Call it reverse schadenfreude, or maybe digital empathy, but when a tested, hardened and demonstrably security-conscious company suffers a hit, everyone feels a little bit of shame.
If you were affected by the LastPass hack, however, you might be feeling other emotions after the company's recent intrusion. Namely, the fear that comes when you realize not one, but all of your passwords — at least the ones stored via the service — may be at risk.
The good news? That particular flavor of anxiety appears to be unfounded, at least for the foreseeable future. While the uber-popular, cloud-based password storage service hasn't been specific regarding the factors behind the hack, it's been incredibly forthcoming about the data intruders managed to snag: "Account e-mail addresses, password reminders, server per user salts and authentication hashes were compromised," the company's blog states.
It's the last item on that list that could've potentially given attackers access to user accounts — with emphasis on "could've." Thanks to some strong, smart encryption practices, the authentication hashes (i.e., the way the service confirms users are who they say they are) stolen in the LastPass hack are neigh impossible to crack, raising a collective sigh of relief from the service's userbase.
That isn't to say all users are shielded from the attacks, however. Those employing predictable or otherwise weak account passwords left gaping holes in a secure perimeter, upping the chances of attackers accessing all their stored passwords. The same goes for users who declined two-factor authentication, though it is worth noting the company has something of a solution to that issue. Finally, there's the off chance their encryption could be cracked, at least on a per-user level, though password security experts at sites such as Ars Technica claim that outcome isn't likely.
"You will suffer a security breach." That's how Forrester opens its "Planning for Failure" whitepaper, and it's the absolute truth. With so many variables, vectors and ways for attackers to get their toes in the door, suffering some sort of breach is unavoidable these days — and your ability to respond is a crucial factor in your company's overall security success.
The reaction to the LastPass hack shows the company's commitment to this basic idea. Besides the crazy-strong encryption it employs — a good example of the preventative measures preached in "Planning for Failure" — its after-the-fact efforts are nothing short of impressive at the conceptual level. Because security is an "ongoing back-and-forth," as the company's blog says, the security game can resemble an arms race, and this most recent incident has clearly convinced it to respond in kind.
Disclose and Harden
The first step in the wake of the LastPass hack: good old-fashioned disclosure. By making good-faith efforts to frankly and thoroughly inform users of the breach, the service didn't just regain goodwill from the start; it immediately hardened against the possibility of larger-scale thefts at the individual level, not to mention all the horrible PR that would come with it.
The rest of the response shows the practical creativity needed to react swiftly when data breaches occur. Since the encrypted authentication hashes were released into the wild, so to speak, and since that left a potential opening to user accounts without two-factor authentication, the service required users without the feature to verify via e-mail before granting new devices (or logins from new IP addresses) access. This drastically lessened the chance of unknown attackers gaining access without some extra technical trickery, adding layers of safety the moment anyone tries to log in.
The service now also requires users to update their master passwords (i.e., the passwords used to access the main LastPass account), and has updated the timetable for a new, presumably optional hardware security module program. The latter adds yet another layer of physical security alongside existing two-factor authentication that essentially ensures account safety except in situations where attackers have physical access to the victim's hardware. Physical breaches are a concern, to be sure, but removing pure digital attacks from the equation is still an impressive feat, and it's one security-conscious users are bound to appreciate.
A short time removed from the event's disclosure, it's clear companies such as LastPass understand the basic principles outlined in "Planning for Failure" and other preparation- and recovery-minded pieces. By working a solid combination of preparation and reaction, the company didn't just save its users from the horrors of having all their passwords exposed — it showed that, while breaches are a bad thing, the things you can learn from them (not to mention the procedures and tech implemented in their wake) is what security is all about. In a world where attacks are a certainty, that's a bright spot indeed.
Want to learn more about how you can best prepare for, and respond to, a breach? Download Forrester's whitepaper.
Photo Source: Flickr