Just as predicted, there have been a huge number of hacks this year, including very notable ones like LastPass, Kaspersky, and the U.S. Office of Personnel Management (OPM). Here are some lessons learned from those hacks to help you stay more secure, as well as tips for what to do if you've been hacked.
The first and most recent hack I want to talk about is LastPass. I've done a podcast on LastPass in the past, covering how to use it to securely manage your passwords for all of your web accounts and payment information.
First of all, if you are using LastPass to store your passwords, you should go change your master password right now. Go on, I'll wait for you ...
Alright, and we're back! On June 15th, LastPass publicly announced that it had noticed suspicious traffic on its network and blocked it. It assured users that the encrypted vault data was not taken; what was stolen were user email addresses, per-user salts, hashed master passwords (the authentication hashes), and password reminder hints. Now, that's pretty bad for a company whose sole business is to secure your information.
However, it's not as bad as it could have been. Although information was stolen, the most important part is that the master passwords were only ever stored as salted, slow hashes, never in the clear. If you're not familiar with how LastPass works, you basically have to remember one password, the master password, which safeguards every other password that you use online.
LastPass never stores your master password itself; it stores a salted hash of it, precisely so that a theft like this one does not hand the attacker usable credentials. Without going into the nitty gritty of hashing and cryptography (if you're interested I have a podcast on that subject), the attackers cannot reverse a hash. All they can do is guess master passwords one at a time, run each guess through the same hashing steps, and compare the result against the stolen hash.
Because LastPass uses a deliberately slow, iterated hash (PBKDF2-SHA256 with a random per-user salt and many rounds), every one of those guesses is expensive, and the salt means the work has to be redone for every user rather than precomputed once. For a long, random master password, the time needed to exhaust the possibilities is measured in centuries even on specialised cracking hardware. The catch is that this only holds if your master password is actually strong: a short or common one could fall to a wordlist in minutes, and the stolen reminder hints can help an attacker narrow down weak ones. Without your master password, the attackers have only your email, your reminder hint, and a hash they have to crack, which isn't much to go off of. Still, it is recommended that you change your master password, and set up some form of two-factor authentication.
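To make the "salted, slow hash" point concrete, here is an added example (my own code, not LastPass's) that models the two-stage scheme in Python's standard library and then plays the attacker's part against it. The round counts, the use of the email address as the client-side salt, the lowercase normalisation of the email, and the wordlist are assumptions for the illustration, loosely modelled on what LastPass described, and are not a statement of its actual settings.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this example (not LastPass's real configuration):
# the client stretches the master password with PBKDF2-SHA256 using the account
# email as salt, and the server stretches that result again with a random
# per-user salt before storing it. Only the second value is ever stored.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
SALT_BYTES = 16


def client_key(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """What the client sends to the server: PBKDF2-SHA256 of the master password,
    salted with the (lowercased, an assumption here) account email. The server
    never sees the master password itself."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def server_hash(key: bytes, user_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """What the server stores: another slow PBKDF2 pass over the client key with a
    random per-user salt, so a stolen table cannot be attacked with precomputation."""
    return hashlib.pbkdf2_hmac("sha256", key, user_salt, rounds)


def enroll(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Create the record the server keeps for a new user: (salt, stored hash)."""
    salt = os.urandom(SALT_BYTES)
    return salt, server_hash(client_key(master_password, email), salt)


def verify(master_password: str, email: str, salt: bytes, stored_hash: bytes) -> bool:
    """Login check: recompute both stages and compare in constant time."""
    candidate = server_hash(client_key(master_password, email), salt)
    return hmac.compare_digest(candidate, stored_hash)


def offline_guess(email: str, salt: bytes, stored_hash: bytes, candidates: list[str]):
    """The attacker's position after the breach: holding email, salt and hash, the
    only option is to try guesses one at a time through the same slow pipeline.
    Returns (matched password or None, guesses tried, seconds spent)."""
    start = time.perf_counter()
    for tried, guess in enumerate(candidates, start=1):
        if verify(guess, email, salt, stored_hash):
            return guess, tried, time.perf_counter() - start
    return None, len(candidates), time.perf_counter() - start


def seconds_to_exhaust(alphabet_size: int, length: int, seconds_per_guess: float) -> float:
    """Worst-case time to try every password of a given shape at a measured cost
    per guess. Real attackers use GPUs and wordlists, so treat this as an upper
    bound on a single machine, not as the time until your password is cracked."""
    return (alphabet_size ** length) * seconds_per_guess


# Constructed wordlist standing in for the attacker's dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "iloveyou", "monkey", "dragon"]


if __name__ == "__main__":
    email = "alice@example.com"
    for pw in ("password123", "correct horse battery staple"):
        salt, stored = enroll(pw, email)
        found, tried, secs = offline_guess(email, salt, stored, WORDLIST)
        per_guess = secs / tried
        print(f"{pw!r}: cracked={found is not None} after {tried} guesses ({per_guess:.3f}s each)")
        years = seconds_to_exhaust(26, 8, per_guess) / (365 * 24 * 3600)
        print(f"  at that rate, all 8-char lowercase passwords take about {years:,.0f} years on this machine")
```

Run it and the weak master password is recovered from the wordlist within seconds regardless of how slow the hash is, while the long passphrase survives the same dictionary; the extrapolated exhaustive-search time is what the "years" claim in the text is about, and it only applies to passwords that are not in anyone's wordlist.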