This week was a particularly tough week for those that depend on and promote the use of password managers. Unfortunately, not because of the compromise itself, but because of the loss of faith in such technologies that it undoubtedly introduced into the market. The sad reality is that it is only news because it was a very popular service – LastPass – and the words compromise and hack were in the title.
Yes – LastPass was Compromised
The impacts, however, are not as severe, all things considered, as they might appear at face value.
LastPass functions as a vault of sorts for a variety of things, including usernames and passwords, credit cards, secure notes and so much more. They make it easily accessible to people around the world via your browser, desktop and mobile devices. In my opinion, it does a phenomenal job of streamlining the password creation / management process.
On June 15th, 2015, they made public that they had indeed suffered a security incident. The information that was compromised, according to their post, consisted of: LastPass account email addresses, password reminders, server per-user salts, and authentication hashes.
This means that the vaults, which so many of us depend on, were not compromised. What I found most intriguing, however, are the details they provide around how they store and manage the information we provide – i.e., our master passwords:
We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database.
In case you’re wondering what you just read, this is a pretty hardcore approach and not easy to crack at all.
You don’t have to trust me, but take it from the guys that do it for a living. Jeremi Gosney, who owns and operates a password cracking company – Stricture Group – spoke with Ars Technica and provided great context on the real impact of such a hack; specifically, its impact on everyday users:
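To make the chain in that quote concrete, here is an added Python model of it (my illustration, not LastPass’s own code): 5,000 client-side PBKDF2-SHA256 rounds, one more round to derive the authentication hash that is sent to the server, then 100,000 rounds with the per-user salt before comparing against the database. Using the username as the client-side salt and PBKDF2 for the “one more round” step are assumptions; the `register` function returns exactly the kind of record the breach exposed, and `total_iterations` reproduces the per-guess work figures quoted below.

```python
import hashlib
import hmac
import os

# Added model of the derivation chain described in the LastPass post; salt
# placement and the "one more round" step are assumptions, not LastPass code.
CLIENT_ROUNDS = 5_000     # default client-side PBKDF2-SHA256 iterations (user-configurable)
SERVER_ROUNDS = 100_000   # server-side iterations with the per-user salt


def client_key(username: str, master_password: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side: PBKDF2-SHA256 over the master password, salted with the
    username (assumed). This key unlocks the vault and never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), username.encode(), rounds)


def auth_hash(key: bytes, master_password: str) -> bytes:
    """One more PBKDF2 round over the key, so the value sent to the server
    is not the vault key itself (assumed construction)."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def server_hash(auth: bytes, salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server side: 100,000 further rounds keyed by the per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", auth, salt, rounds)


def register(email: str, master_password: str, client_rounds: int = CLIENT_ROUNDS) -> dict:
    """The record the server stores: what the breach exposed (email, per-user
    salt, authentication hash) and nothing that opens the vault."""
    salt = os.urandom(16)
    auth = auth_hash(client_key(email, master_password, client_rounds), master_password)
    return {"email": email, "salt": salt, "hash": server_hash(auth, salt)}


def verify(record: dict, email: str, master_password: str, client_rounds: int = CLIENT_ROUNDS) -> bool:
    """Login check: the client recomputes the auth hash, the server re-salts and
    re-hashes it, and compares in constant time against the stored value."""
    auth = auth_hash(client_key(email, master_password, client_rounds), master_password)
    return hmac.compare_digest(server_hash(auth, record["salt"]), record["hash"])


def total_iterations(client_rounds: int = CLIENT_ROUNDS) -> int:
    """PBKDF2 iterations an attacker holding the leaked record must run per
    guess: 105,000 at the default, 165,000 with 65,000 client-side rounds."""
    return client_rounds + SERVER_ROUNDS
```

A guess against the leaked record has to pay for the full client-side plus server-side iteration count, and changing the client-side iteration setting alone invalidates the stored hash, which is why the client value is part of a user’s protection.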
On an NVIDIA GTX Titan X, which is currently the fastest GPU for password cracking, an attacker would only be able to make fewer than 10,000 guesses per second for a single password hash. That is proper slow! Even weak passwords are fairly secure with that level of protection (unless you’re using an absurdly weak password.) And this doesn’t even account for the number of client-side iterations, which is user-configurable. The default is 5,000 iterations, so at a minimum we’re looking at 105,000 iterations. I actually have mine set to 65,000 iterations, so that’s a total of 165,000 iterations protecting my Diceware passphrase. So no, I’m definitely not sweating this breach. I don’t even feel compelled to change my master password.
The fact that someone got into the LastPass network sucks, but doesn’t concern me at all.
Regardless of the controls you have in place, you must always assume your network is compromised. The really important thing you should be accounting for is how you manage the information / data you’re responsible for. Remember, security is about several controls working in unison with each other.
What impresses me more than anything is the fact they were able to identify and track the impacts. I’m further impressed by the controls they have in place, their process for storing information / data and how things are functionally isolated from each other – i.e., the fact that my vaults were not, at least don’t appear to be, threatened.
Just because a company hasn’t reported they’ve been compromised doesn’t mean they haven’t been or aren’t at this moment. In fact, it often means one of two things: 1) they’re sweeping it under the rug, or 2) they don’t even know they’ve been hacked (which happens more than most care to admit).
Reduce Your Risk – Improve your Security Posture
While the threat is minimal to most users, it still poses a significant threat to those that don’t follow the basic steps of good password creation. If your master password was weak, and by weak I mean it followed one of the various simple configurations you so often read about:
And so many more, then the odds are not in your favor, and you’re in grave danger, as those will be the first of a series that will inevitably be tried. If you’re doing that, it also undoubtedly means you likely use those same passwords for other accounts – i.e., Facebook, banks, Twitter, etc… Either way, it’d behoove you to update your passwords using the recommendations below.
Here are a few recommendations I’d offer regarding the password creation process, specifically for your master password:
- Remember you’re not as unique as you believe yourself to be, so randomly generate if you can.
- You should not be using your master password on any other system (e.g., social accounts like Facebook, email, etc.);
- It’s ok if it’s something you have to store in another system (e.g., PGP or another password manager);
- Enable multi-factor authentication for your master password. LastPass has one of the more complete lists of possible MFA options I’ve seen – from RSA SecurID, to Duo Security, to YubiKeys. They even have printed grids you can print out and use manually. There really isn’t an excuse not to employ one of these technologies.
If you have time, I highly encourage you to read this beautiful research by the folks at WP Engine, in which they analyzed 10 million passwords and presented their findings in a magnificent research paper – Unmasked: What 10 Million Passwords Reveal About The People Who Use Them. It really helps you appreciate and understand the psychology behind password creation, and will hopefully help you think through the process as you go through it.
I still wholeheartedly believe in password managers, and I still use and recommend LastPass.