LastPass Breach

Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. Turns out the full story is worse:

While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

[…]

To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

That’s bad. It’s not an epic disaster, though.

These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.

So, according to the company, if you chose a strong master password—here’s my advice on how to do it—your passwords are safe. That is, you are secure as long as your password is resilient to a brute-force attack. (That they lost customer data is another story….)

Fair enough, as far as it goes. My guess is that many LastPass users do not have strong master passwords, even though the compromise of your encrypted password file should be part of your threat model. But, even so, note this unverified tweet:

I think the situation at @LastPass may be worse than they are letting on. On Sunday the 18th, four of my wallets were compromised. The losses are not significant. Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.

If that’s true, it means that LastPass has some backdoor—possibly unintentional—into the password databases that the hackers are accessing. (Or that @Cryptopathic’s “16 character password using all character types” is something like “P@ssw0rdP@ssw0rd.”)

My guess is that we’ll learn more during the coming days. But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.

If you’re changing password managers, look at my own Password Safe. Its main downside is that you can’t synch between devices, but that’s because I don’t use the cloud for anything.

News articles. Slashdot thread.

EDITED TO ADD: People choose lousy master passwords.

Posted on December 26, 2022 at 7:06 AM • 50 Comments

Comments

iAPX December 26, 2022 7:57 AM

that’s because I don’t use the cloud for anything.

Et voilà!
Limiting attack surface by not pushing critical information (passwords, tokens, etc.) to the cloud, this is exactly what I do with my password manager.

But for many, convenience trumps security…

Doug December 26, 2022 8:09 AM

For those of us who do use cloud based systems, is there any way to mass import logins into password safe from other systems? The idea of manually moving hundreds of logins is daunting.

Robin December 26, 2022 8:48 AM

@iAPX and all: “Limiting attack surface by not pushing critical information (passwords, tokens, etc.) to the cloud, this is exactly what I do with my password manager.”
Yes, I try to, but it is not always easy, and in fact passwords are, almost by definition, things that get sent over the internet to “somebody else’s computer”. Secure in theory …

But as a matter of interest, if my PasswordSafe database file were to fall into the wrong hands, in reality how safe is it? My password is 15 characters all char types and no silliness like “pAssw0rd”.

Michael December 26, 2022 9:26 AM

The most damning revelation of this latest LastPass hack is that not everything in your “LastPass vault” is encrypted, including websites, URLs, and all timestamps. While usernames, passwords, and “secure notes” are encrypted, a lot can be inferred from the unencrypted info. First of all, the hackers now have a full list of websites that you have accounts for. Second, the hackers will likely be able to gain access to a small number of websites which put sensitive info in the URL. Third, it’s opening the door for phishing attacks.

The tweet saying “four of my wallets were compromised” is too likely to just be a coincidence. There’s no evidence that these accounts were compromised through his LastPass vault, as the hackers could have gained access in many other ways (despite his reassurance), and the timing of the hacks could be pure coincidence.

My password is 15 characters all char types and no silliness like “pAssw0rd”.

That’s a very secure password. Nobody is ever going to brute force your password. If your LastPass vault is somehow cracked, it will be by other means.

Vesselin Bontchev December 26, 2022 10:10 AM

Even if you’ve used a strong password for LastPass and the attacker can’t crack it, be advised that the metadata (which sites the passwords are for) is not encrypted. This means that the attacker knows who you are and passwords for which sites you have there, so he could set up phishing sites for them.

True, a browser-integrated password manager protects from phishing, but be on the lookout for this kind of attack anyway.

Clark Gaylord December 26, 2022 10:17 AM

Cryptopathic’s statement does not use the word “random”, so I will bet any number of beers that it is something more akin to P@ssw0rdP@ssw0rd than, say, nkpnphtpmnqhsbqz. If you bother to say you are using “complexity” as a guide to password strength, then you don’t know what a secure password is. Now that fact is the fault of the sad state of professional training.

Twenty years ago, when we started telling people “don’t use ‘password’ as your password”, we said something stupid like “ya know, add some numerals or special characters”. That was the wrong advice then, and it is the wrong advice today. (Note: in those days, passwords could not be longer than 8 characters.) For all intents and purposes only length and randomness matter, not so much size of character set. If you double the size of the character set and your method is random, then you’ve added one bit of entropy per character. You might be saying “that’s a good thing” but it isn’t because humans are involved and they are far less likely to use randomness if you require them to use complexity.

Winter December 26, 2022 10:24 AM

@Robin

My password is 15 characters all char types and no silliness like “pAssw0rd”.

With 94 printable ASCII characters, a random string of 15 printable characters corresponds to a password strength of 98 bits. That should suffice for current brute force attacks.

But if the string is not entirely random, eg, it uses real words with “1337 5p33ch”, then the strength could be much, much weaker. Eg, a 4 word string could have a strength of ~48 bits, crackable in minutes.

Winter December 26, 2022 10:27 AM

@Doug

For those of us who do use cloud based systems, is there any way to mass import logins into password safe from other systems?

Bitwarden allows export and import of login data in common formats (csv, json). Iirc, LastPass does too.

Clive Robinson December 26, 2022 10:42 AM

@ Robin, ALL,

Re : Password security

“But as a matter of interest, if my PasswordSafe database file were to fall into the wrong hands, in reality how safe is it?”

In theory,

“As strong as the weakest link”

But that leaves the question,

“What links and how strong?”

Well the fact any system you use will be “On-Line” means very weak indeed as a distinct possibility.

Well the file itself is almost certainly not as strong as it could be as I’ve mentioned above. There is a probability the designers of the system you use like so many developers went for “convenience with ignorance” in their design and build.

Thus there are likely to be a lot more attacks open against it than just master “password guessing”. The file design might be such that just XORing two parts of the file, or an old file and new file will give up easily recoverable service passwords.

Then there is the question of the overall system security, not just of the application, but the OS, its drivers and the hardware. After all why bother attacking the crypto when I can just use a bit of malware to install a “key-logger” on your system?

But a lesson from crypto history, prior to and during WWII messages were frequently broken without needing the key using known plaintext etc. However recovering the key was considered important, because the key had to be remembered or created. SOE for instance used the truly appalling “poem codes”. Without going into details each message key was in effect a word from the poem. Intercept and get more than one word the chances are you will be able to better guess other words. Eventually you have sufficient to work out the whole poem, even the bits not yet used…

It may be the case that information obtained from the file helps find not just the master password but other service passwords.

That is you say,

‘My password is 15 characters all char types and no silliness like “pAssw0rd”’

This might or might not be true. But if it is 15chars then it’s not likely that they are random unless you’ve written them down or similar.

Because the simple fact is most these days can not remember their own phone number let alone someone else’s. Worse a sizable part of the population have trouble remembering the four digit PIN of their bank or credit card.

So from an attacker’s perspective they will on average start breaking files rather rapidly unless the developers actually had a way better than average understanding of how to design the system such that password guessing is impractical.

So one way to attack that is possible. I have your file obtained from the password service, and your browsing habits from meta-data, so I know what fields in the file records are likely to be. Also I could have got into one or two of the services you use and because of their poor security already have some of your passwords that are stored in the file.

This makes a “known plaintext” attack easier for me to carry out. But also it allows me to analyse your chosen password form for “habits” that help me guess other of your passwords…

The point is it’s the security of the overall system that should concern you, not that of the master password unless you know it’s the weakest link.

TimH December 26, 2022 11:00 AM

Michael: “First of all, the hackers now have a full list of websites that you have accounts for.”

This means that attackers know exactly who to target, because they’ll pick account types that are easy to reset by TFA intercept or social eng. or other weakness.

This is much more of a disaster than general reporting suggests.

Frederik H. December 26, 2022 11:22 AM

Is the key derivation (key stretching) function in Password Safe sufficiently strong (and slow) against brute force attempts?

Not sure what algorithm is used for it. Seems similar to PBKDF2?

Winter December 26, 2022 11:51 AM

@TimH

Michael: “First of all, the hackers now have a full list of websites that you have accounts for.”

This means that attackers know exactly who to target, because they’ll pick account types that are easy to reset by TFA intercept or social eng. or other weakness.

Actually, they already have your PII. Your LastPass account info was in cleartext:

basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

They know the websites you have accounts for etc.

What they do not have is your master password. The information leaked does not allow them to get that information. And if they want to get the individual site passwords, they will have to get that the classical way. Like when they wanted to target you without the LastPass leak.

As such, not that much changed. Unless you are worried they find out you had accounts in certain sites (but who cares?)

Ulrich Boche December 26, 2022 12:32 PM

There are in fact apps to share a PasswordSafe database with iOS/iPadOS and Android. The downside is of course that you need some cloud service to share the database. Or copy the PasswordSafe database to the mobile device manually after each update on the PC. A lot safer of course, but a PITA.

My PasswordSafe database with 730 entries (first created when the program was still maintained by Bruce) is on my Dropbox. A compromise of course, but you have to make it workable in some way (I use an iPad and an Android smartphone) and my passphrase is long.

Modem phonemes December 26, 2022 12:48 PM

There are other things to consider such as the security of the password database storage format. See papers by Paolo Gasti for some interesting reading.

With apologies to Wham! –

LastPass, I gave you my keys
But the very next day you gave them away

This time to save me from tears
I’ll keep them on an energy-gapped desktop

Finally,

Security level 1 – the data is secure even if the encryption algorithm is known (not too hard)

Security level 2 – the data is secure even if the encryption password is known (unsolved, apparently quite hard)

tfb December 26, 2022 12:55 PM

I think the question of why everything in the credentials store was not encrypted is interesting. What possible advantage is there of not just encrypting the whole thing under your master password.

Perhaps there is some other reason I have not thought of, but I can think of two

  • the people who implemented it were not thinking hard enough
  • or having things like the URLs associated with passwords be available was somehow interesting to them.

… because of course they were not in the business of scraping that interesting information and selling it. I mean, of course not: they must have just not been thinking. I’m not sure which is worse.

John Thurston December 26, 2022 1:31 PM

“I think the question of why everything in the credentials store was not encrypted is interesting. What possible advantage is there of not just encrypting the whole thing under your master password.”

Because this is how Lastpass is able to offer to supply uid:pwd values when you have not unlocked your vault. If this information was kept encrypted, then the browser extensions would not know when to prompt you to unlock to supply the creds.

I’ve never liked this ‘feature’, but there’s nothing I can do about it.

Winter December 26, 2022 1:33 PM

@tfb

What possible advantage is there of not just encrypting the whole thing under your master password.

Account information must be available to LastPass. Your IP address is relevant in certain security/criminal contexts.

For the rest, there is the common tradeoff between security and convenience/efficiency.

I can understand that including all metadata in the secure enclave could complicate the code, which would reduce security. But until LastPass tells us why, we do not know.

Clive Robinson December 26, 2022 3:21 PM

@ Modem phonemes, ALL,

Re : ML password guessing

“See papers by Paolo Gasti for some interesting reading.”

Not sure which papers you refer to but Prof Paolo Gasti[1] of NYIT has a few papers in various ICTsec areas.

But the one that I found quite interesting was from a half decade back and involved the use of Machine Learning to Password Guessing.

I kind of mentioned such things above but did not want to get into details as ML is a bit of a “hot button” issue in ICTsec and people’s wings are flapping about the sky is about to fall in because of it.

It’s not going to fall in, but yes it does effectively say that as far as password algorithm/rule finding is concerned “ML is better than humans”, and that was half a decade ago and ML has moved on apace since then.

Realistically the only passwords you should use are “long and strong” both now well beyond the capabilities of average human minds.

Which means we are back to the modern equivalent of,

“Write them down and put them in your wallet.”

Using a modern token device that in no way connects to the Internet even indirectly…

Even back in the 1960’s it was recognised that passwords were a security problem and should be replaced, with something more appropriate as the resources became available…

But here we are over half a century later with computing power ~275 thousand million (2^38) times as much, and still using passwords…

The best solution we have “so far” that most humans are aware of are “Passphrases” which essentially use an “alphabet” of words rather than characters.

The most well known as such is XKCD’s “Horse battery staple…” but it suffers from “The human memory problem” as well.

The idea is a word list of say 1024 words “from the common canon” of such. You “randomly” select four and use them concatenated as your passphrase. The argument is that you get 10bits of entropy for each word. So four words gives you 40bits, five 50bits and so on.

The problem is the human mind breaks it almost immediately…

If the human,

1, Does not like one or more of the words they will press the button again (thus reducing the alphabet size).

2, Does not like the order will either,
2.1, Press the button again,
2.2, Reorder the words,
2.3, Change one or more words,
thus reducing the passphrase set size.

3, Sees the same word two or more times,
3.1, Press the button again,
3.2, Reorder the words,
3.3, Change one or more words,
3.4, Drop the repeats,

4, Do something worse, like use a line from a well known poem or song and just leave words out to make it look kind of like “HorseBatteryStaple…”.

Thus the bits of entropy get cut off faster than the “mad salami slicer” in your favourite deli.

[1] https://www.nyit.edu/news/profiles/paolo_gasti

[2] PassGAN ML Password Guessing paper from 2017,

https://arxiv.org/abs/1709.00440

Colby B December 26, 2022 4:56 PM

Zero knowledge means that no one has access to your master password or the data stored in your vault, except you. Not even LastPass.

Does this seem like an odd definition of “zero knowledge” to anyone else? They seem to be using it to simply mean “strongly encrypted”, whereas I’d have expected it to mean something much stronger. In particular: no unencrypted metadata sitting around; no ability of LastPass to associate the encrypted data with any particular user; ideally, no ability of LastPass to see who’s connecting or where they’re connecting from. Something like the Pynchon Gate e-mail proposal, perhaps, maybe combined with a “digi-cash” payment system as in the ZKS Freedom 2.0 Network.

The reality is quite disappointing, and I think storing the metadata unencrypted is a negative shibboleth. I might have chosen some two-stage system in which a user could optionally access certain metadata without the master password (perhaps via a phone’s “secure element” just to know on which sites to prompt for the master password), while still protecting it from LastPass, but why on Earth would anyone trying to design a secure system possibly decide to store it completely unprotected?

iAPX December 26, 2022 5:57 PM

@Colby B, ALL

If you could give your master password to LastPass and have web access to all your passwords, there’s no way they are safe.
This is for me a no-go.

“zero knowledge” is becoming as BS as “end-to-end encryption”, everyone abusing their definition in one way or another.
This is just encryption through a derivative of the master password, this master password being sent over the Internet, at least locally memorized, a derivative that enables decryption being associated with the session and so on…

If you have to give your master password locally to access your locally stored (and encrypted) password, while never given on a website and nothing stored on the cloud, then you have improved your security.
Ideally you should have to use a master password and a 2FA to access your password, and it should never be automated through a browser extension.

Clive Robinson December 26, 2022 7:19 PM

@ Colby B, iAPX, ALL,

Re : Master password

“The reality is quite disappointing, and I think storing the metadata unencrypted is a negative shibboleth.”

Disappointing, yes… unexpected, no.

You could call it pragmatism, ignorance, or both, but you get to see a lot of it.

In part “encryption is expensive” and “plaintext is cheap” to process.

Also the use of plaintext, madly perhaps, can be seen as a security feature. In that you are not using the master key as often, therefore it is less likely to be accessible to an attacker.

But whatever the reasoning given, the reality is using plaintext is way way more convenient, enables things to be done easily, and gets more done for any given dollar of cost, so is seen as more efficient all round.

We might not like it, we may argue against it, we can call it insecure, but that is not going to change the developers or the majority of the users minds.

Because at the end of the day,

“Security just gets in the way”

Is the thinking…

Phillip December 26, 2022 7:23 PM

It is freemium. I like to reason it out. Software is not easy. While nothing is certain, one should consider risk.

Ted December 26, 2022 7:37 PM

The paper Stuart Schechter linked to on Mastodon (and also co-authored) provides a great survey on password manager use and password hygiene.

Their 2021 survey reported that 26% of participants used no password manager. 36% were using the manager built into the Chrome browser. (Oh wow, forgot about that one.) Next was Apple’s Keychain at 13%. LastPass usage came in at around 3% among the survey participants.

The resourcefulness demonstrated by the LastPass hackers was eye-opening, even if we know nothing is 100% secure. I know the LastPass data breach is a real and present threat, and it’s good we’re getting details on it.

lurker December 26, 2022 8:02 PM

@Ted, All
That same paper observed that the most common (~40%) method of local backup of the master password was to write it down on paper.

@Colby B
Maybe Zero Knowledge means nobody but you can ever have access to your data. Oh, wait …

Moz in Oz December 26, 2022 8:35 PM

Writing down the master password is all but essential if there’s anything important in your password database. The lawyer who did my wills (living and dead) was adamant about that. There are fun crypto systems to let you distribute bits of a password around so that it’s harder for people who have other things to think about to make it work at all. Meanwhile you’re in a coma and the bailiffs are selling your house, “comes with a ready-made family for the lucky buyer”. Write the bloody thing down, put it in a safe place. My lawyer has half the password plus a list of people who each have a copy of the other half. And they have a copy of the file from ~2 years ago, and know how to get the latest one off my website(s), and that my work has a copy of it.

Security is always a balance, and I’ve been around long enough to have seen a few too many “Bob died so his website is gone forever”, not to mention seen families wandering lost in technology wondering whether Bob really had investments at all, or were they concealing a gambling problem (trick question, it was both: they invested in cryptocurrency). If no-one knows where you invested they can’t use your death to access those funds.

Colby B December 26, 2022 11:57 PM

@Clive Robinson,

we can call it insecure, but that is not going to change the developers or the majority of the users minds.

I really don’t think the users will have much opinion on this, or have the relevant knowledge to form such an opinion. Had every piece of unencrypted data been stored with even an autogenerated key kept on the hard disk, it could have greatly reduced the impact of this leak without impacting usability whatsoever. (One would still have to enter the master password to access the passwords or connect a new device.) The hypothetical use of an actual zero-knowledge algorithm would, I presume, be similar. We’d care, most users would never notice… but the company would have had to do some extra work, with tricky math, which most users would never notice.

David December 27, 2022 1:22 AM

Is the key length really 256 bit? Some systems using 256 and 128 bit AES like TETRA TEA 2 and TEA 3 are known to fix some of the bits.
It’s very hard to detect that a TLA hasn’t got involved and reduced key space.

Robin December 27, 2022 4:59 AM

@Winter, @Michael, @Clive, all

Thank you for your interesting comments (and reassurances). FWIW I try to keep everything off “the cloud” but there are times when that’s difficult (Clive: there you go, one weaker link straight off).

I create particular passwords that I want to memorise from snippets of multi-character data that for some reason I remember clearly from over the last 50 years (shades of Asperger’s probably: when I ask other people if they remember the same sort of data I get some very odd looks). No words, no numbers that resemble dates, and a sprinkling of punctuation added for good measure. As for the rest, I generate them from PasswordSafe.

dizzy December 27, 2022 5:39 AM

If you’re changing password managers, look at my own Password Safe. Its main downside is that you can’t synch between devices, but that’s because I don’t use the cloud for anything.

I use PasswordSafe on all my devices and synch the pwsafe db with Syncthing. Since there isn’t a central server the db is stored only on my devices and the transfer is encrypted peer-to-peer with GPG keys.

Alternatively you could use encfs on the devices and synch the encrypted directory on ‘untrusted’ cloud services like Dropbox or Mega, possibly using Rclone instead of their proprietary apps.

SpaceLifeForm December 27, 2022 5:59 AM

@ ALL

Read this from someone who has been paying attention to the LastPass issues for years.

‘https://infosec.exchange/@epixoip/109585049354200263

Bruce Schneier December 27, 2022 6:34 AM

@Doug:

“For those of us who do use cloud based systems, is there any way to mass import logins into password safe from other systems? The idea of manually moving hundreds of logins is daunting.”

Some password managers can import and export plaintext files. That’s the easiest way.

Wladimir Palant December 27, 2022 6:56 AM

It would have been less problematic had LastPass not messed up. They:

  1. Failed to upgrade many accounts from 5,000 to 100,100 iterations.
  2. Didn’t keep up with cracking hardware improvements (100k iterations are really on the lower end today).
  3. Didn’t bother enforcing their new password complexity rules for existing accounts.
  4. Didn’t bother encrypting URLs despite being warned about it continuously, allowing attackers to determine which accounts are worth the effort to decrypt.

Their statement is misleading, they downplay the issues. I’ve summed it up on my blog here: https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

Denton Scratch December 27, 2022 7:03 AM

Its main downside is that you can’t synch between devices

I rely on PasswordSafe. Its main downside is that it only works on Windows. That would be OK, but I’m planning to abandon Windows for Linux.

Also, it’s problematic that the home of PasswordSafe isn’t tied to anyone with a personal reputation; fosshub.com is not a schneier property. I’m afraid I don’t know who Rony Shapiro is, and the “currently maintained” bit suggests that it might be maintained by someone else tomorrow.

Denton Scratch December 27, 2022 7:16 AM

@Colby B

Does this seem like an odd definition of “zero knowledge” to anyone else?

Yes, it does. My understanding of “zero-knowledge” is a protocol that lets me prove I know something, without actually spitting out what it is that I know.

Gunter Königsmann December 27, 2022 7:38 AM

What I don’t understand is why there are only very few apps that can sync without the cloud: one could sync my phone with my PC by just waiting until the device with the right SSH key appears and then syncing with it. Sooner or later my phone will appear in my home network and my PC will do so, too.

Denton Scratch December 27, 2022 8:21 AM

@Gunter Königsmann

It doesn’t matter whether it’s “in the cloud”, or just some non-cloud private server in a datacentre; if it’s not yours, then you don’t control it. If you don’t control the server, then you don’t control the data it stores either.

I don’t use “the cloud” at all. At least, not directly; there are probably websites I use that depend on the cloud. Who knows – probably this one (I have no idea who “Pressable” is, nor how they host).

Gunter Königsmann December 27, 2022 10:08 AM

@Denton Scratch: I didn’t propose to sync anything with other people’s computers. But when my portable computer aka cellphone is in my home wifi it could sync with my other computer automatically without needing a cloud or static IP address or similar.

modem phonemes December 27, 2022 10:54 AM

Re: sync-zygy

Hopefully any pwd manager used is auditable/open source, as is the sync tool. Otherwise anything could be happening.

kiwano December 27, 2022 4:24 PM

Taking a peek over at Password Safe, I’m wondering if there’s a good (security) reason for storing passwords using a symmetric cipher (i.e. TwoFish), rather than using a CHF digest of a master password concatenated with a password identifier?

I’m mainly curious because back when I was in school, a classmate of mine posted a fairly simple hash-based password manager that he wrote in JS — and which I subsequently cribbed the idea from and reimplemented as a shell script. Said classmate was pretty clever at the computer stuff and in the intervening years he made up a systems programming language, which he named after a fungus, and which has become relatively popular, so I’m kinda curious as to whether he was missing something (possibly something important), or just making a different choice on some of the inevitable trade-offs.

Brian December 28, 2022 2:57 AM

Personally I straight up upload/sync my Keepass database (I use KeepassXC) on Github and set it to PUBLIC.

There is a reason.

Let’s say you upload your database to your Gmail, and let’s say you lost your PC and phone.
Oh crap!! The 2FA system blocked you. Now you lost everything!! (I have 2 databases, one for my ID, and one for my accounts, they use similar but a bit different master passwords.)

Now let’s say you upload your Keepass database to dropbox, guess what?? You still need the link, and that link is gibberish!! Even if you lost everything during a freak accident, you will still lose the link!!

Also, when you upload the file to dropbox, SSL uses public key cryptography, which only has a theoretical security of 128 bit in symmetric key!!

Now Keyfiles, I personally use notepad with the text like “ZYRACHICKENBLABLABLA”, and I upload it everywhere!! On facebook, on my Twitter, in the basement, on my favorite book, behind the car, at my friends house. The password manager will hash it into gibberish anyways, and if there is an actual disaster, I can re-create the keyfile in notepad BY HAND.

Lastpass is a redundant company and you are only wasting your money using their service.
BTW iterations is meaningless, I set mine to 0.2 seconds because I use a password close to 39 characters, which has an entropy of close to 150 to 250 bits.

Rony December 29, 2022 2:12 AM

Rony here – the current Password Safe maintainer.

To answer a few of the points raised:

  • Password Safe can import data in CSV or XML format.
  • The key stretching function is basically PBKDF2 from before it was standardized. The number of iterations used is configurable.
  • There are Linux ports to the common distros on the github and sourceforge project pages.

Denton Scratch December 29, 2022 4:40 AM

@kiwano

You are coy. I can’t think of a systems programming language named after a fungus; you have me scratching my head.

Field mushroom? Amanita? Yeast? Rose rust? Potato blight? Ceps?

Winter December 29, 2022 6:16 AM

@Denton Scratch

I can’t think of a systems programming language named after a fungus; you have me scratching my head.

Rust is a generic name for a major class of fungal plant diseases.
‘https://en.m.wikipedia.org/wiki/Rust_(fungus)

Frederik H. December 29, 2022 7:56 AM

Thanks Rony.
Is there any intent to add argon2 to the software? Is it considered a useful enhancement?

Chris January 3, 2023 3:51 PM

I have a question. If the bad actor had created a number of accounts in LastPass, identifying them either by the unencrypted portion or just getting lucky, can the bad actor reverse engineer the encryption? That is to say, while zero knowledge is cool on public services, do they offer protection to a bad actor who has a number of accounts on the system and gets the encrypted vault?

Channing Jones January 5, 2023 4:46 PM

I’ve been reading up a little on this, and noted that LastPass uses PBKDF2 to derive each vault key, which basically means that they take the master password and subject it to 100K rounds of expensive hashing with salt. In the context of offline brute-forcing, this says (in my thinking) that it doesn’t matter how strong the master password is because it’s just a piece of entropy. Am I wrong?
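
Added example, not part of the post or of any comment: Python that carries out the arithmetic behind the entropy figures in Winter's comment (98 bits, ~48 bits), the 1024-word passphrase case, and the 5,000 versus 100,100 iteration counts raised by Wladimir Palant and Channing Jones. It assumes PBKDF2-HMAC-SHA256, a constructed salt and a hypothetical attacker hash rate; all function and constant names are illustrative.

```python
import hashlib
import math
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# ASSUMPTION: hypothetical attacker throughput, in PBKDF2 inner hash (PRF)
# calls per second. An illustrative figure, not a measurement from the page.
ASSUMED_PRF_CALLS_PER_SEC = 1e10

# Iteration counts named in the comments (old accounts vs. current default).
ITERATION_COUNTS = (5_000, 100_100)

# (label, alphabet size, symbols chosen). The 4096-word list is an assumption
# chosen so that four words give the ~48 bits mentioned in the thread.
CANDIDATES = (
    ("15 random printable ASCII chars", 94, 15),
    ("4 random words from a 4096-word list", 4096, 4),
    ("4 random words from a 1024-word list", 1024, 4),
)


def random_choice_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols, each drawn uniformly at random.

    Only valid for truly random selection; human-chosen strings are weaker.
    """
    return length * math.log2(alphabet_size)


def work_bits(entropy_bits: float, iterations: int) -> float:
    """log2 of the PRF calls needed to test every candidate password once.

    Key stretching multiplies the cost of each guess by `iterations`, so it
    adds log2(iterations) bits on top of the password's own entropy.
    """
    return entropy_bits + math.log2(iterations)


def years_to_exhaust(entropy_bits: float, iterations: int,
                     prf_calls_per_sec: float = ASSUMED_PRF_CALLS_PER_SEC) -> float:
    """Years to try the whole keyspace (the average case is half of this)."""
    guesses_per_sec = prf_calls_per_sec / iterations
    return (2.0 ** entropy_bits) / guesses_per_sec / SECONDS_PER_YEAR


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def measure_derivation_seconds(iterations: int) -> float:
    """Time one legitimate unlock on this machine (the defender's cost)."""
    start = time.perf_counter()
    derive_vault_key("constructed-example-password", b"constructed-salt", iterations)
    return time.perf_counter() - start


def cost_table(candidates=CANDIDATES, iteration_counts=ITERATION_COUNTS,
               prf_calls_per_sec: float = ASSUMED_PRF_CALLS_PER_SEC):
    """Rows of (label, iterations, entropy bits, work bits, years to exhaust)."""
    rows = []
    for label, alphabet, length in candidates:
        bits = random_choice_bits(alphabet, length)
        for n in iteration_counts:
            rows.append((label, n, bits, work_bits(bits, n),
                         years_to_exhaust(bits, n, prf_calls_per_sec)))
    return rows


if __name__ == "__main__":
    for n in ITERATION_COUNTS:
        print(f"{n:>7} iterations: one unlock takes "
              f"{measure_derivation_seconds(n) * 1000:.1f} ms here")
    print()
    for label, n, bits, work, years in cost_table():
        print(f"{label:<38} iters={n:>7}  entropy={bits:5.1f} bits  "
              f"work={work:5.1f} bits  exhaust={years:.3g} years")
```

Stretching adds log2(iterations) bits of work on top of the password's entropy (about 12.3 bits at 5,000 iterations and 16.6 at 100,100); it does not replace that entropy.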

Ray K January 15, 2023 8:10 PM

The key here is that your password vault is out in the wild. The threat actor may sell the vaults for $1 apiece (that’s $30 million dollars) and in the next 3, 5 or 10 years, technology will get to a point where a password that requires a million years to crack will only need a year to crack. What a cluster. Shame on LastPass for downplaying the risk.

Chris January 16, 2023 7:54 PM

How do/did you vet all the 43 people (https://github.com/pwsafe/pwsafe/graphs/contributors) and their “contributions” to your Password Safe?

You’re asking us to trust yourself, and a very large number of possibly sketchy people, any one of which could easily be motivated by the challenge and prestige of sneaking their backdoor into your product.

Inserting back doors in plain sight is arguably one of the most exciting challenges possible – juggling race-conditions, interrupts/exceptions, unexpected expansions, etc etc, all while disguising what you’re doing as something safe and helpful…
