Today, LastPass issued a security notice on their blog explaining that they detected suspicious activity on their network. They believe that “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised”, but also that the encrypted vault data (the stored passwords themselves) was not accessed.
What does all this really mean? I found the security notice a little vague, and I thought it was worth writing a post about what exactly the breach means and what the attackers can do with the stolen data.
Based on the LastPass notice, attackers have the following:
- Email addresses
- Password reminders
- Server salts
- Authentication hashes
Let’s break it down and see what kind of attacks are possible…
Email addresses can be used to launch a phishing campaign. The easiest thing to do here is to forge a convincing email about the actual compromise that invites the victim to update their master password by clicking on a malicious link. Given that LastPass went public and is asking users to change their master passwords, inexperienced users may fall for this and hand the master password to the attackers.
If you receive any email claiming to come from LastPass, be mindful of this and do not click on any link in it. If you want to change your master password, type the LastPass address into the browser yourself or use the browser extension.
Password reminders are straightforward and probably the most powerful piece of information the attackers have stolen. While the password reminder cannot be the password itself, it can contain it. This means that password reminders such as “My password is correct horse battery staple” are possible. More common reminders such as “My dog’s name” are less blatant, but they still help attackers guess your master password. Remember that they also have your email address, which leads to your Twitter, Facebook, etc., where that information may be found.
Don’t use obvious password reminders or better yet, just don’t use password reminders at all.
Server salts are used to protect your authentication hash. When the client sends the authentication hash, LastPass applies an additional 100k rounds of PBKDF2-SHA256 to it with a per-user random salt, and the result is what is stored in the LastPass database.
Salts are not meant to be secret; they just need to be random and unique per user. This seems to be the case here, which prevents attackers from using precomputed (rainbow) tables against the stolen hashes and forces them to attack each account separately.
First of all, what is an authentication hash? One of LastPass’s claims is that they do not know your master password nor can they decrypt your data. How does it work?
Encryption key derivation
The encryption key with which all your passwords are encrypted is derived from your username and master password. Specifically, PBKDF2-SHA256 is applied to your master password, using the username as the salt, with 500 or 5,000 rounds by default (depending on how old your account is).
In order to authenticate to LastPass without giving away your encryption key, one additional round of PBKDF2-SHA256 is applied. This time, the salt is the master password and the input is the encryption key.
This is what is sent to LastPass, but it is not what is stored in the database. As explained above, LastPass applies an additional 100k rounds to this hash with the server salt to further protect it.
So, what can they do with the authentication hash? On paper there are two possibilities:
- Crack the master password: The attackers know the username (the email address) and the server salt, so for each candidate password they compute the 500/5,000-round PBKDF2 to obtain the candidate encryption key, apply the extra round with the candidate password as salt, and finally apply the 100k rounds with the stolen server salt to compare the result against the stolen hash. That is roughly 105,000 PBKDF2 rounds per guess (100,500 for older accounts), which is what makes this slow.
- Crack the encryption key: In theory one could guess the 256-bit encryption key directly, apply the extra PBKDF2 round and then the 100k server rounds. In practice this is not an option: the key space is far too large to search, and the extra round uses the master password as salt, so the attacker needs the password anyway. Guessing the master password is the only realistic route, and its cost is bounded by how weak the password is.
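To make the derivation chain concrete, here is a small Python model of the client-side key derivation, the authentication hash, the server-side re-hashing and the offline guessing loop an attacker with the stolen data would run. This is an added example written for this post, not LastPass code; the round counts match the ones quoted above, while the byte-level details (UTF-8 encoding, lower-cased username, 32-byte outputs) and the sample account and wordlist are assumptions constructed for illustration.

```python
import hashlib

# Round counts quoted in the post: 500 or 5,000 rounds client side depending
# on account age, plus 100,000 rounds server side. Output length of 32 bytes
# (a 256-bit key) is an assumption for this model.
CLIENT_ROUNDS_DEFAULT = 5000
SERVER_ROUNDS = 100_000
KEY_LEN = 32


def derive_encryption_key(username: str, master_password: str,
                          rounds: int = CLIENT_ROUNDS_DEFAULT) -> bytes:
    """Client side: PBKDF2-SHA256 over the master password, salted with the
    username. Lower-casing the username and UTF-8 encoding are assumptions."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.lower().encode("utf-8"), rounds, KEY_LEN)


def derive_auth_hash(encryption_key: bytes, master_password: str) -> bytes:
    """Client side: one more PBKDF2-SHA256 round with the key as input and the
    master password as salt. This is what goes over the wire, never the key."""
    return hashlib.pbkdf2_hmac("sha256", encryption_key,
                               master_password.encode("utf-8"), 1, KEY_LEN)


def server_stored_hash(auth_hash: bytes, server_salt: bytes,
                       rounds: int = SERVER_ROUNDS) -> bytes:
    """Server side: re-hash the received auth hash with a random per-user salt.
    This value and the salt are what the attackers obtained."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, rounds, KEY_LEN)


def work_per_guess(client_rounds: int, server_rounds: int = SERVER_ROUNDS) -> int:
    """Total PBKDF2 rounds an attacker must compute for one password guess."""
    return client_rounds + 1 + server_rounds


def offline_guess(email: str, server_salt: bytes, stored_hash: bytes,
                  candidates, client_rounds: int = CLIENT_ROUNDS_DEFAULT,
                  server_rounds: int = SERVER_ROUNDS):
    """What an attacker holding email + server salt + stored hash can do:
    recompute the whole chain for each candidate master password. Returns
    (password, encryption_key) on a hit, None otherwise."""
    for candidate in candidates:
        key = derive_encryption_key(email, candidate, client_rounds)
        auth = derive_auth_hash(key, candidate)
        if server_stored_hash(auth, server_salt, server_rounds) == stored_hash:
            return candidate, key
    return None


# Constructed sample account. A real server would draw the salt from os.urandom;
# a fixed value is used here so the example is reproducible.
DEMO_EMAIL = "alice@example.com"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_SERVER_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def demo():
    # Legitimate enrolment: client derives key and auth hash, server stores re-hash.
    key = derive_encryption_key(DEMO_EMAIL, DEMO_PASSWORD)
    stored = server_stored_hash(derive_auth_hash(key, DEMO_PASSWORD), DEMO_SERVER_SALT)
    # Attacker's view: only email, salt and stored hash, plus a small wordlist.
    wordlist = ["password", "letmein", "correct horse battery staple"]
    hit = offline_guess(DEMO_EMAIL, DEMO_SERVER_SALT, stored, wordlist)
    return hit, work_per_guess(CLIENT_ROUNDS_DEFAULT)


if __name__ == "__main__":
    hit, cost = demo()
    print("recovered:", hit[0] if hit else None, "| PBKDF2 rounds per guess:", cost)
```

The model makes the two points of this section visible: a correct guess of the master password yields the encryption key as a by-product (the `key` returned by `offline_guess`), and every wrong guess still costs the full chain of client plus server rounds, so a weak master password is the only thing that makes the attack practical.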
Still, the attackers did not get access to the encrypted vault, so they would have to log in to LastPass successfully in order to obtain it. Therefore, two-factor authentication is key here: it will prevent that login in the already unlikely case that the attackers did brute-force the master password.
What you need to know
LastPass is advising users to change the master password. While this is a good idea, it should not be the top priority. Pay more attention to the password reminder you set up (remove it if it says anything about your password), enable two-factor authentication if you have not already, and be on the lookout for phishing emails pretending to be from LastPass in the coming weeks.
In 3 weeks, I will give the talk “Breaking Vaults: Stealing LastPass protected secrets“ about how to steal the master password in different ways, and overall how secure LastPass is. It is interesting that the breach happened now (I promise it was not me) but I am happy that it was right before the talk. I will definitely add a couple more slides about the incident and will provide more information to the audience. I think it will be recorded in case you can’t make it to Hawaii :)