LastPass Was Hacked – Are Password Managers Really a Good Idea?

Sep 30, 2021 | Uncategorized

Passwords! Passwords Everywhere!

Individuals are keeping up with more passwords now than ever. Unique passwords are best, so that if someone gains access to one of your accounts they can’t automatically get to your others. Passwords should also be “strong”. Generally this means at least eight characters long, including numbers, upper and lower case letters, and symbols. Ideally, a strong password does not even contain any words found in a dictionary.

So how does one keep up with all these unique, long and strong passwords? It used to be the only way to do this was to write them down. While this is a valid form of password management (if you can keep your list safe), nowadays we also need those passwords while out-and-about, and on multiple devices. Cloud-hosted password management tools, such as LastPass and Dashlane, provide this desired portability. These tools help people keep their passwords strong, unique, secure, and accessible.

One Password To Rule Them All!

Password management tools work by having you create a single master password, which is used to log in to the tool. The master password also encrypts and decrypts a vault that stores all of your passwords. If you forget your master password, you have a password reminder. This is the only reminder that can be provided by the application developers, because even they don’t have access to your unencrypted password. If you forget your password completely and your password reminder doesn’t jog your memory, then you can’t get back into your password vault.

An online vault of passwords, even when it is encrypted or hashed, is an appealing target for hackers. Therefore, these companies take security very seriously. However, no system is perfect. LastPass was the most recent of the major tools to report a breach. On June 15, 2015, attackers stole encrypted master passwords, email addresses, the password reminders, and some other odds and ends of many accounts.

How Do They Get Your Password If It Is Encrypted?

When usernames and encrypted passwords are stolen, the attackers will try to guess the corresponding plain text (non-encrypted) password. To do this, they take a guess, encrypt it, and then compare it to the list of stolen passwords. If they get a match, they can log in as the user. In an attack that does not involve a password vault, the attackers will often try this same username and password combination on other sites, like banks. The success of this form of attack is highly dependent on how fast these guesses can be generated.

There are many ways (algorithms) to encrypt, or hash, passwords. For the most common ways, hackers can use specially built computers to guess millions, or even billions, of passwords in a second. Three years ago, an expert demonstrated a computer that was able to go through 180 billion combinations in a second! However, this speed is not attainable for all encrypting algorithms. To combat the ability of modern computers to guess so many passwords so quickly, new algorithms are being implemented. These algorithms are slower to execute, which means it takes longer to generate a single guess.

So What About LastPass?

LastPass uses one of the new, slower algorithms to encrypt everyone’s master password. But they don’t stop there. Further increasing the time it takes to encrypt the master password, LastPass sends it through this process 100,000 times. An attacker has to do the same thing to end up with an accurate, encrypted guess.

It takes a long time, in computer terms, to encrypt a password in the way that LastPass does. So instead of billions to hundreds of billions of guesses in a second, it is more along the lines of tens of thousands or millions of guesses in a second. While this still seems like a lot of guesses, it really means that a strong master password can still be considered secure.

Now we come to the possible Achilles’ heel of a strong password: the password reminder. Password reminders stored in plain text were compromised during the recent breach. If the password reminder makes the password easy for someone else to guess, then that account is more at risk. For example, “first names of kids” is not ideal because a search of your email address might lead to information with their names. All of this to say: be careful when creating a password reminder. Be aware that even things that are supposedly private might be found online through a simple search.

Password vaults are always encrypted before being sent to LastPass. Therefore, the attacker has to get the master password to access any of the other passwords. No one can decrypt the vault without the master password. If the master password is strong, the vault is reasonably secure. However, if the master password is weak, or easily guessable from the password reminder, then the vault is at risk. Either way, changing the master password after a breach will once more secure the vault and all the passwords it contains.
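To make the two previous sections concrete (guess, hash, compare; and why 100,000 rounds slows each guess), here is an added example that is not LastPass’s code and is not from the original post. The article does not name the slow algorithm, so PBKDF2-HMAC-SHA256 is assumed here as a representative of that class, and the salt and passwords are constructed sample values.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # the round count the article cites


def stretch(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte key from the master password.
    PBKDF2-HMAC-SHA256 is an assumption; the article only says 'a slower algorithm'."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def enroll(master_password: str, iterations: int = ITERATIONS) -> dict:
    """What a service stores: a random per-user salt, the round count and the
    stretched result. The plain master password is never stored."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "hash": stretch(master_password, salt, iterations)}


def verify(record: dict, candidate: str) -> bool:
    """A login check: stretch the candidate exactly as at enrollment and compare.
    Anyone holding a stolen record must pay the same per-guess cost.
    compare_digest avoids leaking where the comparison stopped matching."""
    derived = stretch(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], derived)


def guesses_per_second(iterations: int, samples: int = 10) -> float:
    """Rough single-core measurement of how many candidates can be stretched per
    second at a given round count; the gap between 1 and 100,000 is the point."""
    salt = b"constructed-sample-salt!"  # constructed, not from any real service
    start = time.perf_counter()
    for i in range(samples):
        stretch(f"sample-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")  # constructed sample password
    print(verify(rec, "correct horse battery staple"))  # True
    print(verify(rec, "password123"))                   # False
    for rounds in (1, 1_000, ITERATIONS):
        print(f"{rounds:>7} rounds: ~{guesses_per_second(rounds):,.0f} guesses/s on this core")
```

The printed rates are for one CPU core in Python; dedicated cracking hardware is far faster at every setting, which is why the round count matters more than the raw number.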

Thanks for the info, but should I use a password management tool?

Yes, you should. Everyone today should be using some form of password management to keep their passwords strong and secure. The password management tool could be pen, paper, and a locked filing cabinet. It could also be a tool that is only installed on your computer and doesn’t have a cloud component. However, a properly designed and implemented online password management tool, such as LastPass, is still a good choice for helping to keep your passwords safe.