LastPass, the online password manager, has revealed that it has been the victim of a cyberattack in which user data was compromised, and it has urged all users to change their master password. LastPass account email addresses, password reminders, hashed user passwords and cryptographic salts were all stolen in the attack.
Geoff Webb, vice president, solution strategy at NetIQ, the security portfolio of Micro Focus:
“While the breach at LastPass will probably not cause significant problems for their users (provided they change their master password as advised), it does underline the broader issue with authentication and the use of passwords as a single point of identification.”
“However the system is implemented, using a password alone ultimately places the totality of our trust in the authentication method in a single factor – in one piece of information that is used to prove we are who we say we are. This is still, and will always be, the weakest link in the chain and so it’s not surprising that attackers focus on it. Whether it’s an attack aimed at a service like this, or simply working to identify users with weak, multi-use passwords, attackers know that successfully gaining access to an account is usually just one password away.”
“We are at the end of the useful lifespan of the password as the sole method of authenticating who we are – the more complex interactions we undertake online, and the sheer volume of services we work with, now mean we must use an approach that is more sophisticated if we want to stay secure and keep our information private. Whether the right answer is using tokens, smartphones, biometrics, behavioural indicators, or some mixture of them all will depend greatly on the sensitivity of the information or service being secured, but whatever it is, simply relying on a user to think up and remember a sufficiently secure password is not going to be enough anymore.”