LastPass has been breached: What now?

If you have a LastPass account you should have received an email updating you on the state of affairs concerning a recent LastPass breach. While this email and the corresponding blog post try to appear transparent, they don’t give you a full picture. In particular, they are rather misleading concerning a very important question: should you change all your passwords now?

Screenshot of an email with the LastPass logo. The text: Dear LastPass Customer, We recently notified you that an unauthorized party was able to gain access to a third-party cloud-based storage service which is used by LastPass to store backups. Earlier today, we posted an update to our blog with important information about our ongoing investigation. This update includes details regarding our findings to date, recommended actions for our customers, as well as the actions we are currently taking.

The following statement from the blog post is a straight-out lie:

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology.

This makes it sound like decrypting the passwords you stored with LastPass is impossible. It also prepares the ground for blaming you, should the passwords be decrypted after all: you clearly didn’t follow the recommendations. Fact is however: decrypting passwords is expensive but it is well within reach. And you need to be concerned.

I’ll delve into the technical details below. But the executive summary is: it very much depends on who you are. If you are someone who might be targeted by state-level actors: danger is imminent and you should change all your passwords ASAP. You should also consider whether you still want them uploaded to LastPass servers.

If you are a regular “nobody”: access to your accounts is probably not worth the effort. Should you hold the keys to your company’s assets however (network infrastructure, HR systems, hot legal information), it should be a good idea to replace these keys now.

Unless LastPass underestimated the scope of the breach that is. If their web application has been compromised nobody will be safe. Happy holidays, everyone!

Edit (2022-12-27): As it turned out, even for a “nobody” there are certain risk factors. You should especially check your password iterations setting. LastPass failed to upgrade some accounts from 5,000 to 100,100 iterations. If it’s the former for you, your account has a considerably higher risk of being targeted.

Also, when LastPass introduced their new password complexity requirements in 2018 they failed to enforce them for existing accounts. So if your master password is shorter than twelve characters you should be more concerned about your passwords being decrypted.

What happened really?

According to the LastPass announcement, “an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.” What data? All the data actually: “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” And of course:

The threat actor was also able to copy a backup of customer vault data

That’s where your passwords are kept. Luckily, these are encrypted. Whether the encryption will hold is a different question, one that I’ll discuss below.

But first: one important detail is still missing. When did this breach happen? Given that LastPass now seems to know which employee was targeted to gain access, they should also know when it happened. So why not say it?

I can only see one explanation: it happened immediately after their August 2022 breach. After investigating that incident, in September 2022 LastPass concluded:

Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.

I suspect that this conclusion was premature and what has been exposed now is merely the next step of the first breach which was already ongoing in September. Publishing the breach date would make it obvious, so LastPass doesn’t to save their face.

How long does decrypting passwords take?

Whenever LastPass has a security incident they are stressing their Zero Knowledge security model. What it supposedly means:

LastPass does not have any access to the master passwords of our customers’ vaults – without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data

Ok, let’s assume that indeed no master passwords have been captured (more on that below). This means that attackers will have to guess master passwords in order to decrypt stored passwords. How hard would that be?

The minimums requirements for a LastPass master password are:

  • At least 12 characters long
  • At least 1 number
  • At least 1 lowercase letter
  • At least 1 uppercase letter
  • Not your email

So “Abcdefghijk1” is considered perfectly fine as your master password, “lY0{hX3.bV” on the other hand is not.

Let’s look at the passwords meeting these exact baseline requirements. They consist of ten lowercase letters, one uppercase letter and one digit. If one were to generate such a password randomly, there were 4.8 · 1018 possible passwords. This seems like a lot.

But it all stands and falls with the way the encryption key is derived from the master password. Ideally, it should be a very slow process which is hard to speed up. Unfortunately, the PBKDF2 algorithm used by LastPass is rather dated and can run very efficiently on a modern graphics card for example. I’ve already explored this issue four years ago. Back then my conclusion was:

Judging by these numbers, a single GeForce GTX 1080 Ti graphics card (cost factor: less than $1000) can be used to test 346,000 guesses per second.

In response to my concerns LastPass increased the number of PBKDF2 iterations from 5,000 to 100,100. That’s much better of course, but this graphics card can still test more than 17,000 guesses per second.

