LastPass is (or should be) Toast
LastPass, a product that I've used for a long time and have recommended freely to friends and other notable ne'er-do-wells alike, has been hacked. Again. This time it might spell doom for the company. With apologies to Glen Hansard, I'm both mad AND disappointed.
Introduction
So. It's important to note that LastPass doesn't have a great track record when it comes to security incidents. It's significant enough that 'Security Incidents' is the largest part of the LastPass Wikipedia page. Each of these incidents has been met with insistence by the company that while damage was done, no customer information was compromised. They kinda say that about this December incident, but, as you will see, nobody believes them.
So What Happened?
Let's restrict our lens to just the last six months. NOTE: The fact that we have to do that is in itself a problem. For more information, consult the Wikipedia article linked above.
Two things happened in a relatively short period of time.
First, in August of 2022, Lastpass, by most analyst's reckoning the most used password manager on the planet, suffered a significant security breach. This breach was described at the time as a 'loss of source code.' So that's bad.
Second, December 22, 2022 saw another press release posted by the company. This notice highlighted ANOTHER breach. This time the company admitted that their cloud storage had been breached, leading to every single customer's vault being exfiltrated.
And I quote:
" The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. "
So... that's worse. In their press release LastPass admits that it's possible to use this information to crack master passwords using brute force techniques, although they insist this would be 'extremely difficult.'
What Did The Hackers Get?
In short, they got everything outside of Credit Card data. This is based on LastPass's press release- CC data was kept on a separate infrastructure. This is ironic to me personally because this is the only part of LastPass I've never felt comfortable enough to use.
But aside from CC data, they got everything else. They got vaults, hashes, notes, and unencrypted metadata, for every single user of LastPass. All 33 million of us.
LastPass's Security Model
So why do they think cracking the passwords would be so difficult as to be a total non-issue? Their security model uses something called PBKDF2 to create the hash of your password. In short, the master password gets hashed 100,100 times (by default, this is actually changeable in settings- although I doubt most people knew that) and then that hash is strengthened by a final round of a different algorithm (the aforementioned PBKDF2.)
Two problems here.
First, one of the things that makes this more effective is the length of the password. A 100-character password will take an exponentially longer time to crack than a 12-character password. Chances are most people's master password is far closer to 12.
Second, the default number of iterations is way short of recommended standards. OWASP, for example, recommends 310,000 iterations.
Neither of these things bodes well for how long a master password hash from LastPass will stand up to a concerted brute force attack.
Something else that was discovered (summarized neatly here on Mastadon from user Jeremi Gosney): LastPass rolled their own implementation of AES. And it's a crap implementation. This makes the passwords all the weaker and even more susceptible to brute force attack. Outstanding. Insert "Orson Welles clapping like an insane person" gif here.
Takeaway: Your Vault Is Identifiable
One thing that LastPass has always maintained is that even if vaults were stolen, they would be completely anonymous- a hacker would have no idea who's vault was who's. Well, that wasn't true. Because of the unencrypted metadata, it is exceedingly likely that an attacker can differentiate one vault from another.
This is particularly troubling because it gives attackers all over the world an incentive to buy these vaults- now they can determine who's vault is who's and build a list of high-value targets to start brute-forcing. Previously they would have to pick one at random out of 33 million possible users and just roll the dice that they were worth the effort.
What Do I Do Now?
- Every single password in your vault should be rotated ASAP.
It's important to note that the damage LastPass caused cannot be undone by simply changing your master password - your vault is in someone else's hands now. And if they choose to, they will eventually crack your password. And, if there's any sensitive information in the private notes section of your vault - banking information, backup codes, crypto keywords, security phrases, etc., you have to assume that at some point they're going to become compromised too.
- Migrate to Another Password Manager
Frankly (and speaking exclusively in "I" statements here) this should have happened a while ago. Like I said, LastPass has had enough security issues that it shouldn't have been trusted already. Based on what's come out over the last few months though they absolutely should not be trusted now. I don't think there's any way to assume a degree of competence will suddenly overwhelm the company- they haven't even issued an actual apology yet.
There are a lot of options out there- Bitwarden, Keeper, and 1password all come to my mind- for you to choose from, and there are a lot of good sites that sift through the pros and cons of each offering. One thing to look for in a new password manager is the ability to migrate. Some will do it more easily than others.
Is All This Fuss Absolutely Necessary?
That's a tough question. There might actually be a silver lining in this whole debacle. As I said earlier, the unencrypted metadata means that vaults can be matched up with individuals, leading to a list of 'high value targets.' So what would make someone a high value target?
[...] attackers will target four groups of users:
- users for which they have previously-compromised passwords (password reuse, credential stuffing)
- users with laughably weak master passwords (think top20k)
- users they can phish
- high value targets (celebs, .gov, .mil, fortune 100)
If you are not in this list / you don't get phished, then it is highly unlikely your vault will be targeted.
To emphasize again: if your password is sufficiently complex (aka, not on any rainbow lists, significantly longer than 12 characters) it might still take a loooong time to break. If you're not a high-target individual, attackers might just not think it's worth the effort.
So it depends on your risk tolerance. For me, it feels a lot like security through obscurity to risk it. I personally am not anyone's version of a high-value target, and my master password is, in my humble opinion, unimpeachably excellent.
For me though it comes down to trust in the company. To wit: when it comes to LastPass, I have none left.
Conclusion
I know that saying any password can be cracked 'eventually' can be construed as a non-answer- how long does that mean, really?? Well, it depends. This article from Hive Systems talks about password cracking from a hash in general terms. Two takeaways.
First, the more complex the better. According to their testing, a supremely complicated 18-character password would take approximately 4 quadrillion years to crack. So that's good. If you have that kind of master password, you are in great shape.
HOWEVER
Second, just by upgrading from a 2020 graphics card to a 2022 graphics card, the Hive testers were able to cut those times down substantially. That 4 quadrillion years example? In 2020 that would have taken 7 quadrillion years. And the gains in speed for less secure passwords are even more extreme. To quote them directly:
"Complex 8-character passwords that once took 8 hours to crack now only take 5 hours!"
There's no reason to think that improvements in speed will keep coming. There are even specialty accelerator cards in active development that purport to do the kind of calculations necessary to do this even faster than today's state of the art GPUs. The Hive Systems article even goes into the details of how much more efficient these cards are (and how they're already available to cloud customers. It's worth reading in its entirety as it also discusses the various encryption algorithms that are out there and how they might affect the estimated time to crack a password under certain conditions. But even Hive admits that they're still just estimates.
So, like I said... even for the supremely complicated passwords? They'll be able to be cracked.. eventually.