Potential intrusion suspected in LastPass password service

"Network traffic anomalies" to and from the databases of the LastPass password management service have caused the company to suspect that intruders could have harvested personal information – including some customers' master passwords. LastPass is an online password manager that can automatically fill in the log-in forms of web pages by using a browser plug-in.

LastPass said that it doesn't have any concrete evidence of a break-in – but that "where there's smoke, there could have been fire". The company is, therefore, forcing all its customers to change their master passwords. LastPass said that, although it assumes that the salted password hashes will withstand a brute-force attack, very weak passwords could be cracked using a dictionary attack, and that it wants to be on the safe side.

The company is also taking this opportunity to make its passwords even more resistant to cracking attempts; LastPass has announced that it is taking the opportunity to implement the "Password-Based Key Derivation Function" (PBKDF2) standard using SHA-256 on the server with a 256-bit salt using 100,000 rounds. This increase in the numberof rounds will provide greater resilience: they increase the required computing effort and will apparently slow down even fast password crackers to such an extent that they can, for example, only manage 10 passwords per second instead of 100,000. LastPass said that it plans to implement PBKDF2 on the client in the future as well.

(crve)