Come on, encrypt all the metadata. Why are the website URLs just sitting around? That’s just negligence.
But taking a step back, this is an even older conversation of “why rob banks, because that’s where the money is”. This was a very persistent and targeted attack. Sure, maybe the backups shouldn’t be on a “storage volume” and a blob store would be a better fit to enforce contingent authorization. But once a hosted service is too attractive can any of them resist all attacks? Something for me to ponder, I really do like 1Password.
When using cloud based password managers, people like to say “it depends on your threat model!” But whose threat model is “Eventually I will lose all my PII that I store in this service and I can’t mitigate the threat”? If it’s a question of trade-offs and probabilities, hey you’re more likely to forget strong passwords or use weak passwords than have 1Password or LastPass hacked, firstly I’d say the metadata is as important to protect so their designs matter, secondly this trade-off is unsatisfactory because the sheer attractiveness of the hosted services is tilting the probabilities too far towards the services being compromised.
Does LastPass have a lot more users than 1Password? I ask because they have a lot more security breaches.
I don’t know about the numbers, but I know a large enterprise mandating LastPass as the only pw manager for all employees. They are def. a valuable target.
Does this count as dead for the purposes of the Official LastPass Death Pool?
Nope, none of the browser extensions have broken.
See also this analysis of how strong pbkdf2 is as they used it: https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/.
I want to push back a bit on the framing here – analyzing “how strong” a hash/KDF is when the data set is in the attacker’s possession is not particularly useful, because it’s always game over at that point.
And in this specific case, as I’m understanding the data set, the attacker only needs to crack the hash of each vault’s master password, and those tend to be human-chosen passwords, which means the weak point is not and never was the KDF. Using a “better” KDF or “better” parameters/iterations/etc. is going to be only a microscopic speed bump to an attacker cracking all the “password1” and “mypasswordvault” and “lastpass2022” stuff that’s bound to be in there.
Realize I’m a bit late, but I don’t agree. As a meta-point, I don’t think asking “is it game over?” is a very good framing. A better question is “which people are how vulnerable?” This pushes us towards a distribution of risks, rather than a binary “everyone’s screwed”/“everyone’s ok” judgment.
You are correct that with virtually[0] any hash, it is game over for people with sufficiently weak passwords. And with a sufficiently strong password, you’d be fine with even a very weak hash.
But to your point, suppose someone uses a diceware password with two numbers at the end, but they don’t use enough words. They don’t reuse the password, it isn’t in any list of pwned passwords. Then it absolutely matters what hash you’re using. The hash in question lets someone test 7.6 billion passwords/day. A stronger one would cut that by multiple orders of magnitude. One Mastodon post spells this out in more detail: https://hachyderm.io/@epixoip@infosec.exchange/109570449350805745.
The best I can steelman your position is that the number of people using these…let’s say “medium strength” passwords must be so small it doesn’t matter. I don’t know. It’s possible, but I suspect there are many people who’ve used mediocre but not terrible passwords.
[0] I’ve not seen someone run the analysis of what cracking a dump like this would be if they were using argon2 or something similar that’s resistant to GPU cracking. You can still crack “password”, but I believe you can’t feasibly use a dictionary of 500 million leaked passwords (the size of the pwned passwords database). I’m less confident about this observation than the rest of this post.
The core issue here is that, from what I’ve read, the LastPass master passwords were not salted, which means that calculating the hash for, say, password1, cracks every vault that used that password. And that’s why I said the KDF is not the weak point – no matter what KDF was used, many human-chosen master passwords are going to be cracked quickly under those circumstances.
Salting them makes it significantly harder for the attacker. Requiring a combination of the master password and some other factor – as other password managers appear to do – is far stronger. But in terms of “how screwed are you”, if the storage format was unsalted [insert literally any KDF here], the answer is always “totally screwed”.
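Added example (not part of the original comment, and not LastPass's actual storage format): a small model of the salting argument above, counting how many KDF computations it takes to test a guess list against a set of vaults when every vault shares one salt versus when each has its own. The user list, guess list, iteration count and function names are constructed for illustration.

```python
import hashlib
import os

ITERATIONS = 1_000          # low so the demo is fast; not a recommended setting
SHARED_SALT = bytes(16)     # "unsalted" modelled as one constant for every vault

def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 verifier for a master password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_vaults(passwords, per_user_salt: bool):
    """Constructed vault records: one (salt, verifier) pair per user."""
    vaults = []
    for pw in passwords:
        salt = os.urandom(16) if per_user_salt else SHARED_SALT
        vaults.append((salt, derive(pw, salt)))
    return vaults

def guessing_cost(vaults, candidates):
    """Test every candidate against every vault.

    Returns (set of vault indexes whose password was in the list,
    number of KDF computations needed). A derivation is reused whenever
    the same (candidate, salt) pair comes up again.
    """
    cache, matched = {}, set()
    for i, (salt, verifier) in enumerate(vaults):
        for cand in candidates:
            if (cand, salt) not in cache:
                cache[(cand, salt)] = derive(cand, salt)
            if cache[(cand, salt)] == verifier:
                matched.add(i)
    return matched, len(cache)

# Constructed sample data: six users, three of whom picked the same password.
USERS = ["password1", "password1", "lastpass2022",
         "password1", "correct-horse-battery-42", "mypasswordvault"]
GUESSES = ["password1", "mypasswordvault", "lastpass2022"]

if __name__ == "__main__":
    for label, flag in (("shared salt", False), ("per-user salt", True)):
        hit, calls = guessing_cost(make_vaults(USERS, flag), GUESSES)
        print(f"{label}: {len(hit)} vaults matched, {calls} KDF computations")
```

With a shared salt the work is one derivation per guess regardless of how many vaults exist; with per-user salts it grows with the number of vaults, while the same weak passwords are still found in both cases.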
Use your OS / browser password management. You’re already trusting them to handle your passwords safely. They have bigger & (apparently) better security teams. If you’re lucky they’re under an FTC consent decree, meaning there’s some actual regulatory oversight on their security & privacy practices.
That’s reasonable advice if you exclusively use a single OS ecosystem and a single browser and you have no plans to change platforms.
It works less well if you use, say, Firefox on Windows and Safari on iOS. Third-party password managers such as LastPass make it pretty pain-free to have a shared credential store across devices and platforms.
OS/browser password managers also tend to have much weaker sharing features. Those are critical for a lot of business use cases but are useful even for individuals, e.g., spouses sharing the credentials for the bank website to access a joint bank account.
I use Chrome on Linux & Windows & Android and when I use iOS I can access my Chrome passwords through the iOS password manager mechanism. It’s imperfect, but better than using some dodgy nonsense like 1Password or LastPass.
If I was bought into the Apple ecosystem I’d just use their iCloud password thing.
For sharing passwords, at least in the family, depressingly you’re probably better off (and safer) using a shared spreadsheet in a cloud service run by a competent company who’s fighting off nation states and organized crime.
For business use cases do LastPass et al have the kinds of audit trails and controls that you really need? I haven’t used them in years so I don’t know.