The LastPass disclosure of leaked password vaults is being torn apart by security experts
Last week, just before Christmas, LastPass dropped a bombshell announcement: as the result of a breach in August, which lead to another breach in November, hackers had gotten their hands on users’ password vaults. While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager.
LastPass’ December 22nd statement was “full of omissions, half-truths and outright lies,” reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it’s being; he accuses the company of trying to portray the August incident where LastPass says “some source code and technical information were stolen” as a separate breach when he says that in reality the company “failed to contain” the breach.
“LastPass’s claim of ‘zero knowledge’ is a bald-faced lie.”
He also highlights LastPass’ admission that the leaked data included “the IP addresses from which customers were accessing the LastPass service,” saying that could let the threat actor “create a complete movement profile” of customers if LastPass was logging every IP address you used with its service.
Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager. “LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” he says, alleging that the company has “about as much knowledge as a password manager can possibly get away with.”
LastPass claims its “zero knowledge” architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn’t dispute that particular point, he does say that the phrase is misleading. “I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no — with LastPass, your vault is a plaintext file and only a few select fields are encrypted.”
Palant also notes that the encryption only does you any good if the hackers can’t crack your master password, which is LastPass’ main defense in its post: if you use its defaults for password length and strengthening and haven’t reused it on another site, “it would take millions of years to guess your master password using generally-available password-cracking technology” wrote Karim Toubba, the company’s CEO.
“This prepares the ground for blaming the customers,” writes Palant, saying that “LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn’t follow their best practices.” However, he also points out that LastPass hasn’t necessarily enforced those standards. Despite the fact that it made 12-character passwords the default in 2018, Palant says, “I can log in with my eight-character password without any warnings or prompts to change it.”
LastPass’ post has even elicited a response from a competitor, 1Password — on Wednesday, the company’s principal security architect Jeffrey Goldberg wrote a post for its site titled “Not in a million years: It can take far less to crack a LastPass password.” In it, Goldberg calls LastPass’ claim of it taking a million years to crack a master password “highly misleading,” saying that the statistic appears to assume a 12 character, randomly generated password. “Passwords created by humans come nowhere near meeting that requirement,” he writes, saying that threat actors would be able to prioritize certain guesses based on how people construct passwords they can actually remember.
Of course, a competitor’s word should probably be taken with a grain of salt, though Palant echos a similar idea in his post — he claims the viral XKCD method of creating passwords would take around 25 minutes to crack with a single GPU, while one made by rolling dice would take around 3 years to guess with the same hardware. It goes without saying that a motivated actor trying to crack into a specific target’s vault could probably throw more than one GPU at the problem, potentially cutting that time down by orders of magnitude.
“They essentially commit every ‘crypto 101’ sin”
Both Gosney and Palant take issue with LastPass’ actual cryptography too, though for different reasons. Gosney accuses the company of basically committing “every ‘crypto 101’ sin” with how its encryption is implemented and how it manages data once it’s been loaded into your device’s memory.
Meanwhile, Palant criticizes the company’s post for painting its password-strengthening algorithm, known as PBKDF2, as “stronger-than-typical.” The idea behind the standard is that it makes it harder to brute-force guess your passwords, as you’d have to perform a certain number of calculations on each guess. “I seriously wonder what LastPass considers typical,” writes Palant, “given that 100,000 PBKDF2 iterations are the lowest number I’ve seen in any current password manager.”
Bitwarden, another popular password manager, says that its app uses 100,001 iterations, and that it adds another 100,000 iterations when your password is stored on the server for a total of 200,001. 1Password says it uses 100,000 iterations, but its encryption scheme means that you have to have both a secret key and your master password to unlock your data. That feature “ensures that if anyone does obtain a copy of your vault, they simply cannot access it with the master password alone, making it uncrackable,” according to Gosney.
Palant also points out that LastPass hasn’t always had that level of security and that older accounts may only have 5,000 iterations or less — something The Verge confirmed last week. That, along with the fact that it still lets you have an eight-character password, makes it hard to take LastPass’ claims about it taking millions of years to crack a master password seriously. Even if that’s true for someone who set up a new account, what about people who have used the software for years? If LastPass hasn’t issued a warning about or forced an upgrade to those better settings (which Palant says hasn’t happened for him), then its “defaults” aren’t necessarily useful as an indicator of how worried its users should be.
Another sticking point is the fact that LastPass has, for years, ignored pleas to encrypt data such as URLs. Palant points out that knowing where people have accounts could help hackers specifically target individuals. “Threat actors would love to know what you have access to. Then they could produce well-targeted phishing emails just for the people who are worth their effort,” he wrote. He also points out that sometimes URLs saved in LastPass could give people more access than intended, using the example of a password reset link that isn’t properly expired.
There’s also a privacy angle; you can tell a lot about a person based on what websites they use. What if you used LastPass to store your account info for a niche porn site? Could someone figure out what area you live in based on your utility provider accounts? Would the info that you use a gay dating app put your freedom or life in danger?
One thing that several security experts, including Gosney and Palant, seem to agree on is the fact that this breach isn’t proof positive that cloud-based password managers are a bad idea. This seems to be in response to people who evangelize the benefits of completely offline password managers (or even just writing down randomly-generated passwords in a notebook, as I saw one commenter suggest). There are, of course, obvious benefits to this approach — a company that stores millions of people’s passwords will get more attention from hackers than one individual’s computer will, and getting at something that’s not on the cloud is a lot harder.
But, like crypto’s promises of letting you be your own bank, running your own password manager can come with more challenges than people realize. Losing your vault via a hard drive crash or another incident could be catastrophic, but backing it up introduces the risk of making it more vulnerable to theft. (And you did remember to tell your automatic cloud backup software to not upload your passwords, right?) Plus, syncing an offline vault between devices is, to put it mildly, a bit of a pain.
As for what people should do about all this, both Palant and Gosney recommend at least considering switching to another password manager, in part because of how LastPass has handled this breach and the fact that it’s the company’s seventh security incident in a little over a decade. “It’s abundantly clear that they do not care about their own security, and much less about your security,” Gosney writes, while Palant questions why LastPass didn’t detect that hackers were copying the vaults from its third-party cloud storage while it was happening. (The company’s post says it’s “added additional logging and alerting capabilities to help detect any further unauthorized activity.”)
LastPass has said that most users won’t have to take any action to secure themselves after this breach. Palant disagrees, calling the recommendation “gross negligence.” Instead, he says that anyone who had a simple master password, a low number of iterations (here’s how you can check), or who’s potentially a “high value target” should consider changing all of their passwords immediately.
Is that the most fun thing to do over the holidays? No. But neither is cleaning up after someone accessed your accounts with a stolen password.
Update December 28th, 7:39PM ET: Updated to include comments from 1Password, which published its own rebuttal to LastPass’ claims.