About a year ago, I had sung praises of lastpass in my blog article. Yesterday, lastpass said that based on some traffic anomalies, they suspect that part of the encrypted database may have been retrieved by the bad guys. You may know about this as lastpass is asking every user to a) validate their email address and b) forcing you to change your master password.
This, of course, a bit disconcerting, but there is no need to panic unless you have used a simple, dictionary based password as your lastpass password — a very bad idea in the first place.
The whole idea behind lastpass.com is that instead of remembering 20 or more passwords — not easy as most banks and other websites require the use of complex passwords and some require password change every few months — you have to remember only one strong complex password: so using a simple — dictionary guessable — password for the only password that you need to remember is asking for trouble.
Here’s is the statement from lastpass.com:
"If you have a strong, non-dictionary based password or pass phrase, this shouldn’t impact you – the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that’s immune to brute forcing."
The way lastpass works, your master password is never sent — even once — from your browser to the lastpass server. lastpass.com has no knowledge of your master password. To reiterate, lastpass.com doesn’t (cannot) store your master password in any form. In other words, if you have forgotten your lastpass password — the only password you are required to remember — lastpass.com cannot help you as they have no idea what it is. Encryption of your database happens in your PC and lastpass.com has only your encrypted data.
What can the bad guys do with the encrypted database? They will typically try to compute the lastpass passwords of the user accounts, typically using what is known as rainbow tables, which is a time consuming process. The amount of time required would be dependent on the following parameters which lastpass.com has not disclosed (perhaps to not give info to the attackers). These parameters are:
- The length of the salt used in the password hash — longer the better.
- the number of rounds it is rehashed — more the better
- hash algorithm — SHA256 is better than SHA1 is better then MD5. Note that the first 2 items are lot more important than the choice of the hash algorithm.
Long salts make pre-computation of rainbow tables infeasible. So does increasing number of rounds. If long salts and-or multiple rounds are used, the attackers have to do the computation after retrieving the salt and password hash of the user — that is, after the theft.
The attack is not feasible — may take years — if you have chosen a complex password. But if you have chosen a weak password, you may be vulnerable. Note that when you first sign up for lastpass and enter your lastpass password, the system will tell you if your password is strong. Do not ignore it when lastpass tells you that the password is not strong.
Action items if you are a lastpass user:
Go to the lastpass site and after authenticating your email address and selecting a new complex password, look at all the accounts that are listed there. Login to each one of those accounts and change the password. Do not manually enter the password for these accounts. Use lastpass’s password generation facility to generate password of length at least 10. Now, even if the attackers manage to — after days of computation — compute your master password and decrypt the database, they won’t be able to access any of the accounts as you have changed the passwords. Of course, the attackers will get some info like the email address of the user. Also, if you have stored ‘secure notes’ they can read them too if they have been able to compute your master password.
Also, install the Lastpass pocket application which allows you to access your password vault — but not modify — when offline.
Though this theft of data is not at all good news, in a way I am glad that it happened now than later. Lastpass is getting very popular and so if this breach happened when the number of users is far larger than the current 1 million or so, there is potential for more harm.
I am glad to hear that lastpass.com will be switching to using Password-Based Key Derivation Function: PBKDF2 with 256 bits hash, 100,000 rounds and SHA-256 hashing algorithm. They should have done this in the first place. With this, you can be rest assured that even if the attackers steal the database from lastpass.com again they cannot do harm. But please do your part and choose a long complex lastpass password. After all you need to do this only once.