LastPass says no passwords were compromised following breach scare

Whether consciously or not I think it's a coping mechanism. Wouldn't be a pleasant feeling having vaults obtained by those eager to gain access to accounts, particularly since URLs weren't encrypted, so they'd be likely prioritized according to high value sites.

Someone on another site cited stats that 69-85% of hashed passwords in past (general) leaks have been cracked via brute force/rainbow tables/etc. Not a very encouraging figure for the strength of password the average user might use for the master password.

One could always change every password pre-emptively, but should a leaked vault be compromised it'd still likely contain sensitive info that otherwise wouldn't be desirable to have out there.

This is an extremely big deal and the people who are putting their head in the sand are foolish. Even though I expect a fair number of the master passwords to be brute forced, let's assume they aren't and ignore that part of the problem. Just the amount of data that was unencrypted but included with the vaults is scary. How many sensitive and internal URLs for businesses are now exposed? How many of those internal URLs are considered "safe" and may have less protections than something public facing? Now the bad guys have a desire to breach said businesses because of the soft gooey insides.

Stuff like this is why I self-host a Bitwarden instance which is not public facing in any way. My passwords and everything surrounding them are only safe with one person: me.
 
I've used LastPass for years, paid sub even. This hack had me leave. I'm on Bitwarden now, working on changing all my passwords. Anyone who was in LP should change all passwords at the least.

When I left they asked me why, I told them because they were hacked.
 
I agree, but sensitive urls shouldn't be stored on an uncontrolled server anyway, encrypted or not...
 
I don't disagree but the people who will have weak master passwords and no 2FA are the same people who will be doing such a thing.
 
Is there a way to check to see how strong (relatively speaking) our master passwords are? Say for example a 14 character password with numbers, letters, and a few special characters thrown on to the end? Edit: I found a website that's a password entropy calculator that says my password is 85 bits. It says that's a secure password but with the advancements of distributed hash cracking I'm not sure how accurate that is. For example, how long would it take to crack a pw with 85 bits of entropy if you were using a network containing 32x 4090s?
 
You're thinking about it all wrong if you're looking at "bits of entropy". Read up on 256-bit AES encryption.
 
I think the useful thing to know would be how slowed down an attacker is with each attempt, if guessing offline. Some older accounts had fewer iterations, while newer had more, by default. The open source, reverse-engineered, offline LastPass vault extraction script can appear near-instantaneous to the user when provided the correct credentials but may be slow enough in raw computer time to slow down each guess. Of course multiple systems could be guessing a copy of the same file in parallel.

Then it's just whether a password is weak to dictionary attacks (existing/common passwords or phrases known to be used historically, to speed up the likelihood of matches) or brute-force (usually only feasible for passwords short and weak enough). I'm not sure what the threshold of length is these days to be feasibly safe.

If Eulogy wants to fill in any clarifications I'd be interested.
 
Not to be rude, but, encryption is a pretty lengthy subject to try to write about in a succinct manner on a forum reply. I'd have to touch on symmetric key cipher, block cipher, substitution-permutation networks, key expansion / round keys, and more. Massively over simplifying here to give you a jumping point if you want to go read further... here's what AES "does" sequentially:
- takes your data (plaintext) and divides it up into 4x4 arrays, totaling 16 bytes (4 bytes per element), called blocks
- the initial key is fed into a key expansion, which generates all the round keys (Edit: I may be conflating this with something else -- I can't recall exactly, at 2am, when AES derives the round keys. It may be during each round and use the previous round key to generate a new one)
- the initial key is added to the blocks using XOR
- each byte of data is subbed via a table
- each row of the block is shifted (second row is shifted "left" 1 space, third row "left" by 2 spaces, fourth row "left" by 3 spaces)
- columns are mixed, combining the 4 bytes in the column
- round key is added to the block, and we begin the 2nd round (AES-256 has 14 rounds total, same process each time, but a new key each round)

So a lot of the strength happens in the row shifts and column diffusion sequences. If whoever all ends up with these vaults try to brute force AES-256, they're in for a long, long, long wait.

So where's that initial key come from? Getting to that, lastpass didn't just plaintext use your master password for the key. They first ran it through PBKDF2-SHA256 with 100100 iterations (as of 2011, apparently before that it was 5000). This is where your bits of entropy could come into play and slightly better chances of brute forcing, but, if you had a reasonable master password complexity (14 was the example asked of, anything >=12 is sufficient for the foreseeable future), that would still be a bad time (decade+, barring big leaps in computing). Attackers have to unwind all 100100 iterations before they can try the key against the vault. Fail, then wait for another unwind and try again. Slows the process down a good bit.

LastPass still sucks for getting breached and folks should move off of them out of spite or to just tell them that this is not acceptable stewardship of critical information. But, it isn't an urgent thing you have to do today, or even next year, if your master password was sufficient. I'd still rotate any creds you had in there as you're moving them off lastpass, starting with emails and financials. Plus, as you go through the credentials in there, you can probably find accounts at places that you can close down, slightly minimizing your risk envelope online at the same time.

Edit: this is all also assuming LastPass at least had their cryptography systems set up properly (and if they were truly "zero-knowledge"). All evidence so far points to that being true, but only time will tell.
 
I mean, tbf, the user was just after some general idea :p It's still essentially that the only foreseeable way an attack would be done is attempting passphrase guesses (running it through the key derivation function) rather than brute forcing the AES-256 key itself. Enough PBKDF2 iterations slows down each guess to where putting more compute power for guessing in parallel becomes less practical, cost and time wise.

It's a bit hard to tell with the 100k iterations figure how widespread it is, as there are reports from various users with older accounts—including those created after 2011—that were still on 5k and not retroactively changed, even right up to this breach. Here a user changed theirs to 300k, LP confirmed it had re-encrypted the vault, yet recently they discovered it was still 5k.
 

Stuff like that is what scares me about keeping my password vault in someone else's environment.

As Eulogy said users should leave LastPass. Not out of spite though. Out of the fact that LastPass has not been fully honest with their customers. The "vault" was always claimed to have been fully encrypted, yet we find out it isn't. Then we have these findings like Okatis posted. LastPass can no longer be trusted to protect your passwords.
 
Not to be rude, but, encryption is a pretty lengthy subject to try to write about in a succinct manner on a forum reply. I'd have to touch on symmetric key cipher, block cipher, substitution-permutation networks, key expansion / round keys, and more. Massively over simplifying here to give you a jumping point if you want to go read further... here's what AES "does" sequentially:

*SNIP*

I appreciate the detailed answer. I had been reading conflicting information from users on Reddit which is why I was wondering if there's a way to determine password strength. This user seems to think their encryption is garbage. When I logged into LastPass it's showing me 100,100 iterations but I've been a user for several years and never changed it so I'm skeptical that it was actually set to that when the breach occurred. I'm still debating whether I need to go through and change the 800+ passwords stored in my Vault.
 
Yeah. I was trying to generally speak about AES-256 and PBKDF2-SHA256. Like a lot of systems, it comes down to implementation though... if the implementation is wrong or half-assed, that can effectively make it worthless. I don't know the details of what LastPass did for their systems... and like NIZMOZ's article points out, if your master password is weak, the time to crack will be minimal. I'd wager that folks who embrace a password manager are more inclined to not have weak credentials, but, that's an unsafe assumption for a provider to make.
 
A recent article by the security researcher who pushed to have LastPass update users to 100k client-side iterations in 2018, clarifies the '100k' timeline confusion. LastPass were using 100k iterations prior to 2018 only as part of their server-side authentication hash stored on their servers, based on the vault's encryption key derived from 5k iterations. This was until the researcher wrote about how weak that is for the scenario of a vault breach (which has now occurred).

From their linked 2018 article:
For each guess one has to derive the local encryption key with 5,000 PBKDF2 iterations, hash it, then apply another 100,000 PBKDF2 iterations which are normally added by the LastPass server. Only then can the result be compared to the authentication hash stored on the server.

But that protection only works if the attackers are stupid enough to verify their master password guesses via the authentication hash. As mentioned above, the local encryption key is derived from your master password with merely 5,000 PBKDF2 iterations. The LastPass server stores these encrypted pieces of data without any additional protection. So a clever attacker would guess your master password by deriving the local encryption key from a guess and trying to decrypt some data. Worked? Great, the guess is correct. Didn’t work? Try another guess. This approach speeds up guessing master passwords by factor 21.

Despite the researcher's public disclosure they found LastPass didn't in fact migrate all users to 100k vault key iterations as they'd told him. Additionally they found since the recent breach some users with as low as 1 (!) iteration set by default, who like others were never migrated to higher iterations.

They also touch on how entropy for the master password does matter considerably given such scenarios as the time to brute force differs exponentially depending on both the iterations and entropy. As their 2018 article points out attackers would be using dictionary attacks first though to shortcut the process:

So, what kind of protection do 5,000 PBKDF2 iterations offer? Judging by these numbers, a single GeForce GTX 1080 Ti graphics card (cost factor: less than $1000) can be used to test 346,000 guesses per second. That’s enough to go through the database with over a billion passwords known from various website leaks in barely more than one hour. And even if you don’t use any of the common passwords, it is estimated that the average password strength is around 40 bits. So on average an attacker would need to try out half of 2⁴⁰ passwords before hitting the right one, this can be achieved in roughly 18 days.
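
The arithmetic behind the figures quoted in this thread, as an added example (not part of any post and not LastPass's code). It takes the 346,000 guesses/s at 5,000 iterations benchmark from the quoted article, assumes PBKDF2 cost scales linearly with the iteration count, and uses a constructed password and salt for the key-derivation demo.

```python
import hashlib

# Benchmark quoted in the thread: one GTX 1080 Ti, 5,000 PBKDF2 iterations.
REF_RATE = 346_000        # master-password guesses per second
REF_ITERATIONS = 5_000
SECONDS_PER_DAY = 86_400

def guesses_per_second(iterations, gpus=1):
    """Linear model: halving the iterations doubles the guess rate.
    At very low counts this is an upper bound (other per-guess work dominates)."""
    return REF_RATE * REF_ITERATIONS / iterations * gpus

def expected_days(entropy_bits, iterations, gpus=1):
    """Average brute-force time: half of the 2**bits search space."""
    return 2 ** (entropy_bits - 1) / guesses_per_second(iterations, gpus) / SECONDS_PER_DAY

def wordlist_hours(entries, iterations, gpus=1):
    """Time to run a leaked-password list through the KDF."""
    return entries / guesses_per_second(iterations, gpus) / 3600

def auth_hash_speedup(client_iterations, server_iterations=100_000):
    """Cost of a guess checked against the server authentication hash,
    relative to a guess checked by decrypting vault data directly."""
    return (client_iterations + server_iterations) / client_iterations

def derive_vault_key(master_password, salt, iterations):
    """PBKDF2-SHA256 to a 256-bit key, as described in the thread."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)

if __name__ == "__main__":
    print(f"auth-hash path is {auth_hash_speedup(5_000):.0f}x slower than vault path")
    print(f"1e9-entry wordlist at 5,000 iterations: {wordlist_hours(1e9, 5_000):.1f} h")
    for iterations in (1, 5_000, 100_100):
        for bits in (40, 60, 85):
            days = expected_days(bits, iterations)
            print(f"{iterations:>7} iterations, {bits} bits: {days:.3g} days on one GPU")

    # Constructed inputs: a different iteration count yields a different key,
    # so raising the setting only helps once the vault is re-encrypted.
    salt = b"constructed-salt"
    old_key = derive_vault_key("constructed passphrase", salt, 5_000)
    new_key = derive_vault_key("constructed passphrase", salt, 100_100)
    print("keys differ:", old_key != new_key)
```

The entropy figures only hold for randomly generated passwords; a human-chosen password that appears in a wordlist falls in the `wordlist_hours` case regardless of its nominal bit count.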
 