On June 15, LastPass disclosed that it had been hacked, and I think by now just about everyone has heard about it. I know I received questions because I have recommended LastPass often, and my advice has been to stay with them. What I want to do now is explain exactly why this was not quite the big deal it was made out to be in some quarters, and that anyone telling you to stop using password vaults is only asking you to lower your own security.
The LastPass blog post is titled LastPass Security Notice and was posted on their site June 15, 2015. In addition, e-mail went out to every LastPass user advising them to change their Master Password. This is good advice, but pretty standard in these cases. But in the very first paragraph of their blog post they say:
“As expected, we work tirelessly to make sure that your data is safe. That’s why we quickly detected, contained, evaluated the scope of the incident, and secured all user accounts. We want to assure our users that our cyberattack response worked as designed.”
Now it is one thing to make these claims, and quite another to back them up. I think they are valid claims, and I want to explain why.
What the hackers got
According to the security notice:
“In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
This is not trivial, but the real point is that the safeguards LastPass put in place worked as designed. First, they clearly had segmented their network to keep key data in different areas, so that getting into one area does not get you into everything. This is one of the big mistakes Sony made. When hackers got inside, they got everything. At LastPass, getting into one network segment did not give access to the other segments, and key security info was split up. This really is a best practice for network security, and is one of the reasons this hack is not the big deal some people claim. None of your actual password data was accessed. But to see why this is not such a big deal, we need to look at how LastPass secures your passwords.
How LastPass does it
The idea of LastPass is to create a password vault that is secured by a strong Master Password. As we have discussed previously, strong passwords have both length and entropy. A really good password might be one that has 20 characters, including upper case and lower case letters, numbers, and special characters, all put together in a random jumble. The problem with that is that such passwords are really hard for people to remember. And with every site in the world requiring you to create a password, it gets impossible really quickly. But LastPass lets you create all of the strong passwords you need, store them in your LastPass vault, and you can then copy them as needed, or set LastPass to automatically fill in passwords on Web sites using their browser plugin. I do this, and it is very convenient. I only need to memorize my Master Password and use the to open the vault, and I only need to do that once after a reboot. For my purposes that gives me all of the security I want. Yes, if someone got physical access to my computer while LastPass was open they could read my passwords, but once anyone gets physical access it is game over for security. The threat I am trying to guard against is internet bad guys, and this does the trick.
When you create your LastPass vault, you create your secure Master Password. This is then combined with your user name, and this is hashed multiple times using SHA-256, and excellent hashing algorithm. The default is to hash 5,000 times, but in the Advanced Settings you can change this to another number. They advise you to not go over 20,000 rounds because of performance problems, but try it and see. You may not find it that much of a problem. As I said, I only need to go through opening my database once when I reboot, so it is not such a big deal, and it doesn’t really take long. And if you want to add to the entropy, use a number that is not round. I would advise anyone to change form the default since that adds one roadblock in the way of a hacker, and making it a non-round number adds another.
This process creates your key, which is then hashed another time and then sent to the LastPass server. There, they add a salt (a different random number for each user), and do another 100,000 rounds of hashing, before storing that resulting binary blob or random data in a database. So LastPass does not have your Master Password anywhere in their system, it only exists in your mind. All they have is a random binary blob that was generated from your Master Password, but is computationally difficult for even the best computers to get at. What they do need to store is the salt since that is essential to decrypting your data, but note that they stored the salt on different database in a different network segment from the database that actually has your data. That is exactly what you want them to do.
A Side Note
LastPass really does not have your password, and I have run into this. I once changed my Master Password to something that was more secure, and wrote down a hint about it. But my hint was either too obscure, or I did it wrong, because I could not open my vault. The only thing LastPass could do was let me open a version from before I changed the Master Password.
