if you run into anyone trying to discount the severity of the lastpass breach by saying the master keys are impossible to crack, ask them how lastpass' key derivation works, what a credential stuffing attack is, and how well PBKDF2 scales on GPUs.

given the details, it looks like anyone whose data was in the breach and who also reused their master password elsewhere is in imminent danger of having all their passwords compromised, as is anyone who used a relatively common password.

they're using 100100 rounds of PBKDF2-SHA256, which is generally acceptable for that algorithm, but since it's not a memory-hard password function (like Argon2id) it's still quite feasible to perform a stuffing dictionary attack on a GPU cracking rig with the most common passwords that meet the complexity requirements.
if I were working at lastpass I'd be calling my security contacts at AWS, GCP, and Azure, and begging them to keep an eye out for new accounts signing up for GPU instances, just in case the people who stole the data decide to leverage a heap of cloud GPU time to bust the keys.
back of the napkin maths says a single RTX 4090 can test around 100,000 of lastpass' KDF hashes per second using Hashcat. so it wouldn't take long to spray the top ten thousand passwords across all the leaked accounts.
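Added example (not part of the original thread): the napkin estimate above as a small defender-side calculator. It assumes the guess rate scales inversely with the PBKDF2 round count and takes the thread's figure of about 100,000 guesses per second at 100100 rounds on one GPU as the baseline; the account list and function names are constructed for illustration.

```python
# Figures quoted in the thread: ~100,000 guesses/s on one GPU at 100100 rounds.
BASELINE_RATE = 100_000
BASELINE_ITERATIONS = 100_100
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def guess_rate(iterations, gpus=1):
    """Guesses per second, assuming PBKDF2 cost is linear in the round count."""
    return BASELINE_RATE * BASELINE_ITERATIONS / iterations * gpus

def wordlist_seconds(iterations, wordlist_size, gpus=1):
    """Worst-case seconds to try a whole wordlist against one account."""
    return wordlist_size / guess_rate(iterations, gpus)

def random_password_years(iterations, alphabet_size, length, gpus=1):
    """Expected years to find a uniformly random password (half the keyspace)."""
    expected_guesses = alphabet_size ** length / 2
    return expected_guesses / guess_rate(iterations, gpus) / SECONDS_PER_YEAR

def min_random_length(iterations, alphabet_size, target_years, gpus=1):
    """Shortest random password whose expected search time meets the target."""
    length = 1
    while random_password_years(iterations, alphabet_size, length, gpus) < target_years:
        length += 1
    return length

def audit(accounts, wordlist_size=10_000, default_iterations=BASELINE_ITERATIONS):
    """Flag accounts below the default round count and quantify the gap."""
    findings = []
    for name, iterations in accounts:
        if iterations < default_iterations:
            findings.append((name, iterations,
                             default_iterations / iterations,   # how much cheaper each guess is
                             wordlist_seconds(iterations, wordlist_size)))
    return findings

# Constructed sample inventory: (account, PBKDF2 rounds configured).
SAMPLE_ACCOUNTS = [
    ("alice@example.test", 100_100),
    ("bob@example.test", 5_000),
    ("carol@example.test", 100_100),
]

if __name__ == "__main__":
    for name, rounds, factor, secs in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: {rounds} rounds, {factor:.1f}x cheaper per guess, "
              f"top-10k wordlist exhausted in {secs:.4f}s on one GPU")
    print("random [A-Za-z0-9] length for 1000 years vs 1000 GPUs:",
          min_random_length(100_100, 62, 1000, gpus=1000))
```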
@gsuberland I'm glad my Lastpass password is very long and very random
@Canageek and, I hope, fully unique to LP.
@gsuberland Yeah, one of the only ones I bother making truly unique.
@gsuberland A relative of mine works for Microsoft and told me lately that company accounts get stolen for renting VMs/GPU instances. It takes a while until someone notices. At least one company credit card has been charged several thousand € per day. IIRC it was MS itself suspending the account after a few days and informing the customer.

@nasi yeah, super common on most cloud platforms, and also on VPS hosts.

there are forums where you can buy access to compromised hosts for just a few dollars

@gsuberland
I don't think most cloud providers have the customer insights to differentiate machine learning use from password cracking use.... But I could be mistaken
@rx13 @gsuberland and if they did, that would be its own security problem.
@rx13 it's more related to the billing pattern than the workload. typically it's a new customer on a credit card, only interested in a large GPU instance, and then never does any more work. possibly followed by a chargeback / fraud report.
@gsuberland
I don't disagree, I'm just offering that cloud providers may not even be able to easily flag that relatively benign set of events without some significant effort
@gsuberland I wonder if the people behind the LastPass attack are based in a very large country that used to dominate bitcoin mining until bitcoin mining was recently banned there.
@michael_robinson there's no information that would point to attribution so far.
@gsuberland True, but the shortlist of usual suspects isn't that large, and whoever it was, presumably they had reason to believe they'd be able to do something useful with the exfilled bits.
@gsuberland This would already have happened, right? Since August.
@gsuberland AWS is extremely unlikely to do anything, as they'd either need to restrict new accounts from using GPUs (ie turn down legit business) or inspect the workloads on the instances (ie cause riots because AWS has never done that and this would not be a reasonable circumstance for them to start).

@gsuberland Lastpass claims to use 100,000 rounds but was using < 5000 before 2013 and some platforms were still using 5000 in 2020: https://blog.elcomsoft.com/2020/04/breaking-lastpass-instant-unlock-of-the-password-vault/

Also you can ...manually set the number of rounds?! https://support.lastpass.com/help/how-do-i-change-my-password-iterations-for-lastpass

Anyone want to guess how many rounds are in use on accounts that haven't logged in for a long time?

@gsuberland Confirmation some historical accounts still have 5000 rounds: https://news.ycombinator.com/item?id=34098873

@gsuberland the default now is 100100 rounds, but it used to be 5000 and they didn't upgrade old accounts to the new default. I wonder what proportion are still using 5000.
@gsuberland they're NOW using 100100 rounds. But only if you changed your password since the change, right? Otherwise, you have 5000 rounds. And this is 20 times weaker?
@gsuberland I know we're a ways off...but a quantum computer will likely crack all of this in minutes...they just need to sit on the data till a stable one is built
@cenobyte I'm pretty sure that QC doesn't have a suitable algorithm for optimising this type of hash cracking. Grover's algorithm is about the closest thing, but that's for keyspace searches not password cracking, so the computational complexity of the conventional approach would remain significantly lower even if we had an ideal QC implementation.
@gsuberland ok but isn't this a massive hint they provide never reuse your master password anywhere else.
@gsuberland I shudder at the thought that anyone would reuse a password for the master password but you know it's true

@gsuberland

I will take the opportunity to point out what 1Password does differently. While we don't plan _on_ being breached, we have to plan _for_ being breached.

We've designed the system so that if data is stolen from us, it remains uncrackable. Your account password is combined client side with a Secret Key that lives only on your devices.

For details see https://blog.1password.com/what-the-secret-key-does/ for more on this design.
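Added example (not part of the original post, and not 1Password's implementation): a simplified sketch of why combining the password client-side with a device-held secret leaves stolen server data with nothing to test guesses against. The HKDF-plus-XOR combination, the `key_check` tag and all names and values here are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_100  # PBKDF2 round count mentioned in the thread

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def password_only_key(password, salt, iterations=ITERATIONS):
    """Key depends on the password alone, so server data suffices to test guesses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)

def two_secret_key(password, device_secret, account_id, salt, iterations=ITERATIONS):
    """Simplified two-secret derivation: slow password hash XOR device-held secret."""
    slow = password_only_key(password, salt, iterations)
    fast = hkdf_sha256(device_secret, account_id.encode(), b"demo-device-secret")
    return bytes(a ^ b for a, b in zip(slow, fast))

def key_check(key):
    """Stand-in for 'the vault decrypts': a tag stored in the server-side record."""
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()

def guess_confirms(record, guess, derive):
    """True if a password guess can be confirmed using the given derivation."""
    return hmac.compare_digest(key_check(derive(guess, record)), record["check"])

def demo():
    salt, account = secrets.token_bytes(16), "user@example.test"   # constructed
    password = "correct horse battery staple"                      # constructed
    device_secret = secrets.token_bytes(16)   # never leaves the user's devices
    weak = {"salt": salt, "check": key_check(password_only_key(password, salt))}
    strong = {"salt": salt, "account": account,
              "check": key_check(two_secret_key(password, device_secret, account, salt))}
    # A holder of server data alone lacks the device secret and has to guess it too.
    no_secret = lambda pw, r: two_secret_key(pw, secrets.token_bytes(16), r["account"], r["salt"])
    on_device = lambda pw, r: two_secret_key(pw, device_secret, r["account"], r["salt"])
    return {
        "password_only": guess_confirms(weak, password, lambda pw, r: password_only_key(pw, r["salt"])),
        "two_secret_without_device": guess_confirms(strong, password, no_secret),
        "two_secret_on_device": guess_confirms(strong, password, on_device),
    }
```

Even the correct password fails to confirm against the two-secret record unless the device secret is also known, which is the property the post describes.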

@jpgoldberg @gsuberland Do you have a shorter version that shows message flows with too many greek letters :) between an existing device of mine and a new device of mine?

@adamshostack @gsuberland Sure, you can expect that "any day now."

At least I have graduated from graphviz to Tikz. But still haven't hit common ground with our design team.

@jpgoldberg @gsuberland And people wonder why no one shares their threat model. :)
@jpgoldberg @gsuberland
This and the fact that 1Password doesn't monitor your data via 3rd party is exactly why I switched to it over LastPass. (This is something that you had to opt out of in the LastPass settings pages, a step that I don't know worked anyway.)
@jpgoldberg
I was about to ask, but that post indeed does nicely answer questions I had :)
That is a nice design. I wonder how others fare in that regard (looks in direction of BitWarden)
@gsuberland
@jpgoldberg
To answer my own question, after reading https://bitwarden.com/help/bitwarden-security-white-paper/ same as LastPass "simply does stuff" (very similar stuff) to your password to get encryption key. No additional protections (from side of encryption). Though it does have the bonus of potentially being self hosted with VaultWarden.
@gsuberland

@viq @gsuberland, hmm. that is disappointing.

But I think I understand. BitWarden was never really designed for data synching. It has a much more "local" security model. We were the same until 2016. Just as our Secret Key does nothing for you against local attacks, something designed in a "synching is an add on" approach is not really going to have a place to plug in a mechanism like ours.

So we, and something like Tarsnap, can use the kind of thing we are doing. But that happens when you are designing a remote service.

@jpgoldberg
That's an interesting perspective, thank you
@gsuberland
@viq @gsuberland I believe that BitWarden makes use of "key files" to get a similar effect. But it is a long time since I looked closely.
@jpgoldberg
I may be missing it, but so far from my reading all the encryption keys they mention are either generated from password, or stored on the servers encrypted using keys generated from password.
Meanwhile 1password uses password as salt when generating encryption keys 🤣
@gsuberland
@jpgoldberg I’m a huge 1P fan, but I wonder how this fits with the enterprise account recovery stuff. As I understand it, the cloud stuff can generate new secret keys.

@seph, we (1Password) do not have the keys needed to perform those recoveries or anything that we could "crack" to get those keys.

But an enterprise that has both control of members email and does have the recovery group keys can take over the accounts of individual members in that enterprise. (This is documented.)

But a breach of the data we hold would not help in such a thing.

@jpgoldberg I think I've heard that, but I've always been unclear where they're stored. Are they somewhere in one of the enterprise admin vaults?
@jpgoldberg @gsuberland This is the main reason I prefer 1password over other alternatives alongside with the better UI/UX imho. Also your security design white paper is one of the best written documents I ever had to read.
@pym @gsuberland thank you. I really should get back to filling in some of the many missing sections.
@jpgoldberg @gsuberland Does 1P encrypt metadata as well or just the passwords (like LastPass did)?

@petersterne @gsuberland One person's metadata is another person's data.

1Password encrypts, among other things, URL, username, the title you give to the item, the title you give to your "vaults". But things like modification times, the item category (passport, secure note, login item, etc) are not encrypted.

@jpgoldberg @petersterne @gsuberland Wait, what. The ”secure note” IS NOT encrypted?
@bolstad @jpgoldberg @petersterne @gsuberland I think he meant the category type, not the content of a secure note :)
@_lennart @bolstad @jpgoldberg @gsuberland Yeah, the secure note itself is encrypted. The fact that it is a secure note is not.

@petersterne @gsuberland @bolstad, the contents of an item are encrypted. The type of the item is not.

So a secure note is encrypted. The fact that it is a secure note is not.

@jpgoldberg @petersterne @gsuberland Ok! Still metadata leakage, but far better; thanks for clarifying
@jpgoldberg @gsuberland If a hacker wants my porn he only needs to ask 🤣

@jpgoldberg @gsuberland If the lesson people learn from this is to move their passwords from one company's cloud to another company's cloud, they didn't learn the lesson, and will need to later.

Might not be 2023 or 2024, but creating the most tempting central target for an attacker will lead to a breach.

@jpgoldberg @gsuberland I've been using LastPass for a couple of years now and I really like them. Whenever I feel lonely, I can count on getting an email from them letting me know they've been hacked yet again.

My work uses 1password and it's pretty solid. Will most likely switch in the summer.

@vegetarianzombie bonus: if your company is using 1Password business, you can get your own, totally separate 1Password Families account for free 😉

(you’d have to take over payment of the Families account should you leave your employer, of course)

@scottlougheed Wow - that's great - thanks for the heads up. I'll take a look!

@vegetarianzombie for whenever the time is right to make the move 😊:

https://support.1password.com/link-family/
