IT Focus Area: Security
June 16, 2015
The Evolution of Password Management and the LastPass Hack
LastPass—a leading password management service that “helps millions around the world solve their password security problems” announced yesterday that it has been breached.
LastPass customers store individual passwords for numerous sites in a “vault,” and can log into those sites automatically through a single master password linked to the service. It also includes tools for generating strong passwords. Services like LastPass are a natural part of the evolution of password management.
Initially, the advice was not to write down your passwords (remember that yellow sticky note on your cube-mate’s PC back in the day?) or otherwise make them physically accessible. Then the buzz was about making passwords more complex. When users started relying on the same password across many sites, the next step was to not only increase complexity, but to also make each password unique. It’s a great idea, but unlike the devices and services we’re trying to connect to, we’re human—most of us aren’t equipped to remember a bunch of unique passwords with complex character strings.
Hence the introduction of services like LastPass. They’re helpful for security-conscious, hyper-connected users with a bunch of disparate passwords, but their security depends on the service itself not getting hacked. Which it just has, for the second time in four years.
In this case, the company’s CEO reported that unknown attackers have made off with hashed user passwords, cryptographic salts (unique elements that make each password more difficult to crack), password reminders, and email addresses. There is no indication that the attackers were able to open cryptographically locked user vaults where the plain-text passwords are kept, but the password reminders could be useful to attackers in a targeted attack.
So what is the key takeaway? What can we do?
The immediate answer is that LastPass users need to set a new master password for their vault, and anyone logging in from a new device or IP address will need to verify their identity if they don’t have two-factor authentication enabled.
The long-term answer is that there isn’t an easy answer. LastPass customers use the service because they are trying to be vigilant—just like the customers affected by the Target breach who went to Experian for credit monitoring, only to discover that Experian itself had recently been breached (through a subsidiary). It’s hard to keep data safe these days.
One possible next step in the evolution of password management is broader adoption of the use of two-factor authentication to better protect log-ins. You may have read that a startling lack of two-factor authentication played a role in the recent data breach at the U.S. Office of Personnel Management (OPM). A report by OPM’s Office of the Inspector General on the agency’s compliance with the Federal Information Security Management Act detailed “significant” deficiencies in the department’s IT security, including the fact that that multi-factor authentication was not required to access OPM systems.
Two-factor authentication (TFA or 2FA) involves the presentation of two different kinds of evidence to assert identity when requesting access. The two “factors” can be a combination of any two of the following: something the requestor knows (such as a password or PIN), something they have (such as a physical token or badge), and something they “are” (such as a fingerprint or iris scan). The driving principle behind multi-factor authentication is to increase security by requiring pieces of evidence that have different attack vectors (e.g. logical, physical). It’s a lot more secure than a (hackable) password alone, and is one of the best things organizations in all industries can do to protect accounts.