16
Jun 15

Password Manager LastPass Warns of Breach

LastPass, a company that offers users a way to centrally manage all of their passwords online with a single master password, disclosed Monday that intruders had broken into its databases and made off with user email addresses and password reminders, among other data.

lastpassIn an alert posted to its blog, LastPass said the company has found no evidence that its encrypted user vault data was taken, nor that LastPass user accounts were accessed.

“The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised,” the company said. “We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”

Parsing LastPass’s statement requires a basic understanding of the way that passwords are generally stored. Passwords are “hashed” by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse. 

The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash. To make matters worse, there are plenty of tools capable of very rapidly mapping these hashes to common dictionary words, names and phrases, which essentially negates the effectiveness of hashing. These days, computer hardware has gotten so cheap that attackers can easily and very cheaply build machines capable of computing tens of millions of possible password hashes per second for each corresponding username or email address.

But by adding a unique element, or “salt,” to each user password, database administrators can massively complicate things for attackers who may have stolen the user database and rely upon automated tools to crack user passwords.

“What a salt does it makes it hard to go after a lot of passwords at once as opposed to one users’ password, because every user requires a separate guess and that separate guess is going to take a considerable amount of time,” said Steve Bellovin, a professor in computer science at Columbia University . “With a salt, even if a bunch of users have the same password, like ‘123456,’ everyone would have a different hash.”

More concerning in this particular breach, Bellovin said, is that users’ password reminders also were stolen.

“I suspect that for a significant number of people, the password reminder — in addition to the user’s email address — is going to be useful for an attacker,” he said. “But password reminders are useful for targeted attacks, not massive attacks. That means that if your password reminder or hint is not particularly revealing to someone who doesn’t know you, it probably doesn’t matter much. Except in the case of targeted phishing attacks,” which might try to leverage data known about a specific target (such as a password hint) to trick the user into giving up the answer to their password reminder. 

So what’s the takeaway here? If you entrust all of your passwords to LastPass, now would be a terrific time to change your master password.

Tags: , , ,

120 comments

  1. Wondering how Dashlane compares here https://www.dashlane.com . I know they don’t use a “forgot password” method for this reason. I’m sure they are being targeted just as much as Lastpass. So what is the word, are these still the best way to protect online identities/accounts/passwords?

      • While KeePass is great, my understanding is Lastpass is more user-friendly. I use KeePass.

        KeePass’s advantage in this situation is that it is open source and you manage your own password database, so there’s no central server that could be compromised to gain access to everybody’s encrypted/hashed passwords at once.

        KeePass offers a synchronization feature, which you can use to keep your databases on several devices updated using an FTP server or a Dropbox or Google Drive account to hold the encrypted database.

        Of course, this all means that if you lose your KeePass master password, you lose the whole database. There is no recovery option.

    • Hm, I wonder the same about Sticky Password – https://www.stickypassword.com – since they pretty small, they’re not the target of hackers luckily. So I’ll just stick with them 🙂

      • EVERYONE is a target of hackers. It doesn’t matter how small the company is, it doesn’t matter where the company is located. If you’ve heard of them, then hackers have heard of them and are actively attempting to breach their security.

      • They were PC Mag Editor’s Choice, man.

        I’d bet a thousand dollars they’re being probed by attackers daily.

        • This.

          There’s so much computing power and publicity involved, I guarantee you they are subject to being breached.

          Also, bear this in mind- you say “they’re so small, they must be secure”..

          If they’re so small- are you sure they have enough people on staff to crosscheck and ensure noone is gundecking their work?

    • Dashlane does not record your master password or any hash/derivative anywhere. Plus they have the best user-interface, UX & app experience on mobile.

      https://www.dashlane.com/security

      • Neither does LastPass. Without the Master Password, there is no way to access your vault. As far as the password reminder, that is created by the user himself in order to help jog his memory of what was used for the master password. As I recall (since I haven’t gotten myself into that predicament) there is no recovery available if you can’t remember your password, even with the reminder. No password reset, so another entity (aka hacker) can’t just waltz in and send a message to LP that they “forgot their password” and have the company send a reset. You lose that master, you are screwed. And if you set your password reminder to be something like “the password is ‘password'” then you are a clueless fool!

