There are so many data breaches happening each week that it's easy to become numb to all the announcements. Sometimes one or two dominate the news because of the size or importance of the breach. Sometimes there is confusion in the media about the breach or the significance. Sometimes the experts don't agree.
I think most people have heard about the OPM - Federal (US) Office of Personnel Management - breach in which personal information on over 4 million people, including security clearance information, possibly dating back to 1985, was stolen in an attack on federal computers. Everyone agrees that this one was big and bad. But also in the news was the breach of information at LastPass, and there is far less consensus on the impact.
LastPass is a password vault - a program that lets you store all your passwords in an encrypted "safe". I've talked about password vaults many times in the past. I have always recommended the use of a password vault and I still do.
First, let's discuss what happened.
A place to talk about information security, Internet safety and, of course... coffee!
Thoughtful, sometimes controversial, but not following the crowd unless I'm in line at the coffee shop.
Showing posts with label hash. Show all posts
Tuesday, June 23, 2015
Tuesday, November 12, 2013
Rhymes with Assword
By now, most people have heard about the Adobe website breach. I won't go into too many details but you can read Adobe's summary here, and here is a detailed review by Sophos.
And, after I wrote this post I see that the This Week In Tech (TWIT) show on the great Twit TV network did a show of the same name (go to 1:56:20 in the show). Great minds think alike! If you read the Sophos report you will see that someone used the phrase "rhymes with assword" as their password hint.
There are a few key points to review:
- A new record! This breach has now set the new record for largest number of compromised accounts, 152,000,000, beating previous noteworthy large breaches including those from Sony, TJX and Heartland.
Tuesday, June 4, 2013
How crackers ransack passwords - Sort of...
I am not trying to make this the password rant blog. But we just can't go a full week without more news about password problems!
Last week the excellent tech news site, Ars Technica, did a feature article in which they had first a journalist, then three different password hacking experts, try to decrypt passwords from an encrypted password file. They were all quite successful... frighteningly so.
Steve Gibson discussed this for a bit in Security Now episode 406.
But, I think there were some critical flaws in the test. And there were also some excellent lessons.
I'll comment on the article using the sandwich method, starting with what was good...