Parsing LastPass’s statement requires a basic understanding of the way that passwords are generally stored. Passwords are “hashed” by taking the plain text password and running it against a a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse.
The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash. To make matters worse, there are plenty of tools capable of very rapidly mapping these hashes to common dictionary words, names and phrases, which essentially negates the effectiveness of hashing. These days, computer hardware has gotten so cheap that attackers can easily and very cheaply build machines capable of computing tens of millions of possible password hashes per second for each corresponding username or email address.
But by adding a unique element, or “salt,” to each user password, database administrators can massively complicate things for attackers who may have stolen the user database and rely upon automated tools to crack user passwords.
“What a salt does it makes it hard to go after a lot of passwords at once as opposed to one users’ password, because every user requires a separate guess and that separate guess is going to take a considerable amount of time,” said Steve Bellovin, a professor in computer science at Columbia University . “With a salt, even if a bunch of users have the same password, like ‘123456,’ everyone would have a different hash.”
More concerning in this particular breach, Bellovin said, is that users’ password reminders also were stolen.
“I suspect that for a significant number of people, the password reminder — in addition to the user’s email address — is going to be useful for an attacker,” he said. “But password reminders are useful for targeted attacks, not massive attacks. That means that if your password reminder or hint is not particularly revealing to someone who doesn’t know you, it probably doesn’t matter much. Except in the case of targeted phishing attacks,” which might try to leverage data known about a specific target (such as a password hint) to trick the user into giving up the answer to their password reminder.
So what’s the takeaway here? If you entrust all of your passwords to LastPass, now would be a terrific time to change your master password.