LastPass Cloud Database Hack Compromises Hashed Master Passwords

Unknown attackers have made off with LastPass account emails, password reminders and hashed user vault master passwords. CEO Joe Siegrist was quick to note that no encrypted user vault data, plaintext passwords or user accounts were accessed. This is the second security breach LastPass has faced in four years. Despite the compromise of the hashed passwords, there is no need to panic just yet.

As befitting a security firm, LastPass chose a more secure way of cryptographically hashing user master passwords. Instead of going with fast md5 or SHA1commonly used, LastPass used PBKDF2-SHA256 with a random salt and 100,000 rounds. With the addition of at least 5,000 more iterations client side, it will make it difficult to hack the hashes and obtain the password. As the encrypted users vaults were also not accessed, attackers will have to obtain that some other way as well.

LastPass is also ensuring users who are logging in from an unverified IP or device to verify via email unless they already have two-factor authentication. Given the above average security, there is no rush to change stored plaintext passwords or the master password just yet, but the earlier it can be done the better. With the difficulty of cracking a password, only those who are likely to be specifically targeted should worry.

Storing passwords anywhere is risky and even more so in the cloud as this attack demonstrated. However, user machines are already quite vulnerable and using a password manager is better than not. The stronger security offered by password manager for regular passwords is invaluable and with only 1 master password to remember, it can be more complex and longer. I know I will continue to use my cloud supported password manager but maybe I think I’ll rethink my plans to store my banking credentials. You can find the LastPass blog post on the incident here.

New LastPass Mac App Announced

The people behind LastPass, the popular and free password generation software, have announced their new standalone Mac app. The app offers significantly more functionality than the browser version with a number of new features.

The app features a vault specifically for storing any sensitive information, from the usual passwords to credit cards and sensitive notes. It also comes with a feature called Securtity Check that allows users to check the strength of their passwords over time, allowing them to make sure whether each password is as strong as they can be.

There’s also a feature called Quick Search allowing users to search through pretty much everything in their vault, including specific logins for specific sites.

“The LastPass Mac App functions as a vault that safeguards sensitive information. It allows our customers to have convenient local access to their data, saving them the distraction of recalling passwords or manually typing in their login details.”  LastPass CEO and Co-Founder, Joe Siegrist

The app will available soon from the Mac App Store.

Source: MacRumors