Network Anomoly Sparks Password Concerns for LastPass UsersBy Channel Insider Staff | Posted 2011-05-06 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
Online password manager LastPass notified customers of a potential breach that requires them to change their master passwords immediately.
An "anomaly" in the network traffic has prompted online password manager LastPass to notify its customers of a potential security breach that requires them to immediately change their master passwords.
Administrators noticed a "network traffic anomaly" that lasted a few minutes from a "non-critical" machine on May 3, LastPass wrote on its blog on May 4. Most anomalies generally turn out to be an employee poking around or an automated script executing a process.
After some more digging, the team discovered a matching anomaly in which more traffic was sent from the database compared to what was actually received by the server. The team was able to gauge roughly the amount of data that had been stored, calculated that it was big enough to have transferred user email addresses along with the server "salt and salted" password hashes from the database. The amount of data taken wasn’t "remotely enough" to have pulled many users’ encrypted data blogs, according to LastPass.
"We’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," the LastPass team wrote.
Salts are randomly generated bits of data that is combined with a password before generating a cryptographic hash, which is saved in the database. Using a salt generally makes it harder for attackers to brute-force a password. Using a salt expands the storage and computing power required to create a rainbow table, or a precomputed lookup table containing hash values of dictionary words and a salt. So conventional wisdom says it is not feasible to crack passwords protected in this way. However, there have been recent reports of hackers leasing resources from Amazon EC2 to crack passwords.
As a result, if the user selected a strong, non-dictionary-based password or passphrase for the master password on LastPass, the potential threat is very small because it’s unlikely the attacker would be able to brute-force its way to gain access to other accounts, according to LastPass.
"Unfortunately not everyone picks a master password that’s immune to brute forcing," the team wrote.
For more, read the eWEEK article: LastPass Forces Master Password Reset After Detecting Network Anomaly.