Today, LastPass issued a security notice on their blog explaining that they detected some suspicious activity on their network. They believe that “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised” but also that the encrypted passwords (the vault) was not accessed.
What does all this really mean? I found the security notice a little vague and I thought that it is worth writing a post about what the breach exactly means and what the attackers can do with the stolen data.
Based on the LastPass notice, attackers have the following:
- Email addresses
- Password reminders
- Server salts
- Authentication hashes
Let’s break it down and see what kind of attacks are possible…
Email addresses
Email addresses can be used to launch a phishing campaign. The easiest thing to do here is to forge a convincing email talking about the actual compromise and invite the victim to update his master password by clicking on a malicious link. Given that LastPass went public and is asking users to change their master passwords, unexperienced users may fall for this and hand the master password to the attackers.
If you receive any email from LastPass, be mindful of this and do not click on any link.
Password reminders
This one is straightforward and probably the most powerful piece of information the attackers have stolen. While the password reminder cannot be the password itself, it can contain it. This means that password reminders such as “My password is correct horse battery staple” are possible. While unlikely, other more common passwords reminders such as “My dog’s name” can help attackers guess your master password. Remember that they have your email which leads to your Twitter, Facebook, etc where that information may be found.
Don’t use obvious password reminders or better yet, just don’t use password reminders at all.
Server salts
Server salts are used to protect your authentication hash. When you log in, an additional 100k rounds of SHA256-PBKDF2 are applied to the hash and that is what is stored in LastPass databases.
Salts are not meant to be a secret, they just need to be random and unique per user. It seems to be the case and that prevents attackers using rainbow tables to crack the encryption key.
Authentication hashes
First of all, what is an authentication hash? One of LastPass’s claims is that they do not know your master password nor can they decrypt your data. How does it work?
Encryption key derivation
The encryption key with which all your passwords are encrypted is derived from your username and password. Specifically, SHA256-PBKDF2 is applied to your password, using the username as a salt and 500/5000 rounds are applied by default (depending on how old your account is).
Authentication hash
In order to authenticate to LastPass without giving away your encryption key, one additional round of SHA256-PBKDF2 is applied. This time, the salt is the master password and the data is the encryption key.
This is what is sent to LastPass but not what is stored in the database. As explained above, LastPass applies an additional 100k rounds to this hash to further protect your encryption key.
Attack vectors
So, what can they do with the authentication hash? They have two possibilities:
- Crack the master password: This means that the attackers would have to bruteforce a 500/5000 rounds PBKDF2 hash in order to obtain the encryption key, add an extra round with the master password as salt, and finally apply 100k rounds more with the stolen salt to be able to compare it to the stolen hash.
- Crack the encryption key: Bruteforce a SHA256 hash by applying a round of PBKDF2 and then 100k more as explained above.
Still, attackers did not get access to the encrypted vault so they would have to log in to LastPass successfully in order to obtain it. Therefore, 2 factor authentication is key here as it will prevent this from happening in the already unlikely almost impossible case that the attackers did bruteforce the master password or encryption key.
What you need to know
LastPass is advising users to change the master password. While this is a good idea, it should not be the top priority. You should pay more attention to the password hint you set up and be on the lookout for any possible phishing email in the next weeks pretending to be LastPass.
Shakacon talk
In 3 weeks, I will give the talk “Breaking Vaults: Stealing LastPass protected secrets“ about how to steal the master password in different ways, and overall how secure LastPass is. It is interesting that the breach happened now (I promise it was not me) but I am happy that it was right before the talk. I will definitely add a couple more slides about the incident and will provide more information to the audience. I think it will be recorded in case you can’t make it to Hawaii :)
What if the encrypted vault data were stolen? The hacker would have unlimited time to decrypt the data. They would have all the ingredients needed. How can Lastpass let such a breach happen? I know people can change the master password this time. But if user data (vault) were stolen, then there is nothing the user can do. Many things can’t be changed overnight (bank acct#, ss#, private secure note, etc). What is Lastpass doing to protect “export” of the vault database?
Hi Connor,
That is not exactly correct. While your are right saying that if the attackers got hold of the vault they have unlimited time to try to decrypt it, the funny thing is that unlimited time is still not enough :)
The encryption system in place, how the encryption key is derived and how it is protected before it gets stored in LastPass makes cracking the key impossible (as of today and many years to come at least).
I am not trying to defend LastPass just because, but the reality is that they did a good job adding enough protection layers that even when hacked, your vault is still safe. As I mentioned in the post, just double check your password hint, don’t fall for phishing emails and do update you master password. In that order ;)
Best post about the breach I’ve found on the whole Internet. Finally somebody really tells us what’s going on and gives some technical details. If you read about it in the media, it sounds like we are all doomed, but if you look at the actual facts, the risk is actually very low. The computation power required to reveal just a single master password is extremely high and even if an attacker with a large super computer was able to do that after long period of time, it was all for nothing if it turns out that this account has two factor authentication enabled or the user changed the master password in the meantime as then he won’t even get access to the encrypted data.
Thanks Markus! That was the whole reason while I wrote the post. I realized that all I was reading was about how you need to change your master password ASAP because LastPass was hacked. The reality is that LastPass followed best practices and thanks to that, our accounts are still pretty secure and we have room to act accordingly
I read your article. It is the best one I have found so far.
I still do not understand why it would be necessary to change my master password. No one is ever going to guess it. And if I change it, I would never remember it. I have no password hints or anything like that for the hacker to follow.
From what I know, my concern is now, and always has been, the possibility of password resets. Little is said about this. If I or someone forgets the password, it is often reset? Am I correct? I found nothing inside Lastpass what I could do to prevent a Password reset from being done or what options are available with my existing setup. ie. Emergency access is a password setup.. It has to be because it decrypts it.
Please help.
Thanks.
One other note.. I do have one time passwords. That tells me there can me numerous passwords to decrypt Lastpass. If I change one password, there will still be other passwords …right? Or will changing the Master password remove emergency access and remove all other passwords that can decrypt Lastpass?