Over the years I have paid attention to password managers like Bitwarden, Keychain, 1Password, and many others. Despite the many alternatives, including free ones, most people use LastPass.
This service, this year, has suffered two violations, the last one with a leak of user data. The company published a post on how the attack happened and what it entailed.
I decided to read the post published by Karim Toubba, the CEO of LastPass, and discuss some details.
To Our LastPass Community, We recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data. In keeping with our commitment to transparency, we want to provide you with an update regarding our ongoing investigation.
Even if this definition raises even more questions, without going into detail, whoever carried out this attack has certainly obtained a lot of sensitive company data (from private information to the entire source code of the features implemented by LastPass).
The even bigger problem is this data is part of a set that LastPass identifies as a backup.
A backup can represent an entire list of files and information that has been kept for a certain period. If this information is not protected, the person who obtained this data can dig “over time” from the LastPass information.
These first few sentences don’t say anything yet, we’re just speculating, but the mere fact that a company like LastPass hasn’t implemented good security measures is a good reason to use another service.
Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service. LastPass production services currently operate from on-premises data centers with cloud-based storage used for various purposes such as storing backups and regional data residency requirements. The cloud storage service accessed by the threat actor is physically separate from our production environment.
Even worse, this data has been decrypted and therefore the attacker has all this information in the clear.
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from the backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
We get the first part of the information that has been leaked. We are not talking about classic data that can be found without any difficulty on the internet, but we are talking about elements such as billing addresses, telephone numbers, and email addresses (strange as it may seem, the email address is considered sensitive data and in fact, this led to the development of random emails or email aliases to protect one’s primary email) and more.
Unfortunately, the worst comes now.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
Let’s forget that the author of the threat has a certain set of encrypted user vaults but let’s dwell on the sentence that contains unencrypted data.
LastPass has always defined itself as a zero-knowledge password management company that encrypts all user data.
The zero-knowledge protocol is an interactive method used by one subject to demonstrate to another subject that a statement is true, without revealing anything other than its truthfulness. In the simplest terms, a zero-knowledge demonstration allows data to be shared between two parties without the use of a password or other information associated with the transaction.
Although the company has a page dedicated to its security structure, unfortunately, we cannot know if this protocol used by LastPass has been correctly implemented as we are talking about a product close source.
But suppose LastPass did this, the real problem is that not all the data of the user is encrypted. We speak, for example, of website URLs. Perhaps taking only the URLs, these elements can do very little but put together with other information saved in clear text such as user emails, the situation changes.
By having both the email and all the sites visited and saved by the user, the attacker is on a small gold mine.
This data can easily be sold to third parties to carry out phishing, doxing, smishing, and vishing campaigns.
No matter how shrewd a user you are, these social techniques become more and more sophisticated to the point of misleading even the most paranoid. Furthermore, the email will be bombarded, forever, by hundreds and thousands of spam emails.
Having available the list of websites on which the user is registered, this information can be sold to third parties for targeted advertising, behavior analysis, subscription to services, and more.
Other techniques can be even more catastrophic, such as blackmailing the user into paying them not to disclose their private information online.
And these are just some of the possible uses of a user’s data.
The main point, however, is that a company whose purpose is to secure all, ALL, user information, must do so in its entirety and not leave certain elements clear.
These encrypted fields (A/N: all other fields such as password, notes, and others) remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data are performed only on the local LastPass client. There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment.
AES encryption is now a standard and has years of study behind it. The problem remains the strength of the user’s password, this is the only key to access all the data saved in the vault.
The user must therefore evaluate how strong and unique their password is. In the first case, you can use tools like the one provided by Bitwarden which assumes a date on how long it takes to crack a password. If, of course, you don’t want to test your LastPass password, try creating one to get an idea of how strong it is.
For example, let’s say the password used to access the LastPass vault is:
Let’s create one like this:
According to Bitwarden, it will take centuries to crack it.
Another consideration is the uniqueness of the password. If you have also used your LastPass password on one or more websites, you must change and make it unique. Unique means that you must use only that password to access your vault.
What Should LastPass Customers Do? As a reminder, LastPass’ default master password settings and best practices include the following: Since 2018, we have required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute-force password guessing. To further increase the security of your master password, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function PBKDF2, a password-strengthening algorithm that makes it difficult to guess your master password. You can check the current number of PBKDF2 iterations for your LastPass account here.
