A password storage company has – ironically – experienced a breach. LastPass confirmed in a blog that it found ‘suspicious activity’ in its network on Friday. Whilst the company is saying it’s not a huge problem because it’s pretty hot on security, you might receive some unusual communications from them so it’s important to be aware of what’s going on. There are also some general security tips that anyone can take from it!
On Monday the company admitted that “LastPass account email addresses, password reminders, server per user salts and authentication hashes were compromised”, but maintains that its encryption methods should continue to protect most of its users. The blog says: “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.”
Some terms unpacked:
Hash: This is the output of an algorithm that takes an input message and runs it through a series of operations that compress it down to a ‘hash’. It’s a way of making sure the original message hasn’t been changed, whilst also storing a password that isn’t in plain text. The good thing about this is that it can’t be done in reverse to get the original message, and similar messages produce completely different hashes, so there’s no danger of working a password out from the hash of a similar one.
Salt: The value that you combine with the password before you hash it. So even if you had two passwords which are exactly the same they would produce different hashes with different salts.
But it’s better to be safe than sorry, so the company is taking steps to make sure that users are definitely protected – step one was letting people know swiftly, which is great. Step two is that all users logging in from a new IP or device will have to do an email verification unless they already have two-factor authentication (2FA) turned on. It’s also going to ask users to update their master password, which is a good idea at this stage, but it’s best to wait until you receive the email before changing it!
If you’re a LastPass user you should get an email directly about the sitch, and the company recommends turning on 2FA – as do we. If you use the master password on any other sites you should change them too; although considering the whole point of using a site like LastPass is to create and remember unique passwords hopefully you won’t be reusing any! However, you don’t need to change passwords stored in your LastPass account because encrypted data wasn’t taken.
To help create longer, stronger passwords, UKFast customers can try our password generator widget on your MyUKFast dashboard or download the desktop version!