On Monday, June 15, 2015, the popular password manager LastPass announced a security breach. After noticing suspicious activity on their network, LastPass discovered that account email addresses, password reminders, server-side per-user salts, and authentication hashes had been compromised. However, they announced that they had found "no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed."
While many in the IT industry have been skeptical of password managers, fearing that they are enormous targets for hackers, others have argued that the benefits outweigh the risks: password managers let people use randomly generated, stronger passwords and reduce the human error that comes with weak ones. Whatever the balance of risk and benefit turns out to be, the one conclusive lesson from this breach is the importance of two-factor authentication.
As we've described in a recent blog post, two-factor authentication (2FA) means using something you know (a password) together with something you have (e.g., a one-time password generated on your smartphone or tablet) to authenticate and gain access to your account. This practice ensures that even when hackers steal passwords, they cannot access your accounts, because they do not have the one-time password on your device. Although 2FA is widely recognized as good security practice within the infosec industry, it is not nearly as common in other industries.
As Joe Siegrist, CEO of LastPass, said in the recent announcement, LastPass has always encouraged users to use multi-factor authentication (MFA). For this particular breach, Siegrist said that while they would require "all users who are logging in from a new device or IP address first verify their account by email," those with multi-factor authentication enabled would not be required to do so. The protection and individual control that two-factor (or multi-factor) authentication gives users is a step in the right direction toward making companies and individuals more accountable for their own information security.
While LastPass has stated that they are "confident their encryption measures are sufficient to protect the vast majority of users," companies and individuals should take this breach as an opportunity to improve their security practices for the future, because, as everyone knows, this will not be the last time a password is stolen.*

*See this Two-factor Authentication List for a list of enterprises that support 2FA, with instructions on how to enable it for each account.