LastPass announced June 15 that it had detected and subsequently blocked “suspicious activity” on its networks a couple of days before. The attackers made off with email addresses associated with LastPass accounts, hints that help users reset their master passwords, salted password hashes, as well as the associated salts.

If you use LastPass, it’s important to note that your actual password was not compromised. The “salted password hashes” that attackers stole are really master passwords that have been run through a one-way hash function such as SHA. A “salt” is a pseudo-random input added to your password before it is fed to the hash function; it’s included to protect against just this kind of situation. Attackers could attempt to break your password using brute force – trying every possible combination of characters in an attempt to match the hash – but without knowing exactly what the salt is, they would have an extremely hard time.

LastPass assumes the attackers have the salts, so let’s look briefly at what it would take to break your password with the data they have. Using a tool created by Mandylion Labs, we can approximate how long it would take to break your password using brute-force techniques. If, for example, you have a 10-character “strong password” (using lowercase and uppercase letters, numbers, and special characters), it would take someone with access to a single machine 179,947 years. With access to a cluster of a hundred machines, it would still take an awfully long time: 1,799 years. (Of course, some people use shorter passwords than that. Any password shorter than eight characters is breakable within seven days or less using modest amounts of processing power.)

As I’ve written before, every organization ought to view a breach as an inevitability and prepare accordingly. This is not to say that they should give up. No! As software developers and architects, we have a large tool kit at our disposal with which we can make it extremely impractical for anyone to benefit from stolen data. So let’s do it.

Hardware security modules (HSMs) are a technology often relegated to the dark underbellies of 1970s-looking bank data centres, where they are a requirement for doing PIN validation on debit card transactions. They’ve been certified by NIST (the National Institute of Standards and Technology in the United States) under the FIPS 140-2 banner to provide superior cryptographic secrecy over software-based solutions: once a key is locked inside the HSM, it’s never coming out. You can perform cryptographic operations with said key, but you can never retrieve it.

Using this type of solution in conjunction with salted password hashes means that an attacker would have to physically break in and steal your HSM (or have continuous, direct access to it) to make sense of any hashed passwords they got their hands on. Entersekt uses HSMs to protect all of our sensitive key material.
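As an added illustration of the HSM point above (example code written for this post, not Entersekt’s or LastPass’s implementation): a salted PBKDF2 hash of the kind a breach exposes, beside the same hash additionally keyed with a key that lives in an HSM. `HSM_KEY` is a constructed constant standing in for a key that in a real deployment never leaves the module, the password and salt are constructed sample values, and `brute_force_years` is a generic keyspace estimate rather than the Mandylion calculator.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Constructed stand-in for an HSM-resident key. In a real deployment the HMAC
# below is computed inside the module and these bytes are never readable by
# software; they are a constant here only so the example runs offline.
HSM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                        "00112233445566778899aabbccddeeff")
ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example

def salted_hash(password: str, salt: bytes) -> bytes:
    """Plain salted PBKDF2-SHA256: the kind of record the breach exposed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def hsm_protected_hash(password: str, salt: bytes) -> bytes:
    """Same salted hash, then keyed with the HSM key before storage.
    A stolen (salt, value) pair cannot be checked against guesses
    without also driving the HSM that holds the key."""
    return hmac.new(HSM_KEY, salted_hash(password, salt), hashlib.sha256).digest()

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Server-side login check; the only path that uses the HSM key."""
    return hmac.compare_digest(hsm_protected_hash(password, salt), stored)

def offline_guess(stolen: Tuple[bytes, bytes], candidates: Iterable[str]) -> Optional[str]:
    """What someone holding only (salt, stored value) can do: recompute the
    unkeyed salted hash per candidate and compare. Succeeds against plain
    records, finds nothing against HSM-keyed ones."""
    salt, stored = stolen
    for guess in candidates:
        if hmac.compare_digest(salted_hash(guess, salt), stored):
            return guess
    return None

def brute_force_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to exhaust a keyspace at a given guess rate."""
    return charset_size ** length / guesses_per_second / (365.25 * 86400)

if __name__ == "__main__":
    salt = b"constructed-16B!"  # constructed 16-byte salt
    plain = (salt, salted_hash("Tr0ub4dor&3", salt))
    keyed = (salt, hsm_protected_hash("Tr0ub4dor&3", salt))
    guesses = ["password", "letmein", "Tr0ub4dor&3"]
    print("plain record recovered:", offline_guess(plain, guesses))
    print("HSM-keyed record recovered:", offline_guess(keyed, guesses))
    print("10 chars, 95 symbols, 1e7 guesses/s:", round(brute_force_years(95, 10, 1e7)), "years")
```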

The moral of this story is never to rely solely on one factor of authentication. A strong password might be a good first line of defense, but having multi-factor authentication, such as Transakt, enabled on your LastPass account will prevent anyone from accessing your account, even if they have broken your password. They would need access to both your password and your mobile phone, in person, to compromise your account. As I said, make it as impractical as technically possible for thieves to benefit from stolen data.

Christiaan Brand

FORMER CTO

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.