LastPass is a service that claims it will “remember your passwords so that you can focus on the more important things in life.” In the modern age, it’s hardly surprising that LastPass and other similar “password managers” have gained popularity. After all, according to a study recently completed by Cyber Streetwise, the average person has 19 total passwords. These passwords are in turn scattered across many different social media sites, email accounts, web communities, banking websites, online shopping outlets, and other sites—making it difficult to remember which password coincides with which site. Programs like LastPass remember your passwords so that your accounts stay secure, but are still easy to access on your personal computer.
The LastPass Security Breach
Unfortunately, even password managers have their weak points. In June of this year, LastPass disclosed a major security breach. According to PC World, hackers breached the system and “got away with user email addresses, password reminders, server per user salts, and authentication hashes.”
If you use LastPass, chances are that you already know a fair amount about the system’s June data breach. LastPass went into lockdown mode following the hack, requiring extra verification steps in cases where “a new login comes from an unknown device or new IP address.” In other words, any attempt to log into your LastPass account from a device or network you do not normally use had to be confirmed by email first (unless you already had multifactor authentication enabled), so you would have been alerted to it.
A Word on Encryption
The good news, in this case, is that LastPass found no evidence that the most valuable data it holds, users’ encrypted password vaults, was taken. When you use LastPass or another password manager, the program builds a vault of the logins you use and can fill them in automatically when you visit the corresponding sites and services. The vault is itself locked by a master password, which must be stronger than any of the passwords inside it, because it protects all of them at once.
The vault is not merely hidden behind a login screen; it is encrypted on your own device with a key derived from your master password, so LastPass’s servers never hold that key. That is why the breach did not expose any stored site passwords: the vaults were not taken, and even if they had been, they would be unreadable without each user’s master password.
So what information did the LastPass hack reveal? Email addresses are self-explanatory, and password reminders are the hints users write for themselves, which can give away a weak master password outright. But what are “server per user salts” and “authentication hashes”? LastPass never stores a master password. Instead, the password is run through a one-way hash function, which turns it into a fixed-length string of seemingly random characters, sometimes called a fingerprint. Hashing is not encryption: there is no key that turns the fingerprint back into the password, so the only way to recover it is to guess candidate passwords and hash each one. A “salt” is a random value mixed into the password before it is hashed, so two users with the same password end up with different fingerprints and an attacker cannot reuse one precomputed table of hashes against every account; a “server per user salt” is simply such a value generated separately for each user and kept on the server. The “authentication hash” is the salted, hashed value that LastPass compares against at login. To make every guess expensive, the hashing is also repeated many times: LastPass applies 100,000 rounds of PBKDF2-SHA256 on the server, on top of the rounds already performed on the user’s device before anything is sent.
In other words, the hackers obtained fingerprints of master passwords, not the passwords themselves, and not something that could be decrypted. What they can do with a salt and an authentication hash is mount an offline guessing attack: try candidate master passwords one by one, running each through the same salting and hashing steps until one matches. Because of the per-user salt, that work has to be repeated for every account, and because of the iteration count, every guess is slow. A long, unique master password therefore stays out of reach, but a short, common or reused one could still be guessed, which is why LastPass asked users to change their master password after the breach.
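The following is an added example, written for this page rather than taken from LastPass, that models the scheme described above: a vault key derived on the user’s device, an authentication hash derived from it, and a per-user salt plus further stretching on the server. It then runs the offline guessing attack an attacker with the leaked salt and hash could attempt. The round counts, the function names and the demo users, salt and wordlist are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Round counts are assumptions for this example, chosen to resemble the
# scheme LastPass described, not a statement of its exact configuration.
CLIENT_ROUNDS = 5_000     # stretching done on the user's device
SERVER_ROUNDS = 100_000   # extra stretching done on the server before storage


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client side: PBKDF2-SHA256 over the master password, salted with the
    lowercased email. This key encrypts the vault and never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more PBKDF2 round turns the vault key into the value
    sent to the server at login. The vault key cannot be recovered from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def server_stretch(auth_hash: bytes, per_user_salt: bytes) -> bytes:
    """Server side: salt the received auth hash with a random per-user value
    and stretch it again. Only this result and the salt are stored."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, SERVER_ROUNDS)


def register(email: str, master_password: str,
             per_user_salt: Optional[bytes] = None) -> tuple:
    """Full enrolment: returns (salt, stored_hash), the two values the breach
    exposed for each user. A fresh random salt is generated unless a fixed
    one is supplied (as in the constructed demo below)."""
    salt = per_user_salt or os.urandom(16)
    auth_hash = derive_auth_hash(derive_vault_key(email, master_password), master_password)
    return salt, server_stretch(auth_hash, salt)


def server_verify(stored_hash: bytes, per_user_salt: bytes, auth_hash: bytes) -> bool:
    """Login check, using a constant-time comparison."""
    return hmac.compare_digest(stored_hash, server_stretch(auth_hash, per_user_salt))


def offline_guess(email: str, leaked_salt: bytes, leaked_hash: bytes,
                  wordlist) -> Optional[str]:
    """What an attacker holding a leaked salt and stored hash can do: run the
    whole pipeline for every candidate master password. The salt forces this
    work to be repeated per user; the round counts make each guess slow."""
    for candidate in wordlist:
        auth_hash = derive_auth_hash(derive_vault_key(email, candidate), candidate)
        if server_stretch(auth_hash, leaked_salt) == leaked_hash:
            return candidate
    return None


# Constructed demo data: one email, a fixed salt so the run is repeatable,
# a weak and a strong master password, and a tiny attacker wordlist.
# Nothing here comes from the real breach.
DEMO_EMAIL = "alice@example.com"
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
WEAK_MASTER = "password123"
STRONG_MASTER = "Tq7!vRm2#pLx9@wZe-gH4"
ATTACKER_WORDLIST = ["123456", "letmein", "qwerty", "password123"]


def run_demo() -> dict:
    """Enrols both users, checks a legitimate login still works, then reports
    which master password the offline attack recovers from the leaked data."""
    results = {}
    for label, master in (("weak", WEAK_MASTER), ("strong", STRONG_MASTER)):
        salt, stored = register(DEMO_EMAIL, master, DEMO_SALT)
        login_hash = derive_auth_hash(derive_vault_key(DEMO_EMAIL, master), master)
        assert server_verify(stored, salt, login_hash)
        results[label] = offline_guess(DEMO_EMAIL, salt, stored, ATTACKER_WORDLIST)
    return results


if __name__ == "__main__":
    print(run_demo())  # {'weak': 'password123', 'strong': None}
```

The weak master password falls to a four-word list in well under a second even with 105,000 rounds per guess; the strong one survives because it is simply not in any list an attacker would try. Note that the attack never needs the vault itself: a leaked salt and authentication hash are enough to test guesses, and a recovered master password also yields the vault key.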
Using Encryption to Protect Your Other Digital Assets
As you can see, encryption is a hugely important defense to have in place for any type of digitally hosted data. Encryption is what made the LastPass data breach merely a “close call” instead of an all-out internet security disaster. Even with hackers on their system, LastPass was able to keep their customers’ vaults protected because those vaults were encrypted with keys the company itself never held.
That being said, the LastPass data breach should be a wake-up call to users everywhere that even systems that preach internet security and password protection can’t always avoid becoming the victims of cyber crime. The bottom line is that if you or your business is hosting a substantial amount of secure, sensitive data in a digital or online system, you should take steps to ensure that your files are protected by encryption. Encryption could be the last line of defense for your data, just as it was for the user password vaults at LastPass.
That’s where eFileCabinet comes in. A sophisticated document management system, eFileCabinet is ideal for protecting your business’s confidential data. Most companies use our software to digitize all of their files—from financial records to project proposals and other paperwork. More than simply a place to deposit your files in the digital space, eFileCabinet is also a collaborative piece of powerful software that allows multiple team members to access and edit the same documents.
As you might expect, we at eFileCabinet take cyber crime and cyber security very seriously. We’ve taken extensive steps to ensure the safety of all client data, including AES-256 encryption for stored files. Unlike some cloud-based storage services, we encrypt data both in transit (while it is being sent from one place to another) and at rest (while it is stored on disk). With TLS (Transport Layer Security, the successor to SSL, Secure Sockets Layer) protecting the connection, you can rest assured that your documents are safe even while they are being transferred across a network.
Are you interested in trying out eFileCabinet for yourself? Fill out the form on the side of the page to receive a free 15-minute preview of the software.