LastPass Gets Hacked – Time for Passwordless Logins?

Password manager service LastPass announced last week that they experienced a data breach that exposed users' email addresses, encrypted passwords and cleartext password reminder hints.

Following the good advice to never use the same password twice, and to choose passwords that are difficult to guess (and remember), many people use password management sites such as LastPass. But the problem with using a Web-based third party to store your passwords is that they can get hacked, too.

LastPass certainly took many security precautions, and some of them worked. For example, LastPass never had access to customers' master passwords in cleartext. But they did store other information about users in cleartext, and it's this compromised information that can be used to guess weak master passwords.

LastPass's blog announced explains that server-per-user salts and authentication hashes were also compromised. Employee Joe Siegrist wrote in a follow-up blog to customers:

“An attacker could try to guess your master password, then use your per-user-salt and authentication hash to determine if their guess was correct. […] If your master password is weak or if your password reminder makes it easy-to-guess, then the attacker could significantly reduce the number of attempts needed to guess it correctly.”

When Is Enough Enough?

The cryptocurrency world has been relatively quick on the uptake of passwordless Web logins. It began when Satoshi Labs offered users Trezor Connect, which allows you to log in to participating websites simply by plugging in a hardware wallet.

The cryptocurrency community also showed great excitement recently at the world's first Secure Quick Reliable Login (SQRL) that utilizes QR codes and the public-key cryptography behind Bitcoin to achieve passwordless login.

These two developments alone prove that usernames and passwords are far from necessary in achieving secure client-server relationships online.

But will either of them take off? Will another approach entirely prove to be more appealing? It'll all come down to how many data breaches consumers are willing to put up with.