What’s in a PR statement: LastPass breach explained

Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. Security professionals weren’t amused, this holiday season became a very busy time for them. LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face.

Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn’t want to mention.

Screenshot of the LastPass blog post: Update as of Thursday, December 22, 2022. To Our LastPass Community, We recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data. In keeping with our commitment to transparency, we want to provide you with an update regarding our ongoing investigation.

Let’s start with the very first paragraph:

In keeping with our commitment to transparency, we want to provide you with an update regarding our ongoing investigation.

In fact, this has little to do with any commitment. LastPass is actually required by US law to immediately disclose a data breach. We’ll soon see how transparent they really are in their statement.

While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

LastPass is trying to present the August 2022 incident and the data leak now as two separate events. But using information gained in the initial access in order to access more assets is actually a typical technique used by threat actors. It is called lateral movement.

So the more correct interpretation of events is: we do not have a new breach now, LastPass rather failed to contain the August 2022 breach. And because of that failure people’s data is now gone. Yes, this interpretation is far less favorable of LastPass, which is why they likely try to avoid it.

Note also how LastPass avoids mentioning when this “target another employee” happened. It likely did already before they declared victory in September 2022, which also sheds a bad light on them.

The cloud storage service accessed by the threat actor is physically separate from our production environment.

Is that supposed to be reassuring, considering that the cloud storage in question apparently had a copy of all the LastPass data? Or is this maybe an attempt to shift the blame: “It wasn’t our servers that the data has been lifted from”?

To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

We learn here that LastPass was storing your IP addresses. And since they don’t state how many they were storing, we have to assume: all of them. And if you are an active LastPass user, that data should be good enough to create a complete movement profile. Which is now in the hands of an unknown threat actor.

Of course, LastPass doesn’t mention this implication, hoping that the less tech-savvy users won’t realize.

There is another interesting aspect here: how long did it take to copy the data for millions of users? Why didn’t LastPass detect this before the attackers were done with it? We won’t learn that in their statement.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Note how LastPass admits not encrypting website URLs but doesn’t group it under “sensitive fields.” But website URLs are very much sensitive data. Threat actors would love to know what you have access to. Then they could produce well-targeted phishing emails just for the people who are worth their effort.

Never mind the fact that some of these URLs have parameters attached to them. For example, LastPass will sometimes save password reset URLs. And occasionally they will still be valid. Oops…

None of this is new of course. LastPass has been warned again and again that not encrypting URLs and metadata is a very bad idea. In November 2015 (page 67). In January 2017. In July 2018. And that’s only the instances I am aware of. They chose to ignore the issue, and they continue to downplay it.

These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.

Lots of buzzwords here. 256-bit AES encryption, unique encryption key, Zero Knowledge architecture, all that sounds very reassuring. It masks over a simple fact: the only thing preventing the threat actors from decrypting your data is your master password. If they are able to guess it, the game is over.

As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.

Unless they (or someone compromising their servers) decide to store it. Because they absolutely could, and you wouldn’t even notice. E.g. when you enter your master password into the login form on their web page.

But it’s not just that. Even if you use their browser extension consistently, it will fall back to their website for a number of actions. And when it does so, it will give the website your encryption key. For you, it’s impossible to tell whether this encryption key is subsequently stored somewhere.

None of this is news to LastPass. It’s a risk they repeatedly chose to ignore. And that they keep negating in their official communication.

Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.

This prepares the ground for blaming the customers. LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn’t follow their best practices.

We’ll see below what these best practices are and how LastPass is actually enforcing them.

We routinely test the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls.

Sounds reassuring. Yet I’m aware of only one occasion where they adjusted their defaults: in 2018, when I pointed out that their defaults were utterly insufficient. Nothing changed after that, and they again are falling behind.

Now to their password best practices:

Since 2018, we have required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute force password guessing.

If you are a LastPass customer, chances are that you are completely unaware of this requirement. That’s because LastPass didn’t ask existing customers to change their master password. I had my test account since 2018, and even today I can log in with my eight-character password without any warnings or prompts to change it.

So LastPass required twelve characters for the past four years, but a large portion of their customer base likely still uses passwords not complying with this requirement. And LastPass will blame them should their data be decrypted as a result.

To further increase the security of your master password, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password.

Note “stronger-than-typical” here. I seriously wonder what LastPass considers typical, given that 100,000 PBKDF2 iterations are the lowest number I’ve seen in any current password manager. And it’s also the lowest protection level that is still somewhat (barely) acceptable today.

In fact, OWASP currently recommends 310,000 iterations. LastPass hasn’t increased their default since 2018, despite modern graphics cards becoming much better at guessing PBKDF2-protected passwords in that time – at least by factor 7.

And that isn’t even the full story. In 2018 LastPass increased the default from 5,000 iterations to 100,100. But what happened to the existing accounts? Some have been apparently upgraded, while other people report still having 5,000 iterations configured. It’s unclear why these haven’t been upgraded.

In fact, my test account is also configured with 5,000 iterations. There is no warning when I log in. LastPass won’t prevent me from changing this setting to a similarly low value. LastPass users affected don’t learn that they are at risk. But they get blamed now for not keeping up with LastPass recommendations.

Update (2022-12-27): I’ve now seen comments from people who have their accounts configured to 500 iterations. I’m not even sure when this was the LastPass default, but they failed to upgrade people’s accounts back then as well. And now people’s data leaked with protection that is factor 620 (!!!) below what OWASP currently recommends. I am at loss of words at this utter negligence.

In fact, there is so far one confirmed case of an account configured with 1 (in words: one) iteration, which was apparently the LastPass default before they changed to 500. I’ll just leave this standing here.

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology.

I’ll translate: “If you’ve done everything right, nothing can happen to you.” This again prepares the ground for blaming the customers. One would assume that people who “test the latest password cracking technologies” would know better than that. As I’ve calculated, even guessing a truly random password meeting their complexity criteria would take less than a million years on average using a single graphics card.

But human-chosen passwords are far from being random. Most people have trouble even remembering a truly random twelve-character password. An older survey found the average password to have 40 bits of entropy. Such passwords could be guessed in slightly more than two months on the same graphics card. Even an unusually strong password with 50 bits of entropy would take 200 years on average – not unrealistic for a high value target that somebody would throw more hardware on.

Another data point to estimate typical password strength: a well-known XKCD comic puts a typical “strong” password at 28 bits of entropy and a truly strong diceware password at 44 bits. Guessing time on a single graphics card: on average 25 minutes and 3 years respectively.

The competitor 1Password solves this issue by adding a truly random factor to the encryption, a secret key. Some other password managers switched to key generation methods that are way harder to bruteforce than PBKDF2. LastPass did neither, failed to adjust parameters to modern hardware, and is now preparing to blame customers for this failure.

