Last week, just before Christmas, LastPass dropped a bombshell announcement: as the result of a breach in August, hackers had gotten their hands on users' password vaults. While the company insists that your login information is still secure, some cybersecurity experts say that it could make people feel more secure than they actually are and that this is just the latest in a series of incidents that make it hard to trust the password manager.
The December 22nd statement from LastPass was full of omissions, half-truths and lies, according to a post from Wladimir Palant. He accuses the company of trying to portray the August incident, in which LastPass says "some source code and technical information were stolen," as a separate incident, when, he says, the company failed.
LastPass has told a bald-faced lie.
The threat actor could use the leaked data to create a complete movement profile of customers if LastPass was logging every IP address you used with its service.
Gosney wrote a lengthy post explaining his recommendation to move to another password manager. He claims that LastPass has as much knowledge as a password manager could possibly get.
LastPass says its zero-knowledge architecture keeps users safe because the company doesn't have access to your master password. The phrase is misleading, according to Gosney. Most people think of their vault as a database where the entire file is protected, but with LastPass, your vault is a plaintext file and only a few select fields are encrypted.
If you reuse your LastPass password on another site, it would take millions of dollars to break it.
LastPass should be aware that passwords will be cracked for some of their customers, writes Palant. The customers clearly didn't follow their best practices. He says that LastPass hasn't necessarily enforced those standards. Despite the fact that it made 12-character passwords the default, Palant can log in with an eight-character password.
"They commit every 'crypto 101' sin."
Gosney and Palant have differing opinions on the issue. Gosney accuses the company of committing "every 'crypto 101' sin" with how it manages data once it's loaded into your device's memory.
The company's post paints its password-strengthening algorithm as "stronger-than-typical." The idea is that the standard makes it harder to brute-force your password, because a certain number of calculations have to be performed on each guess. The lowest number I have seen in any current password manager is 100,000.
Bitwarden adds another 100,000 iterations when your password is stored on the server, on top of those performed in its app, for a total of 200,001. You have to have both a secret key and a master password in order to use 1Password. If anyone gets a copy of your vault, they can't access it with the master password alone, so it's uncrackable, according to Gosney.
It was confirmed last week that older accounts may only have 5,000 iterations or fewer. That makes it hard to take LastPass' claims that it takes millions of years to crack a master password seriously. What about people who have been using the software for a long time? If LastPass hasn't issued a warning about, or forced an upgrade to, those better settings, then its "defaults" aren't useful as an indicator of how worried its users should be.
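The iteration counts above are the whole argument, so here is an added example (not LastPass's, Bitwarden's or 1Password's code) that derives a vault key with PBKDF2-HMAC-SHA256 at the counts the article mentions and computes how much more work each guess costs at one count than at another. The master password, salt and the 100,100 "current default" figure are assumptions for illustration; the 5,000 and 200,001 figures come from the article.

```python
import hashlib
import time

# Iteration counts discussed in the article. The 100,100 default is an
# assumption for illustration; 5,000 and 200,001 are the article's figures.
LEGACY_ITERATIONS = 5_000
ASSUMED_CURRENT_DEFAULT = 100_100
BITWARDEN_TOTAL = 200_001


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte key with PBKDF2-HMAC-SHA256.

    The iteration count is a parameter of the KDF: the same password and salt
    at a different count yield a different key, which is why a client must
    know (and an attacker must match) the count used for a given vault.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def relative_guess_cost(iterations: int, baseline: int = LEGACY_ITERATIONS) -> float:
    """How many times more work one password guess costs than at `baseline`.

    PBKDF2 cost is linear in the iteration count, so an attacker testing a
    5,000-iteration vault can try roughly 20x more candidates per second than
    against a 100,100-iteration vault on the same hardware.
    """
    return iterations / baseline


def scale_guess_rate(guesses_per_second: float, from_iters: int, to_iters: int) -> float:
    """Convert a guess rate measured at one count into the rate at another."""
    return guesses_per_second * (from_iters / to_iters)


def time_one_derivation(iterations: int, trials: int = 3) -> float:
    """Best-of-N wall-clock time for a single derivation on this machine."""
    salt = b"constructed-salt-for-demo-only"  # constructed, not a real vault salt
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_key("correct horse battery staple", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    for count in (LEGACY_ITERATIONS, ASSUMED_CURRENT_DEFAULT, BITWARDEN_TOTAL):
        seconds = time_one_derivation(count)
        print(
            f"{count:>7} iterations: {seconds * 1000:7.1f} ms per guess, "
            f"{relative_guess_cost(count):6.2f}x the cost of a 5,000-iteration vault"
        )
```

The timing loop only measures a single CPU thread, so treat the printed numbers as a sanity check on the ratios rather than a cracking estimate; the point is that the ratio between counts is fixed by the KDF, whatever hardware is used.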
The fact that LastPass has ignored pleas to protect data is another sticking point. Knowing where people have accounts could be used to target them. The threat actors want to know what you have access to, so that they can target the people who are worth their time and money. One example he points out is a password reset link that isn't properly expired.
You can tell a lot about a person by what websites they visit. If you used LastPass to store your account information, what would it be like? Is it possible to determine what area you live in based on your utility provider accounts? If you used a gay dating app, would it endanger your life?
Several security experts, including Gosney and Palant, seem to agree that there is no proof that cloud-based password managers are a bad idea. This seems to be a response to people who evangelize the benefits of completely offline password managers. A company that stores millions of people's passwords will get more attention from hackers than one individual's computer will, and getting at something that isn't in the cloud is a lot harder.
Running your own password manager can be a lot more difficult than people think. Backing up your vault protects you against losing it in a hard drive crash, but increases the risk of it being stolen, and you have to remember to tell your automatic cloud backup software not to upload your passwords. It's also a bit of a pain to sync an offline vault between devices.
It is recommended by both Gosney and Palant that people switch to another password manager because of how LastPass has handled this breach and the fact that it is the company's seventh security incident in a little over a decade. They don't care about their own security, and much less about your security, Gosney writes, while Palant wonders why LastPass didn't detect that hackers were copying the vaults from its third-party cloud storage. Additional logging and alerting capabilities have been added by the company.
LastPass said that most users won't have to take any precautions after the incident. That recommendation was called "gross negligence." He says that anyone with a simple master password, a low number of iterations, or who is a high-value target should change their passwords immediately.
Do you think that is the most enjoyable thing to do over the holidays? It is not possible to say yes. Someone stole your password and accessed your accounts.