Password manager service LastPass announced last week that they experienced a data breach that exposed users’ email addresses, encrypted passwords and cleartext password reminder hints.
Following the good advice to never use the same password twice, and to choose passwords that are difficult to guess (and remember), many people use password management sites such as LastPass. But the problem with using a Web-based third party to store your passwords is that they can get hacked, too.
LastPass certainly took many security precautions, and some of them worked. For example, LastPass never had access to customers’ master passwords in cleartext. But they did store other information about users in cleartext, and it’s this compromised information that can be used to guess weak master passwords.
LastPass’s blog announcement explains that server-side per-user salts and authentication hashes were also compromised. Employee Joe Siegrist wrote in a follow-up blog post to customers:
“An attacker could try to guess your master password, then use your per-user-salt and authentication hash to determine if their guess was correct. […] If your master password is weak or if your password reminder makes it easy-to-guess, then the attacker could significantly reduce the number of attempts needed to guess it
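To make the quoted passage concrete, here is an added illustration (not LastPass's code; the PBKDF2-HMAC-SHA256 scheme, the iteration counts and the sample salt and password are assumptions) of why a leaked per-user salt plus authentication hash lets anyone holding them check a candidate master password offline, and why the hash's iteration count is the main server-side lever that limits how fast that check runs.

```python
import hashlib
import hmac
import time

# Constructed sample values; the page does not give LastPass's real scheme or
# parameters, so this models it with an assumed PBKDF2-HMAC-SHA256 derivation.
MASTER_PASSWORD = "correct horse battery staple"
PER_USER_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed


def auth_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the value a server stores to authenticate a user (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_guess(guess: str, salt: bytes, stored: bytes, iterations: int) -> bool:
    """Check one candidate against salt + stored hash; no server round-trip needed,
    which is exactly why a leak of these two values matters."""
    return hmac.compare_digest(auth_hash(guess, salt, iterations), stored)


def seconds_per_guess(salt: bytes, iterations: int, samples: int = 3) -> float:
    """Measure the per-guess cost; the iteration count bounds the verification rate,
    so raising it is the defender's lever, alongside a strong master password."""
    start = time.perf_counter()
    for i in range(samples):
        auth_hash(f"probe-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    for iters in (1_000, 100_000):
        stored = auth_hash(MASTER_PASSWORD, PER_USER_SALT, iters)
        wrong = verify_guess("password123", PER_USER_SALT, stored, iters)
        right = verify_guess(MASTER_PASSWORD, PER_USER_SALT, stored, iters)
        print(f"{iters:>7} iterations: wrong={wrong} right={right} "
              f"cost={seconds_per_guess(PER_USER_SALT, iters):.2e} s/guess")
```

The per-user salt makes each stored hash unique, so precomputed tables are useless, but it does nothing to slow a guess once salt and hash are both in hand; only the iteration count and the master password's strength do that.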