There are no recommended actions that you need to take at this time. 

This is just gross negligence. There certainly are recommended actions to take, and not merely for people with overly simple master passwords or too low number of iterations. Sufficiently determined attackers will be able to decrypt the data for almost anyone. The question is merely whether it’s worth it for them.

So anybody who could be a high value target (activists, dissidents, company admins etc.) should strongly consider changing all their passwords right now. You could of course also consider switching to a competitor who in the case of a breach will be more concerned about keeping you safe than about saving their face.

We have already notified a small subset (less than 3%) of our Business customers to recommend that they take certain actions based on their specific account configurations.

Presumably, that’s the accounts configured with 5,000 iterations, these are at risk and LastPass can easily determine that. But why notify only business customers? My test account for example is also configured with 5,000 iterations and I didn’t receive any notification.

Again, it seems that LastPass attempts to minimize the risk of litigation (hence alerting businesses) while also trying to prevent a public outcry (so not notifying the general public). Priorities…

Comments

  • Sean

    Thank you for this great summary. I got very similar "vibes" from it but this breaks it down in a very succinct and clear way.

    I've had a LastPass account for a long time and was very surprised to see that my account was still at 5,000 iterations; I am someone who absolutely would have changed this if warned and was able to find it and change it once I was aware of it. I also thought based on their defaults that 100,100 was sufficient; thank you for alerting me to that being wrong as well.

    It's unfortunate because it's such a hassle, but I've got to move myself and my family off of LastPass ASAP.

  • Mark

    "But website URLs are very much sensitive data. Threat actors would love to know what you have access to. Then they could produce well-targeted phishing emails just for the people who are worth their effort."

    Just to harp on that a bit more, merely knowing where users have registered accounts can be used for blackmail (such as the fallout from the Ashley Madison breach years ago), discrimination (are you a member of the 'wrong' special interest group's forum?), or governmental persecution (China and North Korea, among others, come to mind). The fact that LastPass considers that non-sensitive information really does set the stage for understanding their philosophy here.

  • Shree

    Hi bro, i am very appreciated from your article, thankyou for all the point you written hardly.💕

  • Keith

    Thank you for this timely information. I have been a LastPass user for a very long time and I was concerned by the breach. When I got the second notification I reviewed my settings. My account was set to 100,100 itinerations and I have 2 factor turned on. I first heard about LastPass from the podcast Security Now and decided to use it per the host vetting of it in the early days. I also knew to reset itineration from 5,000 to 100,100 and enable 2FA from recommendation of Steve Gibson, one of the podcast hosts.

    It is a daunting task to move because of the number of passwords stored and that most of them are long generated passwords I can't possibly remember. I always set master password to 12+ characters of all types but in a way I can remember it. My main concern about moving to new password manager is I don't want to migrate to a worst one.

  • Kumaravel

    Thank you for breaking down the press release.

  • Simon

    Moving away from LastPass shouldn't be too hard: most competitors will have a migration tool of some sort.

    But if you consider your credentials compromised, then that's where the real hassle starts: for some services, changing the password is easy (I think LastPass even had (has?) a tool for that), but for some it's manual and tedious...

    Thanks for a great breakdown of the weasel words! I almost got got by the

    it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.

    but thanks to you I now know it's not that simple!

    FFS, they had one job....

  • Akos

    If they only store password hashes, they have no way to know neither the amount of iterations used for generation, nor the length of your password. So they can't really warn you about these. They could force you to rotate though. The rest of the article is valid and solid, thanks.

    Wladimir Palant

    They store the number of iterations in their database, there is even a public API call anyone could use to check the iterations count for any account if they know the email address. So LastPass could easily send an email to anyone who has 5,000 iterations configured.

    As to password complexity: presumably (hopefully) they don’t store that. This is something that is normally checked when users log in. That’s the point where the password is known, and their app could warn the user. Which they really should have implemented at least four years ago.

  • Jojomonkey

    Thanks. What’s your best recommendation on where LP customers should consider migrating to? Thanks again!

    Wladimir Palant

    I am really the wrong person to ask for recommendations. I wrote my own password manager because I was unhappy with the available options.

    So far the only solution that I looked into and could actually recommend was 1Password. However, a security researcher I very much respect is highly dissatisfied with their vulnerability handling.

  • Eetu

    I was wondering if you have any opinions about the super-admin user capabilities and password recovery...

    Because lastpass website says super-admin can reset user master-passwords without losing data... https://support.lastpass.com/help/what-is-the-encryption-process-when-a-super-admin-resets-a-master-password

    Not to mention the master-passwords can apparently be recovered using SMS... (so is it possible to decrypt the vault data anyway?) https://blog.lastpass.com/2022/03/forgot-your-password-your-guide-to-lastpass-account-recovery/

    It also says admin can view master-passwords. But I think it is a mistake in their article... https://support.lastpass.com/help/enterprise-admin-management-of-master-passwords-lp010025

    Wladimir Palant

    I’ve never looked into LastPass’ business offerings, so I don’t know any technical details. From the documentation however, the implementation of super-admin capabilities makes sense. The consequence of course is: a company administrator can always access the passwords for all users. This isn’t really unusual in a corporate environment.

    For this breach, this makes super-admins high-value targets however. If someone can decrypt a super-admin’s vault, they will be able to get the admin’s private key. With that they can retrieve the encryption key for each user and no longer need to bruteforce. And the attackers should see from the data both who is a super-admin and how many users they will get by decrypting their data – neither information can be encrypted. Great for prioritizing attacks.

    This SMS recovery isn’t quite as bad as you think. It works via the Recovery OTP that is stored in your LastPass browser extension. I wrote about it here: https://palant.info/2018/07/09/is-your-lastpass-data-really-safe-in-the-encrypted-online-vault/#a-few-words-on-backdoors. I mentioned email as an additional verification step they require, but apparently SMS will work as well.

    No, admins cannot view master passwords, that’s not what the article you link to says. They can see when the master password was last changed, and they can force a user to change their password. They still won’t know what that password is.

  • Mogreen

    Thanks for working through the PR fluff and breaking it all down. As a LP customer hoping you can help with some question: 1 - My master password is 17 characters - should I be worried at this time - assume I am not a high value target , just a regular person 2 - Now that the horse has left the barn , besides changing all of my passwords (big pain) and leaving LP , is there anything else to be done ?

    Wladimir Palant

    In https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/ I wrote: “If you are a regular “nobody”: access to your accounts is probably not worth the effort.”

    I already have to correct this slightly however: check your iterations count. If it’s set to 5000, the effort of decrypting your data is much lower and you might get targeted after all. Note that a long password isn’t always a safe password, particularly if it is made up of dictionary words or something similarly predictable.

