I have a couple of thoughts regarding the breach of the popular password manager LastPass earlier this week. Initially I was disheartened to hear about the breach, but I was very glad that LastPass dealt with it swiftly and responsibly. I actually learned of the breach from LastPass, with an email alerting me to change my master password. Additionally, LastPass is verifying all initial post-breach logins via email unless two-factor authentication is enabled on the account. I was also glad to hear that the attackers were unable to make off with anything more substantial than strongly stretched, salted hashes of master passwords (hashed, not encrypted: a hash cannot be reversed, only guessed against), the cryptographic salts, and email addresses. Though certainly less than ideal, the attackers were still unable to capture plaintext password vaults.
Though I don’t use LastPass anymore, I did for several years, and because of that familiarity and my comfort with it, I recommended it in Your Ultimate Security Guide: Windows 7 Edition and plan to in the upcoming iOS 8.3 Edition. The two big takeaways from this breach (at least in my mind) are:
Cloud-based password managers are inherently risky. This may be a provocative statement, because many people use web-based password managers without incident. But for how long? First, because of the treasure trove of information a password manager contains, it is naturally a target. Second, because a cloud-based manager is a more complex system than a host-based password manager like Password Safe, there are more potential points of failure. The encrypted vault must travel back and forth between your computer and the provider's servers, be decrypted locally to be used, be re-encrypted before it is uploaded again, and so on. A lot of things have to be done correctly, at every step, for the whole process to be secure.
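To make concrete what "hashed master passwords, salts, and email addresses" means in the hands of an attacker, and why the client-side derive/decrypt/re-encrypt chain above has to be done right at every step, here is an added example. It is my illustration, not LastPass's code: the two-stage layout (a vault key derived on the client, a separate login token, and a server-side salted re-hash), the round counts, the email address, the passwords and the wordlist are all assumptions constructed for the demo. It shows that the server never holds the vault key, that a leaked record still lets an attacker replay the whole derivation per guess (the email address is the client-side salt, which is why leaking it matters), and that stretching makes each guess expensive while a weak master password falls anyway.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical work factors chosen for this illustration; they are not
# LastPass's actual settings.
CLIENT_ROUNDS = 100_000   # stretching done in the browser extension / app
SERVER_ROUNDS = 100_000   # additional stretching done by the service
HASH = "sha256"


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: the key that encrypts the vault, derived from the master
    password with the normalised account email as salt. It never leaves the
    client, so a server breach cannot expose it directly."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac(HASH, master_password.encode("utf-8"), salt, CLIENT_ROUNDS)


def client_auth_token(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more PBKDF2 step over the vault key, salted with the
    password, yields the login token actually sent to the service. Knowing
    the token does not reveal the vault key (PBKDF2 is one-way)."""
    return hashlib.pbkdf2_hmac(HASH, vault_key, master_password.encode("utf-8"), 1)


def server_enroll(auth_token: bytes) -> dict:
    """Server side: never store the token itself. Salt it with a fresh random
    per-user salt and stretch again. This record, plus the email address, is
    what a database theft hands to the attacker."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac(HASH, auth_token, salt, SERVER_ROUNDS)}


def server_verify(record: dict, auth_token: bytes) -> bool:
    """Server-side login check: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(HASH, auth_token, record["salt"], SERVER_ROUNDS)
    return hmac.compare_digest(record["hash"], candidate)


def offline_crack(record: dict, email: str, guesses) -> Optional[str]:
    """What an attacker holding the leaked record and email can do: replay the
    whole client+server derivation for each guess. Every guess costs
    CLIENT_ROUNDS + SERVER_ROUNDS iterations, which is the point of stretching."""
    for guess in guesses:
        token = client_auth_token(derive_vault_key(guess, email), guess)
        if server_verify(record, token):
            return guess
    return None


def demo() -> dict:
    """Enroll a weak and a strong master password, then run the leaked records
    through a tiny wordlist. Every input below is constructed for this example."""
    email = "alice@example.com"
    weak = "password1"
    strong = "plover-harbor-quartz-9!vT"
    weak_record = server_enroll(client_auth_token(derive_vault_key(weak, email), weak))
    strong_record = server_enroll(client_auth_token(derive_vault_key(strong, email), strong))
    wordlist = ["123456", "letmein", "password1", "qwerty"]
    return {
        "weak_cracked": offline_crack(weak_record, email, wordlist),
        "strong_cracked": offline_crack(strong_record, email, wordlist),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the attacker's per-guess cost is the same as the legitimate login's: the only lever the service has is to raise the round counts, and the only lever the user has is to pick a master password that no wordlist will reach. That is why the advice after a breach like this is always "change your master password", regardless of what else was or was not taken.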
Two-factor authentication is important. When I first saw the email from LastPass about the breach, my heart sank. I no longer use LastPass, but I know a lot of people who do. Fortunately I know that most of them also use two-factor authentication, and as I learned more about the breach I realized that accounts protected with two-factor were still safe. I gave high praise to LastPass in Your Ultimate Security Guide: Windows 7 Edition for the multitudinous two-factor options it offers: “The Grid” (my favorite), Google Authenticator, fingerprints, YubiKey, etc. With two-factor enabled, my friends were able to rest easy knowing that their passwords had not been breached. This is the kind of confidence I want in an internet system, especially one with which so much critical data is entrusted.
As I said earlier, I would still recommend LastPass to anyone who is determined to have a web-based password manager. The convenience of the system is hard to deny, but personally, I’d rather have the security of knowing exactly where all of my passwords are stored.