Many LastPass users found out on social media or on news sites earlier this week that LastPass experienced a significant security breach. While the password vaults that contain users' passwords are not believed to have been compromised, cyber attackers gained access to users' email addresses, password reminder questions, server per-user salts, and hashed master passwords.

The breach comes at a time when many security writers have been recommending that people use strong, unique passwords for all the websites and cloud services they use to minimize the damage of a password breach of one service. Many even recommended LastPass as a secure way to remember all of these complex, unique passwords. We analyzed exposure to the LastPass breach across over 18 million McAfee (formerly Skyhigh Networks) users. First, while the breach is a wake-up call for the industry, the average user is unlikely to be impacted. Before we dive into those numbers, what does the breach mean for the average LastPass user?

LastPass users log in to their accounts using a master password, which gives access to the passwords stored in the vault hosted by LastPass. Master passwords are hashed before they leave the user's computer using PBKDF2-SHA256. Passwords are salted as an additional security measure. In other words, a piece of random data is added to the password before hashing it to make it harder for an attacker to compromise.

Unlike encryption, the hashing used by LastPass is a one-way operation. When you encrypt data you can decrypt it using a key. Hashing applies a similar algorithm to scramble data. A properly designed hashing algorithm cannot be reversed. Given the hashed value, there's no mathematical way to transform it back into the original value.

However, when you hash a password, if someone else uses the same password the hash value will be the same for both. This gives an attacker a way to compromise the hash. Given enough computing power, an attacker could compute hash values for many different random letters and numbers. By comparing the hash values they generated with the stolen hash value, they could guess a password.
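The salting and hash-comparison behaviour described above, shown as an added example that is not from the original article or from LastPass. The iteration count, record layout, function names and sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example, not LastPass's setting

def unsalted_hash(password: str) -> bytes:
    """Plain SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).digest()

def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-SHA256 over the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def enroll(password: str) -> dict:
    """Build a stored record (hypothetical layout): random salt plus derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])

def weak_accounts(records: dict, wordlist: list) -> dict:
    """Audit which accounts use a password from a list of common choices.
    The salt forces a full PBKDF2 run for every (account, candidate) pair,
    so nothing computed for one account can be reused for another."""
    found = {}
    for user, record in records.items():
        for candidate in wordlist:
            if verify(candidate, record):
                found[user] = candidate
                break
    return found

# Constructed sample data: two users share a common password, one uses a long passphrase.
RECORDS = {
    "alice": enroll("password1"),
    "bob": enroll("password1"),
    "carol": enroll("correct horse battery staple 93!"),
}
COMMON = ["123456", "password1", "letmein"]

if __name__ == "__main__":
    print("unsalted hashes match:", unsalted_hash("password1") == unsalted_hash("password1"))
    print("salted hashes match:", RECORDS["alice"]["hash"] == RECORDS["bob"]["hash"])
    print("accounts with common passwords:", weak_accounts(RECORDS, COMMON))
```

Salting hides the fact that two users chose the same password and removes the shortcut of precomputed tables, but it does not protect a password that appears on a list of common choices; only a strong master password and a high iteration count raise the cost of each guess.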