Last Monday, LastPass reported that intruders had penetrated the company’s internal network and exfiltrated users’ email addresses, password reminders, server per-user salts and authentication hashes.
LastPass said it did not believe users’ individual password vaults were at risk; however, it recommended that all users update their master passwords and adopt two-factor authentication.
So will this attack be a nail in the coffin for LastPass?
As a security consumer, a revelation like this can be somewhat troublesome and may leave you contemplating what repercussions this attack might have on you from here on.
LastPass' blog post on the attack suggests the biggest threat comes from the compromise of the server per-user salts, which are used to add entropy to the encryption scheme.
Entropy is a measure of unpredictability in an encryption system; the more of it there is, the harder the system is to reverse engineer without the secret keys that unlock it.
These salts should be considered a second key for unlocking your password vault, making the overall cryptographic system stronger than it would be if it were protected by your password alone.
With your unique salt known to potential attackers, as well as your email address, they have a better chance of succeeding with a brute-force dictionary attack against your vault.
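To make the role of the salt concrete, here is an added example (not LastPass's code, and the iteration counts and the choice of the account email as the client-side salt are assumptions for illustration, not LastPass's own parameters). The client stretches the master password with PBKDF2, the server stretches the result again with a random per-user salt before storing it, and `seconds_per_guess` shows what is left protecting the account once an attacker holds the email, the salt and the hash: only the cost of the stretching itself, which is why a strong master password and a high iteration count matter.

```python
import hashlib
import hmac
import os
import time

# Illustrative scheme constructed for this example. The iteration counts are
# placeholders, NOT LastPass's real values; the email-as-client-salt choice is
# likewise an assumption made for illustration.
CLIENT_ITERATIONS = 5_000
SERVER_ITERATIONS = 100_000
KEY_LEN = 32  # bytes


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: the key that decrypts the vault never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ITERATIONS, KEY_LEN
    )


def derive_auth_hash(vault_key: bytes, server_salt: bytes) -> bytes:
    """Server side: re-stretch the client's value with the random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, server_salt, SERVER_ITERATIONS, KEY_LEN)


def register(email: str, master_password: str) -> dict:
    """Create the server-side record: email, fresh per-user salt, authentication hash."""
    server_salt = os.urandom(16)
    auth_hash = derive_auth_hash(derive_vault_key(master_password, email), server_salt)
    return {"email": email, "salt": server_salt, "auth_hash": auth_hash}


def verify(record: dict, master_password: str) -> bool:
    """Check a login attempt against the stored record using a constant-time comparison."""
    candidate = derive_auth_hash(derive_vault_key(master_password, record["email"]), record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def seconds_per_guess(record: dict, samples: int = 3) -> float:
    """Cost of one offline guess once email, salt and hash are all known:
    the key stretching is the only remaining obstacle per candidate password."""
    start = time.perf_counter()
    for _ in range(samples):
        verify(record, "not-the-password")
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed sample account.
    rec = register("alice@example.com", "correct horse battery staple")
    print("login ok:", verify(rec, "correct horse battery staple"))
    print("wrong password:", verify(rec, "password123"))
    # Same email and password but a fresh salt gives a different stored hash,
    # so hashes cannot be compared across accounts or precomputed in bulk.
    again = register("alice@example.com", "correct horse battery staple")
    print("hashes differ across salts:", rec["auth_hash"] != again["auth_hash"])
    print(f"cost per guess with salt and hash known: {seconds_per_guess(rec):.3f} s")
```

Raising `SERVER_ITERATIONS` raises the per-guess cost for attackers and legitimate logins alike; changing the master password after a breach gives the attacker's copy of the hash nothing to match.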
Are you vulnerable?
How likely is it that you are now at risk of being compromised? Let’s take a whistle-stop tour of LastPass’s set-up routine and evaluate some of the threats you may be subject to.
When you first download the installer you are invited to create a new account. This involves registering your name, email address and master password that you will use to unlock your password vault.
The installer says your master password should contain symbols, digits and both upper and lower case letters, and offers a password strength indicator to show you how secure your choice is.
The main issue is that the password policy is not enforced. I tested it by typing in my full name, with the letters all in lower case, and it reported that it was a full strength password.
The fact that it could easily be compromised by a simple dictionary attack didn’t stop the installer from representing to me that it was an excellent choice.
This is bad security practice: it gives users a false sense of security while not enforcing the underlying policy that makes the overall system strong. It would be easy to enforce the complexity policy, which in turn would reduce the chances of a brute-force attack succeeding.
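As an added illustration of how little it takes to enforce such a policy (this is example code written for this article, not LastPass's installer), the checker below applies the rules the installer states (symbols, digits, upper and lower case), adds a minimum length, and additionally rejects passwords built from the user's own registration data or from common words, so a lower-case full name like the one described above is refused instead of being rated full strength. The word list is a constructed stand-in for a real dictionary.

```python
import string

# Tiny constructed word list standing in for a real dictionary check.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "iloveyou", "dragon"}
MIN_LENGTH = 12


def personal_tokens(name: str, email: str) -> set:
    """Pieces of the registration data that must not appear in the master password."""
    tokens = {t for t in name.lower().split() if len(t) >= 3}
    local_part = email.split("@")[0].lower()
    for separator in (".", "_", "-"):
        local_part = local_part.replace(separator, " ")
    tokens.update(t for t in local_part.split() if len(t) >= 3)
    return tokens


def policy_violations(password: str, name: str = "", email: str = "") -> list:
    """Return every rule the password breaks; an empty list means it is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no symbol")
    lowered = password.lower()
    for token in sorted(personal_tokens(name, email)):
        if token in lowered:
            violations.append(f"contains personal information '{token}'")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            violations.append(f"contains common word '{word}'")
    return violations


def accept_master_password(password: str, name: str = "", email: str = "") -> bool:
    """The enforcement point the installer lacks: refuse registration rather than only warn."""
    return not policy_violations(password, name, email)


if __name__ == "__main__":
    # Constructed registration details.
    for candidate in ("john smith", "Password123!xyz", "Tr0ub4dor&3x!Ab"):
        problems = policy_violations(candidate, "John Smith", "john.smith@example.com")
        print(f"{candidate!r}: {'accepted' if not problems else 'rejected: ' + '; '.join(problems)}")
```

The point of returning the full list rather than a single verdict is that the dialog can tell the user exactly what to change, which a strength meter alone never does.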
The next stage of the installation is to load the LastPass plugin in your web browser, then log into the LastPass server. The default LastPass login screen is a standard username and password dialog; however, there are a few excellent ancillary methods for logging in that I was really impressed with.
It’s just a shame the default one is so insecure in comparison.
At the bottom of the standard dialog screen there is a link to “screen keyboard”. This alternative login screen would reduce the likelihood of a keylogger successfully capturing your password should your machine already be compromised.
Banks such as Westpac already use onscreen keyboards for this purpose, making their banking solution a lot stronger than the average experience. LastPass also offers another alternative for logging in that is even harder to find but is the strongest option of them all.
This is known as the one-time password, and it is an excellent feature that lets you create a pre-populated list of passwords for accessing your vault from untrusted computers.
For example, if you have to log in from an internet café or hotel lobby, you should assume the machine is hostile, so combining the onscreen keyboard with a one-time password considerably reduces the likelihood of existing threats on that machine succeeding.
The final piece of the login puzzle is that you can also use a second factor of authentication, such as Google Authenticator, RSA SecurID or Microsoft’s Authenticator app.
Enabling these options means that even if your master password was compromised, the attacker couldn’t access your vault without having direct access to this second form of authentication as well. This is virtually impossible, so it’s a pretty good solution.
The reality is that LastPass is still a good solution for managing long, complex and impossible-to-remember passwords, and I would certainly not recommend running for the hills at this stage.
You always need to consider that LastPass is a prime target for hackers since a full compromise of user data would fetch a pretty bounty on the black market.
However, in this case the company has done everything by the book, and its communication with users and the press has been timely and honest. Its assessment of the risk also seems technically sound.
There are definitely ways LastPass could still improve its solution, with enforcement of strong security policies that would tighten everything up enough to make it nigh on impossible to compromise the system using traditional attacks.
Perhaps the user community should lobby LastPass to make these changes as an improvement after the cleanup of this incident.
Passwords remain the biggest threat we face online, yet there is still no viable alternative that can displace them.
However, much research is continuing in this area, with the primary industry body, the FIDO Alliance, pulling together hundreds of big brands to participate in making this a reality.