Tuesday, June 16, 2015

LastPass Breach - Security Done Rightish

In today's world it is only a matter of time before a company's data is breached, and this time it was LastPass. LastPass said it discovered the breach on Friday, 6/12/15, and reported it to users the following Monday, 6/15/15. Nothing has been said about when the breach actually occurred, though.

LastPass has also stated that no encrypted user vaults were taken and that no user accounts were accessed. Only account email addresses, password reminders, per-user server salts, and authentication hashes were compromised.

This sounds like another terrible breach, right? What are all the LastPass users going to do now?

Well, because of LastPass's smart security practices and planning ahead, its users don't have much to worry about. This breach was handled better than any other one I've seen before.

First off, LastPass actually hashes its users' passwords. Nowadays this alone doesn't mean much because of GPU password cracking, but wait, there is more. They also add a random salt value to the hash to make it harder to crack. Okay... it isn't unheard of for a salted hash to be cracked either. Well, that is why LastPass also applies 100,000 rounds of server-side PBKDF2-SHA256 to the salted hash. This is a technique known as key stretching. It is done to slow down the hashing function, which in turn also slows down password cracking. This can make cracking so slow that it isn't even worth spending the time to crack the password. For more information on hashing, salts, and key stretching check out CrackStation.
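To make the key-stretching point concrete, here is an added example (my own illustration, not LastPass's code; the record layout and the auth-value input are assumptions) that builds a per-user salt plus a 100,000-round PBKDF2-SHA256 authentication hash, verifies a candidate in constant time, and measures how many guesses per second a single core can check against the leaked record compared with a single-round hash:

```python
import hashlib
import hmac
import os
import time

# Parameters as described in the post: a random per-user server-side salt and
# 100,000 rounds of PBKDF2-SHA256 over the salted value. The dict record layout
# below is an assumption for illustration, not LastPass's real storage format.
ITERATIONS = 100_000
SALT_BYTES = 32
DKLEN = 32


def make_auth_record(auth_value: str, iterations: int = ITERATIONS) -> dict:
    """Create what the server stores: a fresh random salt plus the stretched
    authentication hash. auth_value stands in for whatever the client sends
    (LastPass derives it from the master password on the client side)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", auth_value.encode(), salt, iterations, DKLEN)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_auth(record: dict, candidate: str) -> bool:
    """Recompute the stretched hash for a candidate and compare in constant
    time; anyone holding the record must pay the same PBKDF2 cost per guess."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"],
                                 record["iterations"], DKLEN)
    return hmac.compare_digest(digest, record["hash"])


def guesses_per_second(record: dict, samples: int = 3) -> float:
    """Measure how many candidate values one CPU core can test per second
    against this record, i.e. the cost the round count imposes per guess."""
    start = time.perf_counter()
    for i in range(samples):
        verify_auth(record, f"constructed-guess-{i}")  # constructed wrong guesses
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    rec = make_auth_record("constructed-sample-auth-value")
    print("correct value verifies:", verify_auth(rec, "constructed-sample-auth-value"))
    print("wrong value verifies:  ", verify_auth(rec, "wrong-value"))
    print(f"~{guesses_per_second(rec):.1f} guesses/s on one core at {rec['iterations']} rounds")
    fast = make_auth_record("constructed-sample-auth-value", iterations=1)
    print(f"~{guesses_per_second(fast):.0f} guesses/s on one core at 1 round")
```

The two rates printed at the end show the slowdown factor key stretching buys; GPU rigs shift the absolute numbers but not the ratio between stretched and unstretched hashes.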

Another thing LastPass did right was informing its users of the breach within just a few days. We see most companies waiting weeks or months before deciding to inform everyone; by then their users' passwords could have been cracked and their accounts compromised. LastPass did it right by sending out emails and putting an official notice on its website right away (LastPass Notice).

After all those things, LastPass took an additional step to make sure it kept its users' information secure. Users logging in from a new device or a new public IP address have to verify their email account, unless they sign in from a trusted device or have multifactor authentication enabled. This by itself makes it really hard for an attacker to compromise a LastPass account, even with a cracked password.

With all that said, I believe LastPass did a great job protecting its users. Yes, I know that email addresses were compromised and now whoever breached LastPass has them, but in the grand scheme of things that is only a minor information leak.
