Expert Comment on Silver Linings to LastPass Hack from Damien Hugoo with fraud detection and protection provider Easy Solutions.
Damien Hugoo with fraud detection and protection provider at Easy Solutions :
Password management company LastPass notified users in a blog post that it had been the target of a hack that accessed users’ email addresses, encrypted master passwords, and reminder words and phrases the service asks users to create for those master passwords.
In general, we are not a fan of password management tools. While they provide convenience, a central repository of any sensitive data is always going to garner greater attention from hackers. In some ways, it might even be better to store this sort of encrypted password data locally on a piece of paper in your office. After all, these sophisticated hackers are more likely to be in China or Russia than they are in the cubicle down the hall from you.
But the good news about this story is that the hashes stolen were very well encrypted. The company noted that it has cryptographic protections in place on those master passwords, including “hashing” and “salting” functions designed to make cracking the underlying passwords nearly impossible. This should be enough to protect almost all of its users. Those who have not practiced proper password hygiene to date (i.e. using simple passwords or ones reused from other sites) may still be vulnerable.
In addition, LastPass offers two-factor authentication on their services, which will help minimize the impact of that breach. This serves as a good reminder that multi-factor authentication is an effective approach to minimize impact of breach on end-users. Is it inconvenient? Yes. But security is always on the other side of the see-saw from convenience and usability. Users should embrace this option, and even demand that their cloud providers “force two-factor authentication upon them”. That way, even if (or more realistically when) their passwords are stolen, the underlying account cannot be compromised.
[su_box title=”About Brian Damien Hugoo” style=”noise” box_color=”#336588″]
Damien Hugoo is a seasoned technology professional with 10 years of experience in creating, building and deploying digital software products for the financial services industry. Damien serves as product manager at Easy Solutions, where he plays a key role in the creation of the most innovative and comprehensive fraud prevention and detection solutions available on the market.
Prior to Easy Solutions, Damien held product management roles at FIS, the world’s top provider of banking technology, where he most recently lead all aspects of product management for 2 online banking products that served over 600 financial institutions in North America.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.