The password-storage maker LastPass announced the worst possible news for a company in its business on Monday: its password database was breached and user account information stolen. Because LastPass allows central storage and synchronization of your data store—the “vault” of passwords and other information you use with its app and website—someone being able to suss out your master password would seemingly have access to all your secrets.
Fortunately, LastPass seems to have employed enough layers of security in the right way that even this scale of failure shouldn’t rebound on you. Let’s review what risk you’re exposed to if you’re a LastPass user, and what steps you should take to reduce it.
Round and round we go
Early password-storage software on desktops and smartphones was hampered by both the low computational power available and implementation issues. In a report in 2012, digital forensic software firm Elcomsoft found flaws in 17 smartphone password-management apps, some severe. (Some of those problems were mirrored in desktop versions, too.) That report spurred fixes and development, and companies became smarter or more thorough. That paid off in this breach.
Passwords have to be stored in a manner in which they can’t easily be recovered, whether in an operating system, for a website, or protecting an app’s data storage. Every kind of system that uses a password for authentication or access employs a one-way process—unless the outfit running it is negligent.
Many websites almost certainly still use a simple method. They take your password and run it through what’s called a hashing algorithm, which performs intensive mathematical operations on it and produces a result (a “hash”) that can’t be reversed: knowing the hash doesn’t reveal the original password.
Whenever you log in, your password isn’t checked against a stored password. Rather, the site or service runs whatever you entered through the same hashing process and tests the result against the stored hash. If your freshly entered text when hashed matches the previously calculated one, you’re legit.
When ne’er-do-wells steal password files, they don’t immediately get access to passwords. They need to perform cracking operations, working their way through common passwords (based on many large previous public thefts) and into common words and combinations. Crackers don’t go through every possible combination; they pick the most likely ones first. For instance, if asked to enter a word with mixed case, a number, and punctuation, people are more likely to enter
ec7*JH43(k; crackers now follow these sorts of paths to harvest more results.
A well-equipped desktop PC with a high-end graphics card (or several) can churn through billions of password tests per second—yes, per second. Companies like LastPass build in layers of protection to slow them down.
First, LastPass uses a “salt,” which is text that’s combined with a password so that when it’s hashed, all of the identical passwords for user accounts have different hashes. “aa” + “Apple1!” is very different when hashed than even “aA” + “Apple1!”.
Second, the company uses an algorithm that doesn’t just hash once, but many times. The default for LastPass on the client side—in a native or Web app—is 5,000 rounds.
Third, when you log into LastPass on the website or via a sync client, the password still isn’t sent. Instead, your locally hashed password is sent in that form to the server, where it’s run through another 100,000 rounds.
This isn’t just for show. The estimate I can come up with for cracking all of that combined, using about $10,000 of graphics processing units (GPUs), is about 30 passwords per second instead of billions. An Ars Technica expert thinks it’s even lower: about 10 passwords per second.
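The three layers above (salt, client-side rounds, server-side rounds) as an added Python example, not LastPass’s code. PBKDF2-HMAC-SHA256 is an assumed stand-in for the iterated hash the article leaves unnamed, reusing one salt on both sides is an assumption, and the function names are hypothetical.

```python
import hashlib
import hmac
import time

CLIENT_ROUNDS = 5_000    # client-side default quoted in the article
SERVER_ROUNDS = 100_000  # extra server-side rounds quoted in the article


def client_hash(password: str, salt: bytes) -> bytes:
    """Runs on the user's device; this value is sent instead of the password."""
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the unnamed iterated hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ROUNDS)


def server_record(login_hash: bytes, salt: bytes) -> bytes:
    """Runs on the server; only this stretched value is stored."""
    return hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive from the entered text and compare in constant time."""
    candidate = server_record(client_hash(password, salt), salt)
    return hmac.compare_digest(candidate, stored)


def slowdown_factor(samples: int = 3) -> float:
    """How much more work one guess costs than one plain SHA-256 hash."""
    salt, pw = b"aa", "Apple1!"
    start = time.perf_counter()
    for _ in range(samples):
        server_record(client_hash(pw, salt), salt)
    stretched = (time.perf_counter() - start) / samples
    plain_runs = 20_000
    start = time.perf_counter()
    for _ in range(plain_runs):
        hashlib.sha256(salt + pw.encode()).digest()
    plain = (time.perf_counter() - start) / plain_runs
    return stretched / plain


if __name__ == "__main__":
    # Constructed sample data: the article's two salts and its example password.
    # Real salts should be long and random; these are short for illustration.
    rec_a = server_record(client_hash("Apple1!", b"aa"), b"aa")
    rec_b = server_record(client_hash("Apple1!", b"aA"), b"aA")
    print("same password, different salt, same record?", rec_a == rec_b)
    print("correct password verifies:", verify("Apple1!", b"aa", rec_a))
    print("wrong password verifies:  ", verify("apple1!", b"aa", rec_a))
    print(f"one guess costs ~{slowdown_factor():,.0f}x a single SHA-256")
```

The measured factor varies by machine, but it is the per-guess cost that turns billions of tests per second into a handful.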
Now, we have to factor in the fact that some people’s password hints may allow specific accounts to be targeted (“my password is my first name plus a one”), and that determined crackers might gain access to or have bought (or stolen) 1,000 times the power of the rig I’m using for rough estimation.
But the odds of mass decryption are very low, and if you’re a LastPass user, you can make them even lower.
What you can do
LastPass says in its blog entry, “Encrypted user vaults were not compromised.” This is a critical fact because changing your master password will immediately make the stolen password information useless. If crackers had stolen vaults, they would be able to churn on them forever or return to them in the future and crack them with more advanced or powerful technology. Since people often don’t change passwords for years at a time or forever, that could have still been a risk.
LastPass also advises changing your password at any other account for which you use the identical password. Because email addresses and password hints were stolen, crackers who compromise one account will try for others. However unlikely, it’s good to make these changes. (Also, if you use LastPass or similar software, you can easily avoid using the same password twice or more.)
The benefit of second-factor authentication also remains in effect. The information stolen from LastPass doesn’t let a cracker who recovered your password gain access without the token you need to generate on a device or in an app to which you have access. (LastPass conceivably has kept secure the seeding information used for second factors.)
When setting a new master password, you can avoid the often bad advice about selection that advises something that’s hard to remember and type. The notion is that coming up with something short and complex is better than something long and simple. This is incorrect.
A set of three or more words that are unusual together is more secure than a short complex password that you invented yourself. Because you can’t store LastPass’s master password in LastPass, you should think of a way to make a memorable result. Some experts suggest phrases or unlikely conjunctions: you were running in the woods and stubbed your toe when you saw a unicorn becomes “runs stubbed unicorn”. It would take on the order of a quintillion password checks to get to that result.
LastPass wasn’t just lucky. Their preparations paid off. I’m looking forward to learning more about just how their systems were penetrated, and I hope in the interests of transparency, the company will provide more details. But it’s nice for once to see that an ounce of prevention was worth a million tons of cure.