Impacts of the LastPass Hack
This week was a particularly tough week for those who depend on and promote the use of password managers. Unfortunately, not because of the compromise itself, but because of the loss of faith in such technologies that it undoubtedly introduced into the market. The sad reality is that it is news only because it was a very popular service – LastPass – and had the words compromise and hack in the title.
Yes – LastPass was Compromised
The impacts however are not as severe, all things considered, as it might appear at face value.
LastPass functions as a vault of sorts for a variety of things, including usernames and passwords, credit cards, secure notes and much more. It is easily accessible to people around the world via the browser, desktop and mobile devices. In my opinion, it does a phenomenal job of streamlining the password creation / management process.
On June 15th, 2015, they made public that they had indeed suffered a security incident. According to their post, the information that was compromised consisted of LastPass account email addresses, password reminders, server per-user salts, and authentication hashes.
This means that the vaults, which so many of us depend on, were not compromised. What I found most intriguing, however, are the details they provide around how they store and manage the information we provide – i.e., our master passwords:
We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database.
In case you’re wondering what you just read, this is a pretty hardcore approach and not easy to crack at all: every guess at a master password has to be pushed through all of those rounds before it can be checked against what was stored.
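To make the quoted description concrete, here is an added example (my own code, not LastPass’s) that models the scheme as the post describes it: client-side PBKDF2-SHA256 rounds over the username and master password, one extra round to derive the authentication hash, then 100,000 server-side rounds with a random per-user salt. Using the username as the client-side salt and the exact form of the “another round of hashing” are assumptions on my part.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000     # default client-side PBKDF2-SHA256 rounds (from the post)
SERVER_ROUNDS = 100_000   # additional server-side rounds (from the post)


def client_auth_hash(username: str, master_password: str,
                     client_rounds: int = CLIENT_ROUNDS) -> bytes:
    """Runs on the user's machine. Derives a key from username + master password,
    then performs one more round of hashing to produce the value sent to the server.
    Assumption: the username is the PBKDF2 salt, and the extra round is one
    PBKDF2-SHA256 iteration keyed by the master password."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              username.encode("utf-8"), client_rounds)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode("utf-8"), 1)


def server_enroll(auth_hash: bytes) -> dict:
    """Runs on the server at account creation. The returned record (per-user salt
    and final hash) is exactly the kind of data the post says was compromised."""
    salt = os.urandom(16)  # "a random string per user"
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Runs on the server at login: repeat the 100,000 rounds with the stored
    salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], SERVER_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def total_iterations(client_rounds: int = CLIENT_ROUNDS) -> int:
    """Work an offline guess costs someone holding the leaked salt + hash:
    the client rounds (user-configurable) plus the fixed server rounds."""
    return client_rounds + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    rec = server_enroll(client_auth_hash("alice@example.com", "correct horse battery staple"))
    print(server_verify(rec, client_auth_hash("alice@example.com", "correct horse battery staple")))
    print(server_verify(rec, client_auth_hash("alice@example.com", "password123")))
    print(total_iterations(), total_iterations(65_000))
```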
You don’t have to trust me; take it from the guys who do it for a living. Jeremi Gosney, who owns and operates a password guessing company – Stricture Group – spoke with Ars Technica and provided great context on the real impact of such a hack, specifically its impact on everyday users:
On an NVIDIA GTX Titan X, which is currently the fastest GPU for password cracking, an attacker would only be able to make fewer than 10,000 guesses per second for a single password hash. That is proper slow! Even weak passwords are fairly secure with that level of protection (unless you’re using an absurdly weak password.) And this doesn’t even account for the number of client-side iterations, which is user-configurable. The default is 5,000 iterations, so at a minimum we’re looking at 105,000 iterations. I actually have mine set to 65,000 iterations, so that’s a total of 165,000 iterations protecting my Diceware passphrase. So no, I’m definitely not sweating this breach. I don’t even feel compelled to change my master password.
The fact that someone got into the LastPass network sucks, but it doesn’t concern me at all.
Regardless of the controls you have in place, you must always assume your network is compromised. The really important thing you should be accounting for is how you manage the information / data you’re responsible for. Remember, security is about several controls working in unison with each other.
What impresses me more than anything is the fact that they were able to identify and track the impacts. I’m further impressed by the controls they have in place, their process for storing information / data, and how things are functionally isolated from each other – i.e., the fact that my vaults were not, or at least don’t appear to be, threatened.
Just because a company hasn’t reported they’ve been compromised doesn’t mean they haven’t been or aren’t at this moment. In fact, it often means two things: 1) they’re sweeping it under the rug, or 2) they don’t even know they’re hacked (which happens more than most care to admit).
Reduce Your Risk – Improve your Security Posture
While the threat is minimal to most users, it still poses a significant threat to those who don’t follow the basic steps of good password creation. If your master password was weak – and by weak I mean that it followed one of the various simple patterns you so often read about:
And so many more – then the odds are not in your favor, and you’re in grave danger, as those will be the first of a series that will inevitably be tried. If you’re doing that, it also undoubtedly means you likely use those same passwords for other accounts – i.e., Facebook, banks, Twitter, etc. Either way, it’d behoove you to update your passwords using the recommendations below.
Here are a few recommendations I’d offer regarding the password creation process, specifically for your master password:
- Remember you’re not as unique as you believe yourself to be, so randomly generate if you can.
- You should not be using your master password on any other system (i.e., social accounts like Facebook, email, etc.);
- It’s ok if it’s something you have to store in another system (e.g., PGP or another password manager);
- Enable multi-factor authentication for your master password. LastPass has one of the more comprehensive lists of MFA options I’ve seen – from RSA SecurID, to Duo Security, to YubiKeys. They even have grids you can print out and use manually. There really isn’t an excuse for not employing one of these technologies.
If you have time, I highly encourage you to read this beautiful research by the folks at WPEngine, in which they analyzed 10 million passwords and presented their findings in a magnificent research paper – Unmasked: What 10 Million Passwords Reveal About The People Who Use Them. It really helps you appreciate and understand the psychology behind password creation, and will hopefully help you think through the process as you go through it.
I still wholeheartedly believe in password managers, and I still use and recommend LastPass.
Thank you Tony.
Great post Tony. The reality is that these types of services are always going to be the motherlode for hackers, and as such, they are likely to be under constant attack. I use 1password and expect they have a similar approach. These services are the safest way to use the web – at least when it comes to passwords. It’s crucial that people are made aware that the reason they are under constant attack is precisely because they are so good at what they do. Nothing is ever going to be 100% secure, but this is as close as you can get.
LOL – “close as you can get”… you do know this is the SECOND time they got hacked, right?
You don’t need to be a rocket scientist to work out that you can *obviously* get closer to “100% secure” than this…
This article is massively misleading. English-language entropy is only 1.1 bits per character, and massive password-dictionaries exist that cut that entropy right down: all that crazy talk about numbers and rounds is hiding the fact that well more than half of all users are going to have their passwords cracked in under 1 day. Yes, the 10% or so of users who have a crazy-long fully random password are safe – but the VAST majority of everyone else is NOT.
That is why they told you to change your password. No matter what their damage-control PR releases say, you know when they tell you “change your password”, that they know your old password is not *really* safe.
I have been using Roboform for years now. Is it as secure as LastPass or 1password?