
The LastPass Data Breach: What it Means for Your Organisation and What You Should Do Next

When LastPass disclosed, just before Christmas 2022, that copies of customer password vaults had been stolen, it sent shivers through IT departments, business owners and personal users.

Many conscientious professionals had put ALL their passwords in one place – LastPass – because it was considered the Fort Knox of password security. Now that it had been compromised, it appeared EVERYTHING was at risk.

The fallout has been pretty frantic and, to be honest, that’s perfectly understandable. A serious breach CAN send a business under. (Incidentally, a LastPass user has filed a class action lawsuit against the company claiming substantial damages.)

In this post, we’re going to take the topic off the boil and give a cool and calm appraisal of the LastPass breach. We’ll try to see both sides, but – spoiler alert – we’re also going to be forthright about LastPass’s responsibility for this and its neglect of duty.

Most importantly, we’ll be giving you solid action points about what you should do right now to protect your business in the wake of this breach – and what you should do in the future.

The LastPass Security Breach – What Exactly Happened?

A recap. In December 2022, LastPass disclosed that attackers had copied a backup of customer vault data from its cloud storage, together with account information for millions of users: company names, end-user names, billing and email addresses, telephone numbers and the IP addresses from which customers had accessed LastPass. LastPass says the vault data itself was a mix of unencrypted fields (the website URLs of the entries in the vault) and fully encrypted fields (website usernames and passwords, secure notes and form-fill data).

What Did LastPass Say About the Breach?

They insist that all encrypted data is secure, protected by 256-bit AES. It can only be decrypted with a unique encryption key derived from each user’s master password. The master password is never known to or stored by LastPass and – based on zero-knowledge architecture principles – is known only to the user.

Why We Think Their Rationale Amounts to Some Serious Buck-Passing

You may have noticed that the last sentence above shifts the emphasis from LastPass to the user and their choice of password. After all, only they know the password.

Well, actually, we still need to keep our focus firmly on LastPass.

According to Intersys MD Matthew Geyman, every LastPass user should consider themselves a more likely target for fraudsters, spear phishers and social engineering attacks. There are also serious concerns about how LastPass handled master passwords: users should never have been able to set weak ones, and LastPass should have done the due diligence to make sure they couldn’t.

He says,

“As well as leaking the websites that users visit, this was also a security gap that should have been plugged long ago. If master passwords were too short, they could have nudged people to ensure they were longer and more complex.

“Simple prompts to help users to strengthen their passwords could have limited some of the potential impact of this high-profile attack. If only they had nudged people towards that and automatically made their password’s PBKDF2 encryption iteration higher, more of the attack’s impact could have been mitigated”.

Although LastPass has required a minimum master password length of 12 characters since 2018, we understand that, in some limited circumstances, longer-standing customers could still have been using shorter passwords. Regardless, we believe master passwords should be longer still: at least 16 characters.

However… We Should Absolutely Expect These Attacks to Happen

Matthew also says,

“Although this was a serious security breach, it is to be expected with every password manager at some point – they are high-value targets. Just as important for most people is that they’ll now be greater targets for fraudsters (who may never decrypt their passwords but may be able to target them by knowing which websites are contained in their vaults).”

Also, despite the breach, the encryption LastPass uses is strong. Users are only likely to be at serious risk if their master password is weak in the first place, or if their account was still on a low PBKDF2 iteration count, which makes every guess far cheaper for an attacker. (We’ll define strong/weak passwords and suggest a way forward below.)

What Could Happen Next?

Criminals holding a copy of your vault can attempt an offline brute-force attack: guess a master password, run it through the key derivation and see whether the vault decrypts. Against a long, random master password protected by a high iteration count this is impractical, so for most users it is very unlikely to succeed. Against a short or guessable master password, or an old account with only a few hundred iterations, it is a realistic threat.

One real risk is that the leak of lists of websites that users visit will allow hackers to identify high-value targets (for example users with cryptocurrency, or lots of financial accounts).

Says Matthew,

“Don’t panic. Encryption standards at LastPass are very strong. This is because LastPass uses a PBKDF2 function with SHA-256 to encode your master password into its encryption key; this function is run again and again, to compound overall strength (over 100k times by default). Depending on the quality of your LastPass password, it would still take hundreds to millions of years to crack the contents of your vault.”

You may have noticed Matthew’s caveat about the quality of your password. This gets to the heart of the matter, and it largely comes down to length and randomness. Even shorter passwords take real effort to crack, provided they are genuinely random. The figures below show roughly how long a brute-force attack would take against passwords of various lengths, assuming every character is chosen at random (high entropy):

  • 16-character complex passwords – almost impossible to crack; millions of years
  • 12-character complex passwords – hundreds of years and many millions of dollars on a single GPU (graphics processing unit)
  • 8-character complex passwords – 200 years and $1.5m on a single GPU

These estimates are taken from the Security Now podcast (Gibson Research Corp) and assume a brute-force attack against a vault protected by the default LastPass PBKDF2 iteration count of 100,100. Accounts still on a lower count (see below) are proportionally cheaper to attack.
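To make the mechanism Matthew describes concrete, here is an added example (written for this edit, not LastPass’s code) that models the key derivation and the attacker’s offline loop against a stolen vault copy. It assumes, following LastPass’s published design, that the PBKDF2 salt is the account email; the email address, the weak master password, the five-word guessing list and the HMAC-based “does this key open the vault?” check are constructed stand-ins (a real attacker would AES-decrypt a stolen field instead, at negligible extra cost per guess).

```python
import hashlib
import hmac
import time

# Constructed example, not LastPass code. Two facts are taken from the article:
# old accounts could be on as few as 500 PBKDF2 iterations, the later default
# was 100,100. Everything else (email, password, wordlist) is made up.


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256(master password, salt = lowercased account email) -> 256-bit AES key."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),   # salt = email is an assumption about the design
        iterations,
        dklen=32,
    )


def vault_check_value(key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the stolen vault?'.
    A real attacker AES-CBC-decrypts one stolen field and checks padding/plaintext;
    an HMAC over a fixed marker plays that role here. Either check costs microseconds,
    while PBKDF2 costs `iterations` HMAC-SHA256 calls, so the iteration count sets
    the price of every guess."""
    return hmac.new(key, b"constructed-vault-check", "sha256").digest()


def offline_guess(stolen_check: bytes, email: str, iterations: int, candidates):
    """The attacker's loop over a stolen copy. Returns (password, guesses) or (None, guesses)."""
    for n, candidate in enumerate(candidates, start=1):
        key = derive_vault_key(candidate, email, iterations)
        if hmac.compare_digest(vault_check_value(key), stolen_check):
            return candidate, n
    return None, len(candidates)


def seconds_per_guess(email: str, iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one derivation in this process (hashlib does the work in C)."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", email, iterations)
    return (time.perf_counter() - start) / samples


def demo() -> dict:
    email = "alice@example.com"               # constructed
    old_iterations, new_iterations = 500, 100_100
    weak_master = "Summer2019!"               # 11 chars; a pattern present in every cracking wordlist

    # What the attacker holds: a vault copy protected by the OLD key.
    stolen_check = vault_check_value(derive_vault_key(weak_master, email, old_iterations))

    # After the breach the victim raises the iteration count. The live vault is
    # re-encrypted under a different key; the stolen copy is untouched.
    new_key = derive_vault_key(weak_master, email, new_iterations)
    new_key_opens_stolen_copy = hmac.compare_digest(vault_check_value(new_key), stolen_check)

    # Constructed wordlist; real lists run to billions of entries.
    wordlist = ["password", "letmein", "Welcome1", "Summer2019!", "Tr0ub4dor&3"]
    found, guesses = offline_guess(stolen_check, email, old_iterations, wordlist)

    return {
        "found": found,
        "guesses": guesses,
        "new_key_opens_stolen_copy": new_key_opens_stolen_copy,   # False: the copy still needs the OLD key
        "cost_ratio_100100_vs_500": seconds_per_guess(email, new_iterations)
        / seconds_per_guess(email, old_iterations),
    }


if __name__ == "__main__":
    print(demo())
```

Two things fall out of running it: every guess against the stolen copy costs exactly as many HMAC-SHA256 calls as the iteration count the copy was encrypted with, so a 500-iteration account is roughly two hundred times cheaper to attack than a 100,100-iteration one; and raising the iteration count (or the master password) afterwards produces a new key for the live vault without changing the copy the attackers already hold, which is why the credentials inside that copy still need to be rotated.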

So, What Should You Do to Protect Yourself from Attack?

However unlikely a successful attack may be, if you are a LastPass customer you must take action to secure your data and limit the chance of damage. Do the following:

  1. Change your LastPass master password. If you haven’t already, do it now, and go beyond LastPass’ 12-character minimum: use at least 16 characters. This protects your account from here on; it does not change the copy of your vault the attackers already hold.
  2. ALSO, if your old master password was 12 characters or shorter, change the critically important passwords in your vault first (banking, email, anything with admin rights or payment details). Then work through ALL the rest of your LastPass vault passwords too.
  3. ALSO, if your old master password was 8 characters or shorter, let your IT department or cyber security provider know right away.
  4. ALSO, if you have an old account, check the number of PBKDF2 iterations in your account settings and raise it to at least 600,000, the current OWASP recommendation for PBKDF2-HMAC-SHA256 (or ask your IT department or cyber security provider for help). As with the master password, this hardens your live vault, not the stolen copy: only changing the credentials stored in the vault makes that copy worthless.
  5. Assume you’re at heightened risk of attack – forever. Unfortunately, hackers may now know more about you: who you are, what you do, where you go online and your work email accounts. This gives them the material for more convincing, targeted spear-phishing campaigns. If you’re a high net-worth individual or trade in cryptocurrency, expect to be targeted as a priority.
  6. If you’re technically minded, review the unencrypted part of your vault (the website URLs) to see what scammers could learn about you, and check for records still encrypted with the legacy ECB mode (in ECB, identical blocks of plaintext produce identical ciphertext, which leaks patterns even without the key). Change the password on any ECB record and save it as a new record, which will be stored in CBC mode. Ask your IT department or cyber security provider for help if you’re unsure.

Help! I Need Good Password Ideas

The longer and more random a password, the harder it is to brute-force. The objective is to increase randomness (bit entropy) so that an attacker who has stolen your encrypted vault, or a password hash, cannot guess the password in any useful time.

Aim for at least 16 characters, with a couple of capital letters, a couple of numbers and a special character or two. Padding with a run of full stops is a cheap way to add length. Do not use a phone number, date of birth or anything else about you: telephone numbers were among the data stolen in this very breach, and attackers feed exactly that kind of personal data into their guessing lists.

If you’re struggling to think of random words, look up Diceware: a method for picking words at random from a published wordlist using ordinary dice, so the randomness comes from the dice rather than from your memory.

Examples of bit entropy in passwords are below. Matthew says,

“If I were choosing a new Master Password, I’d choose something between examples 3 and 4 below (i.e., a Bit Entropy of 150+)”.

  1. Three random words
    o royalsandart
    o 12 lowercase letters = 56 bits of entropy (not good enough for a Master Password)
  2. Three longer words
    o royaltysandwichtransporting
    o 27 lowercase letters = about 127 bits of entropy (good enough for a Master Password, but can be improved)
  3. Three longer words, with capitals – shorter, but almost as good
    o RoyalSandwichTransport
    o 19 lowercase and 3 uppercase letters = 125 bits of entropy (easier to remember than the one above, with similar entropy)
  4. Three longer words, with capitals, numbers and special characters – note the ten full stops at the end (a good Master Password)
    o r0y@LSandwichTransport..........
    o 17 lowercase and 3 uppercase letters, 1 number, 11 special characters (32 characters in all) = about 210 bits of entropy by the same per-character count (much higher than all the other examples)

Is a password this complex necessary for everything? No, but this is for the keys to your vault. One caveat on the figures above: they treat every character as though it were chosen at random from the full character set. An attacker who tries combinations of dictionary words instead gets through “three random words” far faster: three words drawn at random from the 7,776-word Diceware list are worth about 39 bits against that attack, and four words about 52 bits. Length still helps, but words genuinely picked at random, rather than a memorable phrase, matter more than the per-character count suggests.
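The entropy figures in the list above and the cracking-time estimates earlier on this page come from a simple model. The following added example (not the article’s or LastPass’s code) implements that model so you can score a candidate master password yourself, puts the honest Diceware word-count figure beside it, and shows how the PBKDF2 iteration count scales the attacker’s cost. The HMAC-SHA256 rate per GPU is an assumed parameter, not a benchmark; substitute a figure you trust.

```python
import math

# Added example; not the article's or LastPass's code.
# Printable ASCII: 26 lower + 26 upper + 10 digits + 33 punctuation/space = 95.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def charset_size(password: str) -> int:
    """Alphabet an attacker must cover if they know which character classes appear."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["special"]
    return size or 1


def charset_entropy_bits(password: str) -> float:
    """Per-character model used in the article: length x log2(alphabet size).
    Assumes every character was chosen uniformly at random, so it overstates
    the strength of anything built from dictionary words."""
    return len(password) * math.log2(charset_size(password))


def wordlist_entropy_bits(n_words: int, list_size: int = 7776) -> float:
    """Entropy of n words drawn uniformly from a wordlist (Diceware: 7,776 words).
    This is what an attacker who guesses word combinations is really up against."""
    return n_words * math.log2(list_size)


def expected_crack_years(bits: float, iterations: int,
                         hmac_per_second: float = 1e10, gpus: int = 1) -> float:
    """Average time to brute-force a secret of `bits` entropy.
    Each guess costs `iterations` HMAC-SHA256 computations (PBKDF2-HMAC-SHA256 at
    the vault's iteration count). `hmac_per_second` per GPU is an ASSUMED rate."""
    guesses_per_second = gpus * hmac_per_second / iterations
    expected_guesses = 2 ** (bits - 1)          # on average, half the keyspace
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def report(password: str, iterations: int = 100_100) -> dict:
    """Score one candidate master password under the per-character model."""
    bits = charset_entropy_bits(password)
    return {"password": password, "bits": round(bits, 1),
            "years": expected_crack_years(bits, iterations)}


if __name__ == "__main__":
    for pw in ["royalsandart", "royaltysandwichtransporting",
               "RoyalSandwichTransport", "r0y@LSandwichTransport" + "." * 10]:
        print(report(pw))
    # The same three words, scored honestly as three Diceware picks:
    print(round(wordlist_entropy_bits(3), 1), "bits for three random Diceware words")
    # Old account (500 iterations) vs the 100,100 default vs 600,000:
    for it in (500, 100_100, 600_000):
        print(it, "iterations ->", f"{expected_crack_years(56.4, it):,.0f} years")
```

Changing only the iteration count in the last loop multiplies the attacker’s time linearly (600,000 iterations costs six times 100,000), while each extra random character from the 95-character set multiplies it by 95; that is why a longer master password does far more than a higher iteration count, and why the Diceware figure for “royalsandart” (about 39 bits) is the one to plan around rather than the 56 the per-character model gives.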

What’s Our Final Verdict on LastPass?

Says Matthew,

“To expand on the point about encouraging stronger passwords, there are many things LastPass could have done to better protect users. For instance, issuing warnings if the master password was shorter than 12 characters. Also, they could have proactively prompted users with lower iterations (say 500 – mainly those people with older LastPass accounts) to set encryption iterations higher; or even automatically increased the number.

“The irony is that LastPass could have limited impact by just prompting users to have 16 to 20-digit passwords with numerals, special characters, upper and lower case, and high-bit entropy, making them almost impossible to crack.

“Also, older accounts were supposed to be upgraded automatically to LastPass’ recommended 100,100 rounds of encryption, but many users have complained this did not happen. If this is the case, it is a big concern – it would make the encrypted stores that have been stolen easier to decrypt.”

Should I Stay with LastPass? Or Should I Go?

Continues Matthew,

“My advice is that, if you’ve lost faith in LastPass, it might be time to look at other options. Their business model over the last few years has felt avaricious. They are owned by a private equity company and the breach feels symptomatic of the approach of putting profit over security: LastPass has hiked prices dramatically and clearly not invested enough in security. However, the very act of moving could expose you to greater risks, if not carefully planned.”

Finally, Matthew says,

“Be alert: even if your master password was very secure (e.g., 16 characters, letters, numbers), although you don’t need to worry that your vault will be decrypted, you should still expect to become a greater target for fraudsters. Vigilance and phishing awareness training remains key.”

Intersys is a specialist cyber security provider offering everything from one-off breach response to a fully managed security operations centre (SOC).

Find out more about our cyber security services and our MD Matthew Geyman’s journey with Intersys over the past 25 years.
