LastPass says accounts were compromised, but passwords not hacked

LastPass.com

Consumers hate passwords, and they are notoriously bad at choosing good ones. Today, the only alternative to being a memorization genius or re-using passwords is to use password management software that remembers all your well-crafted logins for you. It has risks, too — putting all those keys in one place gives a criminal a chance to get what might be considered the master key for your whole digital life.

But like all security questions, the issue is not black and white. The risk of a hacker stealing your well-protected master key might be considerably less than the risk of a hacker breaking into multiple sites by guessing your poor passwords.

Maybe.

Today comes news that could make plenty of folks re-examine that equation. LastPass, maker of popular password management software, announced on its website that criminals have infiltrated its network. The news is a mixed bag: the firm says encrypted passwords were not compromised, but the hackers got away with other data.

“LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised,” it says.

The good news: “Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.”

The bad news: “We will also be prompting users to update their master password. … If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites.”

Hopefully, LastPass users are the type to utilize very strong passwords for their keys to the kingdom. And hopefully, LastPass is right, and there’s no risk that criminals have en masse stolen enough data to hack away at login credentials for thousands of websites.

Still, the news brings with it a reminder that password managers have risks too.

“On the surface, it sounds like LastPass took all the right kind of precautions including encryption, anonymization and hashing,” said John Zurawski, vice president at security firm Authentify. “The email addresses and password reminders are troubling. The keys to an individual’s digital kingdom are often an email as a username plus only a password. In today’s cyber-risk climate, that’s not enough. Therein lies the problem. They offer their end users more than half a dozen forms of multi-factor authentication options, but they are just that – options. Most end users are not security professionals. They won’t automatically choose extra security because they don’t understand the danger at a deep enough level. Stronger multi-factor authentication should be a requisite.”

A quick warning: LastPass users can expect an email about the incident. Be skeptical of any such message. Criminals can use the stolen email addresses and password reminders to craft very believable phishing emails, so beware of those.


About Bob Sullivan
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.