  2. Fortunately, the password reminder is linked to the master password itself. If the password was unique and is changed, the reminder isn’t much good.

    Security questions drive me crazy. They’re usually the same questions from one site to another, so a breach on one site affects many others. One can get around it by using fake answers (Q. What’s the name of the high school you attended? A. purple), but then you are in the same situation of trying to remember something you wouldn’t otherwise have in your head.

    • LastPass has a Notes section for each Web site stored and a random password generator. These can be used to record each security question for a Web site and the answer given, which is 40+ chars of random gibberish provided by the password generator. When you need to answer a security question, just copy and paste the gibberish answer from LastPass to the Web page.

      • I agree that password hints should really never be offered–that’s a lesson we should have learned from the grandaddy of all breaches: Adobe. I think my LastPass hint was set to “Password hints are bad for security.” Take that, attacker!

        Re: LastPass and the “security” questions. With a little bit of extra work, you can add those fields so they can be auto-filled in addition to the typical username/password. See the “Save All Entered Data” documentation here: https://helpdesk.lastpass.com/adding-a-site/#Manually+Saving+a+Site+with+Save+All+Entered+Data

    • My password reminder for LastPass is now “We don’t need no steenkin’ reminder!’

    • What I do with security questions is I answer them correctly, but always add a standard set of numbers to the end.

      Say I selected 5718, my old house number. I add this to the end of every security question. So, if the security question was, What’s your high school mascot? My answer would be Ram5718. This way I can remember, but even classmates couldn’t guess my answer.

  3. @Brian:

    > … a a [sic] theoretically …

  4. Lastpass has two factor authentication available. I’ve been using it for about six months. Even with a password they still can’t get in without your phone. I’m still changing my master, but with two factor, I’m staying with Lastpass.

    • Isn’t the two factor for login authentication. Anyone who has stolen the database doesn’t need to login.

      • This is incorrect. They got encrypted blobs of information and must login correctly to correctly decrypt the blob and see the contents.

  5. I’ve never had any interest in these types for systems, for just this reason.

    Nothing I can’t do myself, stored on an encrypted hard drive…

    • With Keepass you get an encrypted database file that you can store any way you like, it would be double encryption in your case.

    • The problem with personal password managers is your vault can only be on one storage device and if you don’t backup your really screwed if your vault gets deleted or corrupted. I’ll take my chances with services like Lastpass.

      • Yes I was caught by something like this. While TNO security is the best, for normal people a safe ability to recover is pretty important. Definitely use 2 factor and have a long, complex master pw for best results.

      • You can make as many copies of a Keepass database file as you like but this will, admittedly, cause you problems keeping them all up to date.

      • Hmmm… I have my LastPass vault on 3 separate devices AND via a browser… they all sync perfectly… no single source disaster scenario for LastPass.

      • FKA Curmudgeon

        I use pwsafe on all my devices, and use dropbox to distribute the password database. So anytime I change anything in the database (frequent), it automatically gets propagated to all my devices. Yes, dropbox could get hacked, but they would still just get the encrypted passphrase protected database. And the hackers would have to recognize what they had before they could even attempt to crack it open.

      • Guess I should consider myself lucky since I use a single password manager that works on Windows, Mac, iOS, and Android. All they need to do is add Linux support and I’d have the same password database everywhere.

        Direct (system to system) synchronization sure as hell beats cloud-based synchronization.

    • But do you do it? And do you use unique passwords for every site you have an account with?

      • I have a unique password for every site that I log into. It consists of a formula that I can easily remember, but any hacker would have to tackle each and every password to try and get into my sites. So far, so good.