Update (2022-12-23): While LastPass changed the default in 2018, it seems that they never bothered changing the settings for existing accounts like I suggested. So there are still LastPass accounts around configured with 5,000 PBKDF2 iterations. The screenshot below shows my message on Bugcrowd from February 2018, so LastPass was definitely aware of the issue.

Screenshot from Bugcrowd. bobc sent a message (5 years ago): Ok thank you. Our default is now 100k rounds and artificial limits on number of rounds have been removed. palant sent a message (5 years ago) Yes, the default changed it seems. But what about existing accounts?

If someone tries to blindly test all the 4.8 · 1018 possible passwords, a match will be found on average after 4,5 million years. Except that this graphics card is no longer state of the art. Judging by these benchmark results, a current NVIDIA GeForce RTX 4090 graphics card could test more than 88,000 guesses per second!

And we are already down to on average “merely” 860 thousand years to guess a baseline LastPass password. No, not “millions of years” like LastPass claims. And that’s merely a single graphics card anyone could buy for $2000, it will be faster if someone is willing to throw more/better hardware at the problem.

But of course testing all the passwords indiscriminately is only an approach that makes sense for truly random passwords. Human-chosen passwords on the other hand are nowhere close to being random. That’s especially the case if your master password is on some list of previously leaked passwords like this one. More than a billion passwords? No problem, merely slightly more than four hours to test them all on a graphics card.

But even if you managed to choose a truly unique password, humans are notoriously bad at choosing (and remembering) good passwords. Password cracking tools like hashcat know that and will first test passwords that humans are more likely to choose. Even with the more complicated passwords humans can come up with, cracking them should take determined attackers months at most.

By the way: no, diceware and similar approaches don’t automatically mean that you are on the safe side. The issue here is that word lists are necessarily short in order to keep the words easily rememberable. Even with a 7776 words dictionary which is on the large side already, a three words combination can on average be guessed in a month on a single graphics card. Only a four words password gives you somewhat reasonable safety, for something as sensitive as a password manager master password five words are better however.

Update (2022-12-23): Originally, the calculations above were done with 190,000 guesses per second rather than 88,000 guesses. I wrongly remembered that LastPass used PBKDF2-HMAC-SHA1, but it’s the somewhat slower PBKDF2-HMAC-SHA256.

Possible improvements

The conclusion is really: PBKDF2 is dead for securing important passwords. Its performance barely changed on PC and mobile processors in the past years, so increasing the number of iterations further would introduce unreasonable delays for the users. Yet the graphics card performance skyrocketed, making cracking passwords much easier. This issue affects not merely LastPass but also the competitor 1Password for example.

Implementors of password managers should instead switch to modern algorithms like scrypt or Argon2. These have the important property that they cannot easily be sped up with specialized hardware. That’s a change that KeePass for example implemented in 2017, I did the same for my password manager a year later.

Does it mean that all passwords are compromised?

The good news: no, the above doesn’t mean that all passwords stored by LastPass should be considered compromised. Their database contains data for millions of users, and the key derivation process uses per-user salts (the user’s email address actually). Attempting to crack the encryption for all users would be prohibitively expensive.

The big question is: who is responsible for this breach? Chances are, it’s some state-level actor. This would mean that they have a list of accounts they want to target specifically. And they will throw significant resources at cracking the password data for these accounts. Which means: if you are an activist, dissident or someone else who might get targeted by a state-level adversary, the best time to change all your passwords was a month ago. The second best time is right now.

But there is also a chance that some cybercrime gang is behind this breach. These have little reason to invest significant hardware resources into getting your Gmail password, there are easier ways to get it such as phishing. They will rather abuse all the metadata that LastPass was storing unencrypted.

Unless of course you have access to something of value. For example, if your LastPass data contains the credentials needed to access your company’s Active Directory server, decrypting your passwords to compromise your company network might make it worthwhile. In that case you should also strongly consider changing your credentials.

By the way, how would the attackers know which “encrypted vaults” contain valuable information? I mentioned it before: LastPass doesn’t actually encrypt everything in their “vault.” Passwords are encrypted but the corresponding page addresses are not. So seeing who holds the keys to what is trivial.

