Some of you may have seen in the news about the LastPass latest breach.
What happened? This time hackers stole users’ entire password vaults as part of the data that was taken.
Oh, crap. Yes crap, but it’s not immediately terrible, or at least not as bad as it might sound. All password vaults are strongly encrypted using your master password as the key. If you used a complex master password, decryption will be quite difficult.
Okay, so I should change my master password? That’s a good idea to protect new passwords, but that won’t help with what’s already been stolen. The vaults that were stolen were encrypted with whatever your password was when they were stolen.
Righhhht. What should I do then? Don’t panic. Over the next few months, you should change the passwords you have stored in LastPass just in case the vaults are brute-forced or otherwise cracked at some point in the future. Focus on accounts that do not have two-factor authentication first as they’re the most vulnerable.
I’m curious, worried, bored, or some combination of these. Tell me more. Your vault is protected with AES-256, but the vault key is different. The encryption used to derive your vault key and authentication key is based on the master password + username and a 1-way hashing function called PBKDF2. This vault key and master password are never known to LastPass and are not stored anywhere on their systems. The one-way hashing function is done 100,100 times and is CPU intensive. This makes guessing your correct master password or vault key very difficult and time-consuming, with estimates of many, many years to brute force it even with today’s GPU cards.
The vault contains URLs, usernames, and passwords. It also contains secure notes. The passwords and notes are encrypted, but the other information such as URLs and usernames are not. This adds value to the data in that hackers could, for example, filter and sell lists of users that have Bank of America accounts, or other such metadata. Chances are that the unencrypted metadata of the vaults will be sold instead of dedicating resources to cracking vault keys or master passwords. Though state actors may use the data to select specific targets to brute force their vaults. We currently do not know who stole the data, or if it will show up for sale.
With ever-better GPUs, and optimizations used to brute force attacking PBKDF2, it is conceivable that some vaults could be cracked in a few years, and passwords based on dictionary words or weak passwords could be cracked much faster.
Director of Security Services
Mainstream Technologies Inc