    • I use to have all my unique and long complicated site passwords stored in an encrypted disk image but it really became a major hassle to refer to it each and everytime I needed to login. Also, my encrypted disk couldn’t tell me if any of the sites I visit were breached so warnings on when to change my passwords for that now risky site could never happen without my own discovery. Furthermore, unless you keep the encrypted drive backed up multiple times while ensuring it doesn’t get put at risk by natural disaster or theft is another burden that could leave you with down time if such events occur. I took the plunge a few years back and carefully decided LastPass is but one of the best choices out there, and as Steve Gibson will remind you, it is TNO.

    • Of course, the flipside of such a password storage system is that the store box is locked in whatever machine that hard disk is installed. So you need to guard against the possibility of that hard disk failing at some point (you *are* backing up regularly anyway, right?)

      And if, like me, you’ve got other devices that you occasionally have need to log into sites from, having to go back to your computer to retrieve the password – or else make those particular passwords easier to remember, which potentially makes them easier to crack – is going to be a pain in the posterior.

    • If your password file is a plain text file on an encrypted hard drive of a PC, it is still at risk…upon authentication (to the encrypted drive), the drive automatically decrypts info asked of it…so if your PC were to be infected by something that could transfer files while you were logged on, AFTER drive authentication, it may be able to transfer a password file…and if THAT file is plain text…trouble.

      Of course, if you are using a program that keeps the password file encrypted (something like Keepass), no big deal then…hopefully you are not keeping a password file as plain text, even if on an encrypted drive…

      • If your PC is compromised when you have access to your passwords, you’re toast. This applies to all password managers, even your brain, assuming you type the password in.

        For instance, if you have LastPass running on a compromised system, the attacker simply needs to replace LastPass with a version that sends them the decrypted password database without your knowledge. Not too hard.

        So a plaintext password file on an encrypted drive isn’t particularly less secure than an encrypted database on the same.

        Now a plaintext password file on an unencrypted hard drive (or one encrypted with the drive’s built-in encryption) can be a problem if an attacker gets physical posession of your computer.

    • Unless you have a password to get into your system, and I am talking about something more than hardware encryption – like you did PGP on your system, having an encrypted hard drive is probably futile if someone gets the system.

      Single user mode or any variety of utilities to reset the Windows admin account and there goes that line of hope.

      Just give me a sufficiently encrypted file or flash drive and I’m good. I use keepass and keep that on an encrypted flash drive.

  6. Following is taken from an email I rec’d some hrs ago from Last Pass: “To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.”

    Nice to see them taking a proactive and immediate approach, rather than offering excuses and one year of credit monitoring.

    My password reminder is meaningless to anyone else (and to me, as well) since my master password is a nonsensical string of letters, numbers etc. For a password this important, I use 18 characters.

  7. I only use LP for sites that is not super critical like my credit card company, ebay, etc. any site that has real $$ behind it, I will only commit it to my brain. NO password manager is 100% foolproof. As for those p/w recovery questions, I hope LP will give you option not to have it. If you forgot your password, you kiss your password list goodbye. Remember, LP is a convenience for you to have complex password for each site you visit giving you a easy way to generate complex password and it will remember it for you. You can use LP without LP storing a copy of your LP on their server. I guess it is a tradeoff between convenience vs security.

    • The ‘copy of LP’ that is stored on their server is just encrypted blobs. Not worth much imo.

  8. You forgot to mention why the high number of iterations is important.

    Basically, the idea is that if you do hash( password + salt ), it will take for example one millisecond. Now, to check if a possible password is correct, an attacker needs to spend one millisecond per possible password per password hash to check if hash(possible password + salt) equals the stolen hash; if so, he knows the password = the possible password.

    Functions like PBKDF2, bcrypt and scrypt allow one to increase the amount of time required to calculate the hash of a password (and a salt). Now, an attacker may – for example – have to spend ½ of a second per possible password per hash.

    • Algorithms like SCrypt not only increase the amount of CPU time required to crack a single hash, they operate flexibly with parameters that also control the amount of memory required too. The bad guys can user super-fast h/w to help overcome the CPU issue but now you also force them to pile on the RAM if they want to do a lot of parallel crunching.

