Password Managers and the LastPass Breach - WST

Keeping track of your various passwords these days is nothing to scoff at. The ubiquitous solution to password generation and storage has been password managers where you only need to remember a single, complex password – your master password. The password manager then handles storing and creating complex passwords for all the accounts that you have created. Many password managers can store your data locally or they can keep those credentials in in the cloud so that you can access them from anywhere. Password managers are not, however, impervious to attacks, and due to their design, they inherit a single point of failure flaw. If a malicious actor can get ahold of your password vault and guess your master password, they are able to access all your passwords.

November 30, 2022, the public was made aware of a breach of well-known password manager, LastPass. Karim Toubba, LastPass CEO, posted on the company blog “In keeping with our commitment to transparency, I wanted to inform you of a security incident that our team is currently investigating.” The post went on to detail that data was accessed in a third-party cloud storage server by utilizing data that had been stolen from LastPass in a similar breach occurring August 2022. The post concluded with a recommendation that customers follow best practice surrounding their LastPass configuration and watch for updates as LastPass continue to investigate the breach.

Fast forward just under a month to December 22, LastPass posts an update to the breach on the company blog. The post explains a high-level overview of the technical route the attacker used to gain employee credentials that allowed the attacker to copy information from backup including “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The attacker was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” The post further specified that “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

So, what should you do if you use LastPass? The quick answer is not much in the short term as the password vault is considered generally secure, particularly if you have used a good master password. We recommend people make sure to enable multi-factor authentication everywhere possible and change passwords for any sensitive accounts such as financial accounts or social media in their vault to be extra safe. All passwords, and especially your master password, should be complex, with lower case, upper case, and special characters in your password. The longer the password, the better.

An option to determine if any particular password is compromised is https://haveibeenpwned.com/Passwords, where you can enter a password to check if it is present in a database containing over 600 million passwords obtained from various breaches. If the password you entered is “pwned,” we recommend changing it for sure.

Longer term, many folks are reevaluating their usage of LastPass’s service, given that the company has suffered several incidents over the last few years. There are other password managers out there with better track records, but it is important to keep in mind that there is never a situation where risk is not present and the best thing we can do is to layer our security. That is the case with password managers, just the same as it is with all controls. Strong credentials and due diligence when choosing your password solutions helps to mitigate that risk. Consider the various solutions carefully and keep an eye on your solution’s official methods for communication so that you are aware of any potential risks discovered. It’s important to note that even with this flaw, a password manager is still a better solution than re-using a handful of passwords for all your accounts, and we recommend using one.

Authored by: Cory Koetter, Sec+, CySA+ and Matthew Cardia, GPEN