacked for certain? Whichever the case, poor log auditing or a company covering it up, the result it is the same, not trustworthy.
Every time I see a company with its user’s database compromised (Gawker, Sony, Lush, etc), I notice a total lack of transparency, you just have to sit down and trust that the company with a direct economical interest in not making fuss over the incident explains the details of what exactly happened and what security mistakes they did.
You should also be aware that due to all of the people login into LastPass at once to change their password the server could not handle it and it momentarily it blocked some user’s access, a Denial of Service attack locking you out of your password manager is another hazard you are exposed to by using an online password manager.
Online password manager alternative
The obvious LastPass, or any other online password manager, alternative it is an offline password manager, a good choice would be KeePass which is free and open source. By using KeePass you are making sure that you will be in control of you passwords database at all times, if you are a LastPass customer, read the instructions to import LastPass passwords into KeePass.