Last night, password management company LastPass notified users in a blog post that it had been the target of a hack that accessed users’ email addresses, encrypted master passwords, and reminder words and phrases the service asks users to create for those master passwords.
In general, we are not a fan of password management tools. While they provide convenience, a central repository of any sensitive data is always going to garner greater attention from hackers.
In some ways, it might even be better to store this sort of encrypted password data locally on a piece of paper in your office. After all, these sophisticated hackers are more likely to be in China or Russia than they are in the cubicle down the hall from you.
But the good news about this story is that the hashes stolen were very well encrypted. The company noted that it has cryptographic protections in place on those master passwords, including “hashing” and “salting” functions designed to make cracking the underlying passwords nearly impossible. This should be enough to protect almost all of its users. Those who have not practiced proper password hygiene to date (i.e. using simple passwords or ones reused from other sites) may still be vulnerable.
In addition, LastPass offers two-factor authentication on their services, which will help minimize the impact of that breach. This serves as a good reminder that multi-factor authentication is an effective approach to minimize impact of breach on end-users. Is it inconvenient? Yes. But security is always on the other side of the see-saw from convenience and usability. Users should embrace this option, and even demand that their cloud providers "force two-factor authentication upon them". That way, even if (or more realistically when) their passwords are stolen, the underlying account cannot be compromised.