The LastPass Breach of 2015


Another day, another massive data breach. I woke up, checked my emails, and saw a message titled: LastPass Security Notice. My first thought was “urgh, another phishing email!”. I was wrong, very wrong. LastPass sent an email and published a blog post covering an intrusion detected on their network. The details still seem a little scarce, but I believe we have enough information to make an educated guess. I can almost hear the click-baiting, over-hyped blog posts being written, so I thought I’d try to provide a realistic take on events.

It seems fairly obvious that LastPass are still investigating the incident due to the vague language used during disclosure:

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised. – Joe Siegrist, LastPass blog

I would hazard a guess that a formal investigation by the likes of the FBI is under way, so details will trickle out as suspects are apprehended. The post goes on to state their confidence in how they operate, as one would expect.

So, do we believe them? Does it matter? TL;DR: Yes and no…

What’s the risk?

[Image: broken lock. Photo by Pitel]

LastPass is incredibly secure — if used correctly, but… If your LastPass “master password” is used anywhere else, then all passwords stored using their service could be at risk. Scary comment aside, let me justify it and explain why it’s easy to fix.


I have recommended, and use, this password manager because of the way it correctly implements well-known security techniques and best practices. It’s one of very few password managers that do security correctly. The code has been audited several times, most notably by the security industry expert I trust most…

“This thing is secure every way you can imagine. And it’s simple. I’ve completely switched my entire solution for managing passwords, after spending days researching it and testing it and playing with it, over to LastPass. I mean, I don’t see a single problem with this.” Steve Gibson, Security Now

The whole point of using a password manager is to make sure all passwords are strong, unique, and secure. This includes your master password. If a hacker can brute force (guess) your master password, they can access any account to which it is linked. A secure master password is imperative.

How can we fix it?

Your master password is used to access all the data stored by LastPass. So, it should go without saying that it needs to be a strong one. If your current master password is weak, there is a very simple way of making it stronger — make it longer. It doesn’t need to be more difficult, just longer. Every extra character will effectively double its entropy (synonymous with password strength). Let’s use an example password of “Passw00rd” and make it stronger:

Our Password:
Passw00rd
Becomes:
+++Passw00rd+++
Or:
///Passw00rd///

This only makes the password 75% longer but more secure by orders of magnitude, going from 1.5 days to crack to 1.49 billion centuries at one hundred billion guesses per second. No small feat. As with a breach of any service you use, it’s recommended to change your password immediately. So, if your password is a little too easy to guess, or is on our list of 25 Worst Passwords, take the opportunity to increase its strength by following the example above!
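To show where the “1.5 days” and “1.49 billion centuries” figures come from, here is a small estimator written for this post (added example, not the author’s code). It models the attacker the post assumes: one who knows which character classes the password uses and tries every combination of that alphabet at one hundred billion guesses per second. The 33-character symbol class (printable ASCII punctuation plus space) and the class-based alphabet model are assumptions of this example.

```python
"""Why "just make it longer" works: search space and exhaustive-search time.

Added example, not code from the original post. It models the attacker the
post assumes: one who knows which character classes the password uses and
tries every combination of that alphabet at 100 billion guesses per second
(the post's rate). The 33-character symbol class (printable ASCII punctuation
plus space) is an assumption of this example.
"""
import string

GUESSES_PER_SECOND = 100_000_000_000  # 1e11, the rate quoted in the post

# Character classes; a password that uses any member of a class forces the
# attacker to include the whole class in the alphabet being searched.
CLASSES = {
    "lower": set(string.ascii_lowercase),        # 26
    "upper": set(string.ascii_uppercase),        # 26
    "digits": set(string.digits),                # 10
    "symbols": set(string.punctuation) | {" "},  # 33 (assumption)
}

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
SECONDS_PER_CENTURY = 100 * SECONDS_PER_YEAR


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet containing every character."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    unmodelled = [c for c in password
                  if not any(c in cls for cls in CLASSES.values())]
    if unmodelled:
        raise ValueError(f"characters outside the modelled classes: {unmodelled!r}")
    return size


def search_space(password: str) -> int:
    """Candidates of exactly this length over that alphabet.

    An exhaustive search also walks every shorter length first, so this is a
    slight lower bound (about 1% low for a 95-character alphabet).
    """
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole space at the given guess rate."""
    return search_space(password) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that keeps the number readable."""
    if seconds < 3_600:
        return f"{seconds / 60:.2f} minutes"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3_600:.2f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.2f} days"
    if seconds < SECONDS_PER_CENTURY:
        return f"{seconds / SECONDS_PER_YEAR:.2f} years"
    return f"{seconds / SECONDS_PER_CENTURY:.3g} centuries"


def strengthening_factor(weak: str, strong: str) -> float:
    """How many times larger the search space becomes after padding."""
    return search_space(strong) / search_space(weak)


if __name__ == "__main__":
    for pw in ("Passw00rd", "+++Passw00rd+++", "///Passw00rd///"):
        print(f"{pw:<18} alphabet={alphabet_size(pw):>3} length={len(pw):>2} "
              f"space=2^{search_space(pw).bit_length() - 1:<3} "
              f"time={human_time(seconds_to_exhaust(pw))}")
    print("padding multiplies the search space by "
          f"{strengthening_factor('Passw00rd', '+++Passw00rd+++'):.3g}x")
```

Running it reproduces the post’s figures: “Passw00rd” (62-character alphabet, 9 long) falls in about 1.57 days, while “+++Passw00rd+++” (95-character alphabet, 15 long) takes roughly 1.47 billion centuries. The padding characters add six positions and drag the symbol class into the alphabet, which is why length beats cleverness here.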


Nerdy stuff

LastPass uses an algorithm known as PBKDF2-SHA256 (Password-Based Key Derivation Function 2 with SHA-256). It is a key derivation function that uses salting to defeat precomputed-hash attacks (a.k.a. rainbow table attacks) and repeated iteration to make every guess expensive. It uses a random salt and 100,000 rounds of iteration on the server and a default of 5,000 client-side iterations. This means that even if the locally or remotely stored blob is exfiltrated, recovering the master password from it remains largely impractical.
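The following is an added illustration of the two-stage scheme described above, written for this post rather than taken from LastPass. The iteration counts (5,000 client-side, 100,000 server-side) come from the paragraph; the use of the account email as the client-side salt, the 32-byte random server salt, and the record layout are assumptions made so the example runs stand-alone. It shows why the fields disclosed in the breach (email, per-user salt, authentication hash) cannot be looked up in a precomputed table and why every candidate master password costs a full 105,000 rounds to test.

```python
"""Salted, iterated password hashing in the style the post describes:
PBKDF2-SHA256, some rounds on the client, more rounds on the server.

Added example, not LastPass's own code. The two iteration counts (5,000 client,
100,000 server) come from the post; the use of the email as the client-side
salt, the 32-byte random server salt, and the record layout are assumptions
made so the example runs stand-alone.
"""
import hashlib
import hmac
import os
import time

CLIENT_ROUNDS = 5_000     # default client-side iterations named in the post
SERVER_ROUNDS = 100_000   # server-side iterations named in the post
KEY_LEN = 32              # 256-bit derived key / hash


def client_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """The value that leaves the user's machine.

    PBKDF2-SHA256 over the master password, salted with the normalised account
    email (assumption) so two users with the same password do not send the
    same value. The plaintext master password never leaves this function.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, KEY_LEN)


def server_hash(auth_hash: bytes, server_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """The value the server stores: PBKDF2-SHA256 over what it received,
    with a random per-user salt generated by the server."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, rounds, KEY_LEN)


def enroll(master_password: str, email: str) -> dict:
    """Create the stored record: the fields the post says were exposed
    (email, per-user server salt, authentication hash) and nothing else."""
    salt = os.urandom(32)
    return {
        "email": email,
        "salt": salt,
        "hash": server_hash(client_hash(master_password, email), salt),
    }


def verify(record: dict, auth_hash_from_client: bytes) -> bool:
    """Server-side login check: recompute and compare in constant time."""
    candidate = server_hash(auth_hash_from_client, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def login(record: dict, master_password: str) -> bool:
    """End-to-end check as a client would perform it: derive, send, verify."""
    return verify(record, client_hash(master_password, record["email"]))


def time_one_guess(record: dict, candidate: str) -> float:
    """Seconds to test one candidate master password against a leaked record,
    i.e. the full client + server derivation. Multiplied by a password's
    search space, this is what the iteration counts buy the defender."""
    start = time.perf_counter()
    login(record, candidate)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample users; both chose the same (weak) master password.
    alice = enroll("Passw00rd", "alice@example.com")
    bob = enroll("Passw00rd", "bob@example.com")

    print("same password, unrelated stored hashes:", alice["hash"] != bob["hash"])
    print("correct login:", login(alice, "Passw00rd"))
    print("wrong-case login:", login(alice, "passw00rd"))
    print(f"one candidate costs {CLIENT_ROUNDS + SERVER_ROUNDS:,} PBKDF2 rounds, "
          f"about {time_one_guess(alice, 'guess'):.3f}s here")
```

Two details matter for a defender reading the disclosure. First, because the server salt is random per user, a leaked hash can only be attacked one account at a time, so the attacker’s rate applies per victim rather than across the whole dump. Second, `verify` recomputes the server-side rounds on every login, so the iteration count is a cost the legitimate server pays once per login while an attacker pays it per guess, and a stronger master password multiplies that cost by the search space rather than adding to it.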

About the Author

Adam Davies

Adam is an internet developer with 17 years programming experience. He learned to program by reverse engineering protection algorithms of well known software, where he developed a passion for security. He can be found working as an SEO consultant for Judd Associates and completing numerous freelance projects in his spare time.

11 Comments

  1. This is one of the risks you run by letting an online service keep track of your passwords.

    One of the worst ideas ever, why? because EVERYTHING on the internet no matter how secure one thinks it MIGHT be is available for the taking, it all just depends on who wants it and how badly.

    Don’t be so naïve, store your passwords OFFLINE in a secure place that only YOU know about.

  2. Hi Edward. LastPass uses pre-egress encryption (commonly called Pre-Internet Encryption) based on industry standards and best practices. That means the data sent to their site is encrypted before it leaves your machine and is stored as a pseudo-random blob in their database.

    The risk is far lower than simply keeping passwords stored locally, in a text file or browser, as that is susceptible to malware, rootkits, trojans and the like.

    • “The risk is far lower than simply keeping passwords stored locally, in a text file or browser, as that is susceptible to malware, rootkits, trojans and the like.”

      I didn’t say to keep your passwords stored “locally” did I?

      There are other ways of storing your passwords. I have never stored my passwords online or locally and luckily I have never had to worry about breaches in security whether it by on my end or some online service that I had to scramble and either change my master password or passwords for sites I use.

      Whether you think LastPass is infallible or not, even IF your passwords are stored as a pseudo-random blob in their database, like I said before, it all depends on who wants it and how badly they want it, because I am sure if the NSA showed up at LastPass with a warrant for the password to some criminal’s bank account they would more than likely be able to “decrypt” that information without a problem, so don’t fool yourself about the security of your stored passwords.

      What would happen to your passwords in the event of a fired or disgruntled LastPass employee?

      Say what you want, storing information like that online is never safe, even if encrypted, encryption just gives criminals all the more reason to try and crack it because if it wasn’t encrypted it wouldn’t be worth anything.

        • I completely agree with you there, Edward. No solution, local or remote, is infallible. LastPass employees can’t access the data though as they don’t have access to the private keys. Even a warrant couldn’t give the NSA access as the data isn’t directly retained in that way. They would still need to crack the individual user master passwords due to local hashing / pre-egress encryption.

        I have no doubt that hackers will try to crack the passwords and will get a low success rate, simply due to hash collision. We will see this data sold on a hacker site at some point. But it will be the result of poor password management, which is ironic as that is what this program aims at solving.

        The downside here is that the data will, in the future, be crackable as computing power increases and makes brute forcing easier. I am also pretty sure that the NSA has a way of cracking them already based on their influence in the RSA code debacle (www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331).

        That’s the big caveat. Computers always get faster. What’s secure today won’t be in 5 years, let alone 10. We need to be proactive rather than reactive.

        • Well, my motto is, don’t put out there anything they’ll want to take and it won’t get taken.

          Call me silly but being reactive on something like this is better than being proactive. This breach, whether passwords were breached or not, is serious; online lives could have depended on it, for some lives could have been ruined, lives that PAY LastPass to secure their info, and being as this is not the first time this has happened to LastPass, they are not doing a real good job of it.

      • So what is your method of storing passwords that:

        (a) doesn’t involve you typing or copying/pasting them in each time, thus exposing them to any keylogging malware that’s gotten onto a device you’re using

        (b) works for over 300 passwords, which anyone who works online is likely to have

        (c) doesn’t involve storing them in the cloud

        I await your response. It sounds tremendous, and I really want to hear about it.

      • Edward,

        You seem to be making a difference between “offline” and “locally”. Can you explain further (without telling us specifically where to find your passwords)?

  3. An excellent article Adam and whilst I don’t understand the jargon, I get the message.
    I feel confident with Roboform however and whilst Edward suggests saving passwords locally, I got so tired of trying to remember so many that just having to remember one helps enormously.
    The master password tip is not to be ignored.
    Cheers.

    • Roboform works in a similar way to LastPass. The same rules apply: “one password to rule them all” works both ways. Always worth making sure it’s a good one 🙂

      Thanks for your feedback Marc!

  4. I always have and always will use only locally stored password managers. In fact, I don’t use online apps of any kind. Behind the times, am I? Thankfully, yes. 🙂

  5. I’ve been using LP for some time now, and after news of this breach, decided to try KeePass, which is supposed to be the best, not to mention most secure open-sourced password manager available.

    Switching from LP to KP was nearly impossible. I tried for an hour, implementing different plugins, changing my imported LP CSV file to try to meet KP’s requirements–no dice. I even read a couple reputable articles on how to switch from LP to KP and followed them to the letter without positive results.

    I think I will stick with LP. Security experts recommend the program, they are very transparent when breaches occur, and even if hackers got ahold of my passwords, there’s no way they would be able to decrypt them. Not for a few million years anyway. They (and I) expect breaches to occur; whether or not the thieves can use what they take is the deciding factor for me.