    Also, the more time passes, the more likely it is even for those “unattractive” vaults to be decrypted. You should keep that in mind and at some point change the password at least for the valuable accounts (online banking, shopping websites). For most people there is no urgency, it’s just better to be safe than sorry.

    The only other precaution I can think of is: expect phishing emails. They now know where you have your accounts. They might attempt to trick you into giving away your LastPass password, and they might do the same with the other services you use.

  • Chris

    I logged in and my account was set to 500 iterations, which likely means I have been using LastPass for a very very long time.

    Wladimir Palant

    Oh… My… God…

    I am speechless…

  • Scott

    Thanks very much. The delta between what LP said and your explanation is, as a customer, very scary. LP should have said that we will obfuscate the situation to the highest degree possible.

    Thanks again. On the semi+plus side, my iterations was set to 100,100.

  • particles

    I shared this on Mastodon but I checked my mom's account and her account reported having the iteration count set to 1. Bug or not, I think this is pretty unacceptable. We spent most of Christmas changing her passwords.

    Wladimir Palant

    Yes, 1 iteration was reportedly LastPass’ default before they increased it to 500, which was the default before they increased it to 5,000, which was the default before they increased it to 100,100. I was wondering whether there are any accounts around that still use that value. Thank you for confirming…

  • Chris

    Thank you for this! Given that LP is now a no-go and you mentioned that a security researcher you trust doesn't recommend 1Password either, do you have any article recommendations for a comparison infosec-wise for the remaining password manager options?

    Wladimir Palant

    I don’t.

  • Patrick H

    "LastPass is actually required by US law to immediately disclose a data breach"

    What Federal law requires a company to immediately disclose a data breach?

    Wladimir Palant

    I’m no expert on US law, so here is your Wikipedia link: https://en.wikipedia.org/wiki/Security_breach_notification_laws#United_States

    There is no federal law, but each state requires it.

  • Nancy

    I've been a LastPass user for six years. Not sure when they changed the iterations requirement but mine is set to 100100. Even if no one wants my data because I'm a nobody :), I am still switching to something else. As a freelancer, I have a lot of passwords stored. I notified all my clients to let them know of the breach, and to recommend that they change their passwords, especially for accounts to which I had access to financial information. Also, LastPass's data export process is absolutely garbage. My husband was flabbergasted -- exporting LastPass data resulted in all my data being displayed in a new browser tab window with no encryption when it was supposed to generate a CSV download.

  • Jan

    Thank you for the easier to understand translation of the LP message. I have been a long time user of LP, have multi factor authentication but don't know if that means anything. I'm not knowledgeable obviously and need direction on how to find what iteration I have, please. It seems overwhelming to change all my passwords but will start right away with crucial banking and anything financial and go from there. Sad that you can't trust anything these days!

    Wladimir Palant

    Unfortunately – no, multi-factor authentication on your LastPass account won’t help you now. Multi-factor authentication on the accounts you shared with LastPass on the other hand is helpful.

    Here is the help article on this iterations setting: https://support.lastpass.com/help/how-do-i-change-my-password-iterations-for-lastpass

  • Frank

    Alternatives? I use Keepass. It’s maybe not that comfortable in the beginning, but I am confident, that I is secure. Give a it try. The container is always in your hands (eg in your own Nextcloud environment) and you have plugins which make it pretty nice to integrate it on your browser. Locally.

  • Nancy

    I forgot to note in my first comment, that the CSV wasn't generating because I had pop-ups blocked. Once I unblocked pop-ups, a CSV was downloaded but it only contained a few entries and of course, there should've been hundreds.

  • Jay

    Thanks for the informative article, I'm wondering If I use a YubiKey, should I still be concerned with my passwords?

    Wladimir Palant

    I never had a chance to test their YubiKey integration. Presumably, if it is done correctly, your passwords should be safe. All the unencrypted metadata (especially website addresses corresponding to your accounts) – not so much.

  • Randy

    If a user is going to be using passwords that fall to a dictionary attack, no encryption in the world will help them. While I don't blame the user for a breach, users have to accept some responsibility in their security too. If you're a high value target and your password isn't at least 30 characters, you aren't doing your part to help with your own security.

    That the law requires some degree of transparency is insufficient to say there is no commitment otherwise. There is a strong personal bent to this article. You do not differentiate between lies and updated information that was not previously known.

    What you don't know is if other such companies have been breached, which has happened or will happen, and how well their vaults will stand up to offline attacks.

    Not saying that there weren't some serous problems, but your post does make some assumptions that would appear to be unqualified unless you have inside information

    Wladimir Palant

    LastPass competitor 1Password held cracking competitions to figure out how strong real-world passwords are. Their conclusion was to introduce a secret key, a truly random factor to complement human-chosen passwords. This is keeping users safe.

    LastPass on the other hand didn’t warn users about unsafe security settings (I now have the first report of an account still configured with one PBKDF2 iteration) but are bubbling something about “millions of years.”

    Besides: how secure a password is cannot be told from its length. In fact, most people cannot even remember a high-complexity password, much less choose one. That’s why choosing a strong KDF is essential for a password manager.

    Don’t help LastPass blame the users, they totally messed up.

    Everything I mentioned here is information known to LastPass. LastPass knows when the leak happened but won’t tell us. LastPass knows who has an insufficient iteration count but won’t notify them. LastPass knows how long bruteforcing real-world passwords takes, this isn’t our first rodeo. But they still choose to ignore this, assuming truly random passwords and years old hardware.

    I do know that 1Password devised a secure solution in case a vault is breached (see above). I do know that Keepass switched to Argon2 for key derivation five years ago. Both are valid solutions to the problem. Ignoring it like LastPass did isn’t.

  • DanG

    Thanks for this article.. I'm a complete novice - but, learning fast... unfortunately. this information was very helpful (if non-reassuring).

  • Richard Fan

    for those customers who follow our password best practices.

    It's like company selling power cable without jacket. And then put a sentence "Do not touch the cable" in the user manual.

    If an unlucky guy get shocked, they'll just say he is not following our best practices.

  • Steve

    Thank you for your detailed analysis and explanation. Do you perhaps know if our 3rd party 2FA keys are also compromised? Hope I have explained that correctly. They store them in their vault for our “convenience”. I think I will finally leave them, but while I find my next password manager, do we need to redo all our 2FA’s. I.e disable and re-enable? Thanks

    Wladimir Palant

    I assume they are, anything that LastPass refers to as “stored in your vault” is. In https://palant.info/2022/12/24/what-data-does-lastpass-encrypt/ I explain how to see the contents of your vault. Not sure whether you’ll recognize the 2FA keys in there however.

    Yes, you’ll need to disable the existing keys. I hope this works.

  • Shlomo Finkelstein

    I never personally trusted PM companies. As a consequence I am using a hash function on (website + user name + master PW) to generate an unique output. Do you consider this to be a good alternative? From my point of view it has the advantage of not requiring a 3rd party I have to trust.

