Many of you have been asking for my thoughts on the #LastPass breach, and I apologize that I'm a couple days late delivering.

Apart from all of the other commentary out there, here's what you need to know from a #password cracker's perspective!

Your vault is encrypted with #AES256 using a key that is derived from your master password, which is hashed using a minimum of 100,100 rounds of PBKDF2-HMAC-SHA256 (can be configured to use more rounds, but most people don't). #PBKDF2 is the minimum acceptable standard in key derivation functions (KDFs); it is compute-hard only and fits entirely within registers, so it is highly amenable to acceleration. However, it is the only #KDF that is FIPS/NIST approved, so it's the best (or only) KDF available to many applications. So while there are LOTS of things wrong with LastPass, key derivation isn't necessarily one of them.

Using #Hashcat with the top-of-the-line RTX 4090, you can crack PBKDF2-HMAC-SHA256 with 100,100 rounds at about 88 KH/s. At this speed an attacker could test ~7.6 billion passwords per day, which may sound like a lot, but it really isn't. By comparison, the same GPU can test Windows NT hashes at a rate of 288.5 GH/s, or ~25 quadrillion passwords per day. So while LastPass's hashing is nearly two orders of magnitude faster than the < 10 KH/s that I recommend, it's still more than 3 million times slower than cracking Windows/Active Directory passwords. In practice, it would take you about 3.25 hours to run through rockyou.txt + best64.rule, and a little under two months to exhaust rockyou.txt + rockyou-30000.rule.

Keep in mind these are the speeds for cracking a single vault; for an attacker to achieve this speed, they would have to single out your vault and dedicate their resources to cracking only your vault. If they're trying 1,000 vaults simultaneously, the speed would drop to just 88 H/s. With 1 million vaults, the speed drops to an abysmal 0.088 H/s, or 11.4 seconds to test just one password. Practically speaking, what this means is the attackers will target four groups of users:

1. users for which they have previously-compromised passwords (password reuse, credential stuffing)
2. users with laughably weak master passwords (think top20k)
3. users they can phish
4. high value targets (celebs, .gov, .mil, fortune 100)

If you are not in this list / you don't get phished, then it is highly unlikely your vault will be targeted. And due to the fairly expensive KDF, even passwords of moderate complexity should be safe.

I've seen several people recommend changing your master password as a mitigation for this breach. While changing your master password will help mitigate future breaches should you continue to use LastPass (you shouldn't), it does literally nothing to mitigate this current breach. The attacker has your vault, which was encrypted using a key derived from your master password. That's done, that's in the past. Changing your password will re-encrypt your vault with the new password, but of course it won't re-encrypt the copy of the vault the attacker has with your new password. That would be impossible unless you somehow had access to the attacker's copy of the vault, which if you do, please let me know?

A proper mitigation would be to migrate to #Bitwarden or #1Password, change the passwords for each of your accounts as you migrate over, and also review the MFA status of each of your accounts as well. The perfect way to spend your holiday vacation! Start the new year fresh with proper password hygiene.

For more password insights like this, give me a follow!
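The arithmetic in the post above, as an added example that is not part of the original post: it reproduces the quoted single-vault and multi-vault rates and extends them to the 5,000-round setting raised in the replies. Assumptions: throughput scales inversely with the PBKDF2 round count, and the two password policies and the salt value are constructed for illustration.

```python
import hashlib

# Figures quoted in the post above (Hashcat on one RTX 4090).
BASE_RATE_HPS = 88_000     # guesses per second against a single vault
BASE_ITERATIONS = 100_100  # PBKDF2-HMAC-SHA256 rounds behind that rate
SECONDS_PER_DAY = 86_400


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """The 256-bit derivation an attacker must repeat once per guess per vault."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def per_vault_rate(iterations: int = BASE_ITERATIONS, vaults: int = 1) -> float:
    """Guesses per second landing on each vault.

    Assumption: throughput scales inversely with the round count (PBKDF2 work
    is linear in rounds). Each vault has its own salt, so one derivation tests
    one password against one vault and the rate is divided between vaults.
    """
    return BASE_RATE_HPS * BASE_ITERATIONS / iterations / vaults


def days_to_exhaust(keyspace: float, iterations: int = BASE_ITERATIONS,
                    vaults: int = 1) -> float:
    """Days to try every candidate in `keyspace` (worst case for the attacker)."""
    return keyspace / per_vault_rate(iterations, vaults) / SECONDS_PER_DAY


def report() -> list:
    """(policy, iterations, vaults, days) rows for constructed password policies."""
    policies = {                      # constructed examples, not from the post
        "8 random lowercase letters": 26 ** 8,
        "4 random Diceware words": 7776 ** 4,
    }
    rows = []
    for name, keyspace in policies.items():
        for iterations in (5_000, 100_100):   # 5,000 is the figure from the replies
            for vaults in (1, 1_000):
                rows.append((name, iterations, vaults,
                             days_to_exhaust(keyspace, iterations, vaults)))
    return rows


if __name__ == "__main__":
    # Show that the round count changes the derived key, then print the table.
    salt = b"user@example.com"        # constructed salt value
    assert derive_key("pw", salt, 5_000) != derive_key("pw", salt, 100_100)
    for name, iterations, vaults, days in report():
        print(f"{name:28} {iterations:>7} rounds {vaults:>5} vaults {days:>14,.1f} days")
```

The table makes the defender's takeaway concrete: at a fixed attacker budget, both the round count on the account and the size of the password's keyspace move the exhaustion time by orders of magnitude.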

@epixoip 100,100 rounds is a new default. Many old accounts have the rounds set to 5,000.

@alx Incorrect. It was 5000 *client side* iterations plus 100,000 server-side iterations. See my comments on the 2015 LastPass breach for reference:

https://arstechnica.com/information-technology/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/

Hack of cloud-based LastPass exposes hashed master passwords

Users: Change your master password and enable 2-factor authentication immediately.

Ars Technica
@epixoip Ah, that is a relief. Thanks for the info.
@epixoip @alx are we sure about the additional server-side iterations? The announcement from LastPass the other day didn’t mention anything about that, and it sounded very much like the iteration count you have in your account settings is how many they use.
I checked mine and it was still set to 5000, so that along with the unencrypted metadata made me abandon ship to 1Password.
@HamAndChris @epixoip's link from 2015 quotes a LastPass blog post claiming "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side." So it's a pretty explicit claim, and despite their security failures it seems unlikely they would have weakened that setting since. FWIW.
@alx @HamAndChris @epixoip that sounds right, but what threw me off is that Friday's blog post links only to the spec for client iterations, without mentioning the server side / client side split at all

@rjcc Their “server-side iterations” never worked in the first place, they weren’t implemented correctly. I wrote about it here: https://palant.info/2018/07/09/is-your-lastpass-data-really-safe-in-the-encrypted-online-vault/. These findings are what prompted them to change the default to 100,100 iterations in 2018. Not sure whether LastPass still does it, but they know that it serves no purpose. Hence not mentioning it.

@alx @HamAndChris @epixoip

Is your LastPass data really safe in the encrypted online vault?

LastPass fanboys often claim that a breach of the LastPass server isn't a big deal because all data is encrypted. In reality, somebody able to compromise the LastPass server will likely gain access to the decrypted data as well.

Almost Secure
@WPalant @alx @HamAndChris @epixoip ah, I see, this is awful! But good to have the clarity LastPass isn't intent on providing
@alx @HamAndChris @epixoip hmm… their docs say that the salt is not random, it’s your username: https://infosec.exchange/@neilmadden/109570603420250703 But those docs don’t mention anything about a client/server-side split.
Neil Madden (@neilmadden@infosec.exchange)

An interesting detail about #lastpass is that apparently the PBKDF2 salt is your username, so entirely possible to precompute hashes prior to compromise. Source: https://support.lastpass.com/help/what-makes-lastpass-secure-lp070015

Infosec Exchange
@alx @HamAndChris @epixoip also, there are two PBKDF2 processes in play here: one used for authentication to the server and an entirely separate one to derive the vault encryption key. https://www.lastpass.com/-/media/175854c49fcb489baeaa87e78579e28f.pdf
@neilmadden @alx @HamAndChris @epixoip
Doesn’t matter if your salt isn’t random, so long as it’s unique.
@BenAveling @alx @HamAndChris @epixoip Depends if you are likely to be individually targeted. If you are then a predictable salt allows an attacker to precompute hashes prior to compromise, speeding up password recovery post-compromise. This is why OPAQUE goes to great lengths to hide the salt: https://datatracker.ietf.org/doc/html/draft-krawczyk-cfrg-opaque-03
The OPAQUE Asymmetric PAKE Protocol

This draft describes the OPAQUE protocol, a secure asymmetric password authenticated key exchange (aPAKE) that supports mutual authentication in a client-server setting without reliance on PKI and with security against pre-computation attacks upon server compromise. Prior aPAKE protocols did not use salt and if they did, the salt was transmitted in the clear from server to user allowing for the building of targeted pre-computed dictionaries. OPAQUE security has been proven by Jarecki et al. (Eurocrypt 2018) in a strong and universally composable formal model of aPAKE security. In addition, the protocol provides forward secrecy and the ability to hide the password from the server even during password registration. Strong security, versatility through modularity, good performance, and an array of additional features make OPAQUE a natural candidate for practical use and for adoption as a standard. To this end, this draft presents several optimized instantiations of OPAQUE and ways of integrating OPAQUE with TLS. This draft presents a high-level description of OPAQUE highlighting its components and modular design. A detailed unambiguous specification for standardization will be presented in future revisions of this document, or separately.

IETF Datatracker
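Both sides of the salt exchange above (unique is enough versus predictable enables precomputation), as an added example that is not from the thread or from LastPass's code. The usernames, password, guess list and the low iteration count are constructed so the demonstration runs quickly.

```python
import hashlib
import os
from typing import Dict, Optional

ITERATIONS = 1_000  # constructed: kept low so the demonstration runs quickly
CANDIDATES = ["123456", "letmein", "hunter2", "qwerty"]  # constructed guess list


def kdf(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def precompute(salt: bytes) -> Dict[bytes, str]:
    """All of the expensive KDF work, done once for a single salt value."""
    return {kdf(candidate, salt): candidate for candidate in CANDIDATES}


def demo() -> Dict[str, Optional[str]]:
    password = "hunter2"                                    # constructed weak password
    alice, bob = b"alice@example.com", b"bob@example.com"   # constructed usernames

    # Salt = username: the value is public, so this table can exist
    # before any breach has happened.
    table_for_alice = precompute(alice)

    return {
        # Once the stored hash leaks, recovery is a lookup with no KDF work left.
        "username salt, same user": table_for_alice.get(kdf(password, alice)),
        # Uniqueness still holds: the table built for Alice misses for Bob.
        "username salt, other user": table_for_alice.get(kdf(password, bob)),
        # Random salt: unknown until the breach, so nothing could be prepared.
        "random salt": table_for_alice.get(kdf(password, os.urandom(16))),
    }


if __name__ == "__main__":
    for case, recovered in demo().items():
        print(f"{case:28} -> {recovered}")
```

A unique salt removes sharing of work between users; only an unpredictable salt also forces all of the work to start after the compromise.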

@neilmadden

True, but something of an edge case. Especially so here, given that the disclosure timing was chosen by the adversary.

@epixoip No, the server-side iterations were a joke. They only applied that to the hash used to verify correct logins, but the encryption key was still derived with 5000 iterations and it was used to encrypt pretty much everything. In 2018 I actually found pieces of data that were encrypted with that key and that any website could easily steal: https://palant.info/2018/07/09/is-your-lastpass-data-really-safe-in-the-encrypted-online-vault/. That’s why they changed the default, but they apparently didn’t bother upgrading old accounts (or at least not all of them).

@alx

@WPalant @alx Oh shit! Ok that definitely changes some things...

@epixoip Yeah. Back in 2018 I urged them to check their logs for suspicious referrers on requests to that script. Just to see whether anybody was already stealing this data. Because the vulnerability was way too obvious.

They never replied, and I don’t think that they did this. Their philosophy seems to be: if we don’t go looking, we won’t learn about a compromise, so we don’t have to publicly admit it.

And here they at least had logs. For way too many critical vulnerabilities in their browser extension there was no way for them to know whether these were already being exploited to exfiltrate people’s passwords. This didn’t stop them from confidently declaring that they fixed the issue before anyone could exploit it.

@alx

@WPalant @epixoip @alx one could read this LastPass blog as a promise to upgrade all existing users from 5000 to 100,100 clientside iterations (2018) https://blog.lastpass.com/2018/07/lastpass-bugcrowd-update/
LastPass BugCrowd Update - The LastPass Blog

Learn about a few recent product improvements that are now live, as a result of the bug bounty program.  

The LastPass Blog

@valentijn Yes, same in the statement they gave me and which I quoted under https://palant.info/2018/07/09/is-your-lastpass-data-really-safe-in-the-encrypted-online-vault/:

> The default for new users was changed in February 2018 and we are in the process of automatically migrating all existing LastPass users to the new default.

They certainly didn’t deliver for some users, and I’m not certain whether they delivered at all.

@epixoip @alx


@WPalant

Did they not even change the default in Feb 2018? I have an account created on 7 July 2018 that was set to 5000...

@valentijn @epixoip @alx

@popcorncx That’s weird. They definitely changed it in February 2018, I verified that.

Edit: Just checked this, I confirmed the default being changed on February 24, 2018. Did they reverse the change at some point to reinstate it later maybe?

@valentijn @epixoip @alx

@popcorncx @WPalant @valentijn @epixoip @alx Where can we check our own account value? This is going to be a whole mess as I get all my non technical people sorted out.

@AGTMADCAT Here is the help article: https://support.lastpass.com/help/general

It’s under General preferences in Account Settings, a setting called “Password Iterations”

@popcorncx @valentijn @epixoip @alx

How do I change my General preferences in Account Settings? - LastPass Support

You can manage various general preferences in the Account Settings for your LastPass account.

@WPalant @valentijn @epixoip @alx They certainly did for some -- I'm a very old account, and they definitely upped me to 100,100 at least a couple of years ago. (And then screwed something else up, with the result that I wound up setting my account to a different, somewhat higher number.)

@epixoip Fun fact: also back in 2018 I pointed out that not encrypting “equivalent domains” data is a bad idea. Anybody who can manipulate the data on the LastPass server will be able to trick the extension into filling in passwords on the wrong sites – exfiltrating passwords without having to decrypt anything. I received a bug bounty for this report, it was marked as “resolved” in 2018. Yet now I see that this data is still unencrypted. No idea how this is supposed to be resolved.

And I’m afraid to even look into the “custom_js” attribute of theirs. It was pointed out back in 2015 just how dangerous this is: https://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/. Yet this attribute is still present today. I suspect that it is still in use and still unencrypted.

@alx

Even the LastPass Will be Stolen Deal with It!

How to obtain encryption keys to decrypt the LastPass vault in different scenarios

Martin Vigo

@epixoip @alx, my understanding based on the documentation is that the vault is only based on the client side rounds, not the server side. They are only used for the auth / online hash.

Default rounds for really early users were 500, and after a while 5000; later they changed to 100100.

https://www.lastpass.com/-/media/175854c49fcb489baeaa87e78579e28f.pdf

@epixoip @alx >Users: Change your master password and enable 2-factor authentication immediately.

"the horse has bolted, but lock the stable door anyway" is garbage advice for people worried about the horse.

Step 1: https://vault.bitwarden.com/#/register?premium=purchase but DO NOT use the same master password you used with LastPass

Step 2: https://bitwarden.com/help/import-from-lastpass/

Continued...

#LastPass #LastPassHack

Bitwarden Web Vault

@epixoip @alx Step 3: Delete all saved credentials from LastPass, then https://support.lastpass.com/help/restore-deleted-items-and-folders BUT delete them from the deleted items list instead of restoring them

Step 4: Delete your LastPass account at https://lastpass.com/delete_account.php ... if you can lol https://infosec.exchange/@chiesennegs/109570145849933257

Step 5: Change the passwords for the most important services (registrar of any domains you own, email, bank, PayPal, etc)

Step 6: There is no step 6. -FIN-

Restore Deleted Items and Folders - LastPass Support

When you delete passwords, secure notes, or items from your LastPass vault, the items are sent to your Deleted Items repository where they are stored for up to 30 days from the date they are deleted.

@apicultor @epixoip @alx
Don't import those passwords. You have to change them anyway.
Also, when you change the password, it's a good time to decide whether you still use the service. Maybe you can remove the accounts you no longer need.
@mikulskibartosz @epixoip @alx Yes, do import them, so you have a record of what you have to change.
@apicultor @epixoip @alx why bitwarden instead of 1password please? Currently use Lastpass with a yubikey, I want to know the best option. Thanks.

@yeleek

LastPass has probably leaked an encrypted copy of your "vault" of passwords, the latest in a string of LastPass security failures. Using a yubikey does not defend you against this. In addition, LastPass's encryption method may allow attackers to try encryption keys for your vault much faster than the current state of the art would allow. In addition, they failed to encrypt metadata associated with your passwords. These are serious design and operational...

@apicultor @epixoip

@yeleek

...failures, which suggests that more and more serious failures will come to light regarding LastPass's handling of people's passwords.

There is not much to recommend Bitwarden over LastPass at this stage, other than that 1) It's open source, so its handling of encrypted passwords is easily auditable and 2) so far they haven't screwed up in the ways LastPass has. To me, those are compelling reasons to move away from LastPass to *something* else, though.

@apicultor @epixoip

@alx @epixoip I have an ancient LastPass and when I checked after hearing about this 5k on old accounts issue, I went and checked and found that I was already using the 100k setting. I have never looked at that setting. So there's more at play than account age.

@epixoip How about encouraging folks to #KeePass instead, especially #KeePassXC?

It's free, open source, and offline most importantly while the user is in complete control of their data.

@joe
Two things I spotted: because the URLs were not encrypted, it would be possible to target .gov passwords; and, as it was a backup, how often is the backup refreshed? Even if you deleted your LastPass vault the day before the breach, the backup may still exist.
@epixoip
@joe I don't like KeePass and I don't think it's a good solution for the average user. Sure, solid crypto, that's great. But it's obviously a password manager designed by crypto people and thus severely lacking in the UX department. A good password manager eliminates steps from your workflow and is as transparent as possible.
@epixoip @joe
KeePass is So. Frigging. Painful.
Played with it and the UX is just not what I want to suggest to non-techies. And it’s even a bit much for me.
I really think the value of “easy, works on every device” outweighs the risk of using a cloud service ASSUMING that the cloud service is well run and not run by morons… the rumors that the Notes field in #FuckLastPass wasn’t encrypted scares the crap out of me…
@dirkhh @epixoip @joe for me KeePassXC was the silver bullet. Awesome integration into browsers, Android support, desktop application... Everything is there
@dirkhh @epixoip @joe You don't like KeePass or KeePassXC? Quite different UX between the two. The latter is much improved over the former.

@charlesroper

The main issue that I couldn't make work with KeePassXC was multi device use. Also, the browser integration overall (on Mac) feels less smooth.
@epixoip @joe

@dirkhh @epixoip @joe I've not had any problems with multi-device use. I use OneDrive to sync my database files. I use KeePassDX on Android and KeePass Touch on iOS - both work directly with OneDrive. Browser integration, yeah, having to link the extension to the app is an extra step, but after that it feels like any other password manager pretty much.

@charlesroper
So now I need a cloud that I use on each device - and that I trust to hold the database file. Which kinda gets me to the same (or a worse) place than using #1Password, right?

I’ll admit that I haven’t found any cloud (OneDrive, GoogleDrive, DropBox, iCloud - which of course would exclude Android and Linux) that I trust enough for that. And of course I’m the weirdo who would want to be able to use this from macOS, iOS, Android, and Linux…

@epixoip @joe

@dirkhh @epixoip @joe Yes, definitely tradeoffs. I just like the decentralised, portable nature of a kdbx file. I can use whatever cloud provider I want, or my own server, or none. I don't feel held hostage to any particular subscription service, which I am keen to avoid.

@charlesroper

That makes perfect sense to me.

I'm looking for something that's secure and convenient for myself and my family, including the ability to share the credentials for certain accounts (e.g., the EV charging network credits for one of the cars we all share)
@epixoip @joe

@charlesroper @dirkhh @epixoip @joe Similar solution I had yrs ago when TrueCrypt was all the rage. Just harder with a family to support in security. Didn’t know about extension for KPX. Have always used KPX for work where I never use cloud storage.
@tehmasp @dirkhh @epixoip @joe To be clear, KeePassXC and KeePassX are different things. I’ve only used the former.

@dirkhh @charlesroper @epixoip @joe I have a #SyncThing #Docker container running under #OpenMediaVault on a #RaspberryPi to keep my #KeePassXC data updated with any changes I make with #KeePassDX on one of my mobile devices. Of course, I also have an off site, offline backup too, but that's just a thumb drive.

I know it sounds like a lot, but this way I don't have to use some untrusted, closed source, proprietary, third party to host my data.

@mcrocker
I can admire the dedication and agree with the sentiment.
I'm also realistic enough to know that I wouldn't be able to make this work with low enough friction to replace something like #1password for myself and my family...

@charlesroper @epixoip @joe

@dirkhh @mcrocker @epixoip @joe

Yes, I find using the cloud storage we already use as a family (we have a Microsoft 365 subscription, so everyone gets 1TB of space on OneDrive) to store and sync the database along with the built-in sharing feature to be perfectly good. Ease of maintenance and portability is definitely a key consideration for me. I have limited time and attention! 😅

@charlesroper @dirkhh @epixoip @joe excellent point. As much fun as geeky, hobbyist, do it yourself solutions are, they aren't practical for most people with busy, complicated lives.

So, when asked, I explain what I use, then say I've never used it, but #BitWarden seems to be the way to go for most folks.

@dirkhh @charlesroper @epixoip @joe I was in the "don't trust the cloud with my important stuff" for years. After working with MSFT on some security-related projects and learning more about OneDrive, I now back up my stuff to a 1TB "user" in my MS365 subscription using the linux onedrive app. Much simpler to set up than syncthing, and doesn't require me to carry backup drives around. Tried that too, in the past, and sometimes I forgot, etc. Now, it's all automatic.
@charlesroper @dirkhh @epixoip @joe I use Dragon speech recognition and KeepassXC is incredibly Dragon-unfriendly. Keepass plays beautifully with Dragon.

@epixoip @joe

I'd add that in-browser password management (such as #BitWarden or similar) can help regular users avoid phishing via look-alike sites because the manager will not fill in fields or even show any results for the fake site.

At least, that's my theory.

I know when I use #KeepassXC, I always double check the site URL myself, just to be sure.

@chris_spackman @epixoip @joe To be extra sure, delete the domain name and retype it yourself to also avoid the cases where they've used very similar-looking unicode characters to make it look like the real domain.
@chris_spackman @epixoip @joe can confirm that my password manager has prevented me from sharing a password with the wrong site a few times.
@chris_spackman @epixoip @joe I open the login link _from_ keepass / keepassXC and then log into the site :)
@epixoip
Sure, but if keepassxc were recommended more, and more were using it, perhaps more rough edges would get worked on or out.

I'm in one of those privileged situations where having my own nextcloud + keepassxc + apps works out great.
@joe
@epixoip @joe you don't like KeePass because it doesn't fit average users' needs, or are there other reasons?
@epixoip @joe What's your opinion of Codebook (formerly STRIP)? It syncs through a choice of several cloud storage services, in your own personal file store.