  9. Well the mastet password is hashed with salt but the managed passwords has to be encrypted and not hashed as users need to retrieve them
    so unless the master password itself is used to calculate the encryption key, this breach is still very disturbing and i would suggest replacing all passwords and not only the master to be on the safe side

  10. The bad thing here, Brian, is not the stolen master passwords but the fact that we cannot know for sure if they stole the encrypted data. I don’t know if we can trust any for-profit company to reveal all the truth right away. They obviously will try to mitigate it, to soften the blow to their “business model.” There were too many examples in the past when the true details of the breach that were revealed later were much worse than what was originally announced. It look LastPass people 3 days to announce this breach. (Remember they claim it happened last Friday and we learned about it on Monday.) So the question is, what else did they not tell us?

    So going back to the “bad thing.” If the encrypted data blob with customers data was compromised this means that it has a tremendous payoff for the hackers to crack at. Maybe not today, maybe not tomorrow, but some time in the future. In that case they potentially have unlimited time at their disposal.

    So why would they want to do it? For starters, because they know that people store a lot of sensitive data in there — driver’s licenses, passports, SSNs, and other private info besides passwords.

    What I will be doing today (without waiting for someone to tell me to do it) is resetting all my email and bank account passwords to start with. Unfortunately though, I won’t be able to do anything with a screenshot of my passport & driver’s license that I kept in LastPass.

    The lesson from now on for me and for everyone else who trusted LastPass security — DON’T!!! So much for their security checks if they didn’t do it for themselves 🙂

    • So are you still trusting them with all of your data. Seems like if you have a strong master password, there really is not much to worry about. We have a long way to go before it becomes viable to crack the encrypted blobs.

  11. Why would anyone store crucial information in the cloud? There is no perfect solution with passwords, but 1Password is the best I’ve used so far.
    BTW, the same can be said of Dropbox and other online storage. Not for me.

    • Clark Venable

      +1 on the 1Password. I decide where to store the data file.

    • This is the question…. why save password data in the cloud? No argument can tell me otherwise that is is a bad idea.

  12. Meh.
    In reality, anyone using a strong enough master password has nothing to worry about. A conservatively small 16-character password is still going to take ages even for a cracking cluster because of the number of SHA256 iterations we’re talking about here.

    I’m not saying don’t change your password, I’m just saying that if LastPass getting (very mildly) pwned disrupts your life in any way, you may want to consider offline alternatives or a much stronger master password.

  13. I use fake reminders and encrypt my passwords to disk, not worried about that, but I will change my master password…its getting hard to safely store anything online… So I encrypt everything that’s important

  14. I know that plenty of people use things like this but then most people seem to think they need to pay a cellular company to access the internet so they can make voip calls via an app when at home.

    It all seems rather pointless to me. It’s all just various components of a much bigger problem. It’s that flashing 12:00 that no one wants to deal with.

  15. The big one I’m waiting for is the breach of a major identity theft protection provider such as a LifeLock or an AllClearID. When I signed up for the AllClearID from Home Depot, they actually wanted me to call them so they could record my voice for a voiceprint. Uh, no thanks.

    • Children do social engineering calls to LifeLock for targeted attacks already. Not sure exactly what they’re able to get out of it, but I’ve heard them do SSNs before.

      Lucky for you, LifeLock protects you from abuse of what they just handed out to the 13 year old on the other end of the phone!

    • If I recall correctly, the guy from LifeLock that tauted their effectiveness by advertising his SSN had his identity stolen multiple times. If you listen carefully to their ads, they don’t claim to prevent identity theft, they’ll notify you when it happens – not the warm-fuzzy they sell.

  16. this is a great example of how two factor authentication protects you. Even if an adversary steals the password reminder, having the google authenticator app or toopher app prevents them from accessing your encrypted vault.

  17. A quote from this link;

    http://www.csoonline.com/article/2936105/data-breach/lastpass-suffers-data-breach-again.html#tk.rss_news

    This activity resulted in the exposure of a user email addresses, password reminders salts and authentication hashes…..

    I do agree, its a fast acting incident response and notification feature, but if your in the security realm and you fall victim of a breach, something is wrong somewhere.