    Wladimir Palant

    There is an issue here as well if the hash function you use isn’t suitable for passwords. I mean, as long as you are the only one doing this you probably pass thanks to obscurity. But still. I wrote about it here: https://palant.info/2016/04/20/security-considerations-for-password-generators/

  • LC

    Thank you ffor this comprehensive summary. I haven't found anywhere in the LastPass iOS app to check/adjust the iterations setting. I have never accessed LastPass via the website. Considering the LastPass breach and their apparently lax attitude regarding vulnerabilities, would accessing from the website add any risk exposure beyond what may have already occurred?

    Wladimir Palant

    It likely doesn’t matter how you access LastPass. I’ve never looked at the LastPass mobile apps, but they likely work similarly to their browser extension. And the browser extension falls back to the website without you even noticing. It also gives the website your encryption key in the process. So if the website wants to store the keys to your vault, it already can. See https://palant.info/2019/03/18/should-you-be-concerned-about-lastpass-uploading-your-passwords-to-its-server/

  • Brian

    I disagree with OWASP idea of setting iterations to 310,000 iterations. Personally I know the importance of master password, so if a user like me sets his password to 30+ characters (I am fast typer), then 1 iteration of KDF should have no problem for me.

    I am a Keepass user, according to the link I linked, the time per action of your Keepass database should be set to 0.1 seconds or less, so the user feels the computer is responding to his/her request instantly. This way Keepass will feel fluent to use, just like LastPass.

    https://www.nngroup(dot)com/articles/powers-of-10-time-scales-in-ux/

    Wladimir Palant

    Ok, Brian. It seems that you have terribly wrong ideas about the complexity of human-chosen passwords.

  • Matt

    Not terrible, and some fair comments towards the end on user base management, consistency in upgrading users and enforcing good practice.

    My only gripe is the analytical leaps made early on interpreting the PR releases. This is sort of ok, but if you where writing this as an actual intelligence product, you need to clearly identify analyst opinion from facts. You also give a rational and level of confidence to a an assumption or connection made.

    The reason it bothers me so much, is I see people re-post articles like this as facts. And it’s like a cascade, those with less in-depth security knowledge, can’t identify opinions and facts and these semi-truths become the story.

  • Anon

    The worst part is that URLs are unencrypted and the attacker knows the matching of vaults with previously leaked emails. Without this information, this leak would have been many times less useful. Master passwords can be cracked, yes, but it also takes time and resources (GPU, CPU, electricity, time, etc.). If you have hundreds of thousands of encrypted vaults, it is an exercise in futility to try to decrypt all of them in the hope that some of them contain anything interesting. But the attacker has websites, so they can, for example, target only people who have a PayPal account or something similar, or target business accounts. An absolutely incompetent password manager solution.

  • Les

    If I add a Yubikey two factor token to LastPass but don't change old web passwords have I solved anything? Or are non-updated URL login credentials, still at potential risk?

    Wladimir Palant

    No, your current configuration doesn’t matter. What matters is what you had configured back when the vault data leaked. Which is somewhere between August and November this year, LastPass won’t tell exactly.

  • Les

    I was afraid that would be your response! (You have been a great resource! Thank you.)

  • Karl

    Hi. I closed my LastPass account last year and received an email confirming my "data has been purged from our systems" in May 2021. I know you aren't LastPass, so may not know, but should I be doubting that - and therefore suspicious about being included in the breach (though I had a 25+ character password, not using dictionary words, so am 'probably' alright).

    Wladimir Palant

    Yes, it’s unfortunately common for companies to keep data around despite claiming that it was removed. In particular, it’s hard to purge data from backup storage even when it was removed in production. And in this particular case it’s the backup storage that was breached. So you have all the reason to doubt this statement. Good luck!

  • Bryan

    Thanks for the informative article. I followed the instructions in the LastPass email to check the number of iterations, and discovered that mine was also set to 1 (one). This is the first time I was even aware of this setting, which is hidden unless you enable Advanced Settings.

    Additionally, my master password was still 8 characters -- my fault, but never flagged as insecure by LastPass.

    Based on these two weaknesses, I'm assuming all my passwords were compromised by this leak. Time to change passwords and password manager.

    Wladimir Palant

    I just published a follow-up article on this very issue: https://palant.info/2022/12/28/lastpass-breach-the-significance-of-these-password-iterations/

    What LastPass did here is beyond negligent.

  • Annette

    Thank you for breaking this SHIT-SHOW of a notice for me. I received a letter from LastPass a month or two ago and because of HOW it was worded, I didn’t pay much attention to it mainly because it stated, and I am putting it into what MY understand of the letter said, is that I had NOTHING to worry about and the chance that any of my data more than likely was safe. WHAT A LOAD OF WORD SALAD that came from them. They only stayed in the letter that it was a “third party” that was breached but NEVER said which one. Google? Samsung? Apple? Knowing who was breached would be a wonderful thing to know. Now, I am getting notifications CONSTANTLY that my passwords have been found on the DARK WEB ! ! ! And now I am getting unauthorized charges on my debit/credit cards and over the limit free for some and cannot make my payment on other accounts because of the missing money… Sad thing is, I DEFINITELY do NOT make a bunch of money and whoever is doing this crap is purchasing stuff from sites like Wal-Mart that I would normally not pay attention to and are making them for around the same amounts of my usual purchases. Between LastPass data breach this year AND T-Mobile’s last data breach… NONE of my ANYTHING is safe and EVERYTHING a scammer needs to access whatever they need/want because ALL my info including my SSN is now on the Dark Web…

  • Kate Orne

    Thannk you for posting. Currently with Last Pass, do you have another password protection site to recommend? Much appreciated. Thank you!

    Wladimir Palant

    As I’ve said above, I’m not the right person to ask for recommendations.

  • Raiver

    Two things I was unaware of here:

    1. LastPass didn't encrypt URLs.
    2. LastPass backed up our vaults to a 3rd party cloud storage provider (that's what I interpret from the statement)

    The reason I used a PW manager in the first place instead of something like KeepPass stored on DropBox is because I didn't trust even an encrypted vault sitting in a cloud. But LP is doing exactly the same thing, except that now they are a high-priority target! And the fact that the URLS were not encrypted is unforgivable. Maybe they mentioned it somewhere, but I didn't see it. When they keep saying "zero-trust" and my data is fully encrypted, I trusted them. It is not okay that all my URLs are now public for everyone to peruse. It's not just a security issue, it's one of privacy. The fact that all my URLs are stored in plain text completely shattered all the trust I had in them.

  • Guava

    Thank you so much for the article! Not only I reset all my passwords, but I also migrated to another manager. You've shedded some light on the actual impact of the data breach and specially the company's approach/behavior regarding the problem. Cheers!

