
LastPass password manager gets hit – nobody is immune, but this is about as good as you can hope for

Yesterday, the online password management service LastPass announced that it had detected an attack on its systems, and that the attack appears to have been partially successful in reaching client account data. This is a system that I use, but I’m not really concerned (although I recommend that all LastPass users read the following and change their master password as soon as possible). Here’s why…

What happened to LastPass?

Attackers were apparently able to break into LastPass’s servers and obtain at least a portion of the account database, including the following for each affected user:

  • User email addresses – the identifier used to look up which database record holds a user’s password information
  • Security reminder questions – the password-reminder hints that users set to jog their memory of their master password
  • Authentication hashes – the one-way hash that stands in for a user’s master password. It is produced by feeding the real password (combined with the salt below) through a non-reversible function 100,000 times, so it cannot be turned back into the password. The only way to make use of a stolen hash is to guess candidate passwords, run each guess through the same 100,000-iteration function, and check whether the result matches what was in the database, which takes serious computing power
  • Per-user salts – a random value combined with the user’s password before it goes through the 100,000-iteration hash function. Because every user’s salt is different, each guess has to be hashed separately for every account, so attackers cannot crack more than one password per guess or use precomputed tables

LastPass reports that there is no evidence that any user password vault data was accessed by attackers at this point.

How does this affect LastPass users?

The compromised information lets the attackers run “off-line” cracking programs against the master-password hashes, with no login throttling from LastPass to slow them down. It’s not that hard these days for an attacker to pool the resources of thousands of computers to work on cracking password hashes, although the 100,000 iterations mean that every guess costs the attacker as much work as it costs LastPass to check one login. So there is a chance that individual LastPass users, particularly those with short or guessable master passwords, may have their LastPass accounts compromised. However, LastPass is taking some precautions to mitigate this risk.

Any login attempt from a new IP address (one different from the user’s recent logins) will require verification by email. This means that unless an attacker already has access to the victim’s email account, they will not be able to log in, even if they have correctly guessed the user’s master password.

LastPass will most likely require anyone logging in from an unknown device (i.e. one not previously used by that user) to change their LastPass master password immediately. Changing the master password generates a new salt and a new stored hash, so the hash and salt obtained by the attackers no longer correspond to anything and become useless.
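The two precautions just described can be sketched as login logic. The following is an added Python example, not LastPass’s implementation; the class and method names, the in-memory “database”, the sample IP addresses (taken from the RFC 5737 documentation ranges) and the device identifiers are assumptions for illustration, and PBKDF2-HMAC-SHA256 is assumed as the 100,000-iteration hash. It shows that an attacker who has cracked the master password is stopped at the email-verification step when connecting from a new IP address, that a legitimate user on an unknown device is forced to rotate the password, and that after rotation the stolen hash and salt no longer match anything.

```python
"""Added example, not LastPass's code: new-IP email verification and forced
master-password rotation for unknown devices, as described in the post."""
import functools
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # iteration count quoted in the post


def kdf(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 is assumed as the iterated one-way function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class AuthService:
    """Toy server-side login logic (hypothetical names, in-memory storage)."""

    def __init__(self):
        self.users = {}    # email -> {"salt", "hash", "known_ips", "known_devices"}
        self.pending = {}  # one-time token -> (email, ip) awaiting confirmation
        self.outbox = {}   # email -> last token "mailed"; stands in for the e-mail system

    def register(self, email, password, ip, device_id):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": kdf(password, salt),
                             "known_ips": {ip}, "known_devices": {device_id}}

    def _password_ok(self, rec, password) -> bool:
        # Constant-time compare; an unknown user gets the same answer as a wrong password.
        return rec is not None and hmac.compare_digest(rec["hash"], kdf(password, rec["salt"]))

    def login(self, email, password, ip, device_id) -> str:
        rec = self.users.get(email)
        if not self._password_ok(rec, password):
            return "denied"
        if ip not in rec["known_ips"]:
            # A correct password is not enough from a new IP: mail a one-time token.
            token = secrets.token_urlsafe(16)
            self.pending[token] = (email, ip)
            self.outbox[email] = token
            return "email_verification_required"
        if device_id not in rec["known_devices"]:
            # Post-breach policy: an unknown device must rotate the master password first.
            return "password_change_required"
        return "ok"

    def confirm_email(self, token) -> bool:
        """Only someone who can read the mailbox can turn a new IP into a known one."""
        if token not in self.pending:
            return False
        email, ip = self.pending.pop(token)
        self.users[email]["known_ips"].add(ip)
        return True

    def change_password(self, email, old, new, device_id) -> bool:
        """Re-salt and re-hash, so the stolen (salt, hash) pair stops matching anything."""
        rec = self.users.get(email)
        if not self._password_ok(rec, old):
            return False
        rec["salt"] = secrets.token_bytes(16)
        rec["hash"] = kdf(new, rec["salt"])
        rec["known_devices"].add(device_id)
        return True


@functools.lru_cache(maxsize=None)
def demo() -> dict:
    svc = AuthService()
    svc.register("alice@example.com", "summer2015", ip="203.0.113.5", device_id="alice-laptop")
    alice = svc.users["alice@example.com"]
    stolen = (alice["salt"], alice["hash"])  # what the attackers walked away with
    out = {}
    # Attacker has cracked the master password off-line but connects from a new IP.
    out["attacker"] = svc.login("alice@example.com", "summer2015", "198.51.100.7", "attacker-box")
    out["attacker_guesses_token"] = svc.confirm_email("not-the-real-token")
    # Alice on her usual IP but a new phone: correct password, rotation enforced.
    out["alice_new_device"] = svc.login("alice@example.com", "summer2015", "203.0.113.5", "alice-phone")
    out["rotated"] = svc.change_password("alice@example.com", "summer2015",
                                         "correct horse battery staple 7!", "alice-phone")
    out["alice_after"] = svc.login("alice@example.com", "correct horse battery staple 7!",
                                   "203.0.113.5", "alice-phone")
    # The cracked password and the stolen hash/salt are now useless.
    out["attacker_after"] = svc.login("alice@example.com", "summer2015", "198.51.100.7", "attacker-box")
    out["stolen_pair_still_valid"] = (alice["salt"], alice["hash"]) == stolen
    # Alice travels, reads the verification mail, and confirms the genuinely new IP.
    out["alice_new_ip"] = svc.login("alice@example.com", "correct horse battery staple 7!",
                                    "192.0.2.9", "alice-phone")
    out["confirmed"] = svc.confirm_email(svc.outbox["alice@example.com"])
    out["alice_new_ip_after"] = svc.login("alice@example.com", "correct horse battery staple 7!",
                                          "192.0.2.9", "alice-phone")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks is the point: the password is verified first (so a wrong guess learns nothing about the IP or device policy), the IP check comes before the device check (so a stranger with the right password never even reaches the rotation prompt), and rotation replaces both salt and hash rather than re-hashing under the old salt.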

What should you do if you are a LastPass user?

I recommend that you change your LastPass master password anyway. If you do this before LastPass has fully rolled out its response, you may be asked to change it again soon, but that is not a major inconvenience for me. So I’m changing my LastPass master password now, along with my password reminder, which in my case is pretty cryptic anyway (i.e. not useful to an attacker). The password reminder contains information about aspects of your current password, so it needs to change whenever you change your master password.

What lessons can we learn from this breach?

1- Nobody is immune. You should always use good, strong passwords, especially as the master password for a password manager. Every character you add to a password multiplies the number of guesses an attacker has to make, so the difficulty grows exponentially with length.

2- Don’t use easy security reminder questions. This can be a difficult thing to do, but here’s a tip when setting your reminder: don’t use the password itself, or an obvious paraphrase of it, as the reminder (I doubt that LastPass would let you use the password itself anyway). Instead, be vague in your reminder, in a way that gives you key information about your password that nobody else could interpret.

For example, if my password were “Lolee4%8pop”, I might choose a reminder of “Candee 38765 foure perc eighte”. I would know which candy I used, and that I didn’t use the 5 digits at all, while the “foure” and “eighte” are clues to the numbers used in the password; the extra “e” on each is just added vagueness. The “perc” reminds me of the special character.

3- LastPass has consistently demonstrated good transparency and timely guidance in cases where it even suspects that an attack may have been successful. So, at this point, I have no problem continuing to recommend LastPass as a good way to securely manage user passwords.

Please let me know if you have any questions or comments.

Scott Wright

The Streetwise Security Coach

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