Since 2018, a password of at least twelve characters is required. OK, but was this rule also applied to users who signed up before 2018?
The answer is no.
Just search the LastPass subreddit to confirm that many users registered before 2018 can log into their LastPass account with their eight-character password. Also, if you are a LastPass customer, chances are you are unaware of this requirement. This is because LastPass has not asked existing customers to change their master password.
So LastPass has required twelve characters for the last few years, but a large part of their customer base is probably still using passwords that don’t comply with this requirement.
Similar speech for the PBKDF2. LastPass increased the default from 5.000 iterations to 100.100 in 2018, but does this apply to existing accounts as well?
The answer is still no.
Some people report that they still have 5.000 iterations configured and receive no warning when they log in. This way affected LastPass users will never know they are at risk.
If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology
Ultimately LastPass is saying: “I didn’t warn you to change your 8-character password to a 12-character one, I didn’t warn you that you need to change iterations from 5.000 to at least 100.000, so it’s your fault”.
So, dear user, it’s you who made a mistake, it’s you who didn’t find out about the new security and encryption procedures to follow.
Finally, the touch of class:
There are no recommended actions that you need to take at this time
This is just gross negligence. The company is trying in every way to minimize what is instead one of the biggest catastrophes that can happen to a cloud-based password manager.
In most cases when a company says not to worry it means that the user needs to worry.
In essence, whoever attacked LastPass has:
To learn more, a user on Reddit created a complete list of data unencrypted by LastPass.
Why LastPass can’t be trusted anymore:
In addition, just search on Wikipedia to view the list of security flaws and data breaches that the company has suffered almost every year.
Unfortunately, accidents can happen any day. But after the first incident in August, releasing a post of this importance, a post that makes all users uncomfortable, forced to change every single password, just a few days before Christmas, seems quite suspicious.
I don’t want to go against LastPass but the timing of the post seems to be calculated to try to sweeten users over the Christmas season and minimize this data breach.
Basically, LastPass waited until the day before Christmas to announce the data breach, all with obfuscating language trying to minimize the extent of this bad news.
First, change your LastPass master password. To be clear this won’t help you with stolen encrypted vaults that are only protected by your previous master password but it’s a good start to solving this huge company-generated problem.
Next step, consider an alternative to LastPass. If you think you can still trust an agency that has put all its users at risk from bad security management, maybe it’s better that you write your passwords in a notebook.
At the end of the post, you will find two of my favorite password managers, feel free to try them and look for opinions on Reddit (many websites, even famous ones, are almost always paid to do a good review of a product. On Reddit you can find some users who used the product).
Found a new service, consider creating a new email and using it only to register with the new password manager. Unfortunately, your email is in the hands of the attacker, and therefore sooner or later it will be everywhere on the internet, any attacker will try to use your email to access any other password manager you may have registered with.
Another alternative is to create a new email using a provider (iCloud, Proton, Tutanota) that allows you to create email aliases. This way you will have a primary email that you will only use to sign up for essential services such as a bank, credit cards, password manager, insurance, government portals, health care, and others.
Email aliases, on the other hand, will be used for all other services such as Amazon, eBay, forums, social networks, and many others.
In this way, you go to minimize the use of your real email.
During the transition from LastPass to the new manager avoid exporting and importing your file containing all the passwords, but take each element present in LastPass one by one, access the site, change the email with the new one and change the password, then save it on the new password manager.
This process will be long and you’ll hate yourself and LastPass, but you’ll feel better and more confident once it’s done.
Always enable two-factor authentication on every website that allows it, including your password manager. I already wrote something about 2FA.
Once you have completed the migration and all items have been exported from LastPass, please proceed with deleting all of your data via GDPR or similar request forms. This breach contained personal and vault data from previous customers. To ensure you don’t continue to be exposed to LastPass’s abysmal practices in the future, force them to delete everything they have on you.
I love trying out software like password managers and embracing their philosophy of protecting user data. Among the password managers out there, I recommend two.
I talked about it in a post almost two years ago analyzing the pros and cons of this password manager. The pros of Bitwarden are still valid, I would go and re-discuss the cons instead.
Development: required features not implemented in a very long time. For example, adding new tags in addition to those present was proposed in 2018 but has not yet been implemented today.
