As you may have heard, LastPass had a significant data breach last year. LastPass first published news about the breach in August, but didn’t reveal the full extent of the damage until December 22. Attackers were able to capture the encrypted vaults that held the passwords for LastPass users. Ouch.
The good news is that the vaults are encrypted. Unless the encryption is broken or the master password is used to decrypt them, the content inside the vaults is safe. LastPass says they’re safe for “millions of years” in their blog post about it, assuming users protected their vaults with strong master passwords. Other good news is that even if these passwords are compromised, you can always change them to something different. It’s certainly a hassle to do that for all of your passwords, but it’s not the end of the world.
There’s lots of bad news about this, however. A few of my major concerns:
- I suspect that many (most?) users do not have a sufficiently complex master password to survive brute force cracking attempts. I completed an incident handling bootcamp from SANS (SEC 504 – highly recommended if you’re into this sort of thing) where we leveraged the free and open source tools for cracking passwords. It’s remarkably cheap and easy to crack the simple passwords I see people use all the time.
- Our encryption technologies are evolving as we discover weaknesses in today’s methods and computers get more powerful. I don’t have a crystal ball, but I suspect in 5-10 years, if not sooner, our technology advancement will make cracking these passwords trivial. In no way do I believe even the strongest passwords will survive the “millions of years” test LastPass claims because it ignores technological progress.
- LastPass is used not only for storing passwords, which are easily changed, but also other important information, like social security numbers and related identity documents. Once that information is out in the wild, you can’t make it private again.
To make matters worse, LastPass URLs are not encrypted with the vault. This makes it pretty easy for attackers to determine what you’ve got stored in LastPass to potentially prioritize cracking higher value vaults first.
I hope that LastPass (and other companies that manage this sort of sensitive information) implement the changes necessary to prevent this type of breach in the future. I like 1Password’s approach of storing a secret key on your device to be used in combination with the master password. In the event they get breached, the encrypted vault cannot be opened without cracking the master password AND obtaining the secret key.
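To make the secret-key idea concrete, here is an added example (my own illustration, not LastPass’s or 1Password’s actual code or settings) that derives a vault key two ways: from the master password alone, and from the master password mixed with a device-held secret key. The PBKDF2 iteration count, salt, secret key, weak password and the short list of guesses are all constructed for the demo. It then models a breach where the stolen data is the per-user salt and a key verifier, and shows that a correct password guess opens the password-only vault but not the two-secret one.

```python
import hashlib
import hmac

# Constructed parameters for this illustration only; LastPass and 1Password use their own
# (more elaborate) derivation schemes, and these are not their real settings.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def stretch_password(master_password: str, salt: bytes) -> bytes:
    """Password-only key derivation: slow on purpose, but guessable if the password is weak."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=KEY_LEN
    )


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Two-secret derivation (a simplified stand-in for 1Password's design): the stretched
    password is mixed with a high-entropy, device-held secret key via HMAC, so the
    result is unusable without the secret key even when the password is guessed."""
    return hmac.new(secret_key, stretch_password(master_password, salt), hashlib.sha256).digest()


def make_verifier(vault_key: bytes) -> bytes:
    """Hash stored next to the vault so a client can confirm it derived the right key
    before decrypting; it never reveals the key itself."""
    return hashlib.sha256(b"vault-key-verifier|" + vault_key).digest()


def key_matches(vault_verifier: bytes, candidate_key: bytes) -> bool:
    """Constant-time check of a candidate key against the stored verifier."""
    return hmac.compare_digest(make_verifier(candidate_key), vault_verifier)


def breach_scenario() -> dict:
    """Compare what a stolen vault is worth under the two designs.

    The owner chose a weak master password; the stolen data is the per-user salt and
    the stored verifier (the vault body is encrypted under the derived key). A short
    constructed list of common guesses stands in for a cracking wordlist."""
    salt = b"constructed-per-user-salt"      # constructed sample value
    secret_key = bytes(range(32))            # constructed; a real one is random
    weak_password = "password123"            # constructed weak choice
    guesses = ["123456", "password", "password123"]

    # What each service would have stored for this user.
    password_only_verifier = make_verifier(stretch_password(weak_password, salt))
    two_secret_verifier = make_verifier(derive_vault_key(weak_password, secret_key, salt))

    # Password-only design: the weak password is in the guess list, so the vault opens.
    password_only_opened = any(
        key_matches(password_only_verifier, stretch_password(g, salt)) for g in guesses
    )

    # Two-secret design: the same guesses, without the secret key, all fail. Whoever holds
    # the stolen data can only supply a secret key they do not have (all-zero stands in).
    two_secret_opened_without_key = any(
        key_matches(two_secret_verifier, derive_vault_key(g, b"\x00" * KEY_LEN, salt))
        for g in guesses
    )

    # The legitimate owner, holding both secrets, still opens normally.
    owner_opens = key_matches(
        two_secret_verifier, derive_vault_key(weak_password, secret_key, salt)
    )

    return {
        "password_only_opened": password_only_opened,
        "two_secret_opened_without_key": two_secret_opened_without_key,
        "owner_opens": owner_opens,
    }


if __name__ == "__main__":
    for name, outcome in breach_scenario().items():
        print(f"{name}: {outcome}")
```

The design point is that the secret key is never sent to the service and never derived from the password, so a breach of the server yields nothing that can be brute-forced back to a usable vault key; the password still matters, but only in combination with something the attacker does not hold.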
You can read more about the incident here:
And 1Password’s use of a secret key:
If you’d like some help navigating this situation with LastPass, just drop me a line.