18

I use Lastpass. Today I got an email from them telling me that their servers were hacked, and a database with email addresses and recovery hints was probably copied.

Dear LastPass User,

We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.

We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.

We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.

How safe is the recovery method?

Just now I logged out of my Lastpass account, and did a recovery. It turns out that Lastpass stores a one-time password on my machine (and on each machine that I used to log in to Lastpass), activated by a recovery link sent to the mail address used for the Lastpass account. Just clicking the link is enough to unlock the local database. The link has a long identifier. I guess this id is required to unlock the local one-time password - if not, the password could simply be copied and abused.

  • Question: How safe is this method, with those one-time passwords on all machines where I logged in?

Abuse of stolen email addresses

The stolen email addresses - what risk do they pose?

Of course it's not good that yet another time thousands or millions of valid mail addresses are stolen and can be abused for spam. Furthermore, as these are all Lastpass users, they can be mailed about Lastpass, and tricked into entering their master password.

When I log in to Lastpass, it downloads the user database, and unlocks it. If this happens in that order, I can download all databases for all users without having their passwords. I could then try to unlock the databases using a list of standard passwords like "password" and "1234567890", the usual bad passwords. That will open quite a lot, and it won't notify Lastpass as they don't see the many tries.

If the database is not downloaded before the password is validated, that means that the database is unlocked remotely, which is not what they tell us. Right?

  • Question: Is this a possible scenario or is this method protected in some way?

The connection between the browser addon and Lastpass is of course encrypted, and I don't know if they somehow protect a newly downloaded database to prevent something like this, but won't some really smart people be able to get around that encryption?

Advice to update master password

As they write in the mail, Lastpass monitors whenever someone logs in from an unknown location, and sends a mail to verify that this is legit. This is of course good practice. Then they write that they will prompt users to update their master password. Why? I don't understand. How will this prevent the criminals from unlocking accounts more than currently is the case? Lastpass says no passwords are downloaded, which should be impossible anyways because they don't store them.

  • Question: So why do we need to change the master password and how is that going to make it more difficult for the criminals?

Hack impact

This "hack" can be done without having all those addresses. Just log in using a random email address and follow the same scenario. The difference is efficiency.

  • Question: If Lastpass is sure they properly protect my data, and I use a strong password, then nothing has changed except that some criminal organisation got my email address, if they didn't already?

Other risks?

Am I missing something? What other risks are there?

SPRBRN
  • maybe i'm mistaken, but this looks more like it should be posted as a community wiki. maybe it would be better to just ask "what are the potential security implications of the lastpass hack?" and answer your own question with this excellent overview. – Woodrow Barlow Jun 16 '15 at 13:09
  • as a fellow lastpass user, i really appreciate this post, though. – Woodrow Barlow Jun 16 '15 at 13:10
  • Thanks for the reply! :-) When I ask a question here, I try to write out as much of the answer as possible, all that I know and all that I tried. I do this to avoid that others give answers that I already know and that won't help me any further. It's a waste of effort and time on their part, and a waste of time on my part as well as they will probably first give the easy answers, things that I tried already. My overview here has several real questions in it, and I will appreciate all input. – SPRBRN Jun 16 '15 at 13:42

1 Answer

12

Ars has a decent article on the problem: http://arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/

One particular Ars user also posted an enlightening breakdown:

epixoip wrote:

vcsjones wrote: I feel like LastPass needs to really lay out their security. They tout PBKDF2-SHA256 with 100k rounds. Sure, that is pretty good. But they also mention doing 5k rounds on the client side. What is the relationship between the client side PBKDF2 and server side? What about the salt that goes in there?

    rounds = user_rounds || 5000 // the iteration count is user-defined. default is 5k
    encryption_key = PBKDF2(HMAC-SHA256, password, salt, rounds) // this is what unlocks your vault
    auth_key = sha256(encryption_key) // this is what is sent to the server for authentication
    server_hash = PBKDF2(HMAC-SHA256, auth_key, salt, 100000) // this is what is stored in the auth db

So the full algorithm for the password stored in the database, which is what the attackers obtained, is:

    PBKDF2(HMAC-SHA256, sha256(PBKDF2(HMAC-SHA256, password, salt, rounds)), salt, 100000)

Ain't nobody got time for that.

In short, you need not bother changing your master password.

HTLee
  • Do we know if the client-side hashing salt is the same as the server-side hashing salt? – Iszi Jun 16 '15 at 19:32
  • Client side salt is different from server side salt: https://lastpass.com/support.php?cmd=showfaq&id=1116 – HTLee Jun 17 '15 at 17:52
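
The derivation chain from the quoted breakdown, written out as an added Python example (not code from the original post, from Ars, or from LastPass). It assumes separate client and server salts, as the last comment states; the function names, salts and passwords are constructed for illustration.

```python
import hashlib
import hmac
import time

DEFAULT_CLIENT_ROUNDS = 5_000   # client-side default from the quoted breakdown
SERVER_ROUNDS = 100_000         # server-side count from the quoted breakdown


def client_derive(password, client_salt, rounds=DEFAULT_CLIENT_ROUNDS):
    """Client side: return (encryption_key, auth_key)."""
    # encryption_key unlocks the vault and never leaves the client.
    encryption_key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), client_salt, rounds)
    # auth_key is the only value sent to the server.
    auth_key = hashlib.sha256(encryption_key).digest()
    return encryption_key, auth_key


def server_hash(auth_key, server_salt):
    """Server side: the value stored in the authentication database."""
    return hashlib.pbkdf2_hmac("sha256", auth_key, server_salt, SERVER_ROUNDS)


def server_verify(auth_key, server_salt, stored):
    """Constant-time comparison of a presented auth_key with the stored hash."""
    return hmac.compare_digest(server_hash(auth_key, server_salt), stored)


def iterations_per_check(rounds=DEFAULT_CLIENT_ROUNDS):
    """PBKDF2 iterations needed to test one password against a stored hash."""
    return rounds + SERVER_ROUNDS


def seconds_per_check(client_salt, server_salt, rounds=DEFAULT_CLIENT_ROUNDS):
    """Measure the full chain once on this machine (single CPU thread)."""
    start = time.perf_counter()
    _, auth_key = client_derive("timing-sample", client_salt, rounds)
    server_hash(auth_key, server_salt)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample values, not real account data.
    c_salt, s_salt = b"user@example.com", bytes.fromhex("00112233445566778899aabbccddeeff")
    enc_key, auth = client_derive("correct horse battery staple", c_salt)
    stored = server_hash(auth, s_salt)
    print("login ok:", server_verify(auth, s_salt, stored))
    print("iterations per check:", iterations_per_check())
    print("seconds per check: %.3f" % seconds_per_check(c_salt, s_salt))
```

The iteration counts set the cost of each check; they do not make a password from a common-password list any harder to find.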