LastPass: "We got hacked (again), and pretty sure they got encrypted customer vaults, metadata, phone numbers and our source code & network maps. But it would take *millions* of years to crack. Also, they're likely brute-forcing your vaults with any previous leaked creds."

Reporters: Is that true? "Millions" of years??

Cryptographers: AHAHAHAHAHAHAHAHAHAHAHA
*inhales deeply, holds ribcage that is aching from exertion* AHAHAHAHAHAHAHA. No.

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Security Incident December 2022 Update - LastPass

We are working diligently to understand the scope of the incident and identify what specific information has been accessed.

@kennwhite what's a more realistic timeline
@AriCohn @kennwhite The timeline depends mainly on the user's chosen password. A weak password could be cracked in less than a second, whereas for a very strong password it is a lot more than a million years. So what happens is that they will try millions of likely passwords for each account, and that will likely give them the data in some 10 to 20% of the cases. They could spend more computing power to get even more data unlocked, but returns diminish quickly.

@kennwhite

So what sort of resources would be needed to reverse encrypted password data? 😕🤷‍♂️

@simonzerafa @kennwhite Well a true reversing isn't typically infeasible. However you could take say the most popular 10,000 passwords and encrypt them to see if you have a match. With LastPass's poor security record not sure if they even use cryptographic salts. If they don't, an encrypted password could attack all LastPass passwords. With a salt they would have to separately encrypt each attempt.
@spikebike @simonzerafa not 10K - try top 100M. Past breach corpora are so ubiquitous, NIST actually recommends adding them to the user creation onboarding. And 100M+ is viable, depending on the gear & parallelization, in minutes or seconds.
@kennwhite @spikebike @simonzerafa Also depending on how the encryption was designed. But they most likely didn't use anything like argon for key derivation I'll bet.
@kennwhite @simonzerafa Possible you'd hope a password vault company would make good security decisions like requiring a decent amount of computation per uniquely salted password. However with good security decisions you wouldn't expect so many issues.

@spikebike @kennwhite

It seems that they use a PBKDF2 function with a customizable number of rounds, though it defaults to 100,100

https://support.lastpass.com/help/about-password-iterations-lp030027

About Password Iterations - LastPass Support

To increase the security of your master password, LastPass utilizes a stronger-than-typical version of Password-Based Key Derivation Function (PBKDF2). At its most basic, PBKDF2 is a “password-strengthening algorithm” that makes it difficult for a computer to check that any 1 password is the correct master password during a compromising attack.

@simonzerafa @spikebike @kennwhite

lastpass recently increased the number of rounds to 100100

if your account was created a long time ago, it's far less

you can check your account to see how many rounds it's using

@ares @spikebike @kennwhite

Mine seems to be using 100,100 and was never the earlier lower default value. I manually increased it.

@simonzerafa @ares @kennwhite Sounds good, but when LastPass has so many discovered problems, makes me wonder what other issues exist. Especially since they mentioned they detected a compromise, but not when it happened. Seems far from clear they even know.
@simonzerafa @ares @spikebike right, but that won't matter for users who reused credentials -- it just moves the throughput needle from a few microseconds to a few hundred milliseconds, which is irrelevant if you're working with known cleartext. Attackers literally have all the PRF input information. Extra iterations just make the confirmation a (tiny) bit slower.
@simonzerafa @ares @kennwhite I was on a thread elsewhere and 3 LastPass users saw the encryption iterations at 5000. A two generation old GPU managed 300,000 password attempts per second with 5000 iterations, and 15,500 attacks per second for the 100,100 iterations. I suspect that a decent fraction of vaults could be cracked quickly with those kinds of rates, even if your hardware is 2 generations old.
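Added example, not part of the thread: a small Python work-factor calculator that uses the single-GPU guess rates quoted above to compare a 100M-entry breach corpus against a randomly generated passphrase, and shows why per-user salts force a separate derivation per vault. The 7776-word list size, the PBKDF2-HMAC-SHA256 parameters, and the e-mail addresses used as salts are assumptions made for illustration.

```python
import hashlib

# Guesses/second quoted in the thread for one two-generation-old GPU,
# keyed by PBKDF2 iteration count.
RATE_BY_ITERATIONS = {5000: 300_000, 100_100: 15_500}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. Every guess costs one full derivation per salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def seconds_to_try(candidates: float, iterations: int, gpus: int = 1) -> float:
    """Time to test `candidates` guesses against one salted vault."""
    return candidates / (RATE_BY_ITERATIONS[iterations] * gpus)

def expected_years(keyspace: float, iterations: int, gpus: int = 1) -> float:
    """Expected time to hit a uniformly random secret (half the keyspace)."""
    return seconds_to_try(keyspace / 2, iterations, gpus) / SECONDS_PER_YEAR

def report() -> list[tuple[int, float, float]]:
    corpus = 100_000_000     # breach-corpus size mentioned in the thread
    passphrase = 7776 ** 5   # assumption: 5 random words from a 7776-word list
    return [(it, seconds_to_try(corpus, it) / 60, expected_years(passphrase, it))
            for it in RATE_BY_ITERATIONS]

def salted_keys_differ(iterations: int = 1000) -> bool:
    """Same password under two salts (constructed addresses) gives unrelated
    keys, so one derivation cannot be checked against every vault at once."""
    a = derive_key("Password1!", b"alice@example.com", iterations)
    b = derive_key("Password1!", b"bob@example.com", iterations)
    return a != b

if __name__ == "__main__":
    for it, minutes, years in report():
        print(f"{it:>7} iterations: 100M-entry corpus in {minutes:6.1f} min, "
              f"5-word passphrase in ~{years:,.0f} years")
    print("per-salt keys differ:", salted_keys_differ())
```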
@kennwhite Just don't trust your passwords to someone else, folks. Isn't that kind of obvious?
Best Password Manager for Business, Enterprise & Personal | Bitwarden

@sfierbaugh @kennwhite Something I've been trying to figure out: Does BitWarden's P2P nature mean that the information nabbed from LastPass (the encrypted vaults) were already publicly available for all BitWarden users, or does BitWarden have a level of protection on the P2P features that I wasn't previously aware of?
@mcc @kennwhite BitWarden isn't P2P per se, which would probably be a poor architecture for a password manager. It's open source and can be self-hosted or hosted securely (zero knowledge) online. Functionality is similar to LastPass but LastPass's commercial business model and architecture has an inherent tension which BitWarden's doesn't.

@sfierbaugh @kennwhite would Bitwarden be more resistant to offline brute forcing?

I know 1Password uses an additional "secret key" the user needs to migrate between devices.
I think Passbolt would be more resistant too, it uses GPG keys.

Is there something like this in Bitwarden?

@ktosiek @kennwhite Offline brute forcing like LastPass users are now facing is a nightmare scenario because the attacker can try repeatedly as fast as they can without rate limiting or anything, and using preassembled password tables, recent advances, and other tools. Your safety is dependent upon choosing a truly strong password that has not been reused on any other system.

@sfierbaugh @kennwhite I understand that offline cracking of human-generated passwords is a pretty effective way of breaking them. But some systems (like 1Password and Passbolt, mentioned earlier) use extra data, not just the user's password, for the encryption key.

I wonder if Bitwarden does that too? I've only found mentions of salting the master password with user's email.

Salt (cryptography) - Wikipedia

@sfierbaugh @ktosiek better answer is @epixoip 's exhaustive explanation here: https://twitter.com/jmgosney/status/1141613611087007744 (spoiler: rainbow tables haven't been a thing for KDFs, real world password recovery, or really, much of anything, for 10+ years).
Jeremi M Gosney on Twitter

“@therealjoetesta @TychoTithonus @thorsheim @Sc00bzT @Bitweasil @quelrods @veorq And that's why rainbow tables are wholly and utterly irrelevant in 2019. And 2018. And 2017. And 2016. And 2015. And 2014. And 2013.”


@kennwhite It's like physical lock adverts versus LockPickingLawyer. Bad locks open if you sneeze wrong. Great locks take a minute. Safes are made to take minutes (plural).

Millions of years? That's funny.

@dascandy42 @kennwhite Are you basing that skepticism on their use of PBKDF2, or are you saying that more generally you can't protect something that well?

I haven't done the math recently, but argon2id + a strong passphrase seems like it would take millions of years for a 50% chance of a guess, even on high-end hardware.

@varx @kennwhite Practical security relies a lot more on your actual input to authenticate than we want to admit. If your password is "Password1!" there's only so much you can do to keep that safe - anyone with that password will be slowed down by about as much as you yourself would be - sub-second times.

If people could remember good passwords it would be fine - but that is *exactly* what lastpass does for you, because people are bad at good passwords.

@varx @kennwhite And if you wonder "why Password1! ?" - Passwords have to have a capital letter, a number and a special character nowadays, and have to be 10 characters long.

See also "password requirements do not increase password strength". The odds of the first letter being the capital, and the number and special char being post-fixed is too dang high, as are the odds of it being the '1' and the '!'.

@dascandy42 @kennwhite Yeah. If you choose a bad master password, there's only so much technology can do to help you. :-)

But the master password is basically the *one* strong password you *have* to have, and I think people can handle that, if they're not lazy about it.

(My preferred memorable-passphrase generator these days makes suggestions like "petty-report-cherish-overwritten-solvent", which I use for master passwords, hard drive encryption, etc. For actual websites, I use one that makes stuff like "aWoXEH%K*lFNr}" since I don't have to memorize or even type it.)

@kennwhite @YourAnonNews I will never understand the #security model behind a #password database stored on the #cloud.
@emanuele @kennwhite @YourAnonNews long-term usability in a world where people in reality lose devices due to permanent failures, drive corruption, and theft.
I Am Not A Cryptographer, but I think that the issue is that you have a single master key across many individually encrypted fields, some of which may be known (therefore master key reversible), versus big opaque padded blob encrypted once, in which individual leaked content is harmless to whole.

@kennwhite

not to mention user emails, ip addresses, billing addresses, and *urls and other unspecified info all stored in plaintext in the vaults*

this is what lastpass calls their "zero knowledge architecture"

what a #clusterfuck

#YouHadOneJob

@ares @kennwhite all the annotations *and stored data with password reset info for other accounts*, etc, could be really bad just by themselves. Like all the shared password vaults containing passwords for intranet stuff with associated documentation...

@kennwhite

This is bad. I mean really bad. Awfully bad.

"Hey, give me your passwords! I will store them better and more securely than you'll ever be able to by yourself."

"Trust us, we know what we're doing!"

"This is just a scratch."

"If you did not follow best practices, it's your own problem..."

Come on #LastPass, die quickly and silently!

@kennwhite We really need to move back to just writing passwords on sticky notes again

@kennwhite

yeah, kinda hooky assertion.

i wrote my own password manager but decided not to use it.

https://jbminn.com/posts/password-manager/
https://jbminn.com/posts/passwords-part-two/

Password Managers

I’m exploring password managers. I want to test my current opinion & biases against what actually works. To do this, I’m designing and implementing my own password manager. What exactly is a password manager? In its simplest online form, a password manager is a scheme that automatically retrieves & presents to its associated website a password to satisfy a login challenge. A typical implementation involves storage of passwords mapped to users maintained in a commercial service which itself requires an authenticated login to utilize.

@kennwhite: This info might be handy, if you're thinking of jumping from LastPass. You'll need to change them all anyway, but this will at least let you get a record of what you'll need to change.

https://support.lastpass.com/help/export-your-passwords-and-secure-notes-lp040004

How do I export my LastPass vault data? - LastPass Support

You can export your LastPass vault data (including passwords, secure notes, form fills, Wi-Fi passwords, etc.) as a CSV or XML file, then print your data if you'd like to keep a copy for your own records. If you have set up vault identities, you can export data for all or individual identities.

@kennwhite all #centralized #SingleVendor / #SingleProvider solutions are bad.

Especially those holding credentials...

@kennwhite Shout out to everyone that laughed at me when I doubted the wisdom of giving some company all my passwords! Happy Hackadays!

@kennwhite

I’d be more curious what % they can crank instantly due to credential stuffing. I’d bet 70%.

@harold @kennwhite Experience indicates that on a regular web service, roughly 20% of active accounts are using passwords that have already been leaked elsewhere. I'd expect that a straight credential stuffing attack on LastPass master passwords would have a lower success rate than that, since people would probably be a *little* more principled. Call it maybe 10%?
@kennwhite I wonder if this might correlate with the huge increase in phishing spam I've seen recently. I've had Lastpass as a backup for a while to my main service, thinking I should dispose of it and get updating...
@kennwhite bruteforcing is probably not a good use of their money if they have plain text URLs. It's just a map for potentially reused passwords.

@kennwhite @joebeone "Zero knowledge" is just so misleading here, and I would argue even plain wrong. If they had zero information, you wouldn't need the cloud service/storage at all. So that doesn't match as a term.

Now the attacker has all that information as well and _only_ lacks the user password, which is typically not at the 128 Bit entropy level...

@kennwhite @joebeone @rene_mobile Password based key derivation is insecure without effective brute force slowdown. And that currently means secure hardware for the password check / key derivation.

@rene_mobile @kennwhite @joebeone No, it is unconditionally insecure.

It is unnecessary.

@hallam @kennwhite @joebeone I'm not sure I understand. There are still some scenarios where we can't (yet) get rid of passwords for very practical reasons. Bootstrapping, protecting the root of trust in any system, knowledge factor device unlock, etc. come to mind.

These require brute force mitigations, as the human brain is not really good at storing entropy. And for that, secure elements (server and client side) seem the most reasonable approach so far. What am I missing?

@rene_mobile @kennwhite @joebeone You are missing threshold cryptography.

Lastpass knew there are better designs, they just can’t be bothered to use them. Just like the company that makes the garage door opener still uses the TI rolling codes chips from the 1970s that were cracked in the 1980s.

If you use public key end to end, the key used to encrypt the passwords presents a work factor of 2^128 regardless of the user actions. There is no master password to choose.

This isn’t their first breach, they are breached repeatedly. I sent a note to their CEO 18 months ago after their breach then. Zero interest in fixing their product.

https://mathmesh.com/

The Mathematical Mesh

@hallam @kennwhite @joebeone What about e.g. firmware signing keys or screen unlock? At some point, master keys need to be unlocked in an offline setting.
@kennwhite Oh, hacked AGAIN, time to change my passwords :(.
@kennwhite probably an awesome time to change those Lastpass master passwords and maybe make them a little more complex. ;)