Yesterday, the password management system LastPass notified its users that it had “discovered and blocked suspicious activity” on its service. This post reviews what happened and encourages people to continue using password management services.
In a previous article that provided advice encouraging the use of password management services, we included this caveat:
“There is a major drawback—if someone hacks into your password management app, all of that information is free for the taking. Most of these applications are fairly safe from remote hacking attempts, but that doesn’t account for a computer infected with malware (think key logger) or someone who has had their computer stolen.”
On Monday, June 15, 2015, one of the password management services we mentioned in that earlier post, LastPass, notified its users that it had “discovered and blocked suspicious activity” on its service. While the service indicated that no passwords or “encrypted user vault data” were taken, it did report that email addresses used to send out password reminders were compromised.
As can be expected, online coverage of the breach tended to be shrill and to suggest that every user’s passwords to everything had been stolen. That was not the case.
A simple overview of what happened: The core service provided by LastPass was not compromised. However, criminal hackers were able to obtain email addresses that could be used in attempts to trick account holders into handing over their master passwords. The most obvious strategy would be sending users an email that appears to come from LastPass (phishing) and asks for the master password. Such an email would typically urge the user to provide sensitive data, like passwords, to someone posing as a representative of the company.
Why using a password management service is still wise
While LastPass failed to prevent a breach of its system, the incident did provide an opportunity to again explain how a password management service differs from other methods. The most important difference is that a user’s “master password” is not stored by the service. It is stored on the user’s device. Gaining access to user “password vaults” would therefore require a much higher degree of sophistication.
The way in which password management services are still not 100 percent hacker-proof
Password management services help prevent two major security problems. They provide a way to avoid using the same password on multiple accounts. They provide the means to use more complex passwords and to store them in encrypted form.
When a user has dozens of accounts that require passwords, the temptation to use the same password on multiple accounts is hard to resist. But nothing is 100 percent. Not even the most secret information about federal employees can be protected. Adding levels of difficulty for the hacker to deal with can serve as encouragement for the hacker to move on to someone else’s insecure data.
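The two points made above (the service never holds the master password, and the vault lets each account get its own complex, randomly generated password) can be made concrete with a small model of how such a service can be built. The code below is an added illustration written for this post; it is not LastPass’s code and does not describe its actual protocol. It assumes a constructed scheme: the client derives a vault key from the master password with PBKDF2, encrypts the vault locally, and sends the server only an email address, an authentication hash and the ciphertext. Because the Python standard library has no AES, a toy HMAC-SHA256 counter-mode cipher stands in for a real authenticated cipher; the iteration count and salt choice are illustrative assumptions.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Illustrative parameter, not a recommendation for any real product.
PBKDF2_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Run on the CLIENT only: the master password never leaves the device.
    The (lower-cased) email is used as the salt in this constructed scheme."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), PBKDF2_ITERATIONS
    )


def auth_hash(vault_key: bytes) -> bytes:
    """What the server stores for login checks: a one-way hash of the vault key,
    domain-separated so it cannot be used as the vault key itself."""
    return hashlib.sha256(b"auth:" + vault_key).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256 (stands in for AES)."""
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream.extend(hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest())
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(vault_key: bytes, entries: dict) -> dict:
    """Encrypt the vault on the client and add a MAC so tampering is detected."""
    plaintext = json.dumps(entries).encode()
    nonce = os.urandom(16)
    ciphertext = keystream_xor(vault_key, nonce, plaintext)
    tag = hmac.new(vault_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: dict) -> dict:
    """Verify the MAC first; a wrong key or altered blob raises instead of returning garbage."""
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(vault_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(keystream_xor(vault_key, nonce, ciphertext).decode())


def generate_site_password(length: int = 20) -> str:
    """A per-site random password; uniqueness per account is the point of the vault."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def server_record(email: str, master_password: str, entries: dict) -> dict:
    """Everything the server ever receives from the client for this user.
    Note the absence of the master password, the vault key and any site password."""
    key = derive_vault_key(master_password, email)
    return {"email": email, "auth_hash": auth_hash(key).hex(), "vault": encrypt_vault(key, entries)}


def server_login(record: dict, email: str, master_password: str) -> bool:
    """Client re-derives the key, server compares only the resulting auth hash."""
    key = derive_vault_key(master_password, email)
    return hmac.compare_digest(auth_hash(key).hex(), record["auth_hash"])


if __name__ == "__main__":
    # Constructed sample user and vault.
    entries = {"bank.example": generate_site_password(), "mail.example": generate_site_password()}
    record = server_record("alice@example.com", "correct horse battery staple", entries)
    print("what a server-side leak exposes:", json.dumps(record, indent=2))
```

In this model the data exposed by a server-side breach is the email address, the authentication hash and the ciphertext. That is why a leaked email address is mainly useful for phishing the master password out of the user, and also why the master password must be strong and the key derivation slow: an attacker holding the authentication hash can still try guesses offline, and a weak master password would not survive that.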
Protect your master password
From LastPass comes this advice that is true for any password service: “Never, ever disclose your master password or any confidential information, even to someone claiming to work for (the service).” Also, if you don’t already understand and use “two-step verification” on your most sensitive accounts, see “What is Two-Step Verification and Why You Should Start Using Them.”