LastPass Passwords Are Crackable for $100, Says Rival 1Password
Posted December 29, 2022 at 4:11pm by iClarified
LastPass recently disclosed that an attacker obtained access to customer password vaults in a severe security breach.
The attack stems from a security incident in August 2022 when a hacker was able to access some source code and technical information from their development environment. That information was used to target an employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
LastPass notes that encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password. The service claims that if its best practices are followed it would take millions of years to crack a vault's master password.
If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture.
In a post today, rival 1Password claims that many master passwords will cost just $100 to crack because they aren't machine generated.
That "millions of years" claim appears to rely on the assumption that the LastPass user's 12-character password was generated through a completely random process. Passwords created by humans come nowhere near meeting that requirement. As I have been saying for more than a decade, humans just can't create high-entropy passwords. Seemingly clever schemes to create passwords with a mix of letters, digits, and symbols do more harm than good. Unless your password was created by a good password generator, it is crackable.
1Password says its service is different because it uses a Secret Key.
--
The most relevant facts about your Secret Key are that
1. It is created on your device when you first sign up.
2. It never leaves your devices.
3. It is woven into your account password when deriving the keys needed to decrypt your data.
4. It is high-entropy (128-bits).
The consequence of 1 and 2 is we (and therefore anyone who breaches us) have no access to your Secret Key whatsoever. The consequence of 3 is that an attacker would need to have or guess your Secret Key to decrypt your data. And the consequence of 4 is that it is not going to be guessed.
--
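The difference between a password-only key and one with a device-held secret mixed in can be shown in a short sketch. This is an added example, not code from the article, LastPass or 1Password: the function names, the iteration count, the XOR combination and the sample password and wordlist are all assumptions made for illustration, and comparing derived keys stands in for a real decryption check.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor, not a figure from the article


def stretch(password: str, salt: bytes) -> bytes:
    """Slow hash of the password alone (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def derive_password_only(password: str, salt: bytes) -> bytes:
    """Vault key that depends only on what the user typed."""
    return stretch(password, salt)


def derive_two_secret(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Vault key that also depends on a 128-bit secret held on the device."""
    device_part = hmac.new(secret_key, b"vault-key" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretch(password, salt), device_part))


def offline_guess(target_key, salt, candidates, derive):
    """Return the candidate whose derived key matches the target, else None."""
    for guess in candidates:
        if hmac.compare_digest(derive(guess, salt), target_key):
            return guess
    return None


def demo():
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)  # 128 bits, never sent to the server
    password = "Summer2022!"              # constructed human-style password
    wordlist = ["password1", "Summer2022!", "letmein"]  # constructed guesses

    key_a = derive_password_only(password, salt)
    key_b = derive_two_secret(password, secret_key, salt)

    # Password-only: server-side data plus a wordlist is enough to test guesses.
    found_a = offline_guess(key_a, salt, wordlist, derive_password_only)

    # Two-secret: whoever holds only server-side data must also guess the
    # device secret, so even the correct password in the wordlist does not match.
    def without_device_secret(guess, s):
        return derive_two_secret(guess, secrets.token_bytes(16), s)

    found_b = offline_guess(key_b, salt, wordlist, without_device_secret)
    return found_a, found_b


if __name__ == "__main__":
    print(demo())
```
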
More details in the full post linked below. If you're interested in 1Password, a personal account costs $2.99/month.
Read More