On December 22, 2022, popular password manager LastPass issued a notice of a recent security incident. A threat actor obtained information from LastPass backups that contained personally identifiable information (PII) in plaintext, as well as encrypted copies of customer password vaults. This incident is a continuation of the August 2022 incident, where an unauthorized party gained access to the LastPass development environment through a compromised developer account. The scope of the incident has continued to escalate since August, leaving many users concerned about their data.
The question on everyone’s mind: “Are my passwords safe?”
The answer is complex; user data is only as secure as the master password used for vault protection. LastPass utilizes a zero-knowledge security model, which means plaintext master passwords are not known by LastPass, as all master passwords are stored with encryption. LastPass uses a strong encryption method that is equivalent to other industry leaders in password management. Encrypted fields are secured with 256-bit AES encryption that is decrypted with the unique key derived from each user’s master password.
Users who did not implement unique and complex passwords are at risk of compromise and should be concerned about the breach. Upon password creation, LastPass lays out their recommended password requirements that would make a password extremely difficult to crack.
- Use a minimum of twelve characters, but the longer the better.
- Use upper case, lower case, numeric, and special character values.
- Make it pronounceable and memorable, but not easily guessed (e.g., a passphrase).
- Make sure that it is unique.
- Never use personal information.
In addition, it is best practice to prevent password reuse and to use a separate, unique password for each individual account. Using a password generator can help take the guesswork out of creating a unique, complex password.
The chart above, a quick guide from Hive Systems, estimates how long it would take to crack a password. Notice the impact small changes in password complexity can have on the time to brute force. Simply increasing from eleven to twelve characters under the upper and lowercase letter column shifts the brute force time from five months to twenty-four years.
Unencrypted Data
The plaintext information exposed in the breach also poses a significant security risk and should not be discounted. Although the exposed plaintext items listed below include common information that is available online, the aggregate of this information can be used to provide greater detail for phishing attempts. Website URLs provide context for what the usernames and passwords log in to, allowing for highly customized phishing attempts.
Plaintext customer information exposed in the breach includes the following data types:
- Company names
- Usernames
- Billing addresses
- Phone numbers
- Email addresses
- IP addresses that customers used to access LastPass
- Website URLs from customer password vaults
Recommendations
Although it is too late to alter the master password since the attackers have offline encrypted versions of customer vaults, it is still important to ensure your current vault password maintains high complexity. Users who have particularly weak master passwords should change the passwords stored inside their vault. If the master password hash is later cracked, the passwords in the offline vault copy held by the attackers will already have been changed and therefore be invalid, thus providing protection. Accounts that are most sensitive should be prioritized for password changes, followed by accounts with the weakest passwords. Be sure to also have multifactor authentication enabled on as many accounts as possible for an added layer of security.
It should be noted that not all LastPass accounts were encrypted with the latest encryption standard. Older accounts may use fewer iterations of the key-derivation function and are not as secure if the master password has not been changed recently. If a user’s master password is several years old, it is recommended to change all passwords stored in the vault.
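To make the arithmetic behind the Hive Systems chart and the iteration note concrete, here is an added Python example that is not from the post or from LastPass: it sizes the keyspace from the character classes present in a password, stretches a master password into a 256-bit AES key with PBKDF2-HMAC-SHA256, and projects exhaustive-search time from a measured per-guess cost. The iteration counts, the sample passwords and the salt are assumed for illustration and are not LastPass's actual parameters.

```python
import hashlib
import os
import string
import time

# Character classes from the post's password recommendations.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}

def charset_size(password: str) -> int:
    """Alphabet an attacker must search: the union of the classes present in the password."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))

def meets_recommendations(password: str) -> bool:
    """At least twelve characters with every class represented (the post's guidance)."""
    all_classes = sum(len(chars) for chars in CLASSES.values())
    return len(password) >= 12 and charset_size(password) == all_classes

def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must cover."""
    return charset_size(password) ** len(password)

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit AES key with PBKDF2-HMAC-SHA256.
    Illustrative only; the exact LastPass parameters are not taken from the post."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def measure_seconds_per_guess(iterations: int, samples: int = 10) -> float:
    """Cost of one offline guess on this machine: every guess re-runs the key derivation."""
    salt = os.urandom(16)  # constructed salt; any value works for timing
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples

def expected_crack_seconds(password: str, seconds_per_guess: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    return keyspace(password) / 2 * seconds_per_guess

if __name__ == "__main__":
    # Going from 11 to 12 characters multiplies the search by the alphabet size (52 here).
    print(keyspace("AbcdefghijkL") // keyspace("AbcdefghijK"))
    # Raising the iteration count (assumed values) raises the cost of every guess in step.
    for iters in (5_000, 100_000):
        spg = measure_seconds_per_guess(iters)
        years = expected_crack_seconds("Correct-Horse-9x", spg) / 3.15e7
        print(iters, f"{spg:.2e} s/guess", f"{years:.1e} years")
```

The measured per-guess cost is for a single CPU core in Python; a real cracking rig is far faster, so treat the output as a relative comparison between lengths and iteration counts, not as an absolute guarantee.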
Should you still use LastPass?
Many media outlets are urging users to stop using LastPass due to its recent security issues. Over the years, many password managers have experienced security problems, but these issues have been too quickly forgotten. There is no doubt that a data breach is particularly impactful to customers, and that the user information stored in plaintext is a security failure by LastPass. However, their encryption is formidable if users have maintained a strong master password, their platform is still user friendly and convenient, and it comes at a competitive price point.
Below, several security issues that add context to the password manager security environment are listed. No solution is without flaws, but some shortcomings are certainly more egregious than others. There are password manager options available with better security track records than LastPass and zero recorded breaches. It will be difficult for LastPass to rebuild consumer trust, and it is reasonable to consider transitioning to another password manager if you are looking for the best password security solution.
Recent Password Manager Security Incidents
- In 2021, Team Password Manager was found vulnerable to password reset poisoning, allowing a remote attacker to reset a user’s password.
- In this same year, Kaspersky’s password manager was found vulnerable. The password manager was using system time as its password generation method, allowing attackers to narrow passwords down to a few hundred options.
- In 2020, it was discovered that Keeper, Dashlane, and 1Password did not limit the number of login attempts while entering the master password, making the password managers susceptible to brute force attacks.
- In 2019, it was revealed that Dashlane, LastPass, and KeePass could leak unencrypted credentials while running in the background.
- In 2018, numerous high-profile password managers would at times keep passwords stored in clear text in computer memory.
- Numerous password managers have been susceptible to phishing from illegitimate third-party applications where the autofill function was tricked into filling in passwords.
- Several password managers have had leaks into PC memory that disclosed user login credentials. If a user’s machine were then infected with malware, a hacker could see this sensitive data.
What is LastPass doing about the breach?
LastPass’s communication regarding the breach has been vague and infrequent so far, causing customer confidence in the brand to waver. Upon suspicion of a security event, LastPass immediately launched an investigation, engaging the cyber security firm Mandiant and informing law enforcement and regulatory authorities. In the wake of the breach, they have added additional logging and alerting capabilities, eradicated access to the development accounts, and hardened those machines. They are supplementing endpoint security and analyzing every account with signs of suspicious activity. As they continue to investigate, they are committed to keeping customers informed.
Users should expect changes to the way plaintext data is handled by not only LastPass, but the entire password manager market. This has been a valuable lesson for the industry to ensure all customer data remains confidential, and that master passwords have enforced complexity upon creation.