LastPass Hacked, Exposing Encrypted Master Passwords

Spacescreamer

Spacescreamer

Herald
Password manager LastPass said Monday that email addresses and encrypted master passwords were compromised in a breach. LastPass CEO Joe Siegrist wrote in a blog post that the company does not believe user accounts were accessed in the attack, but the company recommended that users change the master password they use to access their account.

Password managers can be a smart way to increase your online security–until they get hacked.

LastPass, and other password managers like Dashlane and Roboform, were created to address the issue that passwords are a notoriously poor form of security. People tend to use weak, easy-to-remember passwords, re-use passwords across a multitude of accounts, and forget to change their passwords often enough (if at all). LastPass’ solution allows its 76 million users to only have to remember one strong master password, which is used to access all individual account logins and passwords stored by LastPass in encrypted user vaults.

LastPass says it discovered and blocked “suspicious activity” on its network on Friday. Further investigation revealed that email addresses, password reminders, server per user salts (data added to passwords to make them harder to crack), and authentication hashes were all compromised. The good news is that no accounts were compromised, and attackers didn’t gain access to encrypted user vault data (which would include all users’ individual account logins and passwords stored by LastPass).

Because of its strong encryption methods, LastPass says that the compromised encrypted master passwords will be very difficult to crack, as long as users created strong master passwords. “We are confident that our encryption measures are sufficient to protect the vast majority of users,” Siegrist said in his blog post.

LastPass employs per user salts, which means an attacker would have to attempt to crack each encrypted master password individually. ”Further, because a user’s password is hashed thousands of times before being sent to LastPass, and is again hashed 100,000 times before being stored, guesses can’t be done at significant speed,” LastPass press contact Erin Style explained via email.

Even so, LastPass is recommending that all users change their master passwords and set up two-factor authentication. Those with weak master passwords or those who re-used the master password on other sites should change their passwords immediately. LastPass says it’s not necessary to change the individual passwords of accounts stored in LastPass as this encrypted data was not accessed. As a safety measure, LastPass will require that anyone who logs in to their LastPass account from a new device or IP authenticate via email, unless the user already has two-factor authentication.
Click to expand...

Source
 
We had a security subject in our BE curriculum and I have been using this method to frame different passwords for online banking, emails,etc.
By using phrases,for instance, "Jack and Jill went up the hill to fetch a pail of water" becomes

J&Jwudh2fapw

This meets number,special character,caps and password length requirements.
The more easier and commonly used phrases, the easier to remember them.
The more creative a person, the more complicated and easier to remember such passwords.
They can be movie dialogues,songs,idioms,quotes,etc and many more.
I have never written down my passwords anywhere nor have they been compromised
My passwords are 13 character or more longer most of the times.

5 Ways to Create a Password You Can Remember
 
Arv90 said:
We had a security subject in our BE curriculum and I have been using this method to frame different passwords for online banking, emails,etc.
By using phrases,for instance, "Jack and Jill went up the hill to fetch a pail of water" becomes

J&Jwudh2fapw

This meets number,special character,caps and password length requirements.
The more easier and commonly used phrases, the easier to remember them.
The more creative a person, the more complicated and easier to remember such passwords.
They can be movie dialogues,songs,idioms,quotes,etc and many more.
I have never written down my passwords anywhere nor have they been compromised
My passwords are 13 character or more longer most of the times.

5 Ways to Create a Password You Can Remember
Click to expand...

https://en.wikipedia.org/wiki/Passphrase

Another is to choose two phrases, turn one into an acronym, and include it in the second, making the final passphrase. For instance, using two English language typing exercises, we have the following. The quick brown fox jumps over the lazy dog, becomes tqbfjotld. Including it in, Now is the time for all good men to come to the aid of their country, might produce, Now is the time for all good tqbfjotld to come to the aid of their country as the passphrase.

There are several points to note here, all relating to why this example passphrase is not a good one.
  • It has appeared in public and so should be avoided by everyone.
  • It is long (which is a considerable virtue in theory) and requires a good typist as typing errors are much more likely for extended phrases.
  • Individuals and organizations serious about cracking computer security have compiled lists of passwords derived in this manner from the most common quotations, song lyrics, and so on.
Click to expand...
 
@Arv90 passphrases are even more difficult to manage and remember. Do you really have different password for different sites and remember all of them?
 
letmein said:
https://en.wikipedia.org/wiki/Passphrase
Click to expand...
Yes, it is Passphrase

Individuals and organizations serious about cracking computer security have compiled lists of passwords derived in this manner from the most common quotations, song lyrics, and so on.
Click to expand...
I think this won't be an easy task for sure
As i said, the more creative you are, the more strong is your password.
Entropy as a measure of password strength
It is usual in the computer industry to specify password strength in terms of information entropy, measured in bits, a concept from information theory. Instead of the number of guesses needed to find the password with certainty, the base-2 logarithm of that number is given, which is the number of "entropy bits" in a password. A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss.
Source : Password strength
Click to expand...
Password's information entropy, H,
6270d629826e5df0949332423566dd78.png

where N is the number of possible symbols and L is the number of symbols in the password. H is measured in bits

To be frank I use bible verses as phrases and trust me this will be an infrangible one because
My passwords look like this : TLimS;IsnwPs23:1 which translates to "The Lord is my Shepherd; I shall not want Psalm 1:23" and cracking this will be equivalent to H=16(no. of symbols) x log 62 / log 2 = 95.26 bits
Which again calculates to H = 2*95(2 raised to the power of 95)

Here N = 62 is taken from this table without considering symbols(; & : in this case)
Entropy.png


To make it more complicated there are 23,145 verses in the Old Testament and 7,957 verses in the New Testament. This gives a total of 31,102 verses in the bible.
Source : Chapters and verses of the Bible
Which means a brute force attack of 31102 x 2* 95(2 raised to 95 which is without considering symbols)

avi said:
Do you really have different password for different sites and remember all of them?
Click to expand...
Yes, I have different passwords for FB,emails,online transactions,different online bank accounts,etc.

So BE CREATIVE!!!!
 
actually long passwords are more difficult to crack/decrypt using rainbow tables than short complex passwords..

jackandjillwentupthehilltofetchapailofwater is actually more diifficult to crack than J&Jwudh2fapw
 
Let the script remain roman and the language your mother tongue,
eg. hindi - yahmerA#@1pAsswordhain
Telugu - idinA#@1passwordundI
 
@avi - too many pass phrases are difficult to remember. I use only one at a time. But shuffle the words in a defined sequence for different accounts.

Taking the same ex: JackAndJill-808 will be used as
A/c #1 : jAj-808;
A/c #2: 808-jAj
A/c #3: -jAj808

This keeps the principle in place and easier to remember as only phrase is to be remembered at a time.
 
for remembering multiple passwords I just can't help but use a password manager and generate if site has complex requirement or write any incident of the day (long but memorable mnemonic)
 
Everytime I frame a new password, I write it down on my phone's sticky note.
After using it couple of times and confirming that I have remembered the password, delete it from the sticky note.
At a time I do remember 3-5 phrases
 
Back
Top