When I do Security Lite with Allison as part of our Chit Chat Across the Pond segment I often tell people that there is no need to set your hair on fire. This is one of those times. Before I explain what happened and why it’s not a catastrophe, I want to start with a simple list of what LastPass users should do now:
- Change your master password
- When setting your new password, make sure that your password hint is as cryptic as possible. It should not be possible to determine your password from your hint!
So, what happened?
The short version is that attackers were found to have accessed LastPass’s user authentication database, and that gave them access to email addresses, password hints, and very well protected master passwords. It’s important to note that people’s encrypted password databases were not in the breached database.
So, what of value did the attackers actually get?
Not a lot, and the reason is that LastPass did a great job designing their architecture, so people’s data is very safe, even when attackers gain access to such a sensitive-sounding database. The reason people like Steve Gibson recommend LastPass is that their design is robust. The system was designed to keep your data protected, even if the LastPass servers were breached. Given that sooner or later every system gets hacked, that was very much the right thing to do.
Let’s dig into the specifics – LastPass never store your actual master password; instead, they store an irreversibly encrypted version (more on how they do that later). When you need to prove you are who you say you are, the password you submit is irreversibly encrypted, and then that encrypted version of your password is compared to the encrypted version on file. Since LastPass don’t actually have your password, they can’t lose it!
The only thing the attackers can do with the protected passwords they have is guess what the password is, run it through the encryption process, then check if the encrypted version of their guess matches what was in the database they stole.
To make this as hard as possible, LastPass got two very important things right.
Firstly, every single LastPass user’s password is one-way-encrypted using a different random number known as a salt. This means that the password ‘open123’ encrypts to a different value for every user, so attackers have to re-do all their work for each user. Passwords protected in this way are referred to as hashed and salted.
Secondly, they did not just store the plain salted hashes, they ran them through a process designed to be computationally hard. A legitimate user doesn’t need their password validated often, so it’s not a problem that it takes a lot of CPU power each time. Attackers have to test trillions and trillions of password guesses, so the extra computational complexity really adds up for them.
This kind of password inflating is known as password-based key derivation, and LastPass run the salted hashes of users’ passwords through 100,000 iterations of a password-based key derivation function known as PBKDF2. This is ten times more than the currently accepted best-practice of 10,000 iterations of PBKDF2.
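To make the salting and iteration story concrete, here is an added example (my own illustration, not LastPass’s code) of the store-and-verify flow described above: a fresh random salt per user, 100,000 rounds of PBKDF2, and verification that re-derives and compares rather than ever storing the password. It assumes SHA-256 as the underlying hash, which the post does not specify.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Iteration count the post attributes to LastPass (ten times the 10,000
# then considered best practice). SHA-256 as the PRF is an assumption.
ITERATIONS = 100_000
PRF = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return the storable record: per-user random salt, iteration count
    and the PBKDF2 output. The password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt for every user
    digest = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in
    constant time. The server only ever sees the submitted candidate."""
    candidate = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]),
                                    record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def same_password_different_users(password: str) -> bool:
    """Two users who pick the same password get unrelated stored hashes,
    so work done against one account tells an attacker nothing about the other."""
    a, b = hash_password(password), hash_password(password)
    return (a["hash"] != b["hash"]
            and verify_password(password, a) and verify_password(password, b))


def guess_cost(record: dict, guesses: List[str]) -> Tuple[Optional[str], int]:
    """Model the only thing a holder of the stolen record can do: derive each
    guess with the stolen salt and iteration count and compare. Returns the
    matching guess (if any) and how many full PBKDF2 derivations it took."""
    for n, guess in enumerate(guesses, start=1):
        if verify_password(guess, record):
            return guess, n
    return None, len(guesses)


if __name__ == "__main__":
    # Constructed sample values; not data from any real breach.
    record = hash_password("open123")
    print(record)
    print(guess_cost(record, ["password", "letmein", "open123"]))
```

Every entry in `guesses` costs the attacker the full 100,000 rounds, and a second user’s record requires starting over, which is the whole point of the design the post praises.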
Basically – LastPass were not just doing things by the book, they were doing things even better than that!
What this means is that even weak passwords will stand up to a lot more of an attack than you might expect.
Finally, once you change your password, the data the attackers have becomes useless, so the inflated, salted, hashed passwords only have to stand up to attack for the short time window between the breach happening and users resetting their passwords. So, if you are a LastPass user, go reset your password NOW as a precautionary measure.
Let’s talk about password hints
I do want to draw your attention to one subtle detail – the attackers got users’ password hints. We have seen from past breaches that some users do very silly things with password hints – there is the infamous example from the Adobe breach where some clown used the password hint ‘rhymes with assword’. The only people who need to panic here are those with dumb password hints. Given that a hint is shown whenever you can’t remember your password, those accounts were ALWAYS in danger, and they have been made even more vulnerable by the breach.
To me the biggest take-away from this is that LastPass have been tested, and they have not been found wanting – their good design has paid off, and protected their users. Secondary to that, this breach serves as a reminder to be very careful when setting password hints on anything – if you make the hint too obvious, you have effectively published your password!
For more details, see this excellent Naked Security article: https://nakedsecurity.sophos.com/2015/06/16/bad-news-lastpass-breached-good-news-you-should-be-ok/