LastPass: ONE Iteration hashing for some master passwords

This week's episode of Security Now discusses people de-obfuscating their LastPass vaults to see what metadata is in the clear, as well as tools allowing you to check your own. It turns out there is quite a bit that allows an alarming amount of targeting if you used LastPass for banking, government, etc. I'll quote one of the most alarming bits:

But the FAR more worrisome fact that was revealed when our listeners checked the settings of their LastPass vaults was the degree to which many – and I do mean many – of their password iteration settings were found to be below the 100,100 iterations mark. And in a revelation that I’m still trying to get my head around, I heard from many listeners whose PBKDF2 iteration count was set to 1. Yes, 1 iteration. And thus the shocking title of today’s podcast.

We need to assume that the attackers obtained every user’s account metadata including their vault’s iteration counts. Those counts need to be recorded somewhere because no one’s vault can be decrypted without knowledge of the count. And LastPass would have backed it up since the loss of that would be even worse than the loss of the vault backups themselves. So, assuming that the attackers obtained the iteration counts for every LastPass user, as they probably did from LastPass’ backup, if opportunistic brute force decryption of user accounts was their intent it would be a reasonable strategy for the attackers to start with those LastPass users whose counts were ‘1’. Why would they not?

Unfortunately, there's a well-known expression to describe the situation of all of those LastPass users who, at the time of this breach, had their LastPass password iteration counts set to 1. And that expression is "Low Hanging Fruit".

Episode Notes: https://www.grc.com/sn/SN-905-Notes.pdf

Episode 905 on YouTube:

If you use/used LastPass and you haven’t already, you should change your high value logins/credentials ASAP.

EDIT: Added master to the title for emphasis.

6 Likes
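To make the quoted point concrete, here is an added example (not from the podcast, the thread, or LastPass) showing why the iteration count is the whole game for an attacker holding an encrypted vault. It derives a PBKDF2-HMAC-SHA256 key the way a LastPass-style vault key is derived (salting with the account e-mail is an assumption for illustration), classifies a vault's iteration setting against the 100,100 default mentioned in the episode, and measures how much cheaper each offline guess becomes at a count of 1. All sample values are constructed.

```python
import hashlib
import time

# Constructed sample values; not real credentials.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"

# Default discussed in the episode; many vaults were found below it.
RECOMMENDED_MIN_ITERATIONS = 100_100


def derive_vault_key(password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output.

    Assumption: the account e-mail is used as the salt, which is why the
    attacker needs the per-user iteration count to even begin guessing.
    """
    if iterations < 1:
        raise ValueError("PBKDF2 requires at least one iteration")
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), email.lower().encode("utf-8"),
        iterations, dklen=32,
    )


def classify_iterations(iterations: int) -> str:
    """Defender-side check of a vault's iteration setting."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    if iterations == 1:
        return "critical"   # the 'low hanging fruit' case from the episode
    if iterations < RECOMMENDED_MIN_ITERATIONS:
        return "weak"       # below the current default
    return "ok"


def relative_guess_cost(iterations: int,
                        baseline: int = RECOMMENDED_MIN_ITERATIONS) -> float:
    """How many times cheaper one offline guess is than at the baseline count.

    PBKDF2 cost is linear in the iteration count, so a vault at 1 iteration
    lets an attacker test roughly 100,100 candidates for the price of one
    at the default setting.
    """
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return baseline / iterations


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure local derivation time at a given count (single CPU, no GPU).

    Real attackers run this on GPUs many orders of magnitude faster; the
    ratio between counts is what matters, not the absolute number.
    """
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_EMAIL, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    for count in (1, 5_000, 100_100):
        key = derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_EMAIL, count)
        print(f"iterations={count:>7}  status={classify_iterations(count):<8} "
              f"guess is {relative_guess_cost(count):>9.1f}x cheaper than default  "
              f"~{seconds_per_guess(count) * 1e3:.3f} ms/guess  key={key.hex()[:16]}...")
```

The `classify_iterations` threshold is the only policy knob; if your own vault reports anything below the default, raising the count and rotating high-value credentials (as the original post advises) is the mitigation, since the leaked ciphertext was protected by whatever count was in effect at the time of the breach.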

And for those that aren't aware, this isn't a one-off "oops". LastPass has a considerable history now of willful negligence. This post is a good summary of why you should absolutely not trust them with your data.

5 Likes

Did the guys at Tom’s miss the news? :thinking:

4 Likes

At least Bitwarden is first. Guess the LP affiliate program is just that good… (cause you know they know).

1 Like

LastPass being #2 on the list from an article that was written 2 weeks ago amidst the speculations going back 2+ months, and the debacle in 2018 is egregious IMO.

Bitwarden and KeePassXC are absolute gems in the password management world.

2 Likes

Sad to say, nothing that's a review/article on Tom's is independent.
Everything is a paid ad.
From the latest article on what's the best GPU, to what $5 gift can I get my techy other.
All ads :frowning:

And it's all bought and paid for months in advance in some cases, so it's likely just shit timing on Tom's part :roll_eyes:

2 Likes

I don’t mind affiliate link “Articles” as an alternative to ads.
As long as they say “we make money from the referrals”

Even an affiliate link in a review.
As long as the review is impartial

But alas, it is rarer for impartiality.

2 Likes