  • Rob

    Thank you for taking apart this great example of deflection. While you cover mostly what they say, or leave out, I wanted to add emphasis to how they say it. Use of the words "third party... service" tries to trick people into thinking "it wasn't lastpass' fault". Same for "if you[...] do[...] not ... make use of the defaults" -- like it would have been a user's choice when they signed (< or > 2018).

  • Randy

    LastPass did not blame the users, that's your own personal prejudice coming out. LastPass said that if you followed thier advice your in good shape. That means that if you didn't follow their advice you need to act quickly. That is reasonable advice, it isn't saying it's your fault that your password was cracked.

    That said, a user who has been taught good password hygiene and refuse to use it are 100% at fault for making it easier to crack their password, just as LastPass is not at fault for being hacked, they didn't do some things that made it harder to breach their systems. Te criminal is ALWAYS at fault.

    To say that most users can't remember a long complex password is flat out wrong. Bad password advice by trusted "security experts" is a huge part of the problem.

    How hard is it to remember "piglet was one cute little dude"?

    Please encrypt that passphrase with LP's algorithm, assume you know that I use a passphrase, but you do not know the number of words or which words. Now go crack it. I don't want theory, I want outcome.

    It won't fall to a dictionary attack based on found compromised passwords. What about a password/passphrase token attack? How big is your dictionary? Is piglet in it? When you tell me how many words are in your dictionary, are you counting capital letters? do your iterations count all caps? First letter of each word capitalized? Without knowing if the user is using a passphrase are you going to start with a lengthy password token attack or spin your wheels using other methods of password cracking?

    Let's say that you have 3000 words in your dictionary. for a 31 lowercase character password you have 3000^31 possible permutations. Are you going to tell me that it isn't stronger than "xR$8(p#wb0K~"

    I advise people to make up silly sentences that have at least 20-characters.

    As for the different types of encryption, what's the effective security difference between an octillion permutations and a decillion permutations of a given length and character set.

    If one technology only protects my password for a million years, and another for a trillion years, bitching about the use of the lessor technology is snobbery.

    So, what's the difference in maximum time required to crack a "piglet was one cute little dude" password using the different technologies. I say maximum because absolute time depends upon a variety of factors. For example, if an attacker wants to brute force a password sequentially, knowing that most LP passwords are at least 12 their going to start with (95^12) - (95^11) permutations of the character set. That means my 13-character password, aaaaaaaaaaaa will not fall until a very, very long time. See, just one extra character made all the difference in the world. Granted, an un-optimized sequential brute force attack is likely to be the last resort.

    By the time you are using a 20-character or greater password, the use of multi-character set passwords becomes substantially meaningless unless you're a very high-value target.

    Security "experts" that keep espousing icorrect and/or obsolete password advice do play a role in users not using better passwords. Unless allowed password lengths are less than 12-characters, 12, not 8, should be the recommended minimum password length. For a PW manager master password users need to be taught that a minimum of 16 characters should be used and that a 20-character minimum is highly recommended. Of course password hygiene needs to be taught too.

    Users do not need to remember long complex passwords, then need to be taught how to make secure, long, and easy to remember passwords. Even at that, "Piglet was one cute little dude1!" meets 4-character set complexity and is good enough to last through most anything but a phishing attack, keystroke logger, lucky guess, or side-channel attack. But then encryption doesn't make much difference.

    Teaching that most users can't remember a long complex password is incompetent. Teach how to make long memorable passwords with instruction concerning things like always make up your own sentence and mind the character count.

    Yeah, it's the criminal's fault. Yeah, LastPass could have made it harder to get breached. Yes, customers who deliberately ignore best practices are to blame for making it easier to crack their passwords, but poor quality security education has exasperated the problem, and many refuse to learn how to give better advice.

    As for quantum computing, when it is mature enough to matter, will any of the algorithms you mention much matter? There is research underway that is trying to create counter-measures to protect against quantum attacks on cryptographic technologies.

    As a complete aside, you might find this article interesting. Note that I didn't create the title. The title is bullshit. There are no security consequences since, according to an ML expert, algorithm that exploits the concept would take too long to run.

    https://community.spiceworks.com/topic/2173665-password-constraints-and-their-unintended-security-consequences

  • AC3100

    LastPass states that business customers using Federation are better off due to the use of a “hidden master password” which requires 2 separate strings that must be combined in order to decrypt a vault. One string is stored in the company’s identity provider and the other string is stored with LastPass (they claim this component wasn’t compromised). So in addition to compromising an Associate’s master password, an attacker would also need to compromise both of the randomly generated strings stored in those 2 different locations. Should we trust LastPass when they state that these companies are at a significantly lower risk because of this architecture?

    Wladimir Palant

    I have no idea. This isn’t a component of their system that I looked into, I don’t know how it works.

  • JS

    I just updated my master password and the minimum requirements are:

    • 8 characters
    • at least 1 number
    • at least 1 lower case letter
    • at least 1 upper case letter

    Very strange that they claim they require 12-character passwords.

    Wladimir Palant

    As least in the web interface they really enforces 12 character passwords for me. I guess you are using the mobile app?

  • AC3100

    For anyone interested in more info based on my question above regarding the risk to Federated customers, I found some helpful info in this subreddit:

    https://www.reddit.com/r/Lastpass/comments/zvv0tk/lastpass_breach_question_about_azure_federated/

  • WhichWitcher

    Don't even get me started on the fact they only allow MFA on your master password for premium accounts. I think that qualifies as shady AF for a company concerned with users' cyber security. Thank you for the great article!

  • Marcin

    What do you think about opensource BitWarden? It seems to be quite popular and its functionality seems to be similar to LastPass.

    Wladimir Palant

    I don’t know, I never took a proper look at it.

  • Mark

    It's time xkcd put a correction on that passphrase comic. It's utterly destructive when people out of their intellectual depth quote it as gospel. "3000^31" - what a howler, but no doubt Randy would argue with anyone who points out the error.

    Wladimir Palant

    Your comment would come across better if you could explain what’s wrong with this comic. I don’t know what “3000^31” is supposed to mean and where you got it from.

    This comic is actually a pretty good representation of real password complexity, as opposed to supposed complexity based on password length and character set which is still quoted way too often. And it explains nicely why diceware passwords tend to be considerably more secure than anything people can come up with normally.

  • Mark

    Fine. The precise problem with that xkcd comic is that it has promoted the cult of the passphrase amongst people like your previous commenter Randy (who I did name in my original comment) who are out of their depth. They will argue at length that "correct horse battery staple" is a better password than an 8 character random string, despite the fact that it actually contains 8 bits less entropy. Or they'll suggest "piglet was one cute little dude" as a good example of a passphrase despite the fact that is considerably less secure and more predictable than a truly random passphrase. Or they'll mix up dictionaries and character sets and proudly announce they can create 3000^31 31 character passwords. Worse still, Randy and the xkcd 936 cult have infested the Web, bamboozling those without the desire or capacity to learn about password entropy and good security. Their jargon filled rants have the veneer of credibility to the layman, who follow the 936'ers into a security panacea that will crumble into dust as soon as malicious actors notice there is an opportunity to exploit their poor passphrase choices.

