Password Manager LastPass Reports New Security Breach
On August 25, 2022, LastPass, one of the world’s largest and most popular password management applications, reported that it had experienced a data breach. In a blog post on the company’s website, CEO Karim Toubba stated that “we have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.” Toubba went on to state that this data breach did not compromise the personal information of LastPass customers, or the encrypted password vaults of those customers. Nevertheless, the fact that LastPass has sustained a second security breach in two years will surely be an unwelcome development for many consumers and businesses alike.
The entire purpose of using a password manager such as LastPass is to protect personal data and information from being accessed by unauthorized individuals, as users of LastPass will often store a great number of their passwords within the application. From financial account information to employee login credentials, the contents of a user’s LastPass vault will generally contain some of the most sensitive information imaginable. The fact that LastPass could be involved in a data breach incident highlights the risks that all businesses and organizations face with respect to cybercrime and data security. However, the way in which LastPass is handling the data breach thus far also emphasizes the great lengths that the company goes to when looking to ensure that the data of its customers remains secure at all times.
The “Zero Knowledge” Model
Despite the ways in which the data breach that LastPass experienced this week may impact the overall perception of the company, the claims that company CEO Karim Toubba made with regard to the security of the personal data of LastPass users are likely to be true, due in large part to the methods and techniques that password management applications use to safeguard this information in the first place. More specifically, password managers like LastPass, as well as other applications and services that are used to store personal information, rely on the data protection practices of “hashing and salting”. LastPass utilizes these data protection practices to facilitate what the company refers to as the “Zero Knowledge” Model, which essentially means that the millions of passwords that are held within the application are unknowable to anyone besides the user that has created these passwords.
Hashing and salting
In the context of cryptography, hashing is defined as “the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents”. As such, hashing facilitates a one-way process that can be used to convert a password into cipher text through the use of hash algorithms. A hashing algorithm is a mathematical function that can be used to obscure personal information and make it unreadable, making it ideal for protecting data such as passwords. Using a hashing algorithm, password management companies such as LastPass can create a unique hash value for each stored password, making it difficult for a cybercriminal or bad actor to steal this information during a security breach. While it is technically possible to reverse the hashing process, the computational power required to do so makes it very difficult and unfeasible in practice.
On the other hand, the practice of salting refers to adding a unique character or element to a value prior to hashing it, much like a chef would add salt to their hash browns in order to provide their food with additional seasoning and flavor. Password management companies like LastPass use salting to assign a random string of characters to each password, with the aim of providing users of such services with an additional layer of security. In effect, a hacker who is looking to steal information from LastPass would have to work through two separate layers of security. Many of these criminals rely on speed to plunder personal information, and salting makes stealing passwords that much more time-consuming for bad actors.
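The following is an added example illustrating the hashing and salting described in the two paragraphs above; it is not code from the article or from LastPass, and the article does not state which algorithm LastPass uses. It assumes PBKDF2-HMAC-SHA256 as the slow, salted hash, stores a per-password random salt beside the digest, verifies a login attempt by recomputing the digest with the stored salt, and contrasts this with an unsalted SHA-256 scheme whose digests can be matched against a precomputed table of common passwords. All passwords and the wordlist are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2 (assumed value for this example; raise it as hardware improves).
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> dict:
    """Hash a password with a fresh random salt.

    Returns the record a service would store: the salt, the iteration count and
    the digest. The salt is not secret; it only has to be unique per password.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, never reused across records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def unsalted_hash(password: str) -> bytes:
    """Plain SHA-256 with no salt: the weak scheme that salting exists to replace."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def precomputed_table(wordlist) -> dict:
    """A table of digests for common passwords, computed once and reusable
    against every unsalted database, since identical passwords hash identically."""
    return {unsalted_hash(word): word for word in wordlist}


def lookup_unsalted(digest: bytes, table: dict) -> Optional[str]:
    """Recover a password from an unsalted digest if it appears in the table."""
    return table.get(digest)


def salted_digests_differ(password: str) -> bool:
    """Two users with the same password get different digests once salted,
    so a precomputed table cannot be applied to either of them."""
    first = hash_password(password)
    second = hash_password(password)
    return first["digest"] != second["digest"]


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    record = hash_password("correct horse battery staple")
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", record))

    table = precomputed_table(["password123", "letmein", "qwerty"])
    leaked = unsalted_hash("letmein")
    print("unsalted digest recovered as:", lookup_unsalted(leaked, table))
    print("salted digests for same password differ:", salted_digests_differ("letmein"))
```

The constant-time comparison in `verify_password` avoids leaking how many leading bytes of the digest matched, and the stored iteration count lets a service raise the work factor for new records without invalidating old ones.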
Irrespective of any technological methods or techniques that a given business or organization may employ when looking to protect its customers, the inevitable reality of conducting business in the 21st century is that data breaches are virtually unavoidable. However, this does not mean that businesses and organizations do not have the ability to greatly reduce and mitigate the effects of a data breach incident, as the most recent security breach of LastPass has shown. From hashing and salting to redaction, there are a number of means that can be taken to prevent cybercriminals from stealing personal data, and protecting such data must be a top priority for all companies and organizations around the world.