Last week, just before Christmas, LastPass dropped a bombshell announcement: as the result of a breach in August, which led to another breach in November, hackers had gotten their hands on users' password vaults. While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager.
LastPass' December 22nd statement was "full of omissions, half-truths and outright lies," reads a blog post from Wladimir Palant, a security researcher known for originally developing Adblock Plus, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it's being; he accuses the company of trying to portray the August incident, where LastPass says "some source code and technical information were stolen," as a separate breach when he says that in reality the company "failed to contain" the breach.
He also highlights LastPass' admission that the leaked data included "the IP addresses from which customers were accessing the LastPass service," saying that could let the threat actor "create a complete movement profile" of customers if LastPass was logging every IP address you used with its service.
Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager. "LastPass's claim of 'zero knowledge' is a bald-faced lie," he says, alleging that the company has "about as much knowledge as a password manager can possibly get away with."
LastPass claims its "zero knowledge" architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn't dispute that particular point, he does say that the phrase is misleading. "I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no — with LastPass, your vault is a plaintext file and only a few select fields are encrypted."
Palant also notes that the encryption only does you any good if the hackers can't crack your master password, which is LastPass' main defense in its post: if you use its defaults for password length and strengthening and haven't reused it on another site, "it would take millions of years to guess your master password using generally-available password-cracking technology," wrote Karim Toubba, the company's CEO.
"This prepares the ground for blaming the customers," writes Palant, saying that "LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn't follow their best practices." However, he also points out that LastPass hasn't necessarily enforced those standards. Despite the fact that it made 12-character passwords the default in 2018, Palant says, "I can log in with my eight-character password without any warnings or prompts to change it."
LastPass' post has even elicited a response from a competitor, 1Password: on Wednesday, the company's principal security architect Jeffrey Goldberg wrote a post for its site titled "Not in a million years: It can take far less to crack a LastPass password." In it, Goldberg calls LastPass' claim of it taking a million years to crack a master password "highly misleading," saying that the statistic appears to assume a 12-character, randomly generated password. "Passwords created by humans come nowhere near meeting that requirement," he writes, saying that threat actors would be able to prioritize certain guesses based on how people construct passwords they can actually remember.
Of course, a competitor's word should probably be taken with a grain of salt, though Palant echoes a similar idea in his post: he claims the viral XKCD method of creating passwords would take around 25 minutes to crack with a single GPU, while one made by rolling dice would take around 3 years to guess with the same hardware. It goes without saying that a motivated actor trying to crack into a specific target's vault could probably throw more than one GPU at the problem; since guessing parallelizes perfectly, the time drops in proportion to the number of GPUs, potentially by orders of magnitude.
Both Gosney and Palant take issue with LastPass' actual cryptography too, though for different reasons. Gosney accuses the company of basically committing "every 'crypto 101' sin" with how its encryption is implemented and how it manages data once it's been loaded into your device's memory.
Meanwhile, Palant criticizes the company's post for painting its password-strengthening algorithm, known as PBKDF2, as "stronger-than-typical." PBKDF2 is a key-derivation function that runs your master password through a configurable number of hash iterations before the result is used as the vault key; an attacker who has stolen the vault has to pay for the same number of iterations on every guess, so the iteration count sets how slow offline cracking is. "I seriously wonder what LastPass considers typical," writes Palant, "given that 100,000 PBKDF2 iterations are the lowest number I've seen in any current password manager."
Bitwarden, another popular password manager, says that its app uses 100,001 iterations, and that it adds another 100,000 iterations when your password is stored on the server for a total of 200,001. 1Password says it uses 100,000 iterations, but its encryption scheme means that you have to have both a secret key and your master password to unlock your data. The Secret Key is a randomly generated 128-bit value that lives on your devices and is never sent to 1Password's servers, so an attacker holding a stolen vault faces that full random keyspace rather than just the human-chosen master password. That feature "ensures that if anyone does obtain a copy of your vault, they simply cannot access it with the master password alone, making it uncrackable," according to Gosney.
Palant also points out that LastPass hasn't always had that level of security and that older accounts may only have 5,000 iterations or less, something The Verge confirmed last week. That, along with the fact that it still lets you have an eight-character password, makes it hard to take LastPass' claims about it taking millions of years to crack a master password seriously. Even if that's true for someone who set up a new account, what about people who have used the software for years? If LastPass hasn't issued a warning about or forced an upgrade to those better settings (which Palant says hasn't happened for him), then its "defaults" aren't necessarily useful as an indicator of how worried its users should be.
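To make the iteration-count and password-style arguments above concrete, here is an added example (not code from the article, LastPass, or any of the other vendors named) that runs a PBKDF2-HMAC-SHA256 derivation the way a client would and then estimates offline cracking time for the password styles the article compares. The GPU throughput constant is a constructed round number, not a benchmark, and the email-as-salt layout is a simplified assumption; the absolute times therefore mean little, but the ratios between 5,000 and 100,100 iterations, between XKCD-style and diceware passwords, and between one GPU and many are exactly what the argument turns on.

```python
import hashlib
import math

# Constructed assumption for this example only: one GPU evaluates 1e9
# HMAC-SHA256 operations per second. Real hashcat figures depend on the card;
# replace this with a benchmark you trust. Every time below scales with it.
ASSUMED_HMAC_PER_SEC_PER_GPU = 1e9


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with the account e-mail as salt (assumed, simplified
    layout; real clients add further derivation steps that do not change the
    cost scaling). The iteration count is the knob the article argues about."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def guesses_per_second(iterations: int, gpus: int = 1) -> float:
    """Attacker throughput: every candidate costs `iterations` HMAC calls, so
    raising the count divides the guess rate linearly; adding GPUs multiplies it."""
    return gpus * ASSUMED_HMAC_PER_SEC_PER_GPU / iterations


# Keyspace sizes for the password styles the article compares.
KEYSPACES = {
    "xkcd_4_words": 2048 ** 4,          # four words from a 2,048-word list
    "diceware_5_words": 7776 ** 5,      # five words from the 7,776-word diceware list
    "random_8_alnum": 62 ** 8,          # the 8-character minimum LastPass still accepts
    "random_12_printable": 95 ** 12,    # roughly the "defaults" behind the CEO's figure
    "secret_key_128bit": 2 ** 128,      # 1Password-style random key, independent of the password
}


def expected_crack_seconds(keyspace: int, iterations: int, gpus: int = 1) -> float:
    """Expected time to hit a uniformly random password: half the keyspace."""
    return (keyspace / 2) / guesses_per_second(iterations, gpus)


def humanize(seconds: float) -> str:
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.4g} {unit}"
    return f"{seconds:.4g} seconds"


def crack_time_table(iterations: int, gpus: int = 1) -> dict:
    """Expected crack time in seconds for every keyspace above."""
    return {name: expected_crack_seconds(space, iterations, gpus)
            for name, space in KEYSPACES.items()}


if __name__ == "__main__":
    # Same password, different iteration counts: the derived key changes and
    # so does the attacker's cost per guess.
    for iters in (5_000, 100_100):
        key = derive_vault_key("correct horse battery staple", "user@example.com", iters)
        print(f"{iters:>7} iterations -> key {key.hex()[:16]}... (one GPU)")
        for name, secs in crack_time_table(iters).items():
            print(f"    {name:<20} {humanize(secs)}")
    print("100,100 iterations, 1,000 GPUs:")
    for name, secs in crack_time_table(100_100, gpus=1_000).items():
        print(f"    {name:<20} {humanize(secs)}")
```

Two things to read off the output: moving an account from 5,000 to 100,100 iterations buys a factor of 20.02 and nothing more, which is why a weak human-chosen master password is not rescued by the higher count, and the 128-bit Secret Key row stays out of reach at any iteration count because its keyspace, not the hash cost, is what the attacker has to get through.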
Another sticking point is the fact that LastPass has, for years, ignored pleas to encrypt data such as URLs. Palant points out that knowing where people have accounts could help hackers specifically target individuals. "Threat actors would love to know what you have access to. Then they could produce well-targeted phishing emails just for the people who are worth their effort," he wrote. He also points out that sometimes URLs saved in LastPass could give people more access than intended, using the example of a password reset link that isn't properly expired.
There's also a privacy angle; you can tell a lot about a person based on what websites they use. What if you used LastPass to store your account info for a niche porn site? Could someone figure out what area you live in based on your utility provider accounts? Would the info that you use a gay dating app put your freedom or life in danger?
One thing that several security experts, including Gosney and Palant, seem to agree on is the fact that this breach isn't proof positive that cloud-based password managers are a bad idea. This seems to be in response to people who evangelize the benefits of completely offline password managers (or even just writing down randomly-generated passwords in a notebook, as I saw one commenter suggest). There are, of course, obvious benefits to this approach: a company that stores millions of people's passwords will get more attention from hackers than one individual's computer will, and getting at something that's not on the cloud is a lot harder.
But, like crypto's promises of letting you be your own bank, running your own password manager can come with more challenges than people realize. Losing your vault via a hard drive crash or another incident could be catastrophic, but backing it up introduces the risk of making it more vulnerable to theft. (And you did remember to tell your automatic cloud backup software to not upload your passwords, right?) Plus, syncing an offline vault between devices is, to put it mildly, a bit of a pain.
As for what people should do about all this, both Palant and Gosney recommend at least considering switching to another password manager, in part because of how LastPass has handled this breach and the fact that it's the company's seventh security incident in a little over a decade. "It's abundantly clear that they do not care about their own security, and much less about your security," Gosney writes, while Palant questions why LastPass didn't detect that hackers were copying the vaults from its third-party cloud storage while it was happening. (The company's post says it's "added additional logging and alerting capabilities to help detect any further unauthorized activity.")
LastPass has said that most users won't have to take any action to secure themselves after this breach. Palant disagrees, calling the recommendation "gross negligence." Instead, he says that anyone who had a simple master password, a low number of iterations (here's how you can check), or who's potentially a "high value target" should consider changing all of their passwords immediately.
Is that the most fun thing to do over the holidays? No. But neither is cleaning up after someone accessed your accounts with a stolen password.
Update December 28th, 7:39PM ET: Updated to include comments from 1Password, which published its own rebuttal to LastPass' claims.