    Wladimir Palant

    The point is rather: remembering an 8 character random string is already close to impossible for most people. A comparable diceware password on the other hand is easy to remember. That’s a point this comic illustrates perfectly.

    Of course people still need to understand that passwords have to be random. But that isn’t the comic’s fault.

  • zipityzi

    Could we clarify whether having 2FA on your LastPass account itself protects these hacked vaults any bit?

    No one seems to be mentioning 2FA, so I assume it was somehow rendered useless here? Do other vendors implement 2FA in a different way?

    Wladimir Palant

    I don’t know about other vendors but for LastPass 2FA has nothing to do with encryption. It’s merely an additional step when you log in, so that you can access the vault data. Given that the attackers here got the vault data already, they don’t need to care about 2FA any more.

  • DB

    Is there any reference or mention by LastPass in any of their terms and agreements or documentation as to which fields they do and do not encrypt? Advertising "AES256 Encryption" rather than "AES256 Encryption", " does not include URLs and these other fields..." is misleading at best.

    I am also curious about the impact to clients of LastPass Authenticator which can also be backed up to I assume the same cloud and location as the password vault but haven't seen any mentioned of?

    Wladimir Palant

    I wrote down what LastPass does and doesn’t encrypt, as well as a way for you to see for yourself: https://palant.info/2022/12/24/what-data-does-lastpass-encrypt/

    And I have no idea about LastPass Authenticator whatsoever.

  • Guru

    Can you please write a detailed breakdown of bitwarden as most LP users are migrating there. Would like your assessment especially since it is hosted in Microsoft Azure

    Wladimir Palant

    I cannot. I investigated a bunch of password managers four years ago, Bitwarden wasn’t one of them. And now I’m too busy with other things. Properly analyzing a password manager is lots of effort.

  • Daz

    "They will argue at length that "correct horse battery staple" is a better password than an 8 character random string, despite the fact that it actually contains 8 bits less entropy"

    This seems to assume that there is 11 entropy per word, but this is only true as per the xkcd example, and even if we assume this is using Diceware's website, the wordlist is now 7776 words meaning you have 12.9 entropy per word which is only 1 bit less entropy than a random 8 character password that uses a-z+A-Z+0-9+special chars, and more importantly as has been said, who can remember a totally random password of 8 chars vs a string of words (not to mention that you can use your own words not present in Dicewares dictionary or capitialize letters and end up with loads more entropy than a easy-to-forget random string of characters).

    Sure a random string of letters at say 18+ characters is what I use for each secure site I have saved in my password manager and probably easier-to-type for the low security ones but for the MASTER password on a password manager where you should not write it down anywhere then it's hard to argue that a 8 character totally random password is better than a diceware-esqe password format - for most people. Guaranteed that if you try to get an older person to remember their password thats totally random - first thing that they will do is write it down and leave it lying around. Me personally, I don't use a diceware password as my master password but neither is it totally random to me either. It has over 100 bits of entropy and isn't using plain character substitution either so it would be hard to guess using any sort of dictionary-with-substitution attacks.

  • Sanjay Sahay

    Have been using Lastpass for a while. But this is scary. After reading the analysis, was scanning for alternatives. What do you feel about the approach of PasswordWrench? https://www.passwordwrench.com/

    Wladimir Palant

    No idea, never heard about it before.

  • tkteo

    In your article above, you mention that "Note “stronger-than-typical” here. I seriously wonder what LastPass considers typical, given that 100,000 PBKDF2 iterations are the lowest number I’ve seen in any current password manager. And it’s also the lowest protection level that is still somewhat (barely) acceptable today."

    But LastPass is hardly the only password manager software using PBKDF2 as default and 100K iterations. See for example 1Password's disclosure: "1Password uses PBKDF2 in the process of deriving encryption keys from your account password. Learn more about the key derivation process in the 1Password Security Design White Paper. There are 100,000 iterations, or functions, of PBKDF2 in the current version of 1Password. This means anyone who tries to guess an account password needs to perform the same calculations." https://support.1password.com/pbkdf2/

    I know 1Password has the additional "secret key" security feature, but this may mean that ALL password manager software security models need to be scrutinized more.

    Wladimir Palant

    Yes, I certainly wouldn’t object if LastPass said “typical.” It’s the “stronger” that surprises me here, a lot.

  • Norm

    Does any one have experience with either Apple's password manager for Safari/iCloud or Google's for Chrome? Both offer end-to-end encryption and easily integrate with their respective browser. Are either a good replacement for LastPass?

  • Kris

    Thanks for this great info. Something I haven't been able to find the answer to is this - is the email address of the vault i.e. the Lastpass username unencrypted with/in the vault? Or is it encrypted along with all the other password usernames? So is the only way for an attacker to identify the email address of the vault to unencrypt it? (Or figure it out from IP address and URLs in the vault.) Thank you again.

    Wladimir Palant

    No, the user name isn’t part of the vault but rather stored within the customer database that LastPass confirmed to have leaked as well. Presumably, each user entry in the database is linked to the corresponding vault.

    It isn’t possible to encrypt user’s email address because LastPass needs it to notify users on important occasions (such as losing all their data). Also, it is used as salt when generating the encryption key.

  • Mr. Chiggz

    Thank you for the informative piece. Can you please confirm that I am correct that:

    a) the attacker(s) possess the email address used to login to the vault. b) the attacker(s) possess the URL of all websites for which the username and password are stored. c) the attacker(s) possess the encrypted master password to the vault.

    d) The attackers do not have the username and password of any website but can obtain these if they manage to decrypt the master password.

    If the client chose a easy to brute force password then it's game over for them. If they chose something with far more entropy then they will hopefully be OK.

    Also, as you pointed out, if they known a password is stored for a crypto-currency website for example then they can send phishing emails from that site (since they have the email used to login to the vault).

    Yes?

    Wladimir Palant

    a) Definitely, the LastPass statement already says that. b) Yes. c) No, that’s not quite how it works. They don’t have the master password in any form. They do have lots of encrypted data (usernames, passwords etc.) for the user however. So they can test their master password guesses: the correct master password can decrypt the data. d) Yes, if they manage to guess the master password correctly they will be able to decrypt all that data.

    Yes, people with high-entropy (usually meaning: randomly generated) passwords should be ok. But everyone should indeed expect phishing emails.

  • Jerry Lerman

    Awesome, and relevant information, as usual. Thank you very much!

