The Real Lessons from the LastPass Breach

Didn’t think I’d be writing back-to-back posts regarding breaches, but that’s the world we live in now. And the LastPass breach is interesting on many levels.

In warning users of the breach, LastPass disclosed that their investigation into the breach showed “that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised”. This news has obviously given the people that were against cloud-based password managers (like LastPass) the ammunition they needed to say “see, we told you this was a bad idea”. The less thoughtful simply call foul without offering any suitable alternative. The more thoughtful ones go after the cloud aspect of this and suggest using desktop-based alternatives like KeePass. KeePass is a good alternative, but when you put it into the context of your usage, your devices, and your work patterns, it has quite a few usability limitations. That forces users to either do additional work to make it usable or (more likely) work around those limitations in ways that negate the security benefits.

Are Cloud-Based Password Managers Still Effective?

Yes, but there’s a big caveat.

By all accounts, the architecture LastPass built worked as designed. In a previous post I described in detail how LastPass and most of the big password managers go about protecting your application passwords. Because neither your master password nor the encryption key derived from it is ever stored on the server, the hackers didn’t get those; what they got is the hash of the “generated password” (as I described it in the previous post) together with the per-user salt that went into that hash. That combination is exactly what an offline guessing attack needs: hash candidate master passwords with your salt and compare each result against your stolen hash. The salt doesn’t make that harder for any one account, but it does force the attacker to repeat the work for every user rather than running one pass over the whole dump. This post by Robert Graham does a good job describing how the effort to crack a well-formed password is so high as to make any automated cracking of the entire set of authentication hashes nearly useless.

What this means is that the real threat is a targeted effort. Because the data set includes account email addresses, the hackers could search through to find email addresses of known high-value targets (like ‘kevin.feige@marvelpictures.com’; note: not a real email address), and then try to crack just that individual master password. Depending on the complexity of the master password, this goes anywhere from easy to near impossible (as described in Robert’s post). And this is where some key points come in:

  • The slow, salted hashing LastPass uses makes every guess expensive, and that buys you time. If you follow their advice and reset your master password before an attacker finishes cracking the old hash, then recovering the old master password gets them nothing, because they can’t log into your account with it. The countermeasures LastPass applies to logins from new IP addresses and devices help here too, and ESPECIALLY two-factor authentication on your LastPass account (a must-have even without a breach occurring).
  • When setting your master password, remember that length is king, and avoiding dictionary words is crucial.
  • However, if you committed the sin of reusing your LastPass master password somewhere else (maybe it is your preferred strongest password, so you only used it for your LastPass account and your online banking account), then those accounts are now susceptible. Go change them now.

And for gosh sake, don't reuse your passwords!

The Big Caveat

Changing your LastPass master password will stop the hacker from logging into your account and retrieving your application passwords. But the master password (together with the other compromised data) is also the basis for the key that encrypts your vault, and that makes it a very different problem if the hackers have also gotten the encrypted password vaults. In their security notice, LastPass says that “we have found no evidence that encrypted user vault data was taken”. We all know that absence of evidence is not evidence of absence. If the hackers actually do have the encrypted password vaults, then, in a targeted fashion, they can take all the time they want to crack an individual master password, derive the encryption key from it, and decrypt that individual’s vault. A copy of the vault stolen before you changed your master password is still encrypted under the key derived from the old one, so the reset doesn’t help you there. This is where you’re safe if your master password was really and truly strong, and not so much if it wasn’t.
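To make the two points above concrete (the targeted crack of a salted, iterated authentication hash, and why a master-password reset doesn’t protect a vault copy that was already stolen), here is an added example in Python. It is not LastPass’s code and does not reproduce their real scheme: the key-derivation steps, the iteration counts, the use of the email address as the client-side salt, the sample accounts, the wordlist and the example master passwords are all assumptions constructed for this demonstration.

```python
"""Simplified model of a salted, iterated authentication-hash store and a targeted
offline crack against a stolen copy of it.  Added example, not LastPass's code: the
scheme, iteration counts and sample data are assumptions made for this demonstration."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumed work factors, kept small so the demo runs in a few seconds.  Real deployments
# use far more server-side rounds; the shape of the scheme is what matters here.
CLIENT_ITERATIONS = 5_000    # client turns the master password into the vault key
SERVER_ITERATIONS = 20_000   # server hashes again before storing the authentication hash


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side.  The vault key depends only on the master password and the account
    email (used here as the salt, an assumption of this model).  It never leaves the
    device, so a server breach cannot expose it directly; anyone who learns the master
    password, however, can recompute it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ITERATIONS)


def auth_input(vault_key: bytes) -> bytes:
    """Client side.  A one-way value sent to the server at login, so the server never
    sees the vault key either."""
    return hashlib.sha256(b"auth:" + vault_key).digest()


def server_auth_hash(auth: bytes, per_user_salt: bytes) -> bytes:
    """Server side.  Salt and iterate again before storing: the salt defeats precomputed
    tables and forces one pass per user, the iterations make every guess cost real work."""
    return hashlib.pbkdf2_hmac("sha256", auth, per_user_salt, SERVER_ITERATIONS)


def enroll(email: str, master_password: str, reminder: str = "") -> dict:
    """Build the record the server keeps for one user: exactly the fields the breach
    notice lists (email, reminder, per-user salt, authentication hash)."""
    salt = secrets.token_bytes(16)
    auth = auth_input(derive_vault_key(master_password, email))
    return {"email": email, "reminder": reminder, "salt": salt,
            "auth_hash": server_auth_hash(auth, salt)}


def crack_targeted(dump: list[dict], target_email: str,
                   candidates: list[str]) -> tuple[str | None, int]:
    """Attacker side.  Pick one record out of the dump by email address and hash candidate
    master passwords with that user's salt until one matches.  Returns the recovered
    password (or None) and the number of guesses that had to be hashed."""
    record = next(r for r in dump if r["email"].lower() == target_email.lower())
    for tried, guess in enumerate(candidates, start=1):
        auth = auth_input(derive_vault_key(guess, record["email"]))
        if hmac.compare_digest(server_auth_hash(auth, record["salt"]), record["auth_hash"]):
            return guess, tried
    return None, len(candidates)


# Constructed sample data: a tiny wordlist of common patterns and two victims.
CANDIDATES = ["password", "123456", "qwerty", "letmein", "Summer2014", "Summer2015",
              "Summer2015!", "Winter2015!", "P@ssw0rd", "iloveyou", "Yankees1", "marvel2015"]
WEAK_MASTER = "Summer2015!"                              # pattern every wordlist covers
STRONG_MASTER = "orbit velvet cactus lantern 9 harbour"  # long random-word passphrase

if __name__ == "__main__":
    dump = [enroll("weak@example.com", WEAK_MASTER, "season + year"),
            enroll("strong@example.com", STRONG_MASTER)]
    for email in ("weak@example.com", "strong@example.com"):
        found, n = crack_targeted(dump, email, CANDIDATES)
        print(f"{email}: recovered={found!r} after {n} guesses")
    # A cracked master password gives the attacker the key the stolen vault was encrypted
    # with; a later password reset derives a new key but does not re-encrypt the stolen copy.
    old_key = derive_vault_key(WEAK_MASTER, "weak@example.com")
    print("attacker's key matches old vault key:",
          derive_vault_key("Summer2015!", "weak@example.com") == old_key)
    print("reset protects only data encrypted from now on:",
          derive_vault_key("new master password", "weak@example.com") != old_key)
```

Run it and the weak account falls within a dozen guesses while the strong one exhausts the wordlist. The per-user salt is what stops one pass over a wordlist from covering every account at once, and the iteration counts are what make each pass slow. Real cracking rigs run wordlists of millions of entries plus mangling rules, so the size of the list here is not the point; the difference in outcome between the two master passwords is.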

That is also why I like that password managers are adding functionality to automatically rotate your account passwords; it makes a compromised password vault that much less valuable.

Password Reminders. Huh, Yeah. What Are They Good For?

No, the answer is not “absolutely nothing”. They are good for helping hackers compromise your account.

Let’s face it, if a password reminder can help you remember what the password is, then it can also help a determined hacker figure out what the password is. Reminders like “Yankees First Baseman”, “Honeymoon Location”, “Sons DoB”, “Taxi Driver Quote” and “Who the Hell is Bucky?” basically give the hacker all the information they need to just guess the password. And if it isn’t that straightforward (because you were smart enough to make it “Th3W1nt3rS0ld13r” instead of “The Winter Soldier”), the reminder still shrinks the universe of possible passwords to an extremely manageable set that a cracker like oclHashcat can run through, since its mangling rules generate exactly those capitalisation and leet-speak variants.
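As an added illustration of that last point (example code, not from the original post or any vendor), the following Python enumerates the passwords an attacker would try given the reminder “The Winter Soldier”: a few capitalisation styles, consistent leet-speak substitutions of the kind that produce “Th3W1nt3rS0ld13r”, and common separators and suffixes. The rule set, the assumed guessing rate and the comparison against a 16-character random password are assumptions chosen for the demonstration; a real cracker’s rule files are far larger, which makes the point stronger, not weaker.

```python
"""How a password reminder shrinks the search space.  Added example, not from the original
post or any vendor: the mangling rules below are a small hand-written subset of the kind a
cracker applies, written out so the reduction in keyspace is visible."""
from __future__ import annotations

import itertools

# Assumed rule set.  Each letter may be left alone or replaced by one of these; real
# cracker rule files are far larger.
LEET = {"a": ["@", "4"], "e": ["3"], "i": ["1", "!"], "o": ["0"], "s": ["$", "5"], "t": ["7"]}
SEPARATORS = ["", " ", "_", "-", "."]
SUFFIXES = ["", "!", "1", "2015", "!1"]


def case_styles(words: list[str]) -> list[list[str]]:
    """Four common ways of capitalising a multi-word phrase: lower, Title, UPPER, camel."""
    lower = [w.lower() for w in words]
    title = [w.capitalize() for w in words]
    return [lower, title, [w.upper() for w in words], lower[:1] + title[1:]]


def consistent_leet_maps() -> list[dict[str, str]]:
    """Every mapping that picks, per substitutable letter, 'leave it' or one replacement and
    applies that choice throughout (the way 'Th3W1nt3rS0ld13r' replaces every e, i and o)."""
    letters = sorted(LEET)
    choices = [[None] + LEET[c] for c in letters]
    return [{c: r for c, r in zip(letters, combo) if r is not None}
            for combo in itertools.product(*choices)]


def apply_map(word: str, mapping: dict[str, str]) -> str:
    """Substitute letters case-insensitively, leaving untouched letters as written."""
    return "".join(mapping.get(ch.lower(), ch) for ch in word)


def candidates_from_reminder(words: list[str]) -> set[str]:
    """Everything the rule set can make of the phrase a reminder points to."""
    out: set[str] = set()
    for styled in case_styles(words):
        for mapping in consistent_leet_maps():
            mangled = [apply_map(w, mapping) for w in styled]
            for sep in SEPARATORS:
                for suffix in SUFFIXES:
                    out.add(sep.join(mangled) + suffix)
    return out


def brute_force_space(length: int, alphabet_size: int) -> int:
    """Number of strings an attacker with no hint would have to consider."""
    return alphabet_size ** length


def seconds_to_exhaust(count: int, guesses_per_second: int) -> float:
    return count / guesses_per_second


if __name__ == "__main__":
    cands = candidates_from_reminder(["The", "Winter", "Soldier"])
    rate = 1_000          # assumed guesses/second against a slow, iterated hash
    print(f"{len(cands):,} candidates from the reminder; 'Th3W1nt3rS0ld13r' included:",
          "Th3W1nt3rS0ld13r" in cands)
    print(f"exhausting them at {rate}/s takes {seconds_to_exhaust(len(cands), rate):.0f} s")
    blind = brute_force_space(16, 62)   # 16 chars over [A-Za-z0-9], no hint at all
    years = seconds_to_exhaust(blind, rate) / (365 * 24 * 3600)
    print(f"a blind search of the same length takes {years:.2e} years at that rate")
```

The reminder turns a search that is astronomically large for a 16-character password with no hint into a few thousand candidates that a slow hash can’t save you from, and that is with a toy rule set and a guessing rate far below what dedicated hardware achieves.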

So the fact that the LastPass security notice says that password reminders were compromised is bad. That it doesn’t refer to them as “encrypted password reminders” seems really bad (because if they weren’t encrypted, then I call bad on the LastPass team for that). And it once again points out that no matter how much we teach end-users about password strength and hygiene, the vulnerabilities that exist in all of the supporting services surrounding passwords (just as I outlined in analyzing the Mat Honan attack) continue to mean that we can’t move fast enough into a post-password world.