    Ok, so if some one evil has this data and decides to target an individual with an authentic looking email from the would be company with a link to reset their password.

    I am wondering how much more convincing it will be for people to semi-trust and knee jerk and click on that link, and be served up something like cryptolocker V3 or Angler Exploit Kit.

    Oh Joy. (interject a huge load of sarcasm)

    =\

  18. I applaud LastPass for their transparency and the speed that they got the information out there. I use two factor and still changed my password but without their quick notification I would have done nothing.

  19. The problem I see with 2 factor authentication is if you do not have your phone with you or you lost your phone. What then? It is not perfect but I believe you will have to be prepared with the smartphone in hand !!!

    • For me, using a Yubikey makes more sense than Google Authenticator on my phone for two-factor. I have the Yubikey on the keyring with my car keys, so it is always close at hand. I can’t leave it at home, like I can my phone. 🙂

    • And the problem with 1-factor authentication is that people forget passwords. 🙂

  20. Nothing new in this article but a good read anyway

  21. Yeah Brian… We all got that familiar email when a company screws up.

  22. It seems these password databases are like a honey pot for hackers trying to get in. I wonder if you keep your password file on your computer with software like KeePass it would be out of the way from mass data breaches. The downside is they may know whose computer they are hacking. I use such a system and keep the password file on an SD card separate from the laptop when not actually being used. Its easy to pop it in and out of the drive.

  23. Personally, I use pwsafe with a YubiKey, where the safe is never stored in the cloud. The same yubikey works for the PC (via USB) and with the phone (via NFC).

    The only tricky bit is that every once in a while I need to collect all of the different vaults and merge them so they are all in sync again. And at the end of the process I need to “redeploy” the vaults back to various PCs and back to my phone.

    I have thought about using a ‘personal cloud’ of some sort (mycloud, owncloud, etc) to synchronize the vaults without them ever being stored on some server that I don’t control, but I haven’t gotten around to actually doing it.

    • +1 for Owncloud. Took me no time at all to set it up on my home server behind an HTTPS connection, sync it to two other machines and my phone. Incidentally, I use FolderSync for Android so everything I do is instantly replicated back to my home server. Phone stolen and I wipe it? Nothing lost and only I have my data (no thanks, Verizon Cloud).

  24. I have not been notified by LastPass yet and there is nothing on their website. If it wasn’t for this blog, I would not have know to change my master password. They need to work on their transparency and trust. Thanks.

  25. Been using PasswordSafe for years. Decided to try LastPass about a year ago although I was wary of the idea and only put in non-important sites. If this can happen once, even if “minor,” it can happen again. And who knows what really happened — it’s probably worse than they’re admitting. I’m going back to a locally controlled password manager thank you. Good-bye LastPass.

  26. I never save a password reminder. For LastPass, which requires it, I just put something like blah or no in the reminder.

    I also always use bogus answers for any secret questions. These answers are in my encrypted folder, not LastPass, which is also backed up locally.

    I use dual factor as well. My password is long, complex, and will not show up in any rainbow table. I still changed my password.

    • I generally put something insulting in the password hint box, since the only ones who’ll see it are people who are doing something wrong.

  27. Richard Turnbull

    It would be great to suggest encryption methods usable only by ethical and freedom loving people — but of course that’s absurd.
    Anything can be hacked. Brian does a fantastic job, should win a Pulitzer, for educating the rest of us.

  28. Do we know how they were hacked? Was this an insider or some other attack. I would sincerely hope that a password storing company has some of the best security in the business. Target and Home Depot were more understandable. The hackers targeted the low hanging fruit on their network. A company that disrtibuted has had hard time even keeping their software patched, let alone employing more broad security practices.

    @Krebs, any idea how they were breached?

  29. Use KeePass boys!

  30. LastPass works with the YubiKey, but the nice thing about the Yubi is that you can get one that is also NFC so it will work with the high end Androids and the newer iPhones. Yea its a pain but when things like this come out it makes you feel good…

    thanks for all you do Brian!