Threat model
As you know if you have followed my series I am a big fan of Bruce Schneier, and use what I call the Schneier model to evaluate threats and counter-measures. I took this from his book Beyond Fear, and you can read what I wrote about it here. The idea is to identify the threat you are guarding against, and then evaluate your proposed counter-measures in terms of how well they work against that threat. As I said above, the threat I guard against by using LastPass is that some Internet bad guy will get my logins and maybe do an identity theft on me, clean out bank account, and so on. But what LastPass is not going to entirely protect me from is a scenario where the government has decided I am a “person of interest” and is directly targeting me. If that is your problem you will need to take a look at other possible measures, and you could do a lot worse than to carefully follow the example of Edward Snowden in his interactions with Glenn Greenwald and others. But for me, right now I am not particularly interesting to my government, and I have simpler needs. So how safe am I?
Suppose someone actually got ahold of the database that has my encrypted binary blob of data, and also got the database with the salt and things that they actually did get in this attack. Is that game over? I say no. First, they do not have my Master Password. That means they would have ot actually crank through a lot of computation. If my password is not very good, they might get somewhere using a dictionary attack. That means they would have to take my user name and combine that with every password in their dictionary, and hash it. Worst case scenario here is that I never changed the default setting, so they hash it 5,000 times using SHA-256, then hash it again, combine it with the salt they got from the other database, hash it 100,000 times more, and see if they got a match. If it does not match, try the same thing again with another potential password, rinse and repeat. And this is the worst scenario for most of these options: you have a password that is in the dictionary, and you left the default alone for the hashes on your computer. Now, if this is the NSA and they think you are the next Edward Snowden, they have the computing power to do this, and they will eventually get in. But as I said, I am not trying to guard against that threat. An internet bad guy is not targeting me specifically, but is trying to get a bunch of passwords and logins they can use or sell. If they can crack half of the ones in the database that is a success for them, and I need to make sure I am not in that half. This like why you put a dead-bolt lock on your door. It won’t stop anyone determined to get into _your_ house, but it will make a burglar move along to another house that is less-well protected.
If you understand everything we have discussed above, you can see why this particular attack is less serious than it seems. LastPass really thought about security, did it right, and the result is that your passwords continue to be safe. If you listened to people who advised you to stop using LastPass, where would you be? Probably using insecure passwords that are less protected. Your security would actually go down unless you are an Edward Snowden level genius. So I advise you to stay with LastPass, but to make sure you are using it properly. So here are some things you should do.
LastPass Best Practices
- Never use your LastPass Master Password on any other site. If someone can crack that other site they would then get your password, and you no longer have any security. LastPass is built around the principle of keeping all of your eggs in one basket and guarding that basket very carefully. You need to have this one very secure password, and then let LastPass manage all of the others. It really works well.
- Make your Master Password highly secure. This means a combination of letters, numbers, and special characters. If possible, choose from all 95 of the characters available on a standard keyboard (or whatever that is for you). If you can memorize it all the better, but writing it down and putting it in your wallet is not a bad idea. Again, what is threat you’re guarding against? If you get arrested and they find that in your wallet they can get in, but that is not the threat I am guarding against. And you could write down the first part and have something you can remember that you add on the end if that concerns you. If for some reason you didn’t have a secure one before, consider this a wakeup call to make it secure now.
- Change the default setting (Go to Settings, Advanced Settings) for how many hashes LastPass does locally on your machine. Make it some random number, not a round number, and increase the number of rounds of hashing to as high as you can live with. Even if it takes a minute to load as a result, you only need to do this once when you reboot, and then it stays open for the rest of your session.
- Enable Two-Factor authentication for added security. Go to Settings, Multifactor Options, and there are a number of options. The one I use is Duo Security, and that is available for free accounts, though I pay for a Premium account. Duo Security has an app on my phone and when I try to login it sands a message to my phone and I have to authorize the login on my phone before it lets me in. BTW, I also use this Duo Security app to protect my WordPress web sites.
Listen to the audio version of this post on Hacker Public Radio!