Trusting Others with Your Credentials
By Michael Ivy | May 6, 2011

LastPass provides users of its service with an online vault to store their passwords and form-fill information, everything being locked up with a master password.  LastPass announced in its blog earlier this week that, after investigating a traffic anomaly on its network, some of its servers may have been compromised.  The post goes on to say that the data leaving the database server was consistent in size with the email addresses of users, the server salt and their salted password hashes.  Modern operating systems and well designed application systems do not store passwords in plain text.  Instead the passwords are hashed for storage using a repeatable technique so that when a user provides a password to authenticate, their input can be put through the same process and the output compared to what is stored.  If the output matches what is stored then the user provided the correct password and authentication is successful.  In this scenario, LastPass was using salted hashing to protect users' master passwords before they were stored.  Hashing is a one way scheme that cannot be reversed but can be factored by generating every possible password until a matching hash is found.  A "salt" is a group of random bits of data inserted into the hashing function to further obfuscate the resultant hash of the original password before it is stored.  Without the salt, the matching password cannot be generated through hashing techniques even if the attacker had obtained the stored hash of the password.  However, with both the salt and the hash in hand, passwords could be factored.
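The store-then-compare process described above, as an added illustration in Python (not code from this post or from LastPass); the choice of PBKDF2-HMAC-SHA256, the iteration count and the 16-byte random salt are assumptions for the example, not a description of LastPass's scheme.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption for this example: PBKDF2-HMAC-SHA256 as the repeatable, one-way
# transform. Any slow salted hash would serve the same purpose.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage.

    A fresh random salt is drawn when none is given, so two users who choose
    the same password end up with different stored digests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Run the candidate through the same process and compare with what is stored.

    The comparison is constant-time so the check itself leaks no timing
    information about how many leading bytes matched.
    """
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def same_password_different_salts(password: str) -> bool:
    """Show that the salt, not only the password, determines the stored digest."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b
```

Note that a guess run through the hash without the correct salt never matches the stored digest, even when the guess is the right password; that is the point the post makes about the salt being needed alongside the hash.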

LastPass users should change their master passwords, even though it is not required now that LastPass has reportedly offered an option to confirm that the master password was a strong password.  Information Security professionals should be reviewing their Policies and Procedures to determine whether controls are in place, and effective, to prevent the storage of corporate credentials in third-party systems.  Further, this incident should be used as an education tool to remind users how to create and maintain good passwords and pass phrases.  For more information on pass phrases, look at the Insight section of our site.  While it remains unclear if any users' accounts were compromised as a direct result of the LastPass anomaly, users and security professionals need to take a hard look at who is being trusted with authentication credentials.