Still true, but Bitwarden has decided to publish a roadmap on all the features that will be implemented during the year. The custom item types will be added in the first half of 2023 (although this feature was expected to be released in Q4 2022).
Development for sure remains slow, but better to have late but safe features than to have everything right away with bugs and problems.
Offline management: it’s not allowed to edit items if you are offline. This is a serious shortcoming despite being proposed in 2018 because you can find yourself in environments and places where there is no signal, or the signal is weak, and therefore you cannot add, modify and delete the elements of your vault.
This feature is on the roadmap but is in future development. Sure it’s a great feature but not as important and indispensable as you expect.
The user can indeed find himself in situations where his device has no signal, but the possibility of being in a place without a signal and with the absolute necessity of having to add or modify an element on Bitwarden is almost minimal.
Other features must take precedence.
Discrepancy: there’re some strange cases of people who’re no longer able to access their vault despite having entered their master password correctly.
As I wrote in the past: Obviously problems of this type, hopefully, are mainly due to errors on the part of the user and not of the system., still today I am convinced of this. During these years it happened to find users who had this discrepancy problem only to discover that: the user had changed his password days ago and was still using the old one to try to access, the user used an input source for a different keyboard, the user had switched iterations of the KDF not following BItwarden’s instructions to log out of all devices.
Non-native code: without going into details, Bitwarden’s applications are developed with multi-platform languages and not in native code according to the system used. On the one hand, this choice makes it easier to develop an application because with a single development, it can be used universally for multiple systems and therefore the same application doesn’t have to be developed for each system. On the other hand, it involves having a product with lower performance and efficiency than other products.
By now almost all the companies that develop cross-platform software no longer use native code but prefer to use frameworks like Electron.
The advantages in terms of costs for the company are enormous while the user’s machine will have worse performance (in terms of ram and CPU) than a native application.
In the end, most password managers (cross-platform ones) use this Electron or similar, so little few changes.
Interface: too dated. For when this parameter can be completely subjective if you put the Bitwarden interface (web, mobile app, desktop) for that of other operators, Bitwarden turns out to be completely anachronistic and in some ways engineering, that is, inconsistent with the set of novice users who are starting to use the product. In particular, the discourse of the UI is very important for this type of product. Unfortunately, let us return to the first problem highlighted: development.
True, the Bitwarden graphical interface for certain features is cumbersome and not treated in every detail, but it works and does what it’s supposed to do. If you love the minimalist design you might find the desktop app even prettier than other competitors.
In the end, it’s subjective, you may like it or not, but the important thing is that it works.
The only criticism is that the Bitwarden desktop and mobile app do not implement all the features present on the website such as Reports.
Unlike Bitwarden which offers almost all the features for free, 1Password requires an annual subscription but offers cross-platform software with attention to the smallest detail.
One of the features that differentiate 1Password from other competitors is its Secret Key.
Other managers encrypt the data using the password information that the user chooses, which means that only the password is needed to decrypt the vault.
With 1Password, both the user’s password and secret key are needed to decrypt the vault. The secret key is requested every time a new device is registered and therefore should not be memorized. This double password adds a higher level of security because if an attacker manages to obtain the vaults as happened to LastPass, even if the attacker knows the password he cannot decrypt the vault because he does not know the secret key.
This is one of 1Password’s strengths.
The cost of the subscription is similar to that of LastPass, so if you’re fleeing LastPass, with 1Password you get more security and GUI care that is worth the expense.
If you are undecided about the type of manager to subscribe to, both Bitwarden and 1Password are very active through forums and Reddit, really fantastic.
Regardless of the password manager, always carry out in-depth research on the service you want to use, ask on forums, or Reddit, and carefully evaluate the philosophy and the path that the company has created.
The last tip is always to remember to back up your vault, however solid the service is you better have a way to restore your data if the main service fails.
In particular, the summary of the post lies in this sentence:
This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.
How is it possible that in 2023 companies allow employees to work with their personal computers or allow any product to be installed on the company computer. 🤷♂️
Perhaps it’s the right time to evaluate some other alternatives.
This is not the first nor the last time, most of the attacks start from the vulnerabilities or the naivety of the employee himself. Employees should be trained and companies should not only think about the cloud infrastructure but also about managing the things that connect to it.