How LastPass Protected Passwords and What's Different - Post Compromise
A few days ago, LastPass announced a potential data breach on their corporate blog.
A network traffic anomaly was detected from one of their non-critical servers. A while later, a similar anomaly was detected from one of their databases, but in the opposite direction.
At this time, it’s unknown what data, if any, was taken or how this impacts the security of their databases, but through understanding how LastPass works and the changes they have implemented in order to further protect their users, we can better understand the risks and challenges that a security service like LastPass faces on a daily basis.
LastPass is a software as a service solution that attempts to make the difficulty of storing, creating, and protecting passwords to applications easy.
A user installs a local version of LastPass on their workstation. Setup will have the user create a master password that is used to unlock the username and password database when required.
Once the user has the application on their system, this software will detect username and password fields on web pages and applications. The software will then prompt the user to either use an existing set of saved credentials from that site, or to save a newly enter set of credentials that are setup.
Communications between the client and LastPass’s data centers are secured using a 256-bit AES encryption over SSL. Because of the model for how they protect and store data, LastPass doesn’t store any application usernames and passwrds within their data centers.
Instead, data is encrypted an stored locally and LastPass stores the customer e-mail address and master password which is used to decrypt the local store.
Know this, we can assume that the biggest risk towards LastPass customers is that their master passwords may have been stolen. Encryption and a one-way salted hash protected those passwords.
With this technique, if a password file was stolen, that file could be brute forced to attempt to determine the password for each file.
Dictionary words, common passwords, and weak passwords would be fairly easy to break, and more complex passwords would be more difficult, but not impossible, to brute force as well.
In light of their recent news, LastPass has now initiated a full password reset for all users. Reset and new passwords will now be hashed using Password-Based Key Derivation Function v2 (PBKDF2). This technique uses SHA-256 hashing with a 256-bit salt and 100,000 rounds of pseudo-randomization and salting.
In comparison, the BlackBerry uses 1 round and the Apple iOS 4 uses 10,000 rounds. With this implementation, password cracking becomes extremely difficult.
There will likely be a number of other security controls that will change for LastPass due to this event and this echo’s the attacks a number of newsworthy attacks.
As we wait to learn what data was compromised and if this compromise will lead to spear phishing, client-side data theft, or just a knee-jerk reaction to be safe than sorry, we can learn a lot through this experience.
We need to understand, more deeply, how security solutions that make our lives easier work, and more importantly, how they protect our information.