Password management service LastPass has reported a hack of its system, with hackers being able to steal cryptographically protected passwords along with other sensitive data.
Fortunately, hackers were not able to access the vaults where plain-text passwords are stored, essentially resulting in little risk to users with moderately strong passwords. The hack does, however, put into question the safety and risk associated with services such as LastPass.
"Because LastPass recommends but does not mandate that its users create a very strong master password, those accounts with weak passwords are at risk," said Barry Shelton, an attorney at Pillsbury Winthrop Shaw Pittman LLP, which specializes in technology law, in an email with Tech Times. "LastPass is also belatedly changing its key derivation process after the possible breach ... that is an excellent measure, [one] hopefully not too late for its users."
Of course, this is not the first time that LastPass, specifically, has run into trouble. In 2011 the company detected anomalies in its server logs indicating that data had been accessed, data that may have included passwords.
It is important to note that the theft of cryptographically protected passwords is, by itself, not that serious. Users who are worried should be able to simply change their master passwords and be safe, especially if their master passwords are reasonably strong. It is unlikely that hackers will be able to use the stolen information in any significant way. That, however, is a very specific scenario, and it is lucky that LastPass did not lose more valuable information. Had the hackers managed to steal master passwords, there would be a real issue: they would potentially be able to access hundreds of user accounts across all kinds of websites, likely including bank accounts and other important online accounts.
"Password vaults in the cloud are potentially dangerous as a breach like this could expose every password to every site for a wide range of users," said Devin Egan, co-founder and CTO of LaunchKey, a mobile password security service, in an email with Tech Times.
"As LastPass themselves recommend, users need to enable additional factors of authentication on these systems, as protecting this data with a password alone is not secure. Unlike a site that stores passwords one-way hashed, a password manager encrypts the users' passwords with a way to decrypt them so they can be used later."
Of course, just because most users are safe doesn't mean that it's insignificant that a company built on security could be hacked. LastPass, like every other website and network, is susceptible to attackers. In short, services such as LastPass are not extremely safe, but they are certainly safer than reusing the same password for every website a user belongs to.
At a minimum, users should take note of the incident and ensure that their passwords are as strong as possible. Not only that, but users should use different passwords for different websites, instead of, like many people, reusing passwords for convenience.
Fortunately, it is highly likely that better security systems than passwords, such as biometric authentication systems, will soon be the norm. These will utilize things like fingerprints and facial recognition to authenticate a user, and are far less "hackable."