I haven’t written a real blog post in a long time, but this one is floating around in my head and insisting to come out.
For the last few months, I’ve been following closely the breach that occurred at Lastpass. You may have heard about it. It’s been all over the technical news feeds, with lots of fear, uncertainty and distrust. It was of particular interest to me, as a long time Lastpass user. These articles make it sound like Lastpass is the most insecure password manager out there. They advise everyone that their “vaults have been stolen” (not making clear it was the encrypted vaults, and the purpose of encryption is to protect information if it does get stolen). They advise everyone to change every password. They advise people to run screaming away from Lastpass to other password managers.
Their tone strikes me as off. It reminds me of the days when everyone piled on Microsoft for what we later learned was probably no good reason, for Microsoft had been moving in the right direction. Their tone — to me — sounds like risk-adverse panic. They are scaring people away from this product because of a risk that really isn’t as bad as they make it out to be. There are times I wonder if there is an agenda behind those articles (and my mind even wonders at some times if a competing password manager wasn’t behind the attack — after all, you don’t have to do anything with the vaults to damage the market leader — the attack is sufficient).
I’ve read the latest blog post from Lastpass closely. I suggest that you do as well. Here’s what I take away from it.
First, this wasn’t a flaw in the product. The flaw — as it is so commonly — was on the human side. Social engineering was used to attack an employee’s home computer, and that employee hadn’t adequately patched their home computer. This is quite common, and to expect perfection in how people maintain their home machines is wrong. It also seems clear that this employee — and Lastpass itself — was targeted by an adversary. That tells me this wasn’t a typical “scoop up the data and sell it”. This was a targeted spearphishing attack, likely with some specific vaults in mind. That’s evident in how the attack went down, and the fact that the data exfiltrated hasn’t shown up elsewhere. For all we know, this was a government adversary targeting a specific individual they learned had a vault.
ETA: Could the breach have been stopped with a product patch? Possibly. But remember here that the attack was on a home computer, not a work machine managed by LogMeIn. On your home computer, do you install every patch on every third-party product? Most people don’t. There’s some hygiene and education to be done here, but it isn’t a product flaw.
The takeaways from this, for me, are:
- The product is not inherently flawed. It uses a reasonable scheme to protect the vaults, and suffers from the same risks that any product that stores stuff in the cloud faces. The vaults are protected with a strength commensurate with the user chosen master password and iteration count.
- The nature of the attack is something that could happen at any password manager product: targeting developers at home. That’s even true for open source products: open source products may still store user data in the cloud, and that data can be compromised.
- Corporate training may be weak, but corporate training overall is weak, and people are often the weakest part in any company.
- This was targeted attack. If you are a high-value target, I’d be worried. If you are the run of the mill user, I’d be much less worried. It is likely not worth the adversaries effort to attempt to decrypt your vault.
Second, should you change all your passwords? I think the clear answer here is “no”, not all. If you choose to change anything, you should make your determination based on what the password is protecting. Is it a bank or something vital, such as your domain configurations or DNS? Is it your social security account? Is it your email account? Change it. But you should be changing those passwords on a regular basis anyway, and enable MFA. But is the password for something like Slice or Lands End or Disqus. I wouldn’t worry. So they order a pizza on a credit card number they can’t see. You dispute the charge, unless they delivered it to you and you enjoyed it. The risk isn’t there. I’d venture you would only need to change about 20% of your passwords, if you have as many throwaway accounts as I do.
This, of course, is presuming you follow best practices. Create a unique account for each site; don’t rely on your Google or FB login. Have strong unique passwords for every site. Enable MFA where you can. These are all best practices you should know if you’ve been trained. You’re not that weak link, are you?
But do you need to change your passwords? The answer here is: it depends on you and your comfort level. They’ve already got the encrypted vaults. At minimum, you should change your vault master password to something long and strong (I recommend using xkpasswd or the pronounceable password generator and doing further conditioning), change the number of iterations to 600,000, and if you are using MFA, change the randomization seed. Details are in the Lastpass bulletin, and simply provide additional protection going forward. Should you be worried about what was stolen? I’d worry about adversaries using the non-encrypted information for phishing, so be extra careful with texts and emails (but then again, I believe that most of the data scraping attacks are collecting information for spearphishing, as it is easier to convince you to give me the data than to attempt to brute force it. See this XKCD). If you had a really weak master password and low iterations, change your key passwords and look for indications of attack. But remember: you’re likely not the target.
The takeaways here are:
- You don’t need to change all your passwords
- Change your vault passwords, iterations, and MFA seed on general principles.
- If you had a weak master password, change key passwords protecting financial institutions, major accounts (email, FB), and DNS/domain related accounts.
- Take a deep breath.
Third, do you need to run screaming away from Lastpass? Again, that depends on your comfort level. Although their latest communication was good and detailed, they sucked on communication up to this. I attribute that partially to timing, as they were being divested away from LogMeIn and that introduces a certain chaos in corporate communications. But they were also probably holding things close to the vest until they improved processes. Reading their longer time plans, I think they are significantly improving things and so their update product will be more secure. They are certainly retraining their development team. I particularly noted “Working to encrypt URL and URL-related fields in the vault BLOBs.” That’s a good thing.
Moving away from Lastpass has certain costs. There is the friction in moving the vaults (and moving your vault does nothing to protect you from this breach, as the general user information and encrypted vault data was already stolen). Arguably, it puts your data in more places to be stolen, as it doesn’t delete data from backups and such. There are also usability issues (Lastpass is an extremely easy to use product), and with the paid product, the features of the Family plan were excellent.
The takeaways here are:
- Lastpass sucked at communication during the process, but has now finally given good details. They lost trust due to how they handled this, which is a lesson we all should learn from.
- The improvements they have made, and are making, are good and increases confidence in their product.
- They could do more: increased training of employees, increased emphasis on awareness, and increased practical exercises on recognizing phishing are key. Increased restrictions on what computers can connect to them, combined with techniques to ensure those computers are configured properly. Those may be coming, or perhaps they weren’t explicitly mentioned.
- Every user should balance their risk tolerance with their likelihood as a target and the value of the information being protected. Be realistic, and understand the frictional costs in moving platforms.
Am I going to abandon Lastpass? Probably not. But I have changed master passwords, increased iterations, and updated MFA seeds. I’ve also changed passwords on critical accounts, and enabled MFA in more places (using an authenticator app instead of SMS when I can). I’m also keeping an eye out for any anomalous activity, but then again, I always do that.
2 Replies to “🗯️ Thoughts on a Breach”
Thanks for the post. Since the last time I was worried about computer security it was OpenVMS in 2009, I was wondering about my LastPass account.
What is your opinion of Yubikeys? I have it on my LastPass, and as many sites that support it, but am not sure it is anything more than security theater.
We use a Yubikey with Duo for my work computer. It is an example of “Something you have”, so it is just another form of multifactor authentication. It secures a system from a password only attack (and it one reason why I wouldn’t be worried about an account in my vault that was protected by a Yubikey). The LP bulletin didn’t say anything about having to resync the shared secret for the Yubikey, so you’re likely OK there as well.