But everyone else is safe, right?

The above assumes that the LastPass statement is correct and only the backup storage has been accessed. I’m far from certain that this is correct however. They’ve already underestimated the scope of the breach back in September.

The worst-case scenario is: some of their web application infrastructure could be compromised. When you use the LastPass web application, it will necessarily get the encryption key required to decrypt your passwords. Even if LastPass doesn’t normally store it, a manipulated version of the web application could send the encryption key to the attackers. And this would make the expensive guessing of the master password unnecessary, the passwords could be easily decrypted for everybody.

Note: you are using the web application, even if you always seem to use the LastPass browser extension. That’s because the browser extension will fall back to the web application for many actions. And it will provide the web application with the encryption key when it does that. I’ve never looked into their Android app but presumably it behaves in a similar way.

Comments

  • Mahesh

    How does 2 factor authentication change your conclusions, if at all? Or, in other words, if the hacker(s) were able to guess the password, would 2 factor authentication prevent them from decrypting the password vault, or does it not impede them much?

    Wladimir Palant

    Two factor authentication is merely a part of the login procedure. It has no impact on encryption whatsoever. Whoever has access to the data already (like the attackers here) doesn’t care about it.

  • Mark

    I keep reading glowing articles about how WebAuthn will virtually eliminate credential compromises, but this (latest) breach serves as a reminder of the old phrase, "don't put all of your eggs in one basket." By storing all of your credentials, whether passwords or tokens, in a single web-accessible service used by millions of people, you inherently create a very appetizing target. Yes, they are presumably far better skilled at cybersecurity than the average user, but a single chink in the armor (or malicious insider) has far greater reach. Given how much time the hackers have already had to crack the hashes of targeted accounts, here's to the futile hope that all of the downstream services accessed with those LastPass-"protected" passwords also require hardware security keys.

    Side question for LastPass: why are archived backups containing all that metadata not fully encrypted? Sigh!

    Wladimir Palant

    Not encrypting metadata was something security researchers pointed out repeatedly. I found a 2015 presentation mention it. I mentioned it again in my 2018 disclosure. Other people likely did as well. LastPass is aware but simply doesn’t care.

    Quite frankly, I absolutely expect the people behind WebAuthn to get security correctly. They have the necessary skills and the incentives. Commercial password managers sadly tend to lack both. The trouble with WebAuthn is rather adoption.

  • Raylon

    So what is a cosure solution for a nobody like me to securely protect all my passwords, two factor authentication for each account or Face ID maybe?

    Wladimir Palant

    I’m the wrong person to ask. I wrote my own password manager because I was unhappy with what is out there.

  • Miki

    Scrypt is better than Argon2?

    Wladimir Palant

    No, Argon2 should usually be the better option. The reason I decided to use scrypt was the fact that JavaScript isn’t good at operating with 64 bit numbers, rendering Argon2 implementations inefficient.

  • Adam

    Thanks for the detailed article!

    I also note that Bitwarden use the same outdated encryption methods. I wonder why this is?

    Out of interest, do hardware keys (I.e yubikey) make this a non issue? I’m not exactly sure how these keys work but expect they are storing a 32-64 long key, similar to a crypto hardware wallet.

    At this time, these are not able to be brute forced, right?

    Wladimir Palant

    Yes, truly random keys aren’t realistic to bruteforce. So hardware tokens would render such attacks impossible if used correctly.

    I also learned that 1Password, while also using PBKDF2 with similar parameters, complements user’s password with a randomly generated secret key – a good call. I’m not sure whether Bitwarden does anything to prevent brute forcing of the master passwords, should the data ever leak.

  • Mark

    This is why I'm a big fan of Yubi keys. Yes you may be able to get my password for something, but without my Yubi key you're not going to get much further than the login screen.

  • LostPassFanclub1876

    Hey Wladimir, first of all thanks for all your research work and the incredible documentation and reporting you did. Too bad i discovered your informative site only now. Do you have any take on Bitwarden ? and would you chose the self hosting approach or trust their services/interface/apis etc. Also would you use a browser extension or rather a standalone app which goes to a (possibly time limited) copy and paste procedure on logins ?