    I'm moving to 1Password and I'm going to change my passwords. Unfortunately, I have a huge number. I have been with Lastpass since they started. This is going to be a big task, but I will do what I must.

  • Someone

    Thank you for the info,

    After reading this and all the comments, I changed all my passwords in all the important accounts, delete my LASTPASS account and switched to different free PM,

    Thanks,

  • Priko

    hi, thanks a bunch for your article, it's great even though the contents are disturbing to me. Reading it, together with the reactions and other articles on the internet a few questions keep lingering for me:

    how many accounts are breached in total? how can a user find out if his/her accounts are among them? *which editable fields in each users'database are in plain text? (I understand the url's are plain text, which is already insane, but are also the fields in which a user could jot down notes plain text?)

    Lastpass ought to give more information about the breach. More information not limited to but including answers to questions above and questions raised in your article and reactions to it. Gimme a break.

    Regards, Priko

    Wladimir Palant

    Concerning which fields are encrypted, I covered this in another article: https://palant.info/2022/12/24/what-data-does-lastpass-encrypt/. Your notes are encrypted.

  • Priko

    thanks Wladimir, will read

  • Frank

    Asa LP user for over 10 years, this one hurts. I have recommended LP to friends, family and more recently clients and to now have to unravel that is not only an inconvenience but a hit to my reputation as a cyber security SME. I've already changed most of my most sensitive passwords and transitioned to 1Password and will be advising other to do the same, even though LP will probably, hopefully, (maybe?) fix their glaring security issues. I won't stick around to find out.

    Two questions that I have regarding this is: 1: why was there a backup copy of my vault on a third-party storage solution? What purpose does it serve? And 2: If had 2-FA enabled on my account, does that mitigate the potential cracking of vault or is it rendered moot because it's apparently an offline copy? I hope they're able to answer these questions.

    Wladimir Palant

    Concerning 1: Presumably, this backup copy exists in case of data loss in LastPass’ production environment. Supposedly, it was an “encrypted container,” so it shouldn’t matter whether it is stored with a third party. Unless LastPass loses the encryption keys of this container, which they did.

    Concerning 2: Yes, 2FA sadly no longer helps protect that data. The attackers already have a copy, they no longer need to log in.

  • Elliott

    Why the warnings “never write down your passwords?” seems to me the cloud is unsafe, and the safest place to keep a password is in my dresser drawer.

    Wladimir Palant

    The cloud isn’t really the issue here, and writing down your passwords usually isn’t safer than a well-written cloud-based password manager. Sadly, that definition doesn’t quite apply to LastPass.

  • LM

    My account was set to 500 iterations, and I didn't have any idea about this setting until I saw their blog post. I was never notified about this most recent breach, and it was a clear dodge on LastPass' part to drop this 'update' on December 22 - the day before 1/2 the world will be out for Christmas.

    I'm surprised they didn't wait until December 23, but they were off, too, and they didn't want to have to 'work' that day.

    Their silence on this and the way they attempted to minimize it with a news drop says all I need to know about the people running LastPass. Whatever class action lawsuit they catch is well earned. Here's hoping they and LogMein go out of business as a result.

  • Martin

    Came here via digg.com. Thank you so so much for this article which finally nudged me to delete my account. I had been with LastPass for what feels like ages. 10 years maybe? I was aware that there had been at least one security breach in the past but the corporate PR back then made me believe that it had not been that serious. But this now and your commentary is the straw that broke the camel’s back. Invested the last 2 weeks deleting my 150+ LastPass entries and manually assigning new passwords to each one of them. Finally done and realised that I need to this more often.

    Wladimir Palant

    Yes, the 2015 breach has already been massively downplayed by LastPass. Back then they got away with it. Maybe the perpetrators just didn’t know what to do with the data, or maybe they also believed the LastPass narrative of the data being properly protected, or maybe the resulting fallout merely wasn’t attributed to LastPass. Who knows… But there has been significant research after that breach demonstrating that the data is everything but properly protected. That LastPass is still telling people “it’s encrypted, so nothing to worry about” when they should definitely know better – that’s negligence.

  • Castle

    Mine was set to one iteration. So painful.

    Thank you very much for writing this article. You have done a mitzvah.

  • Steve

    Great article - thanks for writing. Many articles on this breach don't really get into any details about the risks and what to do about it and so I appreciate that you took the time to explain the LastPass statement and get into some detail. The typical recommendations seem to be to "change all your passwords" and get a new password manager, but the former can be easier said than done and the latter does not negate the existing risks to comprised data which may include sensitive data in secure notes, and bank and credit card entries. These are things that cannot be easily changed such as bank account and routing numbers, credit card numbers, etc. Also, with nearly 900 passwords stored over 20+ years of using the internet, deleting now defunct Web sites and changing passwords for those still in existence could take about 40 hours or so by my calculations. If LastPass were more responsible, they would provide their customers better guidance and, ideally, some tools to help manage and minimize risks. For example, something as simple as helping to identify and prioritize sites by risk level (e.g. financial at the top, forums at the bottom) and ability to see when passwords were last changed relative to the date of the breach would be extremely helpful to help manage through this. But I have seen neither the guidance nor any tools from LastPass which is why I now agree with many who say it is time to change providers.

    Would appreciate any thoughts you may have on Microsoft Authenticator as a password manager.

  • T Smith

    Thanks for this detailed writeup.

    The question I have is about the encryption of the stolen vaults. I understand from the LP blog entry and your analysis that the storage container encryption keys were leaked, but I thought customer vaults were encrypted using an encryption key generated from (a 1-way salted hash of your master password + account name) x nn PBKDF2-SHA256 rounds.

    If the encryption keys acquired by the actors were storage container keys and not the keys used to encrypt the data, how could simply brute forcing / guessing a master password password be used to decrypt the leaked vaults?

    Maybe another way to ask this: is my limited understanding correct, and did the threat actor also obtain the vault encryption keys? (Please reference if you have one - I'm super curious).

    Many thanks

    Wladimir Palant

    No, so far this looks like vault encryption keys were not stolen. While this isn’t as impossible as LastPass wants us to believe, this would have required access to production systems and not merely the backup. This doesn’t seem to have happened.

    You are correct that the encryption key is derived from the master password and account name. This allows guessing the master password – an encryption key derived from the correct master password will be able to decrypt the data. The number of PBKDF2 iterations is what slows down the guessing process.

    Note that “encrypted vault” is a misleading image used by LastPass PR. In reality your vault data is largely stored unencrypted, it merely has pieces of encrypted data sprinkled in here and there (most notably passwords and notes).

    Storage container encryption is a separate mechanism provided by the cloud storage they used as backup, that one didn’t help here.

