
The LastPass Team states the following in their FAQ:

Do you use a salted hash for logging in?

Yes, we first do a 'salt' of your LastPass password with your username on the client side (on your computer, LastPass never gets your password), then server side we pull a second 256 bit random hex-hash salt from the database, use that to make a salted hash which is compared to what's stored in the database.

Does anyone know if the part "we first do a 'salt' of your LastPass password with your username on the client side" is meant literally?

According to this answer it almost looks like this is the case:

From these details, my best guess is that the LastPass decryption key is calculated by:

DK = PBKDF2(HMAC-SHA256, password, email, <user set>, 256)

Since this appears to be pseudocode, I can only guess that the third argument for PBKDF2 is the salt.

I realize that the right thing to do would be to run the email through PBKDF2 to make it more suitable as a salt. This is of course where the cat chases its own tail, which probably forced them to use the email as salt in the first place.

  • Another thing here is, assuming that the identity thief already knows your email address (sounds quite likely), why would email even be a suitable salt at all? (Also note that if the email is known, running PBKDF2 on it doesn't help.) – NH. Nov 14 '17 at 16:42
  • @NH. Secrecy is a non-goal for salts. Salts need only be globally unique, which an email address should be. Presuming that a salt is unknown to an attacker is not part of the equation when determining the security level of a system. – Xander Feb 15 '18 at 18:52

1 Answer


I would interpret "we first do a salt of your LastPass password with your username on the client side" as: we do a PBKDF2 function on the client side that includes your password and username (email) as salt:

client_encryption_key = PBKDF2(HMAC-SHA256, password, salt_email, 5000, 256) // 5000 rounds, 256 bits
auth_key = sha256(client_encryption_key) // this is what is sent to the server for authentication
server_key = PBKDF2(HMAC-SHA256, auth_key, salt_random, 100000, 256) // this is what is stored in the auth db

Note that the client key is also used to encrypt/decrypt your data.

Also to answer NH's comment about email as salt possibly not being suitable: salts are typically not considered secret. Their purpose is to ensure the resulting key is different for two identical passwords.

HTLee
  • To expand on that a little: the reason for two cycles of PBKDF2 (or whatever password hash they use) is so that the client can generate the cryptographic key used to protect your vault, but the server cannot. The server never even has the ability to decrypt your vault; it never sees either the raw password (the way purely server-side hashing requires) or the crypto key derived on the client side from that password. Salting with the username (on the client side) is simply done to prevent the case where two people with the same password would have the same crypto key on their vault. – CBHacking Feb 15 '18 at 21:00
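The three-step scheme sketched in the answer (client PBKDF2 salted with the email, a SHA-256 of that key sent as the login credential, then a server-side PBKDF2 with a per-user random salt), written out as runnable Python. This is an added illustration, not LastPass code; the function names, the 32-byte server salt and the constant-time comparison are assumptions, while the round counts and key length are the ones the answer gives.

```python
import hashlib
import hmac
import os

# Parameters taken from the answer above
CLIENT_ROUNDS = 5000     # client-side PBKDF2 rounds
SERVER_ROUNDS = 100000   # server-side PBKDF2 rounds
KEY_LEN = 32             # 256 bits

def client_encryption_key(password: str, email: str) -> bytes:
    """Client side: PBKDF2-HMAC-SHA256 over the password, salted with the
    email. This key never leaves the client; it also encrypts the vault."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               email.encode("utf-8"), CLIENT_ROUNDS, KEY_LEN)

def auth_key(client_key: bytes) -> bytes:
    """Client side: one extra one-way step. The server receives only this
    digest, so it learns neither the password nor the vault key."""
    return hashlib.sha256(client_key).digest()

def server_stretch(ak: bytes, server_salt: bytes) -> bytes:
    """Server side: stretch the received auth key with a per-user random salt
    pulled from the database; the result is what gets stored."""
    return hashlib.pbkdf2_hmac("sha256", ak, server_salt, SERVER_ROUNDS, KEY_LEN)

def enroll(password: str, email: str) -> tuple:
    """Simulate account creation. Returns the server's stored record:
    (random salt, stretched auth key). Salt size is an assumption."""
    server_salt = os.urandom(32)
    ak = auth_key(client_encryption_key(password, email))
    return (server_salt, server_stretch(ak, server_salt))

def verify_login(record: tuple, password: str, email: str) -> bool:
    """Simulate a login: client recomputes the auth key from password+email,
    server re-stretches it with the stored salt and compares in constant time."""
    server_salt, stored = record
    ak = auth_key(client_encryption_key(password, email))
    return hmac.compare_digest(server_stretch(ak, server_salt), stored)

if __name__ == "__main__":
    # Constructed sample credentials, not real accounts
    rec = enroll("correct horse battery staple", "alice@example.com")
    print("login ok:", verify_login(rec, "correct horse battery staple", "alice@example.com"))
    print("wrong password rejected:", not verify_login(rec, "wrong", "alice@example.com"))
```

Two users with the same password but different emails get different client keys, which is the only property the email-as-salt choice is there to provide; nothing in the stored record lets the server recover the client key.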