GCHQ Claims Longer Passwords Are Unnecessary

GCHQ is a government body which monitors communication in the UK and protects the security of its citizens. While the organization remains fairly aloof, it has come under a great deal of scrutiny in lieu of the Edward Snowden revelations. GCHQ and the Centre for the Protection of National Infrastructure compiled a report entitled “Password guidance: simplifying your approach”. This piece of documentation recommends users to opt for a password manager instead of long and overly complicated passwords:

“Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users.”

Although, professional hackers are still capable of infiltrating any kind of software:

“like any piece of security software, they are not impregnable and are an attractive target”.

Nigel Hawthorn from security company Skyhigh Networks argued:

“The security industry is awash with password advice, but much of it is contradictory or simply not suited to modern working. The result – passwords still puzzle many. GCHQ’s latest advice is refreshingly to the point and covers some of the most pressing issues facing UK businesses and employees today.”

The question is, do you trust GCHQ’s advice given their less-than-admirable behaviour in recent years? Ideally, you should set a different password for each service to avoid every aspect of your being disrupted during a hack. Although, it can be quite difficult to remember passwords as various sites set specific stipulations for the characters used. Hopefully, fingerprint recognition and other methods will replace passwords in the near future.

Thank you The Guardian for providing us with this information.

LastPass Cloud Database Hack Compromises Hashed Master Passwords

Unknown attackers have made off with LastPass account emails, password reminders and hashed user vault master passwords. CEO Joe Siegrist was quick to note that no encrypted user vault data, plaintext passwords or user accounts were accessed. This is the second security breach LastPass has faced in four years. Despite the compromise of the hashed passwords, there is no need to panic just yet.

As befitting a security firm, LastPass chose a more secure way of cryptographically hashing user master passwords. Instead of going with fast md5 or SHA1commonly used, LastPass used PBKDF2-SHA256 with a random salt and 100,000 rounds. With the addition of at least 5,000 more iterations client side, it will make it difficult to hack the hashes and obtain the password. As the encrypted users vaults were also not accessed, attackers will have to obtain that some other way as well.

LastPass is also ensuring users who are logging in from an unverified IP or device to verify via email unless they already have two-factor authentication. Given the above average security, there is no rush to change stored plaintext passwords or the master password just yet, but the earlier it can be done the better. With the difficulty of cracking a password, only those who are likely to be specifically targeted should worry.

Storing passwords anywhere is risky and even more so in the cloud as this attack demonstrated. However, user machines are already quite vulnerable and using a password manager is better than not. The stronger security offered by password manager for regular passwords is invaluable and with only 1 master password to remember, it can be more complex and longer. I know I will continue to use my cloud supported password manager but maybe I think I’ll rethink my plans to store my banking credentials. You can find the LastPass blog post on the incident here.