
Best Practices 06-16-2015

LastPass Hack and the Case for Two-factor Authentication

Ashley Call

On Monday, June 15, 2015, the popular password manager LastPass announced that it had been breached. After noticing suspicious activity on its network, LastPass discovered that account email addresses, password reminders, per-user server salts, and authentication hashes had been compromised. However, the company stated that it had found "no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed."

Many in the IT industry have been skeptical of password managers, fearing that they are enormous targets for hackers; others have argued that the benefits outweigh the risks, namely that password managers let people use randomly generated, stronger passwords and remove the human error that comes with choosing weak ones. Whichever side is right, the one conclusion this hack supports beyond doubt is the importance of two-factor authentication.

Why Two-Factor Authentication Matters

As we've described in a previous post, two-factor authentication (2FA) combines something you know (a password) with something you have (e.g., a smartphone or tablet that generates a one-time password) to authenticate you and grant access to your account. Even if attackers steal your password, they cannot log in to your account, because they do not have the one-time password generated on your device. Note what 2FA does and does not cover in a breach like this one: it protects the login path, but it does nothing to slow an offline attack on stolen authentication hashes, which is why the per-user salts and the strength of the hashing behind them still matter. Although 2FA is widely recognized as a good security practice within the information security industry, it is not yet as common in other industries.
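The two factors described above, as an added worked example that is not part of the original post and not LastPass's code: a login check that succeeds only when both a salted PBKDF2 password hash matches and a valid RFC 6238 time-based one-time password (TOTP) from the user's device is supplied. The user-record layout, the hashing parameters (PBKDF2-HMAC-SHA256, 100,000 iterations), the 30-second TOTP step and the one-step clock-drift window are assumptions chosen for illustration; the shared secret and password are constructed test data (the secret is the RFC 6238 reference secret).

```python
import hashlib
import hmac
import os
import struct

# Added example, not code from the original post or from LastPass.
# The hashing parameters and TOTP settings below are assumptions for illustration.
PBKDF2_ITERATIONS = 100_000
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6
TOTP_WINDOW = 1  # accept one time step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP_SECONDS,
         digits: int = TOTP_DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = TOTP_STEP_SECONDS,
                digits: int = TOTP_DIGITS, window: int = TOTP_WINDOW) -> bool:
    """Accept the code for the current step or up to `window` steps on either side."""
    current = int(at_time) // step
    ok = False
    for counter in range(current - window, current + window + 1):
        # Constant-time comparison, and every candidate is checked so timing
        # does not reveal which step (if any) matched.
        ok |= hmac.compare_digest(hotp(secret, counter, digits), code)
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    """Server-side authentication hash: PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(password: str, totp_secret: bytes) -> dict:
    """Build a user record: per-user salt, authentication hash, and the shared TOTP secret."""
    salt = os.urandom(16)
    return {"salt": salt, "auth_hash": hash_password(password, salt), "totp_secret": totp_secret}


def login(record: dict, password: str, code: str, at_time: int) -> bool:
    """Both factors must pass; both are evaluated so a failure reveals nothing about which one failed."""
    password_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["auth_hash"])
    code_ok = verify_totp(record["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed test data: the RFC 6238 reference secret and a throwaway password.
    secret = b"12345678901234567890"
    user = enroll("correct horse battery staple", secret)
    now = 1111111109
    device_code = totp(secret, now)  # what the user's phone would display right now
    print("password + device code:", login(user, "correct horse battery staple", device_code, now))
    print("stolen password only  :", login(user, "correct horse battery staple", "00000", now))
    print("device code only      :", login(user, "guessed password", device_code, now))
```

The point of the example is the last two lines of output: an attacker holding a cracked password, or a leaked record's salt and hash, still cannot complete the login without the current code from the device, and a code alone is useless without the password. Real deployments also need to stop the same code being replayed within its window and to rate-limit guesses, which are out of scope here.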

As Joe Siegrist, CEO of LastPass, said in the announcement, LastPass has always encouraged users to enable multi-factor authentication (MFA). In response to this hack, Siegrist said that while LastPass would require that "all users who are logging in from a new device or IP address first verify their account by email," users with multi-factor authentication enabled would not be required to do so. The protection and individual control that two-factor (or multi-factor) authentication gives users is a step in the right direction toward making companies and individuals more accountable for their own information security.

While LastPass has stated that it is "confident their encryption measures are sufficient to protect the vast majority of users," companies and individuals should treat this hack as an opportunity to improve their security practices going forward*; as everyone knows, this will not be the last time passwords are stolen.

*See this list of enterprises that support 2FA, with instructions on how to enable it for each account.