Another day, another massive data breach. I woke up, checked my emails, and saw a message titled: LastPass Security Notice. My first thought was “urgh, another phishing email!”. I was wrong, very wrong. LastPass released an email and published a blog post covering an intrusion detected on their network. The details still seem a little scarce, but I believe we have enough information to make an educated guess. I can almost hear the click-baiting, over hyped, blog posts being created so thought I’d try provide a realistic take on events.
It seems fairly obvious that LastPass are still investigating the incident due to the vague language used during disclosure:
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised. – Joe Siegrist, LastPass blog
I would hazard a guess at a formal investigation by the likes of the F.B.I is under way so details will trickle out as suspects are apprehended. The post goes on to state their confidence in how they operate, as one would expect.
So, do we believe them? Does it matter? TL;DR: Yes and no…
What’s the risk?
LastPass is incredibly secure — if used correctly, but… If your LastPass “master password” is used anywhere else then all passwords stored using their service could be at risk. Scary comment aside, let me justify it and explain why it’s easy to fix.
I have recommended, and use, this password manager due to the way it correctly implemented well known security techniques and best practices. It’s one of very few password managers that do security correctly. The code has been audited several times, but most notably by the security industry expert I trust most…
This thing is secure every way you can imagine. And it’s simple. I’ve completely switched my entire solution for managing passwords, after spending days researching it and testing it and playing with it, over to LastPass. I mean, I don’t see a single problem with this.” Steve Gibson, Security Now
The whole point of using a password manager is to make sure all passwords are strong, unique, and secure. This includes your master password. If a hacker can brute force (guess) your master password, they can access any account to which it is linked. A secure master password is imperative.
How can we fix it?
Your master password is used to access all the data stored by LastPass. So, it should go without saying that it requires a strong password. If yours current master password is weak, there is a very simple way of making it stronger — make it longer. It doesn’t need to be more difficult, just longer. Every extra character will effectively double it’s entropy (synonymous with password strength). Let’s use an example password of “Passw00rd” and make it stronger:
This only makes the password 75% longer but more secure by orders of magnitude, going from 1.5 days to crack to 1.49 billion centuries at one hundred billion guesses per second. No small feat. As with a breach of any service being used, it’s recommended to change your password immediately. So, if your password is a little too easy to guess or on our list of 25 Worst Passwords, take the opportunity to increase it’s strength by following the example above!
Lastpass uses an algorithm known as PBKDF2-SHA256 (Password-Based Key Derivation Function 2 with SHA256). It is a key derivation function using salting to reduce the ability to use precomputed hash attacks (a.k.a a rainbow table attack). It uses a random salt and 100,000 rounds of iteration on the server and a default of 5,000 client side iterations. This largely prevents data exfiltration of the local or remotely stored blob.