Lastpass Breached. Again. Vault Data Accessed This Time

Lastpass have been breached again; this time, vault data has been exposed via backups.
Sounds like not all data was encrypted, so even without your master password attackers can tie your billing info to a list of sites you have saved.
Anyone with a weak master password might want to go through all their saved sites and get resetting.

https://blog.lastpass.com/2022/12/notice-of-recent-security-…

https://www.bleepingcomputer.com/news/security/lastpass-hack…


Comments

  • +28

    Thanks OP. Sounds like the eventual conclusion from the increasing number of data breaches is that people should just go back to pen and paper and physical safety vaults. Very inconvenient, but a password manager being breached is even more so.

    • +6

      Or engrave on the stones like the ten commandments.

      • +34

        Download from the cloud to your tablets!

        • +4

          Makes sense in 2023, also makes sense in 1445 BC

      • +16

        Bad example, Moses was showing those off to everyone. Now Joseph Smith, he had golden plates from god and nobody ever saw them! We should be security conscious like him.

        • +1

          Actually, there were over 11 witnesses who either saw or touched the golden plates - but then after translating them, the plates were taken back by God - maybe into “the cloud” and so since there has been no “breach” that has allowed the originals to be accessible.
          However, they have created a “distributed network” so that there are multiple hard copies (“backups”) of the translation across the whole world so that the translation can always be re-created.

    • +6

      Even a sticky note stuck to the monitor seems more secure than storing a password online.

    • +12

      Keepass

    • +1

      Just ordered a 100 pack of post it notes..

      • Post the deal!

        • Yeah, what he said. Post it.

  • +9

    Anyone with a weak master password might want to go through all their saved sites and get resetting.

    Just everyone with a Lastpass account, weak password or no.
    Having a strong Master Password just buys you more time to change everything.

    While you're at it, time to dump LastPass and move to an alternative. Whether that be a commercial competitor or Keepass with Syncthing.
    They keep getting hit and rather than attackers acquiring less and less each time, they're acquiring more and more.
    It's to the point that incompetence can't be ruled out.

    Something I was alerted to by the Arstechnica Article

    LastPass customers should ensure they have changed their master password and all passwords stored in their vault. They should also make sure they're using settings that exceed the LastPass default. Those settings hash stored passwords using 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2)…

    The 100,100 iterations is woefully short of the 310,000-iteration threshold that OWASP recommends for PBKDF2 in combination with the SHA256 hashing algorithm used by LastPass.

    I checked the settings in my non-LastPass Password Manager and they were only 100,000 iterations. Now bumped to 400,000

    • +16

      I swapped to using Bitwarden a couple of months ago, but because I hadn't got around to deleting Lastpass I'll still have to go and reset everything. Even if I had I'd still need to I guess, who knows how far back the leaked data goes.

      • +3

        Check your Bitwarden security settings (you have to log in to the website) and increase the default 100000 iterations.

      • I swapped to bitwarden years ago but couldn't figure out how to delete a LastPass account. Any instructions?
        I'm super pissed I have to change easily 100 passwords now.
        My master password was 27 characters, wonder how much time that buys with processing power these days.

        • +2

          My master password was 27 characters, wonder how much time that buys with processing power these days.

          Assuming it's not overly simplistic, it's not worth caring about :)

          Eg calculator to show you how length and complexity increases brute force attempt duration
          https://www.grc.com/haystack.htm

          • +1

            @SBOB: 2 billion years based on what processing power is the question

            • +2

              @reactor-au: Not really.

              Even if you applied Moore's law indefinitely on computing power increasing, the time taken to brute force a 27 character non-trivial password puts it beyond the care factor of even Futurama head-in-a-jar users.

              If you're even marginally interested in the technical reasons, there's plenty of links and info on that example page to reference

          • @SBOB: Cheers I'm good.

            Massive Cracking Array Scenario:
            (Assuming one hundred trillion guesses per second) 1.74 centuries

            • +1

              @figarow: Mine's 14 characters and it's coming in at 15.67 thousand centuries for a Massive Cracking Array Scenario

              As long as it remains secure in my lifetime I'm sweet.

        • +4
          • @mamayoukero: Thanks I did find the link on desktop earlier, didn't show on mobile

        • My master password was 27 characters, wonder how much time that buys with processing power these days.

          Until the heat death of the universe lol. You don't need to worry about changing any of your passwords.

          • @trapper: I started at A this morning, I'm at J now

            • @reactor-au: You'll be dead, buried, and corpse half rotted but at least your passwords will be secure.
              I guess that's the most important thing.

    • Also invest in a Yubikey and use this to authenticate any new logins to your password manager.

      Even if they have your password they aren't getting in without access to the Yubikey.

      • What if my Yubikey is lost?

        • +6

          You buy two and keep the backup in a safe place. Both Yubikeys can be registered to the one account.

      • Does yubikey work with NFC on your phone? I rarely use desktop except at work.

        Would one key in each client machine allow Microsoft 365 passwordless sign in without authenticator?

        • +1

          You can get them in different flavours, some including NFC, and in USB C for physical connections to Android phones. Also can get one with fingerprint unlock.

          If you are interested in passwordless, check out the Hyatt case study video on Yubico's website. Good explanation of how it's been implemented.

        • +1

          I use a yubikey for work that's always in my work laptop (5 Nano), I have a version that has lightning and USB-C that I carry around on my keyring, (5Ci) which works via lightning connector on iphone and older ipads, and with USB-C on an iPad Pro. I also have a NFC and USB-C version (5C NFC) that you can just touch to the top left of an iphone or plug in as needed. Lastpass allows I think up to four yubikeys to be defined, and you have the option of authorising the device/computer for up to 30 days so it's not like you constantly need to be searching for a yubikey. There is also still the option of having a google authenticator attached to the account if there's some reason for you to think you'll lose access to your yubikeys.

          • +1

            @zambuck: Always keeping it in the device kinda defeats the additional security aspect doesn't it?
            Not entirely of course, cause you're secure from electronic attack.
            I just have mine on my keyring and a backup at home.

            • @ESEMCE:

              Always keeping it in the device kinda defeats the additional security aspect doesn't it?

              No it doesn't. Without a physical Yubikey, your password can be attempted from any of the 10 billion + devices in the world.

              With a physical Yubikey, the attacker would need physical access to your key, severely limiting where the authentication can be attempted from.

              Also a physical Yubikey has built-in protection against trying the PIN too many times.

              • +1

                @matt_will_fix_it:

                the attacker would need physical access to your key

                yes, this is the bit that you're exposing yourself to.
                hence my comment that I keep mine on my keyring ie with me and not with the device I need to unlock.
                (plus I need/use mine for work and home use)

          • @zambuck: Do not use authenticator as it’s the weakest link.

      • +3

        Using MFA tokens like the Yubikey doesn't change the risk when the encrypted vault is stolen.

        In this scenario, threat actors will use software to crack the encryption key used to encrypt the vaults. They are not trying to authenticate to obtain that encryption key. MFA doesn't help here.

        • +1

          Agree, but my reply was in response to a question about better securing your master password for a vault such as Bitwarden, not about this specific breach.

          • @Shoocat: Yes, Yubikey's are great for securing authentication. I use them myself with Bitwarden.

      • +1

        2FA isn't going to help in this scenario.
        They have the data already, they just need to decrypt it.

    • I was under the impression that Argon2 has surpassed PBKDF2, and it won the PHC a while ago. However, I'm not as up to date with cryptography changes - has something changed?

    • Just everyone with a Lastpass account, weak password or no.
      Having a strong Master Password just buys you more time to change everything.

      Nah, if you have a strong master password there is no need to go and change everything.

      Test the strength of yours here if you are concerned: https://www.security.org/how-secure-is-my-password/

    • I switched to Keeper a while back and much prefer it over LastPass

  • +1

    Isn't this just an update on the August breach? It's not a new breach.

    • +2

      It’s being reported as a second breach

  • +5

    Great, my Optus client data is currently somewhere on the darkweb and now my LastPass login data is likely out there now too. Haven't really got much else that can be leaked….

    • +1

      Bodily fluids?

      • +1

        I have those kept in my highly secure vault for safe keeping

  • -8

    Lastpass Breached. Again. Vault Data Accessed This Time

    Again? "This Time"? This isn't a new breach OP, this is an update to the one made in August. Did you even read the articles you linked?

    • +7

      My reading of it is some of what they took last time they used to get in again, this time accessing more, including customer vaults.

    • +4

      Did you read the articles OP linked?

      LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident.

      Source: https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/ (OP's second link)

      I read that as the attackers that breached LastPass previously have used some of the stolen information to breach LastPass again.

      So, if my take is correct, then yes, again.

      Also from further in the same article:

      Breached twice in a single year

      The cloud storage breach is the second security incident disclosed by the company since the start of the year after confirming in August that its developer environment was breached using a compromised developer account.

      Article clearly calls it a second breach.

  • +1

    Great.. this is going to be pretty painful to change all my passwords.

    • +4

      If you used a strong password, you shouldn't need to… It's AES-256 encrypted.

      • For which one ? Master?

        They are all strong if I can make them - unlike some banks ING for instance only lets you have 4 digit pin or other banks where they have a limit.. lots of places even government websites have weird limits.

        • +3

          Your vault is AES encrypted using a key derived from your master password. As long as your Master password can't be easily guessed, then you will be fine.

          • @djsweet: They have the encrypted blobs so can brute force them.
            A long Password will extend the time it takes to brute force, but does not make it uncrackable.

            • @ESEMCE: The point is, if you have a strong password, cracking is not practically possible. Sure, if you used Password123! you're boned.

            • +4

              @ESEMCE:

              but does not make it uncrackable.

              Uncrackable and uncrackable within 1000+ lifetimes of computing power are two very different things.

              • -1

                @SBOB: It's not about algorithm, but it's implementation which you know nothing about and have no control over.

                If you believe that various TLAs would allow uncrackable (to them) encryption algorithms to be used by general public I have a bridge for sale.

                • @[Deactivated]: Their methodology for encryption has been audited in the past, but sure…it could be flawed.
                  Either way, I use bitwarden and left LastPass when they changed hands years ago, which is open source

                  If you think LastPass has somehow sold out and included known second party private keys in their encryption algorithm…then excellent reason to use bitwarden.

                  • @SBOB: You think their methodology was much better than their security?

                    No matter what product you use if you rely on (whether deliberately or not, does not matter) faulty implementation of encryption it does not make any difference.

              • @SBOB: Functionally identical.

            • @ESEMCE: You probably should give some context.
              "Extend" does little except provoke fear, especially if the extension is well past 1 human lifetime.

              • @drfuzzy: I didn't know the maths exactly.
                All I know is that there's no need to panic.

                Assuming you have a half decent master password (I can't imagine that anyone already using a Password Manager doesn't have at least this), just change your passwords over the course of the next 6-12 months and you're sweet.

                • @ESEMCE:

                  All I know is that there's no need to panic.

                  That depends entirely on the length of your master password.

                  Six digits and it's cracked in seconds, seven in minutes, eight in hours, nine in weeks, ten in years, eleven in centuries

                  • @trapper: I genuinely struggle to believe a scenario where a LastPass users' Master Password is anything less than 12 characters.

                    • @ESEMCE:

                      I genuinely struggle to believe a scenario where a LastPass users' Master Password is anything less than 12 characters.

                      A 12 character minimum was not enforced by LastPass though, that is the reality.

                      • @trapper: I don't think it matters what the default is.

                        The nature of a user who is;
                        a) aware of the existence of Password Manager's
                        b) has taken the time to research a vendor and set up an account for a Password Manager
                        c) actually implemented the day to day use of a Password Manager

                        in my mind at least, immediately puts them into a subset of society who have a heightened awareness of Password Security and are therefore going to use a password longer than 12 characters (even accounts set up 10 years ago when Password Managers were just appearing and a 12 character password might have seemed relatively secure against contemporary hardware)

                        The only users who might not fall into that category would be those who had assistance from someone who did when their Account was created (ie an elderly relative getting assistance from a son/daughter/nephew/niece/grandchild)

                        • @ESEMCE: Well that's an improvement on the genuine struggle you had earlier.

                          So we can agree now that many LastPass master passwords were less than 12 characters.

                          • @trapper: No, I'm not sure how you come to that conclusion from what I've written.
                            I can concede that it's possible, but not that it's likely, let alone common.

                            Happy to agree to disagree, but would love to hear your argument as to why you think "many LastPass master passwords were less than 12 characters"
                            (emphasis added)

                            Added to this, a 12 character password remains relatively secure even today. I certainly wouldn't recommend it, but I wouldn't be overly concerned provided it's complex and not dictionary based.

            • @ESEMCE: Most systems prevent brute force. It’s not going to allow you to continuously provide guess credentials

              • @MuddyClear: There's nothing to stop continuous guesses in this case.
                They have the encrypted files already.

                • @ESEMCE: OK. A strong password is the only way to stop them from accessing it then

      • If postform's database was stolen then it's not a matter of if but when their passwords are readable. If the hackers got the database then they can freely keep hammering it with brute force attempts until they crack it, and the length of time until when will get smaller as time goes on (processing power, new architectures, quantum computing, etc).

        That length of time that everyone quotes for encryption is the length of time to attempt every possible permutation - they only need to attempt the correct one. It could be the first one they attempt, it could be the 10 millionth, it could be the last. But with the database in hand it's only a matter of time. And assuming the hackers got contact information also, then they (should?) be trying to lookup, phish or social engineer some more information to steer their brute force attempts to drop that timeframe even further.

        • +1

          That length of time that everyone quotes for encryption is the length of time to attempt every possible permutation

          No, half the total time is the way the calculation on brute force time estimation periods are calculated.
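Two points from this thread, worked through in an added Python example that is not from the thread, LastPass or OWASP: the per-guess cost of PBKDF2-HMAC-SHA256 at the quoted 100,100 versus 310,000 iterations (the Ars Technica excerpt in the comment above), and the "half the keyspace" expected brute-force time just discussed. The attacker guess rate, the 80-symbol alphabet, the sample password and the random salt are assumptions or constructed values, not measured figures.

```python
import hashlib
import os
import time

# Iteration counts quoted in the thread: the LastPass default and the
# OWASP recommendation for PBKDF2-HMAC-SHA256.
LASTPASS_DEFAULT_ITERS = 100_100
OWASP_ITERS = 310_000

# Constructed sample inputs (not real credentials). LastPass derives the
# salt from the account e-mail; random bytes are used here instead.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = os.urandom(16)

# Assumed attacker throughput against the default iteration count. The
# absolute figure is a placeholder; the comparisons below are relative to it.
ASSUMED_GUESSES_PER_SEC = 100_000.0


def derive_vault_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte AES-256 vault key.

    This is the work an attacker repeats once per guess against a stolen
    vault, so every extra iteration is paid by the attacker as well as by you.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def seconds_per_guess(iterations: int) -> float:
    """Measure one derivation on this machine: the per-guess cost."""
    start = time.perf_counter()
    derive_vault_key(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
    return time.perf_counter() - start


def guesses_per_sec_at(iterations: int,
                       baseline_gps: float = ASSUMED_GUESSES_PER_SEC,
                       baseline_iters: int = LASTPASS_DEFAULT_ITERS) -> float:
    """Scale the attacker's rate with the iteration count.

    PBKDF2 cost is linear in iterations, so raising 100,100 to 310,000 cuts
    the guess rate on the same hardware by about 3.1x.
    """
    return baseline_gps * baseline_iters / iterations


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length


def expected_crack_seconds(length: int, alphabet_size: int,
                           guesses_per_sec: float) -> float:
    """Expected time to hit a uniformly random password.

    The attacker needs the correct guess, not every guess; on average it
    arrives after half the keyspace has been tried, which is why the usual
    estimate is half the exhaustive-search time.
    """
    return keyspace(length, alphabet_size) / 2 / guesses_per_sec


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


def crack_time_table(iterations: int, alphabet_size: int = 80,
                     lengths=range(6, 15)) -> list:
    """(length, expected seconds) per password length at this iteration count."""
    gps = guesses_per_sec_at(iterations)
    return [(n, expected_crack_seconds(n, alphabet_size, gps)) for n in lengths]


if __name__ == "__main__":
    for iters in (LASTPASS_DEFAULT_ITERS, OWASP_ITERS):
        print(f"\n{iters:,} iterations: {seconds_per_guess(iters) * 1000:.1f} ms per "
              f"guess here; assumed attacker rate {guesses_per_sec_at(iters):,.0f}/s")
        for n, secs in crack_time_table(iters):
            print(f"  {n:2d} chars (80-symbol alphabet): {humanize(secs)}")
```

Each extra character multiplies the keyspace by the alphabet size, while raising the iteration count only multiplies the per-guess cost, so length does far more than iterations, but the iterations are the only lever the vault owner still has over an already-stolen blob.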

  • my lack of trust in password managers has been vindicated

    • +4

      Hackers have a list of websites that people access and a dump of encrypted blobs of passwords.
      They now need to brute force the Encrypted blobs to have anything truly useful.

      This will give users sufficient time to change their passwords, albeit a frustrating experience, it doesn't really vindicate anything.

      There is no better option outside of a book of passwords (and a set of dice to generate unique, randomised passwords every time you need to set up a new account) or a non-cloud based Password Manager (but still a Password Manager)

      • +1

        There's also different risks with each strategy. The risk of someone finding a book of passwords is very low, but the ease with which it can be used is very high. Local computer goes pop, no more passwords. Typing in long passwords is incredibly inconvenient and encourages short ones.

        Lastpass has always been setup so that this exact scenario isn't a problem - so long as your master password is strong. I'm still using the opportunity to update the things I want to secure the most, banks, mobile phone, Google/Microsoft/Apple, OzBargain, govt sites, etc but it's really just a good opportunity. Some of those passwords hadn't been updated since 2014 and I can put in longer ones now.

    • +10

      Your lack of understanding on how password managers encrypt their data blobs has been illustrated……

      Using a master password like 'MyLastpassP@sswordIsOzbargain1' would make your encrypted blob effectively worthless well past when the sun is expected to burn out…..

      • Very good tip!

      • Every OzBargainer is now using this password, so it may have gotten a little weaker.

  • +3

    How about passwords stored in Chrome browser? Gmail account with 2FA either google authenticator or Authy. No dodgy extensions in the browser + adguard app with adguard dns in phone or next dns in laptop.

    • +1

      Not a whole lot of local security. If someone gets your unlocked phone or sits down at your computer it's pretty easy to access all your data. Also inconvenient if you want to use a different browser.

      Great against external attackers, but then so was Lastpass. The problem is whether anyone will ever figure out a way to hack Google and get the same encrypted profile files of users that can be then attacked forever. While Google are much better at security, they're also a much bigger target. I imagine plenty of people are constantly trying to find ways into Google.

      It's worth noting that, as far as anyone knows, the hackers haven't actually accessed any data yet. And if they did it would have been due to weak passwords and no 2FA.

      • There have been some reports of users with strong passwords having some sites breached, but I don't think any have been confirmed to be from their vaults being accessed.

  • +5

    Glad never used Lastpass

    • This, I'd never use it as my personal password manager. My workplace uses it and I find the Lastpass UX to be utter amateur trash, I'm not surprised that their security competence seems to be at around the same level too.

  • +4

    I think it's questionable for them to suggest those with strong master passwords, who didn't use them elsewhere, have "no recommended actions that you need to take at this time". That rests entirely on the encryption, which is tricky to get right and there are endless cases of flaws in the way it's employed. My keyboard's AES was exploitable. My phone's AES was exploitable. My SSD's AES was exploitable.

    Are LastPass better at it than everyone else? Who knows, but why gamble one's accounts on it? Right now there's a big encrypted blob of leaked data with a giant target on it because it's chock full of valid credentials for presumably millions of users and all the entities they have accounts with. That's going to attract some serious hacking talent, and even if there's only a 1% chance anyone breaks in, it's too high given what's at stake.

    The upside of an encrypted/hashed password leak (unlike say licence numbers or nude selfies) is users can easily make the most valuable part worthless and the encryption may at least be buying some time to do that, but by holding back on recommending all users change passwords, LastPass is propping up the value of that leaked database and the incentive to break in.

    Bottom line: regardless of how strong your master password was, if you have any important accounts in LastPass, change their passwords as a matter of priority. Then make a judgement call on whether to go to the hassle of changing the rest or trust them to LassPass's encryption.

    • +1

      LastPass have shown themselves to be incompetent. It's definitely wise to assume that they could have a flaw in their encryption or that they are not letting on the full truth.

      I haven't used LastPass for about 2 years, and my master password was pretty strong, but I spent several hours making sure none of the passwords in my account were valid just in case. It's a small price to pay considering the disaster if my passwords were accessed.

      I'd recommend anyone with LastPass, even if you no longer use it, change all passwords starting with the most important sites - banking, email, etc.

  • +2

    I have very little understanding in encryption, but would the passwords stored in lastpass still be at risk if you use 2FA on your master password login?

    • And what would be considered a strong master password? A unique password that's not used elsewhere, over 12-16 characters consisting of letters, numbers, symbols, no dictionary words, etc?

      • +1

        Basically, the longer and more varied (combining uppercase, lowercase, numbers, and symbols) the better. Dictionary words are OK if they are used with the above criteria, though the more random the better. A good way to come up with a password is to use a phrase that is easy to remember, but add symbols and numbers (or replace certain letters with them). Once you get up to about 14 characters it is effectively uncrackable with brute force with current technology.

        Each character you add makes your password an order of magnitude harder to crack. Lowercase only give 26 possible values for each character, but adding uppercase, numbers, and symbols increases that to about 80 or more.

    • +1

      yes they would still be at risk. Lastpass was compromised effectively bypassing all the MFA protections you might have, then they vacuumed up all your data so they can effectively perform offline attacks on it. This is just another example of why I warn people never put anything important in a password manager, forum accounts and web site stuff all good, but never banking and financial stuff.

      • +1

        1) Banking is the last of your worries (and immediately highlights your lack of understanding).
        Your most important data is your personal data, like Identification numbers, Medical data (which could be used for blackmail) and things like communication accounts (Email/Social media/Messaging/Telecom) that could be used to further you, and your family and friends, by impersonating you from a trusted account.
        2) The risks are incredibly low - as mentioned above, a 16 character long and complex (Letters, symbols and numbers), password is essentially unlikely to be cracked until well after you die. The risks decrease exponentially as you add characters.
        3) The benefits are incredibly high because each site has a unique password that is similarly long and complex, therefore impacts from hacks like Optus are minimised versus someone who uses the same password everywhere (no matter how long or complex), or uses a pattern in all their passwords.

        • +1

          Wow you have a fundamental lack of understanding of security. Firstly where did I ever say trusted accounts aren't important? I would never put email etc in a password vault. You fundamentally lack understanding of the risks of password vaults, they are a single point of failure, if your machine is compromised then you lose EVERYTHING in seconds and may not be aware of it till they have taken everything you have. The reality of studies conducted on password safes is people are stupid, they don't have some awesome strong master password, they more often than not reuse a password from some other service they have previously used and don't have a very strong password.

          Password safes are great especially for lazy people or those that have a tendency to reuse passwords, just don't put anything important in them.

          • @gromit:

            Firstly where did I ever say trusted accounts aren't important?

            You didn't specifically, but you did by implication of listing financial products as the most important.
            "but never banking and financial stuff."

            If your machine is compromised then you lose EVERYTHING in seconds

            Disagree.
            With Yubikey 2FA enabled, my password vault remains secure even on a compromised machine where they could keylog my Master Password.
            And my autofilled passwords remain hidden from the keylogger! (go look it up)
            My vault is secure AND my passwords are secure, even in this heavily compromised scenario!
            Compare this to any other scenario where a keylogger would capture each password as it is entered.
            Password Manager wins again

            The reality of studies conducted on password safes is people are stupid, they don't have some awesome strong master password

            Got a link for these alleged studies?

            It seems illogical to me that someone who is aware enough of password security to;
            a) know of the existence of Password Managers
            b) take the time to implement a Password Manager into their life
            would then use a weak Master Password to secure said Password Manager.

            Password safes are great especially for lazy people

            Lazy?
            Only compared to someone who is willing (and able) to remember at least 10 long, complex passwords to secure their digital life and hand type them each and every time.
            I can't think of a better alternative. even in your worst case scenario above!

            Happy to discuss further and be shown to be wrong.

            • @ESEMCE: I am well aware of Yubikeys and I use them for both work and home. They aren't perfect though; plenty of exploits in the past have utilised post-MFA authorised tokens, not to mention even Yubikeys have had their own vulnerabilities in the past like the PIN bypass. Autofill passwords are not protected when they are pasted into the browser, only while stored; once autofilled they can be captured by trojans or keyloggers.

              Here's one study. It is rather favourable, saying only 1 in 4 reuse passwords with the trend on the rise (still a lot); others in the past have had it much much higher. Never underestimate the stupidity of people. https://www.security.org/digital-safety/password-manager-ann….

              Add in incredibly poor security coding by some of these companies like LastPass, which until recently had the master password in plain text in memory, and you should treat these products with the appropriate amount of care. They are great for people that can't do proper password hygiene (as long as they can be convinced to use these properly). However keep important stuff out of them, use strong unique pass phrases for those and you will be in a far better security position than with a password manager alone.
              But you are most welcome to keep believing your security is fool proof.

              • @gromit:

                autofill passwords are not protected when they are pasted into the browser

                They're not pasted in, so are not able to be captured by keyloggers.
                There are attacks that can intercept the process by which Password managers insert passwords, and maybe even as you say to bypass MFA but we're now into advanced level hacking, not simple keylogging.
                If an attacker with such upper echelon skills is so embedded in my systems, at least as far as I can see, I'm already royally screwed anyway.

                keep believing your security is fool proof.

                This is absolutely not the case, I'm fully aware that nothing is 100% secure and that it is all about risk minimisation.
                But it's as good as I can manage with my meagre capabilities and is far better than any of the alternative options that I can think of.
                What is your recommendation?

                Finally your linked study has 40% of users using Chrome or Safari/iCloud "Password Managers" (plus another 16% "other", could these be mostly other browser based ie Firefox, Brave, Vivaldi "Password Manager "users?)
                Personally, I do not consider these to fit the description. They are 100% about convenience, not about security.

                I'd love to see the breakdown of improper use of Password Managers by type of Password Manager as I'd be happy to take the bet that of the 50% of users improperly using them, more than 90% fall into this questionable categorization.
                Got another that looks solely at genuine Password Manager options with security front and centre?
