Last August, LastPass published a statement informing users that its service had been breached. A password manager's whole purpose is to keep passwords safe, so the incident put the well-known service under scrutiny, yet LastPass appeared to downplay its severity. Now several cybersecurity experts say the problem is far more serious than LastPass wanted to admit.
Wait, there was another hack. Following the August incident, LastPass updated its statement to disclose a second breach at the end of November. The investigation into that incident led to the updated report published a few days ago, and according to the company the stolen data includes copies of users' vaults, which contain their passwords.
Brute force. LastPass asserts that the attacker “could try to use brute force to find out your master password and decrypt the copies of the ‘vault’ of data that he stole”, but that this “would be extremely difficult” because of the encryption the service uses. With 33 million registered users, the company claimed that users did not need to take any extra measures to protect their accounts.
Millions of years? In fact, LastPass claimed that if users followed the service's recommendations, it would take “millions of years to figure out your master password” with brute-force tools.
Not quite. Jeffrey Goldberg, a cybersecurity expert at rival company 1Password, says that statement is “very misleading” and that even with the 12-character minimum password, “human-created passwords never come close to meeting that requirement” because, as he points out, people choose passwords that are easy to remember, which usually means they are not strong passwords.
Cheap guesses. A recent competition showed that testing 10 billion passwords would cost about $100, and a motivated attacker with good GPUs could also focus on the way people typically create their passwords, narrowing the search considerably.
LastPass did not contain the problem. Wladimir Palant, a developer and security researcher who created Adblock Plus, explained that the August statement was not entirely transparent and that the company failed to stop the attack from spreading. LastPass further admitted that the stolen data included the IP addresses from which customers accessed the service, which could be used to build “movement profiles” of those customers. Not only that: Palant also showed that the 12-character requirement is not actually enforced: “I can log in with my eight-character password without warnings or recommendations to change it.”
“Blatant lie.” Another expert in this field, Jeremi Gosney, said LastPass's claim to know nothing about your password (“zero knowledge”) is “a bald-faced lie.” According to him, although people believe their vault is some kind of encrypted database in which the entire file is protected, in reality the vault is a plain-text file in which only certain fields are encrypted.
Other problems. The researchers also criticise the key-stretching LastPass uses to slow down password guessing (PBKDF2, which runs the hash function many times): new accounts now use 100,000 iterations, but older accounts were left at 5,000 or fewer, which makes each guess against them far cheaper for an attacker.
Not only that: LastPass does not encrypt the URLs people save in their vaults, so an attacker can see which users hold accounts at valuable sites and target them, for instance with phishing aimed at the master password.
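The two points above, cheap guessing and low iteration counts, combine into a simple cost model. The following added example (not LastPass code, and not from any of the researchers quoted) derives a vault key with PBKDF2-HMAC-SHA256, runs an offline guessing loop against a constructed stolen key, and estimates the cost of cracking different kinds of master passwords. It assumes the competition figure quoted above (about $100 per 10 billion guesses) applies at 100,000 iterations, that cost scales linearly with the iteration count, and that the account e-mail serves as the salt; the e-mail, password and word list are constructed demo data.

```python
# Added example: how brute-force cost scales with password keyspace and the
# PBKDF2 iteration count. Not LastPass code; all inputs are constructed.
import hashlib
from typing import Iterable, Optional, Tuple

# Assumption: ~$100 per 10 billion guesses (the competition figure) is the
# cost at a baseline of 100,000 PBKDF2-SHA256 iterations. Real costs depend
# on hardware and on the exact key-derivation function used.
USD_PER_GUESS_AT_BASELINE = 100.0 / 10_000_000_000
BASELINE_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256.

    Using the lower-cased account e-mail as the salt is an assumption made
    for this example; the point is that every guess costs the attacker
    `iterations` HMAC computations.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a uniformly random password."""
    return alphabet_size ** length


def pattern_keyspace(dictionary_words: int, words: int, digits: int) -> int:
    """Candidates for a 'human' pattern: N dictionary words plus trailing
    digits. Long enough to pass a 12-character rule, but tiny compared with
    a random string of the same length."""
    return dictionary_words ** words * 10 ** digits


def usd_per_guess(iterations: int) -> float:
    """Cost per guess grows linearly with the iteration count."""
    return USD_PER_GUESS_AT_BASELINE * iterations / BASELINE_ITERATIONS


def expected_crack_cost_usd(candidates: int, iterations: int) -> float:
    """Expected cost: on average the attacker tests half the candidates."""
    return candidates / 2 * usd_per_guess(iterations)


def expected_crack_years(candidates: int, iterations: int,
                         hmac_per_second: float) -> float:
    """Wall-clock estimate for a rig doing `hmac_per_second` HMAC-SHA256
    calls (an assumed rate); each guess needs `iterations` of them."""
    guesses_per_second = hmac_per_second / iterations
    return candidates / 2 / guesses_per_second / (365.25 * 24 * 3600)


def crack(target_key: bytes, email: str, iterations: int,
          candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline attack on a stolen vault key: try candidates in order and
    return (password, guesses_used), or (None, guesses_used) if none match."""
    tried = 0
    for pw in candidates:
        tried += 1
        if derive_vault_key(pw, email, iterations) == target_key:
            return pw, tried
    return None, tried


if __name__ == "__main__":
    # Constructed demo data, not from any real breach.
    email = "victim@example.com"
    stolen = derive_vault_key("Correcthorse42", email, 5_000)  # old account, low count
    wordlist = ["password1", "Summer2022!", "Correcthorse42", "letmein"]
    print("cracked:", crack(stolen, email, 5_000, wordlist))
    for label, n in [("random 12-char alphanumeric", keyspace(62, 12)),
                     ("two dictionary words + 2 digits", pattern_keyspace(20_000, 2, 2))]:
        for it in (5_000, 100_000):
            print(f"{label} @ {it} iterations: ${expected_crack_cost_usd(n, it):,.0f}")
```

With these assumptions a 14-character password built from two common words and two digits costs on the order of $200 to crack at 100,000 iterations and about $10 at 5,000, while a truly random 12-character alphanumeric password is out of reach at either count. That is the gap between the vendor's “millions of years” and the researchers' objection: the iteration count only multiplies the cost, and a human-chosen password starts from a very small keyspace.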
Alternatives. Both Palant and Gosney recommend that people consider switching to another password manager, especially given how LastPass has handled the problem and the fact that this is not the first time it has happened. Whatever other experts may say, and even though the company makes no such recommendation, changing the master password and all the passwords in the vault (or at least those for the most sensitive services) seems a sensible precaution.
There are other similar cloud services (Bitwarden, 1Password), but there are also alternatives that users can run on their own machines or in private clouds, such as KeePass or KeePassXC (local) or Vaultwarden, an alternative server implementation compatible with the Bitwarden clients.