Why RT’s Coverage of LastPass’ Security Breach is Fear-Mongering

RT published an article today whose content made my inner computer security nerd tremble with rage. This uninformed kind of writing about cryptography makes me rage, so let me explain why your LastPass passwords aren’t being traded among foreign spies as we speak.

  1. LastPass stores things in two mediums. Usernames and e-mail addresses of its clients (and likely 2FA keying detail and payment info) are kept in a database. This is what was compromised. User passwords, however, are stored in a portable database that is encrypted by one’s master password, and…
  2. The master password cannot be stolen from LastPass’ side. It’s feasible for someone to keylog a client machine and steal someone’s specific master password, but that’s possible with any password. LastPass never actually knows your master password; it only knows that your master password is sufficient to open the portable database.
  3. Yes, short and easy passwords like “Password123” can be hacked easily. That’s why LastPass actively chastises you for using simple and duplicate passwords. If you follow their advice, this is a complete non-issue regardless of whether LastPass has been hacked or not. That said, any password can be hacked, given enough effort, and LastPass correctly points out that…
  4. Their passwords are stored with an insane amount of hashing. The algorithm in question is PBKDF2, which is a key derivation function that is part of the RSA standard. This algorithm applies a cipher to the password based on your master password (and some salt) for some number of iterations. In LastPass’ case, they default to 100,000 iterations of PBKDF2 with SHA-256 (256-bit key), which is substantially more secure than the “standard” implementation of PBKDF2, which is with SHA-1 (160-bit key). The number of PBKDF2 iterations can even be changed through the user’s control panel within LastPass, giving them the option of added security if desired. How does this help? Well, the key to PBKDF2 in general is to understand that it is designed to be *slow*, which greatly increases the amount of time it will take a hacker to pull out your passwords; more iterations means more time to crack.
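
To make the "designed to be slow" point in item 4 concrete, here is an added example (not code from LastPass or from the original post) that writes out the PBKDF2 loop from RFC 2898 with HMAC-SHA-256 and shows how the iteration count multiplies the work per password guess. The sample password, the salt, the attacker's HMAC rate and the candidate count are all constructed assumptions.

```python
import hashlib
import hmac
import math
import time

HASH_LEN = 32  # SHA-256 output size in bytes


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = HASH_LEN) -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-SHA-256, written out to show the iteration loop."""
    blocks = []
    for index in range(1, math.ceil(dklen / HASH_LEN) + 1):
        # U_1 = HMAC(password, salt || 4-byte big-endian block index)
        u = hmac.new(password, salt + index.to_bytes(4, "big"), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        # U_n = HMAC(password, U_{n-1}); the output block is the XOR of every U_n.
        # Each step needs the previous one, so a guess cannot skip ahead.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")
        blocks.append(t.to_bytes(HASH_LEN, "big"))
    return b"".join(blocks)[:dklen]


def hmac_calls_per_guess(iterations: int, dklen: int = HASH_LEN) -> int:
    """HMAC invocations needed to test one candidate master password."""
    return iterations * math.ceil(dklen / HASH_LEN)


def years_to_exhaust(candidates: int, iterations: int, hmac_per_second: float) -> float:
    """Worst-case years to try every candidate at a given raw HMAC rate."""
    seconds = candidates * hmac_calls_per_guess(iterations) / hmac_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample inputs; not real credentials or LastPass' actual salt.
    password, salt = b"correct horse battery staple", b"user@example.com"
    for rounds in (1, 1_000, 100_000):
        start = time.perf_counter()
        key = hashlib.pbkdf2_hmac("sha256", password, salt, rounds)
        print(f"{rounds:>7} iterations: {time.perf_counter() - start:.4f}s  {key.hex()[:16]}...")
    # Hypothetical attacker: 1e9 HMAC/s against 1e12 candidate passwords.
    for rounds in (1, 100_000):
        print(f"{rounds:>7} iterations: {years_to_exhaust(10**12, rounds, 1e9):.5f} years")
```

With the assumed rate, the same candidate list that falls in minutes at one iteration takes years at 100,000, which is why a strong master password plus a high iteration count matters more than the breach itself.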

Overall, it is unlikely that there is an immediate concern for most people, given the information above. That said, putting passwords in the hands of a cloud application is something that must be done with an understanding that you are trading off some security for convenience; despite the best cryptography, anything can be reversed with enough time and resources, and any user who is using LastPass should acknowledge that to themselves. While your neighborhood lowlife may take 15 years to crack your password, if you’re the target of a nation-state, you may be out of luck.

(Some reference information taken from LastPass’ Security and Compliance report, as well as a subsequent update)

One thought on “Why RT’s Coverage of LastPass’ Security Breach is Fear-Mongering”

  1. Yeah, even running a dictionary attack requires that the program compute 100,000(+) hashes which would slow even a fairly decent system down (even GPU). If you’re smart and use two-factor then this is even less of an issue.

