By Tom Stibolt, MD, Mobile Musings Column Editor

In June 2015 my password manager of choice, LastPass, was hacked. This leaked users’ email addresses, master password reminders, and the hashed version of user passwords. There was an immediate backlash, and a number of articles quickly appeared suggesting the breach was a huge problem. The sensationalism soon subsided, and as it turns out, LastPass was designed to withstand attacks from hackers. It is feasible user emails could be used to contact users with the aim of luring them into putting their information at risk. Though most users should be able to tell the difference between a phishing email and a legitimate one.

Password Reminders

An unsecure master password reminder could be a problem if a user simply put their actual password as their reminder. A more appropriate reminder would be something that would cue the user to what they used as a password but which would not be useful to someone else. For instance, my master password reminder is “better sim mobile lotus.” It is sufficient to help me recall my master password, but I do not think it could be used by anyone other than me. As a result of the breach, LastPass recommended that users change their master passwords. For those using an obtuse master password reminder, like myself, this was probably not entirely necessary.

Hashed Passwords

Losing hashed versions of user master passwords may sound problematic, but closer inspection reveals otherwise. Firstly, LastPass does not store user passwords.What the service does store is a mathematically processed signature of the password. The process of creating the signature is both mathematically complex and, more importantly, irreversible.

The reason it is not reversible is that information is dropped in the process of creating it, so going backward is simply not possible. LastPass developers use a secret and highly sophisticated algorithm to block hackers. If a hacker wants to try to find your password using a brute force methodology, they would have to attempt logging into your account using various guesses. To counter this, LastPass built a several second delay in the login process. As a user using my actual password, this delay is not noticeable. But if a hacker is trying multiple passwords, the time delay severely slows them down. And after a number of incorrect attempts to login, LastPass will freeze the account. The exact number of attempts allowed is not disclosed by LastPass, although representatives do note that the number of attempts is shorter when originating from an unfamiliar IP address.

Further Measures

In writing about this, I am reminded of another recommendation I make to colleagues. Many websites, especially financial institutions, have users create a series of security questions that can be used to challenge them, particularly when they sign on from an unrecognized device. The questions are typically things like, “In what city were you born?” or “Who was your childhood best friend?” Sadly, in an era of social media and numerous databases tracking us, the answers to these questions may easily be found. For that reason, I have created nonsense answers that I use with these challenge questions. As an example, I might use “pumpernickel” as the answer to the question about where I was born. (I actually store my responses in LastPass since it is designed to encrypt them.) Anyone using information about me that is available on the Internet will be hard pressed to crack the code. I feel safer taking these measures.

Other options worth considering are passwords with a mixture of alphabets and characters, as they are more difficult to break using brute force. As a general rule, the longer the password the more secure. Periodically changing your passwords is also helpful.

No LastPass users appear to have experienced damage from the June 2015 hackings. My kudos to their developers.

Editor’s note: The ATS does not endorse any of the programs or products mentioned in this column.

Related post: Living in the Cloud July 2014 Mobile Musings