    Wladimir Palant

    Unfortunately – no, somehow I never managed to take a proper look at Bitwarden.

    I would still use a browser extension. Browser extensions make sure you won’t incidentally paste your password on the wrong (especially phishing) site. I have very high requirements on the quality of that browser extension of course, but that’s me.

  • NoNam

    Thank you for your efforts and investigation. Till today I was at Lastpass. After knowing all of the above mentioned, I am looking for another Pass manager. But which one should we choose? Is there a particular one, technically superior to the competitors?

    Wladimir Palant

    Unfortunately, I cannot really give a recommendation. Given the specifics of my engagement with password managers, I probably see them in an overly negative light.

  • James Ravenscroft mentioned this article in Personal & Commercial Post-LastPass-Breach Password Management Approaches

    Photo by Roth Melinda on Unsplash

    Earlier this month LastPass revealed that they had been breached and then a few days later that that their customer’s encrypted password data was stolen. Following a couple of years of controversy including earlier breaches and price rises, this latest breach hasn’t been a particularly good look for them. I’ve been an LP user for a few years, but this latest breach has me concerned - particularly because their customer data vaults have been exposed.

    Quick disclaimer: I’m not specifically a security expert but I’ve been the CTO at a small tech firm for the last 6 years and data breaches are one of the topics that keep me up at night and make me sweat at work on a regular basis. I probably spend an unhealthy amount of time thinking and worrying about this stuff

    Making Good Use of Time Bought with LastPass’ Strong Encryption

    Well, the good news is that LastPass uses pretty strong encryption to store customer password vaults so, in the best case for users, it might take hackers years or centuries to break in to your account depending on the strength of the password you chose…

  • Randy

    Question: our company uses SSO for master password authentication. (Specifically AD login). How does this change the likelihood of the threat actors from decrypting our data?

    Wladimir Palant

    Unfortunately, I have no idea. Presumably, that’s the Federated Login Services that LastPass mentions in their blog post. According to LastPass, a hidden master password is used in this scenario. As this one should be random, it would in principle prevent bruteforce attacks. Unless the attackers somehow accessed the master password itself which LastPass claims they didn’t. I have not looked into how this is implemented, so I cannot tell whether there are any design flaws here.

  • Kevin

    Regardless, LastPass can't be trusted. This is as bad as it gets really...especially admins!

    Start a 1Password account w/32-char min master pass, set up 2FA, and begin the painful process:

    Login with LastPass, for-each site/note: change the password and store it in 1Password, and delete from LastPass... process of elimination and it makes 100% sure you get them all changed.

    Start with the highest value sites first of course.

    1Password has some good passkeys stuff in the 2023 pipeline. Can't wait to be passwordless someday!

  • Random Username

    Thanks for this very informative article.

    So we now know that LastPass didn't encrypt their metadata, and was recording our IP addresses during all these years.

    What about their competitors ? Are you aware of at least one of them who encrypt absolutely everything ?

    Wladimir Palant

    I think that encrypting everything is actually the more typical approach. It has been a while since I was checking out password managers, but I’m fairly certain that 1Password encrypted everything. And from what people say I think that Bitwarden does the same.

  • Zsolt M.

    Start a 1Password account w/32-char min master pass, set up 2FA, and begin the painful process ...

    I think that the takeaway here is not to use any password manager cloud service at all. They have crosshairs painted on their backs since one successful breach gets the attacker millions of passwords (or even millions of password stores).

    The best bet seems to use a strictly client-side password manager and if syncing between devices is a must, use a regular cloud storage service (like Dropbox, Google Drive, etc.) to share the encrypted secrets store.

  • Gerardo Ortiz

    Hi Wladimir, thank you very much for such a great analysis and recommendations. I've spent a lot of time updating my most important accounts, it's been a nightmare.

    I've also removed Lastpass authenticator and moved to Yubico Authenticator as I can imagine that the stolen vault also includes the information from the TOTP acounts sync'ed on the cloud.

    If I have Yubikeys as the only 2FA for LastPass, does it mean my vault is more secure?