  • Matt

    Hello, in the comments above you said:

    "LastPass 2FA has nothing to do with encryption. It’s merely an additional step when you log in, so that you can access the vault data. Given that the attackers here got the vault data already, they don’t need to care about 2FA any more."

    I have a Yubikey on my Lastpass account. Does this mean my vault data is any more protected?

    Thank you!

    Wladimir Palant

    As I said above, I don’t know how they use Yubikey. Presumably, it’s only used as a second factor for authentication and does not contribute to the encryption.

  • ALee

    Thank you so much for this useful article. I checked and my iterations was still at 50,000. I've bumped this up to 310,000. I was considering migrating to 1Password with their use of a secret code (in addition to the masterpassword) to encrypt all our passwords stored on their system. However I notice you had mentioned in one of your replies that: "So far the only solution that I looked into and could actually recommend was 1Password. However, a security researcher I very much respect is highly dissatisfied with their vulnerability handling."

    Is there an article from the security researcher about why he/she is dissatisfied and what concerns they had.

    thanks.

    Wladimir Palant

    No, unfortunately there isn’t. In the end, the fact that I cannot wholeheartedly recommend anything doesn’t mean that there is a danger for you there.

  • Ratko

    I’m LP user for years and I just checked my iteration number and it is 1 (one). Tomorrow morning I’m leaving LP and changing all my passwords.

  • olejonbj

    Thanks for pointing out that one can change the number of iterations. However upon checking today, LastPass had updated mine to 100,100 and IIRC the Account Settings said it was their minimum. However I changed this to 500,500 and (you don't type in the comma) and it said it could take a while but took just a couple of seconds once the progress bar appeared.

    As for IP addresses that's logical. Also, in if you click Advanced on the Account Settings' first tab, you can scroll down and set Only allow logins from these countries. Now that's nice. I just added my own of course, Norway, that was auto-checked, and well should I could end up in Sweden or Denmark temporarily, but the must have one is Spain as that's my second home. I hadn't revised that section "Security" (first tab Advanced mode) in a good while, and more options where there. Very basic geoip.

    Also I in addition to using Google Authenticator mandatory, only letting my phone and workstation remember it for 30 days, plus my completely (yes) random 19 characters password, I'm good I think. Also I enabled LastPass's own Authenticator app. It's pretty sweet to use with LastPass. Of course I could swap Google Authenticator for that, but I'll probably just that one just for LastPass.

    You wrote in another you hadn't tested the Android app (not iOS either?). I find it pretty good, and it doesn't push me to the website. That's only and absolutely only for the Account Settings I can end up there (from extension). It's a good idea to delete all "authorized" sessions and mobile devices, as they can pile up and some names are cryptic, and log in again on whatever device got logged out (all in this case). It got some URL settings there too, which IIRC first time (maaany years ago) I opened an account, was indeed prefilled with some URLs, and IIRC that tab is called "Never URLs".

    The point about URL parameters is good, and I've always said to peopleb "You know what you do when you've forgotten a password right? You tap the «Forgot password" button, get a unique link by email [today they all say the expire within X minutes, also SMS confirmations], and therefore your email is DEFINITELY your weakest link. Someone can access that, and they can reset all your passwords!!». Pretty much anyone, even tech savvy people get a little «oh shit never thought about that! or how drastically important my email account is» Usually, unless they've added SMS confirmation too, or something else (Google uses a range of options and not always can you use this or that backup option if you can't log in to that Gmail you use purely for testing).

    So TLDR: Don't be logged into your email on anything not properly secured. Like it's fine on my workstation, it's always in sight an locked if not, and my phone, which well, is very secured. Otherwise, none. No authorization to macOS for example. Add a Google account there and it wants access. Just see the prompt of permissions, or later in Google My Account > Security which should be revised regularly, in fact if you use Google account creation for some non-important service, some apps only allows Google, Apple, Facebook (!?) etc, but the point is, those normally only ask for your email, and possibly name and whatever you yourself have made public in About Me on My Account.

    DO: Such apps where it offers "Continue with Google" and only asks for e.g. your email, they just read it and create an account on their system, and no longer uses Google for anything, not storing anything in Google One/Drive, it was just to get a username for you, SO, you can REVOKE permissions to such apps. You won't get logged out then, as they only have read permissions. You reinstall the app later and just "log in" (continue) with Google (or Apple etc), and your saved data is there. Like my Football ("Soccer") app, the highest ranked in the world even made here in my city in Norway. Benign data which leagues, teams etc I follow. Same I guess with Feedly which took completely over RSS when Google Reader was shut down (remember that? so many were sad on Reddit), and Feedly only (or did) accepts such logins, via Google, Apple and 1-2 more. Just to create the account and save your feeds and preferences on their own system, so revoked ASAP after "logging in" when app is reinstalled on a new device.

    BTW you're authoring amazing posts. I'm fairly tech savvy, 24/7 Linux user and know we'll web development and encryption, so your super clean and easy to read website here is now in my bookmarks!

  • Jimble

    Wow, awesome write up on the LastPass breach! Very informative!

    I had a question about this part of the article:

    "If you are a LastPass customer, chances are that you are completely unaware of this requirement. That’s because LastPass didn’t ask existing customers to change their master password. I had my test account since 2018, and even today I can log in with my eight-character password without any warnings or prompts to change it."

    This is just incredible. Why can't LastPass just force a password reset of all their customers who have the weak 8-character master passwords?

    Also, are you still able to log in with your 8-digit password?

    This just boggles the mind...thanks again for the article, it was an eye-opener!

    Wladimir Palant

    Well, LastPass could force all users with a weak master password to reset it when they log in. They choose not to however.

    I just tried again and – yes, my eight-character password still works. I can log in, and I’m not forced to choose a new password.

    There is a red dot on “Security Dashboard” now however. When I go there I see a message on the right side:

    Master password alert February 27, 2023

    Master password strength Weak (50%)

    For your protection, change your master password immediately!

    Not ideal of course: it relies on the user noticing the red dot, reading the message and taking action. But that’s at least something.

  • Jimble

    I'm still digging into this article, and have another question:

    So LastPass stores both the passwords and the metadata (URLs, IP addresses, user's name, email addresses, etc.) in the customers vault. However, the passwords inside the vault are encrypted but the metadata is not? So EVERYTHING is in the vault, but not everything is encrypted?

    If that's the case, this means that all the metadata is already visible to the threat actors, even though the passwords are safe (but only if the customer has a strong master password). Do I have this correct?

    Also...isn't it the standard to encrypt everything, including metadata? I don't understand why LastPass puts everything in the vault but does not encrypt the metadata too?

    Wladimir Palant

    Yes, you are correct. And – yes, normally one would encrypt everything.

    The “vault” is merely how LastPass likes to describe it. In reality, this is a binary data blob, nothing inherently “vaulty” about it. Some pieces of the data are encrypted, others are not.