When asked what type of security software to use, my answer always starts with: “Find a good password manager and use it.”
And I keep hearing the same questions and objections on the subject, most of which are perfectly reasonable and deserve an answer. Very often the conversation turns to LastPass.
What happened to LastPass?
Among online services that help you organize your passwords, LastPass was an early leader. And remains an important player. The LastPass brand was valuable enough that LogMeIn bought the company eight years ago for $110 million. A few years later, LastPass became a company in its own right, while remaining under the control of the private equity firms that owned LogMeIn. In reporting on the sale, PCMag noted that these companies “specialize in maximizing the value of an asset for later sale.”
That is not a reassuring description of a company that sells IT security. What followed was predictable. In 2021, LogMeIn announced that it would spin off LastPass into a separate company. Astute observers of the software industry know that this scenario, too, rarely produces good results. At best, employees are distracted from their work by the reorganizations that come with mergers and acquisitions. In the worst case... well, read on.
Why was the latest LastPass hack so catastrophic?
LastPass has been the victim of several hacks since at least 2011. But the two intrusions in 2022 were particularly serious. The official notification, a LastPass blog post from December 2022, was titled simply "Notice of Recent Security Incident," but its content was a nightmare scenario for customers paying for an online service that promises to keep their secrets safe.
We recently informed you that an unauthorized party had accessed a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.
This attack followed an earlier successful intrusion into LastPass networks in August 2022. In that first incident, the attackers obtained information they later used to target a LastPass employee, from whom they obtained the credentials and keys they then used to access and decrypt files stored in Amazon's AWS S3.
And that’s not all.
To date, we have determined that once the cloud storage service access key and dual storage container decryption keys were obtained, the attacker copied customer account information and related metadata, including company names, end user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers accessed the LastPass service.
The hacker was also able to copy a backup of customers' vault data from the encrypted storage container, which is stored in a proprietary binary format containing both unencrypted data, such as website URLs, and fully encrypted sensitive fields, such as website usernames and passwords, secure notes and form-filled data.
If you want to know the technical details about the stolen data, read this detailed summary of the case by Lawrence Abrams at Bleeping Computer.
The bad news is that a lot of customer data was stolen. The good news is that the password vaults were encrypted with 256-bit AES, using a per-user encryption key derived from the user's master password, which is never sent to LastPass. Cracking such a vault would take an extraordinary amount of time and computing power, provided the master password behind it is strong.
(Side note: the word one never wants to read after such a paragraph is However. Alas…)
However, LastPass had not applied the same level of encryption to other customer data, including website URLs and email addresses. This information proved extremely valuable, because it allowed the attackers to work out which password vaults would be most worth cracking. According to security journalist Brian Krebs, this targeting could explain the wave of attacks against cryptocurrency wallets that began shortly after the LastPass hack:
Best practice has long been to store passphrases either in an encrypted container – such as a password manager – or inside a special-purpose offline hardware encryption device, such as a Trezor or Ledger wallet.
“The passphrase is essential,” says Nick Bax, director of analytics at Unciphered, a company specializing in cryptocurrency wallet recovery. “If you have my passphrase, you can copy and paste it into your wallet, and then you can see all my accounts. And you can transfer my funds.”
Security researchers have identified a unique signature that links the theft of more than $35 million in cryptocurrency to more than 150 victims, with approximately two to five large-dollar thefts each month since December 2022. The only obvious commonality among the victims who agreed to be interviewed is that they had stored the passphrases for their cryptocurrency wallets in LastPass.
Could what happened to LastPass happen to another password manager?
All indications are that LastPass has been incredibly negligent for years. The targeted employee was one of four DevOps engineers with access to AWS decryption keys. You would think that anyone accessing the most sensitive customer data would use a dedicated PC running on a secure network. But no.
The engineer accessed this data from a home computer that also ran a third-party media server, which itself was compromised, almost certainly by the same attackers. From that foothold they captured the engineer's master password for their LastPass account and extracted the encrypted notes containing the keys needed to access and decrypt LastPass customer data.
LastPass had previously increased the required length of its customers' master passwords from 8 to 12 characters, and had also increased the number of PBKDF2 iterations used to derive the vault encryption key from the master password. Unfortunately, the company had not required existing users to change their passwords or re-derive their keys, meaning that long-time customers with short master passwords and low iteration counts had vaults that were far cheaper to brute-force than the newer settings would suggest.
As a follow-up to the incident, LastPass announced a long list of changes to its security policies. But the damage was already done.
These were not the first attacks against LastPass. In 2017, researchers revealed an embarrassing flaw in how the company handled 2FA credentials. That flaw came on the heels of several other bugs found in the previous year, which led Tavis Ormandy of Google's Project Zero to ask incredulously, “Are people really using LastPass?”
No other well-known password manager (and there are many) has such a track record.
Wouldn’t putting all your passwords in one place cause problems?
Yes, in theory.
But a specialized password manager remains the only practical way for humans with ordinary memories to create and remember strong, unique, random passwords for every secure service they use.
To use an analogy: if you had 10,000 euros in cash, would you rather store each hundred-euro note in a cheap piggy bank with a plastic lock, or put the whole wad in a bank, inside a very strong safe? What LastPass did was leave the keys to the safe on the counter and forget to lock the front door.
Anyway... if you put your passwords in an encrypted vault, the challenge becomes protecting that vault.
And here's the most important thing: strong encryption really works. All modern password management services, including LastPass, use a zero-knowledge model, meaning the service never has access to your encryption key or to the master password you use to unlock your account. Only a one-way value derived from them is ever sent to the server.
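The following is an added example, not code from the original article and not LastPass's own implementation. It models, in simplified form, a LastPass-style zero-knowledge derivation: the client turns the master password into a vault key with PBKDF2-HMAC-SHA256, sends the server only a further one-way hash of that key, and so the server never holds anything from which the vault key can be recovered. The same code also shows the point made earlier about iteration counts and password length: an attacker who steals a vault backup must pay the full PBKDF2 cost for every guess, so raising the iteration count and the minimum length multiplies their work. All names, the sample account, the wordlist and the attacker throughput figure are constructed assumptions; the HMAC "tag" stands in for the real AES-256 vault encryption so that the example runs on the standard library alone.

```python
import hashlib
import hmac

# Assumed, simplified model of a LastPass-style zero-knowledge scheme.
# Illustration only; function and parameter names are hypothetical.


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client side: PBKDF2-HMAC-SHA256 turns the master password into the
    256-bit vault key. This value never leaves the user's device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more PBKDF2 round over the vault key produces the value
    sent to the server for login. It cannot be reversed into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def vault_tag(vault_key: bytes, vault_blob: bytes) -> bytes:
    """Stand-in for AES-256 vault encryption (assumption): a keyed tag that an
    attacker holding the stolen backup can test password guesses against."""
    return hmac.new(vault_key, vault_blob, "sha256").digest()


def offline_crack(email: str, iterations: int, tag: bytes, vault_blob: bytes, candidates):
    """Attacker with a stolen backup plus the (unencrypted) email address:
    every guess costs `iterations` PBKDF2 rounds and the server cannot help."""
    for guess in candidates:
        key = derive_vault_key(guess, email, iterations)
        if hmac.compare_digest(vault_tag(key, vault_blob), tag):
            return guess
    return None


def years_to_exhaust(length: int, alphabet: int, iterations: int, sha256_per_second=1e10) -> float:
    """Rough attacker cost model: an assumed GPU budget of SHA-256 computations
    per second, divided by the PBKDF2 rounds per guess, against the keyspace."""
    guesses_per_second = sha256_per_second / iterations
    return alphabet ** length / guesses_per_second / (365 * 24 * 3600)


# Constructed sample account (not real data).
EMAIL = "alice@example.com"
MASTER = "Tr0ub4dor&3"
VAULT_BLOB = b'{"sites":[{"url":"https://bank.example","user":"alice","pw":"hunter2"}]}'


def demo():
    old_iters, new_iters = 5_000, 600_000
    key = derive_vault_key(MASTER, EMAIL, old_iters)
    login_hash = derive_login_hash(key, MASTER)
    # The server stores only login_hash; a breach of that table yields no vault key.
    assert login_hash != key
    tag = vault_tag(key, VAULT_BLOB)
    # Attacker holds the email (stolen metadata), the backup and the iteration count.
    wordlist = ["password", "letmein", "correct horse", MASTER]  # constructed
    found = offline_crack(EMAIL, old_iters, tag, VAULT_BLOB, wordlist)
    # How much more work a 12-character password at 600k rounds costs than an
    # 8-character one at 5k rounds, over the 95 printable ASCII characters.
    ratio = years_to_exhaust(12, 95, new_iters) / years_to_exhaust(8, 95, old_iters)
    return found, ratio


if __name__ == "__main__":
    found, ratio = demo()
    print("cracked with wordlist:", found)
    print(f"12 chars @ 600k iterations vs 8 chars @ 5k: {ratio:.3g}x more attacker work")
```

The ratio the block computes is simply 95^4 times 120: the extra four characters contribute the first factor and the iteration increase the second. That is why a breached backup is only as safe as the weakest combination of master password and iteration count that was ever allowed on the account, which is the situation older LastPass customers were left in.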
It took a combination of a very determined attacker and gross negligence at LastPass to enable the theft of these encrypted files. To my knowledge, no other password service has lost this type of customer data. If one had, it would have made headlines.
If you are really concerned about the possibility of someone stealing your encrypted vault, you can choose a local password manager such as KeePass, which keeps the vault as a file that you store wherever you choose. But a well-run password management service (not LastPass) should be able to protect that vault as part of its daily business.
If someone steals my master password, don’t they have access to everything in my password vault?
Not if your password management service is doing its job and requiring additional authentication on a new device, as would be the case if an attacker stole your credentials and then tried to use them from their own device.
A hacker who stole your master password would still not be able to open your vault, because they could not pass that additional authentication step.
In addition, most password managers let you set up two-factor authentication, which requires you to approve any new login from a trusted device before access is granted to your account and your password vault. Here too, a hacker who has your master password cannot use it without your approval, and the attempt alerts you first.
Can I just use a browser-based password manager?
For as long as I can remember, every browser maker has offered password saving and autofill features. A few years ago, these features were rudimentary, and it made sense to choose a third-party option.
In recent years, however, the browsers from Apple, Google, Microsoft and Mozilla have all made huge strides in their built-in password managers, bringing them up to the basic feature set of a good dedicated password manager. And since they are free and use well-managed cloud storage, they are perfectly acceptable options.