    After I've changed the most important passwords, added 2FA using Yubikeys (or Yubico Auth TOTP) and removed any LP authenticator account, can I say I'm safe from hackers guessing my Master Password? They could have the MP but they won't have the Yubikeys.

    Wladimir Palant

    2FA is part of the login process which is required to access the vault data – it generally doesn’t help here, the attackers have the vault data already. Presumably, Yubikey isn’t used as a password replacement, meaning that it won’t prevent decryption which is still dependent on the master password only.

    Whatever configuration changes you implemented after the data was stolen also don’t affect anything unfortunately.

  • Gerardo Ortiz

    Thanks Wladimir. But what about my other important accounts? For example my email, I've changed the password and have 2FA trough hardware keys.

    Can I consider the risk remediated?

    Wladimir Palant

    Yes, 2FA on your accounts is definitely a good idea and helps mitigate all kinds of risks. And since you changed the password, you should merely expect phishing attempts now.

  • starbuck

    I would most likely be classed as a 'nobody', but I'm trying to understand how PBKDF2 affects how hard it would be for the threat-actor to crack/decrypt my vault if they decided to try it. I had 100,100 iterations set on my account. Am I correct in understanding that 100,100 iterations slows down the speed at which they can attempt to crack my password to approximately 88,000 guesses per second if they were using an RTX 4090 - regardless of the length of my password? That suggests to me that 8-10 character passwords that are reasonably strong would take a fair bit of effort to crack? I ask because I'm looking cracking speeds from GRC's https://www.grc.com/haystack.htm and it seems PBKDF2, while flawed, does considerably slow down cracking speeds versus just raw attempts at guessing?

    Wladimir Palant

    Yes, I did more detailed time and cost estimates in https://palant.info/2022/12/28/lastpass-breach-the-significance-of-these-password-iterations/. These apply to a truly random 8 character password. If your password isn’t random, even at 10 characters it will be considerably easier to guess. But we are still talking about thousands of dollars, so it wouldn’t be worth doing for a regular account.

  • Jose

    Hi. After the breach I changed my Lastpass Master password (it was a sentence at over 35 characters) changed all passwords withing the vault at each website, as well as recovery codes, upped the iterations (it was at the original 100,100 now at 300,100). In my settings I used 2FA, and limited access from only 2 countries. How safe am I right now? Also, I did keep copies of some documents in my vault. This worries me more than passwords, as all my sites have 2FA enabled since always plus all passwords have been changed. Does the data that was breached only contain what was in there at the time of the breach or will they also have access to new data? Anything else I can do other than deleting my account? Thank you. Jose

    Wladimir Palant

    Yes, you can only lose what was in your vault at the time of the breach. They might guess your master password and try to log in to see the new info. That’s already quite unlikely in itself (why bother trying to trick LastPass’ location-based blocking when they already have plenty of data?), and with a changed master password it is no longer possible.

    The documents should be encrypted. You might be able to check in order to be certain, see https://palant.info/2022/12/24/what-data-does-lastpass-encrypt/#downloading-your-lastpass-data.

  • James

    Based on this write-up, I checked my Last Pass Iterations settings to see whether I was in the legacy 5,000 group or the new default 100,100 group. That setting is set to 500 for me. Uh-oh.

  • dingdong

    What if you had a 32 character mostly non-random password, and 5000 iterations?

    Asking for a friend. (Seriously, 85% of my $$$ is going to charity before I die (if I don't die early), it would be a pity if most of it were stolen. So, the real question is, how fast must I change my passwords (now in 1Password?))

    Wladimir Palant

    Non-random means that the length isn’t necessarily helping. You probably shouldn’t wait for the thieves to figure out how long decrypting your passwords takes – better change them now. At the very least for the accounts which could be used to access your $$$.

  • Matt

    Hi Wladimir, Unless I'm reading the hashcat benchmarks wrong, a RTX 4090 can try 8.8 millions PBKDF2-HMAC-SHA256 per sec, not 88 000.(My 1060 is at 560 000 kH/ sec)

    Wladimir Palant

    You are reading the benchmarks correctly but you need to remember that LastPass does 100,100 iterations on newer accounts, not 999 as measured here. So the benchmark results have to be scaled down accordingly.