LastPass Breach Fiasco - IMPORTANT if you ever were a LastPass user.

Discussions of applications and operating systems and any problems, tips or suggestions. Win XP, 9x/2k, Linux, NT, photo editing, Virus/Spyware help
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

LastPass Breach Fiasco - IMPORTANT if you ever were a LastPass user.

Post by FlyingPenguin »

If you use, or ever used, LastPass, or have any friends, family or clients using it, you should a) get yourself or them off that service, and b) change any passwords for really important accounts like banking.

Mainstream news really hasn't been covering this very well, probably because everyone just hears the phrase 'data breach' now and tunes out, but this is pretty bad as this is a widely used service, and it's not only the breach, but apparent mistakes in securing the data, that will cause serious problems for a lot of people and companies.

Steve Gibson goes into the latest ramifications in his last Security Now podcast 905: https://twit.tv/shows/security-now/epis ... tart=false

Show notes if you prefer reading (page 5 gets to the meat of it): https://www.grc.com/sn/sn-905-notes.pdf

If you're totally in the dark on LastPass, he covered the two data breaches themselves in detail in the previous episode 904: https://twit.tv/shows/security-now/epis ... tart=false


But the bullet points are:

- Early adopters, with old accounts, may have very weak encryption on their data, because when LastPass increased their encryption strength over the years, they did not seem to apply it to at least some older existing accounts. Of real concern is the number of PBKDF2 iterations. In the early days this was set to 1, which was adequate at the time. It was later increased to 100, 500, 5000, and most recently 100100 (Bitwarden also uses around 100,000 iterations, but Steve thinks you should change it to 300,000 - 1,000,000). The concern is that data encrypted with 1 iteration is brute-force crackable in a minute with modern GPU computing. Even 100000 iterations could be cracked in around 70 days (depending on the password strength). People have looked at their iteration settings and many people have found they were still on lower numbers, many even set to 1.

- Most password services use PBKDF2 iterations, so even if you've never used LastPass, you should check your iteration settings and I would recommend cranking it up. This could have a performance hit on older, slower hardware, but modern phones and PCs are pretty powerful. A higher iteration count will take longer to decrypt your passwords.

- Even if your iteration count was high, we don't know what the date of the backup was that was stolen. If this is an old backup, it could have a lower iteration count.

- The strength of your master password matters. Even a high iteration count doesn't help if your password was monKey123. Again, it also matters what your password was at the time the stolen backup was made, and LastPass has said nothing about that. If you used to have a weak master password at one time, it's possible that's the one that got loose.

- If you EVER used LastPass (even if you don't use it now), assume your data is out there, so change any important passwords. Changing your iteration count now only helps you in any future breach. If you were ever a LastPass customer, your data could be part of this breach that came from a LastPass backup server. If you had a weak master password and/or a low iteration count at the time of that backup, your accounts are most likely compromised. Even if you closed the account, LastPass has not told us if they delete your data from backups upon closing an account, so don't assume so.

- There were hundreds of millions of accounts compromised (LastPass has corporate customers also). One has to assume hackers will go through the huge amount of stolen data and decrypt the easy ones first (weak passwords, low iterations). Don't assume your passwords aren't at risk because nothing has happened yet. No one may get around to decrypting YOUR passwords for a while.

- Good LastPass alternatives are Bitwarden, 1Password, and Dashlane. Steve Gibson has confirmed that you can export your LastPass data to a .CSV file and directly import it into Bitwarden. While Bitwarden has a premium version, the free version is probably all you need. Bitwarden also supports self-hosting your own server instead of using their cloud service.
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "

Executioner
Life Member
Posts: 10133
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Re: LastPass Breach Fiasco - IMPORTANT if you ever were a LastPass user.

Post by Executioner »

Wow. I quit using LP about 2 years ago when they went to a charging model, and now use Bitwarden.

Re: LastPass Breach Fiasco - IMPORTANT if you ever were a LastPass user.

Post by Executioner »

Now since I'm using BW for password management, I think it stores the master password in the cloud. I'd rather have it stored locally on a portable flash drive. Wonder if that is a possibility.

Re: LastPass Breach Fiasco - IMPORTANT if you ever were a LastPass user.

Post by FlyingPenguin »

Password managers don't work that way. No one has your master password. It's not stored anywhere. When you provide your master password to the local system, it creates a key based on the password and other info (referred to as 'salt'). If the key is correct, then your password vault is readable; if not, it's gibberish.

The only thing stored in the cloud is a 'blob' of gibberish that is unreadable without the correct key.

The strength of the security of your data is, however, completely dependent on the strength of your master password. It has to be really good and really long. Nowadays 16 characters is recommended, avoiding words, with liberal use of punctuation characters.

There is some metadata in the blob that's clear text. In the case of LP, maybe too much. Gibson was disappointed they didn't encrypt the website URLs.
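To make the iteration-count and master-password points from the first post, and the "password becomes a key, the cloud only holds a blob" explanation just above, concrete, here is an added worked example. It is not LastPass's, Bitwarden's, or Steve Gibson's code; it is a simplified model in which the vault key is PBKDF2-HMAC-SHA256 over the master password with the account e-mail as salt (an assumption of the model), the stolen blob carries the e-mail and iteration count in clear as metadata, and a key-check value stands in for the ciphertext so an attacker can tell a right guess from a wrong one. All passwords, e-mails and the wordlist are constructed for the demo; the GPU rate used in the last calculation is a labelled assumption, not a measurement.

```python
"""Added example (not LastPass's or Bitwarden's code): how the PBKDF2 iteration
count frozen inside a stolen vault blob, and the master password in use when that
blob was made, decide how fast an offline attacker recovers the vault key.

Model assumptions (simplified, not any vendor's exact scheme):
  * vault key = PBKDF2-HMAC-SHA256(master password, salt = account e-mail, N iterations)
  * the blob stores the e-mail and N in clear (metadata) plus material that only the
    right key verifies; here that material is an HMAC key-check value.
"""
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

KEY_CHECK_LABEL = b"vault-key-check"  # constructed constant, stands in for "does a known field decrypt?"


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key. This key is never stored anywhere."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),  # salt: public and per-user, not secret
        iterations,
        dklen=32,
    )


def make_stolen_blob(master_password: str, email: str, iterations: int) -> dict:
    """What a backup server holds: clear metadata plus material only the correct key verifies."""
    key = derive_vault_key(master_password, email, iterations)
    return {
        "email": email,
        "iterations": iterations,  # frozen at backup time; raising it in the app later does not touch this copy
        "key_check": hmac.new(key, KEY_CHECK_LABEL, "sha256").digest(),
    }


def offline_guess(blob: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Attacker loop: no rate limit, no lockout; only the per-guess PBKDF2 cost slows it down."""
    tried = 0
    for candidate in wordlist:
        tried += 1
        key = derive_vault_key(candidate, blob["email"], blob["iterations"])
        check = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
        if hmac.compare_digest(check, blob["key_check"]):
            return candidate, tried
    return None, tried


def seconds_per_guess(iterations: int, email: str = "user@example.com", rounds: int = 3) -> float:
    """Median wall-clock cost of one PBKDF2 guess at this iteration count on this machine."""
    timings = []
    for _ in range(rounds):
        start = time.perf_counter()
        derive_vault_key("timing-probe", email, iterations)
        timings.append(time.perf_counter() - start)
    timings.sort()
    return timings[len(timings) // 2]


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of a given length drawn from a given alphabet."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    weak = "monKey123"  # the weak example password from the thread
    wordlist = ["password", "letmein", "monkey123", weak]  # constructed dictionary

    # Same weak master password, two iteration counts: both fall, one far more cheaply.
    for n in (1, 100100):
        blob = make_stolen_blob(weak, "victim@example.com", n)
        t0 = time.perf_counter()
        found, tried = offline_guess(blob, wordlist)
        print(f"iterations={n:>6}: recovered {found!r} after {tried} guesses in {time.perf_counter() - t0:.3f}s")

    # Attacker throughput scales as ~1/iterations; this is the only knob the iteration setting buys.
    for n in (1, 5000, 100100, 600000):
        print(f"iterations={n:>6}: {1 / seconds_per_guess(n):,.0f} guesses/s on this CPU (single core)")

    # Why length matters more than iterations: 9 vs 16 printable-ASCII characters, at an
    # ASSUMED rate of 1e6 guesses/s (a placeholder for a GPU rig, not a measured figure).
    for length in (9, 16):
        print(f"{length}-char printable ASCII at 1e6 guesses/s: {years_to_exhaust(94, length, 1e6):.3g} years")
```

Run it as-is and the two things the thread keeps stressing are visible in the output: the `iterations` field is part of the stolen blob, so whatever you set today changes nothing about the copy already taken, and raising it only multiplies the attacker's cost linearly, while adding characters to the master password multiplies it exponentially.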

Re: LastPass Breach Fiasco - IMPORTANT if you ever were a LastPass user.

Post by Executioner »

Mine is 15 characters with:
1 symbol
2 caps
5 numbers
7 lower case
Losbot
Almighty Member
Posts: 4991
Joined: Sun Jul 13, 2014 8:59 am
Location: South Florida

Re: LastPass Breach Fiasco - IMPORTANT if you ever were a LastPass user.

Post by Losbot »

My iterations on LP have been set to 100100 since day one. Bumped that to 1,000,000 for now.
psypher
Golden Member
Posts: 884
Joined: Sun Nov 02, 2014 1:05 pm
Location: Marietta

Re: LastPass Breach Fiasco - IMPORTANT if you ever were a LastPass user.

Post by psypher »

For those of you that think you can just tweak your password or settings, let me warn you. I cannot emphasize enough, get off LastPass, or at least change all your passwords. But I really wouldn't trust LastPass, so I recommend doing both.

A friend of mine lost close to $500,000 worth of crypto. How? The 24-word recovery phrase (which should be stored offline anyways, but that's a whole thing) that's required to recover your ledger/private keys in case you lose your hardware wallet was being stored in LastPass.
The logs show it hasn't been accessed since the day it was stored in LastPass.

His password was increased to 15+ characters and his iterations were also increased, but that was too late. All the old data that was never changed/updated can be retrieved.