I’ve written a lot about password management during the past few years. Indeed, when people ask me what kind of security software they should use, my answer always starts with: “Find a good password manager and use it.”
When I have those discussions IRL, I consistently hear the same questions and objections, most of which are perfectly sensible and need to be answered. This comment, posted in response to my recent post about online security, is a great example:
Speaking of password managers, I’d be a bit leery since LastPass was hacked and users’ encrypted password files were leaked. Black hats have been trying to crack their master passwords and apparently succeeded in some cases, even stealing the contents of people’s crypto wallets.
The natural question is, are password managers still such a great idea when this kind of thing can happen? The affected users had to spend countless hours changing their dozens or hundreds of passwords everywhere. That’d be way too much of a chore and headache.
Aside from third-party products like LastPass, can we rely on the built-in password managers in Firefox, Chrome and Edge? I suppose these have big companies behind them doing their best to keep away a massively compromising and embarrassing situation, but then I’m sure LastPass did the same.
That’s an admirably concise summary of the issues with password managers that I think most people are concerned about. It also raises a whole bunch of questions about what LastPass did, exactly. So, let’s start with a quick summary of what the LastPass security mess was — and why it was uniquely awful for its customers.
Among online services that help you organize your passwords, LastPass was an early leader and is still a significant player. The LastPass brand was valuable enough that LogMeIn acquired the company eight years ago for $110 million. A few years later, LastPass was spun off into its own company, but was still controlled by the private equity firms that own LogMeIn. In its account of the sale, PCMag noted that those companies “specialize in trying to maximize the value of an asset for later sale.”
That is not the sort of reassuring description you want to see for a security firm. The result, as I wrote near the end of 2022, was predictable:
LastPass got gobbled up by LogMeIn back in 2015. And then in 2021, LogMeIn announced it was planning to spin LastPass off as a separate company. Astute observers of the software industry know that this playbook rarely works out well. At the very best, your employees are distracted by the whole M&A song and dance. At worst … well, here we are.
LastPass has been the victim of multiple successful hacks since at least 2011. But the two intrusions in 2022 were especially bad. The official notification from a December 2022 LastPass blog post was blandly titled “Notice of Recent Security Incident”, but the content of that post was a nightmare scenario for customers paying for an online service that promises to keep their secrets safe from outside attackers.
We recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.
This attack followed a separate successful intrusion of LastPass networks in August 2022. Information obtained in that first incident was used to target a LastPass employee, from whom the attackers obtained the credentials and keys that let them access and decrypt files in the cloud storage service, Amazon’s AWS S3.
It gets worse.
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
If you’re interested in the technical details of what data was stolen, read this thorough summary from Lawrence Abrams at Bleeping Computer.
The bad news is that a lot of customer data was stolen. The good news is that the password vaults were encrypted using 256-bit AES technology with a unique encryption key derived from the user’s password, which was never shared with LastPass, meaning it would take an extraordinary amount of time and computing resources to crack them.
(Side note: The word you never want to read after a paragraph like that is however. Alas…)
However, LastPass did not apply the same strong encryption to other customer data, including website URLs and “certain use cases involving email addresses”. That information turned out to be incredibly valuable as a way for the attackers to sort out which password vaults would be most valuable. According to security expert Brian Krebs, that targeting might explain a wave of attacks against cryptocurrency wallets that started shortly after the LastPass hack:
[T]he best practice for many cybersecurity enthusiasts has long been to store their seed phrases either in some type of encrypted container — such as a password manager — or else inside an offline, special-purpose hardware encryption device, such as a Trezor or Ledger wallet.
“The seed phrase is literally the money,” said Nick Bax, director of analytics at Unciphered, a cryptocurrency wallet recovery company. “If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts. And you can transfer my funds.”
[…]
[Security researchers have] identified a unique signature that links the theft of more than $35 million in crypto from more than 150 confirmed victims, with roughly two to five high-dollar heists happening each month since December 2022. … [T]he only obvious commonality between the victims who agreed to be interviewed was that they had stored the seed phrases for their cryptocurrency wallets in LastPass.”
Every indication is that LastPass has been running an incredibly sloppy operation for years. The employee who was targeted was one of only four DevOps engineers with access to the AWS decryption keys. You would think that anyone accessing the most sensitive customer data would have been using a dedicated PC running over a secure network, but that didn’t happen here.
The engineer had been accessing those data stores from a personal computer that was also running a third-party media server, which had itself been compromised, almost certainly by the same attackers. They in turn used that foothold to capture the employee’s master password for his LastPass accounts and steal encrypted notes containing access and decryption keys for LastPass customer data.
LastPass had previously increased the required length of its customers’ master passwords from 8 to 12 characters, and had also increased the number of key-derivation iterations used to turn those new, stronger passwords into vault encryption keys. Unfortunately, the company hadn’t required existing users to change their passwords, which meant any long-time customer still using an older password was protected by the older, weaker settings and was dramatically more vulnerable to brute-force attacks.
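To make the two levers in that paragraph concrete, here is an added example (not LastPass’s code; the policy values, the attacker throughput and the account records are assumptions constructed for illustration). It derives a vault key with PBKDF2-HMAC-SHA256, estimates how the password length and the iteration count together change an offline attacker’s expected work, and shows the kind of audit a service could run to find accounts still sitting on the old settings and force them to re-key.

```python
import hashlib
from dataclasses import dataclass

# Illustrative policy values (assumptions for this example, not LastPass's actual settings).
LEGACY_MIN_LENGTH = 8
CURRENT_MIN_LENGTH = 12
LEGACY_ITERATIONS = 5_000
CURRENT_ITERATIONS = 600_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the master password with PBKDF2-HMAC-SHA256.

    Only the salt and the iteration count are stored next to the vault; the key
    itself is recomputed on the client and never sent to the service.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def expected_guesses(length: int, alphabet_size: int = 62) -> int:
    """Average number of guesses to hit a random password of this length
    (half the space; 62 = upper + lower + digits by default)."""
    return alphabet_size ** length // 2


def years_to_crack(length: int, iterations: int,
                   hashes_per_second: float, alphabet_size: int = 62) -> float:
    """Expected years for an offline attacker with the given raw SHA-256 throughput.

    Each candidate password costs `iterations` HMAC-SHA256 computations, so the
    iteration count divides the attacker's effective guess rate.
    """
    guesses_per_second = hashes_per_second / iterations
    return expected_guesses(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


@dataclass
class AccountKdfRecord:
    """KDF settings a service can know without knowing the password itself.
    (Assumed: the client reports the password length when the password is set.)"""
    user: str
    password_length: int
    iterations: int


def needs_rehash(rec: AccountKdfRecord,
                 min_length: int = CURRENT_MIN_LENGTH,
                 min_iterations: int = CURRENT_ITERATIONS) -> bool:
    """True if the account is still protected by settings below the current policy."""
    return rec.password_length < min_length or rec.iterations < min_iterations


def audit(records, min_length: int = CURRENT_MIN_LENGTH,
          min_iterations: int = CURRENT_ITERATIONS) -> list:
    """Accounts that should be forced to rotate their master password and
    re-encrypt their vault under the current settings."""
    return [r.user for r in records if needs_rehash(r, min_length, min_iterations)]


# Constructed sample data: one account created before the policy change, one after.
SAMPLE_RECORDS = [
    AccountKdfRecord("legacy-user", password_length=8, iterations=LEGACY_ITERATIONS),
    AccountKdfRecord("new-user", password_length=14, iterations=CURRENT_ITERATIONS),
]

if __name__ == "__main__":
    attacker_rate = 1e10  # assumed raw SHA-256 throughput of a GPU rig, per second
    print("legacy 8-char, 5k iterations:",
          f"{years_to_crack(LEGACY_MIN_LENGTH, LEGACY_ITERATIONS, attacker_rate):.2f} years")
    print("current 12-char, 600k iterations:",
          f"{years_to_crack(CURRENT_MIN_LENGTH, CURRENT_ITERATIONS, attacker_rate):.2e} years")
    print("accounts needing rehash:", audit(SAMPLE_RECORDS))
```

The two settings multiply: four extra characters enlarge the search space by roughly 62^4, and a higher iteration count makes every guess proportionally slower, so an account left on the old length and the old count is weaker on both axes at once. That is why the audit function, not the policy change alone, is what actually closes the gap for existing users.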
As part of its incident follow-up, LastPass announced an extensive list of changes in its security policies, but the damage was already done.
These were not the first attacks on LastPass. In 2017, outside researchers disclosed an embarrassingly sloppy flaw in the way the company managed 2FA credentials. That flaw came on the heels of multiple earlier remote-code exploits in the previous year that led Tavis Ormandy of Google’s Project Zero to ask, incredulously, “Are people really using this lastpass thing?”
No other well-known password manager (and there are many) has a record like this.
Yes, in theory.
But a dedicated password manager is still the only practical way for human beings with ordinary human memories to create and recall strong, unique, random passwords for every secure service they use.
To use a pointed analogy: if you had $10,000 in cash, would you rather store each hundred-dollar bill in a cheap piggy bank with a toy lock, or would you prefer to stick that wad of cash in the bank, where it’s in a massive vault with state-of-the-art locks and armed security guards?
What LastPass did was akin to leaving the keys to the vault on the counter while forgetting to lock the front door.
Anyway… If you’re going to put your passwords in an encrypted vault, the challenge is to protect that vault.
And here’s the most important thing: strong encryption really works! Every modern password management service, including LastPass, uses a Zero Knowledge model, which means the encryption key is derived from your master password on your own device; the service never receives either that key or the master password you use to access your account.
The attackers who broke into the LastPass network had stolen backups of a (presumably large) number of password vaults and could therefore run sustained, offline brute-force attacks against the encrypted data, with no rate limits or lockouts to slow them down. Despite that advantage, the attackers have apparently only been able to break into a few vaults per month, and then only by targeting those they were certain contained cryptocurrency wallet seed phrases. It probably required a staggering amount of computing resources to do so.
It took a combination of a very determined attacker and a very sloppy operation at LastPass to allow those encrypted password vault files to be stolen. I’m not aware of any other password service that has lost that kind of customer data. If it had happened, it would have been front-page news.
If you’re really worried about the possibility that someone will steal your encrypted password data, you can choose a password manager like KeePass, which allows you to store the encrypted vault in a separate location where you’re more confident of its security. But a well-run password management service (not LastPass) should be able to handle this task as part of its day-to-day operations.
When you access 1Password from a device that you haven’t previously used, for example, you have to enter your master password and also enter your secret key, which consists of 34 letters and numbers that you — and only you — know. The key is generated when you set up your account for the first time, and you’re encouraged to print it out or save it to a secure location, so you can access it when you set up a new device. It’s never shared with the 1Password cloud. An attacker who stole your master password would not be able to access your encrypted vault because they wouldn’t be able to provide that key.
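The following added example sketches the two-secret idea described above in a simplified, generic form. It is not 1Password’s code, and its alphabet, key length, iteration count and mixing construction are assumptions chosen for illustration; 1Password’s real implementation differs in its details. The point it demonstrates is that a stolen vault plus a correctly guessed master password is still not enough: the secret key contributes roughly 170 bits of key material that exists only on the user’s devices and printout.

```python
import hashlib
import hmac
import secrets

# Illustrative assumptions: 34 symbols drawn from a 32-letter alphabet (no I, O, 0, 1),
# about 170 bits of entropy. This is not 1Password's actual secret key format.
SECRET_KEY_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
SECRET_KEY_LENGTH = 34
PBKDF2_ITERATIONS = 100_000  # assumed client-side iteration count


def generate_secret_key() -> str:
    """Generate the high-entropy secret key once, on the client, at account creation."""
    return "".join(secrets.choice(SECRET_KEY_ALPHABET) for _ in range(SECRET_KEY_LENGTH))


def derive_account_key(master_password: str, secret_key: str, account_salt: bytes) -> bytes:
    """Combine both secrets into the 256-bit key that protects the vault.

    The password part is stretched with PBKDF2 so guessing stays expensive; the
    secret key part is mixed in with HMAC and XORed into the result, so an attacker
    who learns the master password still lacks the secret key's bits entirely.
    """
    password_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                        account_salt, PBKDF2_ITERATIONS, dklen=32)
    secret_part = hmac.new(secret_key.encode("utf-8"), account_salt, hashlib.sha256).digest()
    return bytes(p ^ s for p, s in zip(password_part, secret_part))


def key_verifier(account_key: bytes) -> bytes:
    """A one-way value a service could store to check a client-supplied key without
    ever holding the key itself; on its own it reveals nothing usable."""
    return hmac.new(account_key, b"vault-key-verifier", hashlib.sha256).digest()


def unlock(master_password: str, secret_key: str, account_salt: bytes,
           stored_verifier: bytes) -> bool:
    """Client-side unlock check: both secrets must be right to reproduce the verifier."""
    candidate = derive_account_key(master_password, secret_key, account_salt)
    return hmac.compare_digest(key_verifier(candidate), stored_verifier)


# Constructed demo values (not real credentials).
DEMO_SALT = b"constructed-per-account-salt"
DEMO_SECRET = "A3KQ7ZPM2B9TXV4NHRLS6YDWE8GCJU5F7K"
DEMO_PASSWORD = "correct horse battery staple"

if __name__ == "__main__":
    key = derive_account_key(DEMO_PASSWORD, DEMO_SECRET, DEMO_SALT)
    verifier = key_verifier(key)
    print("unlock with both secrets:", unlock(DEMO_PASSWORD, DEMO_SECRET, DEMO_SALT, verifier))
    print("unlock with password only:", unlock(DEMO_PASSWORD, "", DEMO_SALT, verifier))
```

Because the secret key never reaches the service, a breach of the service’s storage (the LastPass scenario) leaves an attacker with nothing to brute-force but the password, and no way to turn a correct password guess into the vault key. The cost of that design is on the user: losing the printed key means losing access, which is why the setup flow insists on saving it somewhere safe.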
In addition, most password managers allow you to set up two-factor authentication, which requires that you use a trusted device to approve any new sign-in before allowing access to your account and the vault data. Here, too, an attacker who has your master password won’t be able to use it without getting your permission — and alerting you in the process.
For as long as I can remember, every browser maker has offered a set of password-filling features. Years ago, these features were rudimentary, and it made sense to choose a third-party option.
In recent years, though, all of the major developers responsible for modern browsers (Apple, Google, Microsoft, and Mozilla) have made tremendous progress with their authentication solutions, making them equal to the core feature set of a good third-party password manager. And because they’re all free and use well-managed cloud storage, they’re perfectly acceptable options.
Earlier this year, I wrote a lengthy article titled “How to choose (and use) a password manager”. Scroll down to the “Are built-in password managers good enough?” heading for capsule reviews of what you get from Apple, Google, and Microsoft.
From a usability standpoint, you’re probably better off with a third-party service (check out ZDNET’s recommended password manager list here) as long as it’s not run by you-know-who.