My Password-Manager Service Got Hacked. Things Could Be Much Worse.


(Photo by Rob Pegoraro/Yahoo Tech)

At 11:09 last night, I got the one email you don’t want to get from the service keeping your passwords safe. Hint: It has the phrase “security notice” in its subject line.

LastPass, the Fairfax, Va., password-management firm I use on a near-daily basis, discovered on Friday that somebody got into its network. As that dreaded email explained: “No encrypted user vault data was taken; however, other data, including email addresses and password reminders, was compromised.”

A blog post offered more detail: “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”

What, me worry? No, and I have reasons.

Don’t Panic, Pass the Salt

Email addresses, password reminders, salts, and hashes. What’s that mean? Having my email out there may get me more spam, but I already know to ignore that. I don’t remember what password reminder I’d set on that site, so I don’t care about that either.

What are a “salt” and a “hash”? A hash is what you get by running the password through a one-way mathematical function: the site stores that scrambled value instead of the password itself, and checks a login by hashing what you type and comparing the result. A salt is random data, different for each user, mixed into the password before it is hashed, so that two people with the same password end up with different hashes and an attacker can’t crack everybody’s hash at once with a precomputed table. Both help keep a stolen hash from being turned back into a usable password, or at least stretch out how long that takes.

The result is a stored list of hashes in which even identically typed passwords look different to anybody who steals it; a thief has to crack each one separately, one guess at a time. And in LastPass’s case, that will take a while: Its post says it runs each salted password through its hash function 100,000 times in a row, so every single guess costs the attacker 100,000 times the work of a plain hash.
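Here is what that scheme looks like in code, as an added example written for this post rather than anything taken from LastPass: a random salt per user, an iterated hash run for 100,000 rounds, the constant-time login check, and the offline guessing loop a thief holding the stolen salts and hashes would have to run. The hash function is assumed to be PBKDF2-HMAC-SHA256 (the post quoted above names only the round count), and the passwords and wordlist are constructed sample data.

```python
import hashlib
import secrets
import time

# Round count cited in LastPass's post. The function (PBKDF2-HMAC-SHA256) is an
# assumption for this example; the post names only the number of rounds.
ROUNDS = 100_000


def make_salt(nbytes: int = 16) -> bytes:
    """Fresh random salt for one user. It is stored beside the hash and is not secret;
    its job is to make equal passwords hash differently and defeat precomputed tables."""
    return secrets.token_bytes(nbytes)


def hash_password(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted, iterated hash: what the server stores instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def verify_password(candidate: str, salt: bytes, stored: bytes, rounds: int = ROUNDS) -> bool:
    """Login check: re-hash what the user typed and compare in constant time."""
    return secrets.compare_digest(hash_password(candidate, salt, rounds), stored)


def crack(stored: bytes, salt: bytes, wordlist, rounds: int = ROUNDS):
    """What a thief holding the stolen salt and hash must do: pay `rounds` hash
    computations for every single guess. Returns the matching guess or None."""
    for guess in wordlist:
        if hash_password(guess, salt, rounds) == stored:
            return guess
    return None


def seconds_per_guess(rounds: int, samples: int = 5) -> float:
    """Measure what one guess costs at a given iteration count on this machine."""
    salt = make_salt()
    start = time.perf_counter()
    for _ in range(samples):
        hash_password("timing probe", salt, rounds)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Two users who happened to choose the same password (constructed sample data).
    password = "correct horse battery staple"
    alice_salt, bob_salt = make_salt(), make_salt()
    alice_hash = hash_password(password, alice_salt)
    bob_hash = hash_password(password, bob_salt)
    print("same password, different stored hashes:", alice_hash != bob_hash)
    print("login with right password:", verify_password(password, alice_salt, alice_hash))
    print("login with wrong password:", verify_password("Password1", alice_salt, alice_hash))

    # Offline attack on a weak password: one cheap round vs. the 100,000 LastPass uses.
    weak_salt = make_salt()
    weak_hash = hash_password("letmein", weak_salt, rounds=1)
    wordlist = ["123456", "password", "qwerty", "letmein", "dragon"]  # constructed
    print("cracked with 1 round:", crack(weak_hash, weak_salt, wordlist, rounds=1))
    fast, slow = seconds_per_guess(1), seconds_per_guess(ROUNDS)
    print(f"cost per guess: {fast:.2e}s at 1 round vs {slow:.2e}s at {ROUNDS} rounds "
          f"(about {slow / fast:.0f}x)")
```

The salt does nothing to slow down a single guess; it only stops one cracking run from covering every user at once. The 100,000 rounds are what buy time, and they buy it symmetrically: the server pays the same cost on every legitimate login, which is why services pick a round count that is tolerable for them and painful for someone guessing billions of times.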

Remember, LastPass says no saved passwords for other sites left its servers. (I emailed CEO Joe Siegrist twice for comment but did not get a reply.)

“Your data is protected by a very expensive password hashing scheme,” Johns Hopkins University professor and cryptographer Matthew D. Green wrote in an email. That’s “expensive” in terms of computing power and time, but also dollars.

Changing the LastPass master password, which the unknown trespassers might eventually recover from those stolen hashes, should only take about a minute, as I verified firsthand today. Do that now, then come back to this post.

(For more detail about this, please read two tech journalists I trust, Glenn Fleishman at Fast Company and Brian Krebs at his own Krebs on Security blog.)


Password Pain Points

Services like LastPass exist because most human beings can’t remember complex passwords. We compensate by using simpler ones — at best, we get creative by using passwords that evoke fond memories — and by reusing them across different sites.

Both are unwise strategies. Shorter, simpler passwords are easier to guess by brute force if a site gets hacked, especially if it skips the precautions LastPass took. Reused passwords immensely increase your risk: one breach at a careless site hands the attacker a password that also works at every other site where you used it.

Writing down complex passwords on a piece of paper that you keep in your wallet — something you already know to keep safe — is one answer. Security expert and cryptographer Bruce Schneier has recommended it for years.

But that approach doesn’t work well with dozens of logins. Or if that paper in your wallet gets damp.

Password-manager services like LastPass and competitors like Dashlane and 1Password instead store your passwords in tightly encrypted databases and make them available in your browser, in apps, or both.

With one of those, you only have to remember one complex password. Turn on its two-step verification option, which confirms any unusual login with a one-time code sent via text message or computed by a mobile app like Google Authenticator, and an attacker who somehow learns your master password still can’t get in without that second code. (A compromised master password is what LastPass does not actually seem to have suffered.)

But you are left with angst over keeping your passwords at a site that has a giant target on it. As Green wrote: “I think the idea of storing your passwords in the cloud is a risky one, no matter how the technology is implemented.”

What else can you do? You can use a password manager that lives only on your computer (for instance, OS X’s Keychain), but then you must update passwords separately on every machine. And that computer could still get hacked or stolen.

You can use 1Password’s WiFi-only sync to keep your logins offline — but that’s not automatic, and a loss of the device you have with you may leave you locked out of multiple accounts.

“I certainly think that there are more secure methods to be used than a centralized password manager,” said Chris Soghoian, chief technologist at the American Civil Liberties Union (and a LastPass user). “But most people aren’t going to do that.”

Choose Your Own Adversary

Now consider who’s out to get you. If it’s a state-level adversary with the resources of the National Security Agency, the discussion may be academic. As Schneier said during a panel in Washington last month: “If the NSA wanted to be in my computer, they’d be in it.”

Johns Hopkins’s Green urged a pessimistic view for LastPass users, noting that “motivated attackers with specialized hardware rigs and some personal knowledge of the target” wouldn’t be starting off blind at cracking your password. But you already changed your LastPass password … right?

You should think about what accounts pose the most risk of harm if they’re compromised. “Just because you use LastPass doesn’t mean you need to use it for every password,” Soghoian said.

But most of us aren’t interesting on a personal level to hackers. We are undifferentiated blobs of bits that might yield cash if we can only be separated from our logins. If you fall into that category and you use LastPass, you should change your password there — you already did, yes? — and get on with your life.

By which I mean, resume fretting over an actual danger: say, that a gigantic data breach will expose your data in a way that you could have done nothing to protect and which you only learn about months afterwards.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.