
Security Experts Sound Off On LastPass Hack

June 16, 2015 - Written By Tom Dawson

It’s 2015, and the vast majority of us have some sort of personal information online, with well over half of us storing oodles of personal information behind social media accounts, cloud storage and other platforms. Let’s say that you have an Instagram account, a Facebook account and a Google+ account along with services like Spotify, Amazon and more. That’s a whole lot of passwords, and in the last few years people have increasingly been turning to password managers to keep all of their many passwords safe and, in a lot of cases, to help generate super-strong passwords that will hopefully keep people locked out of your accounts and your info.

Sadly, LastPass, a popular password manager service, was recently hacked. The news broke over the weekend, and while LastPass themselves said that there were no signs or “evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed”, they did say that “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised”. The fact that the authentication hashes themselves were compromised could prove to be the biggest headache for LastPass as time goes on, as there’s a possibility that the perpetrator could figure out how to access and decrypt passwords in the future, although it is doubtful.

When something like this happens online, it sends waves throughout the community as a whole, and we’re seeing that the LastPass hack has caused some to ponder the very existence of password managers. Elizabeth Stark noted that storing any large amount of data in one place was a bad idea, while CNNMoney’s Jose Pagliery said simply that “Password managers are not smart.” Christopher Soghoian, the principal technologist for the American Civil Liberties Union, simply thinks that “password reminders are a bad idea” on the whole.

Nothing is foolproof these days, it would appear, and as hackers continue to find new ways of causing harm to services online, or ways to cause outright breaches, it’s no surprise that LastPass has been hacked. Perhaps the best lesson from this is the old proverb that “if you don’t want anyone to know something, don’t write it down”. If that’s too simple for you, there are options out there for offline password managers with 256-bit encryption that keep all the info on your phone, and away from the big, bad Internet.