🐈 Elon Musk’s LastPass master password revealed
They had one job.
Runtime: 6 minutes | IMDB rating: 7.2/10
This is meoward – an espresso shot of security served directly to your inbox. Please remember to tip your barista.
Remember The Matrix: Reloaded? Fun movie. Not a great movie, but a fun movie. Yeah, the Neo/Trinity love story doesn't really work and the action scenes are a bit drawn out. But it's got rogue programs and the hacking scene was pretty legit.
Think of this email like the Reloaded movie. A fun action-packed sequel with a long, awkward rave/sex scene that no one asked for but you awkwardly watch every time. Enjoy.
SSHv1 servers running strong in 2199.
Pop that red pill and let's follow the white rabbit 🐇:
🔑 LastPass: The last password you (and the threat actors) will ever need.
🎉 2023 and the future of meoward: where this little newsletter is going.
🍪 Holiday snacks: I won't compete with Mom's cookies, but I'm like Messi with that tall glass of whole milk.
Chop, chop. Look lively now.
The LastPass Breach
Back in August, I received an email from LastPass: "Dear valued customer." Since then, LastPass dropped an early Christmas present, and I've felt significantly less valued.
I spent my Christmas changing hundreds of passwords because LastPass have absolutely demolished my confidence in their ability to keep my data secure.
Here's what happened. (Hang tight, it's been a long ride)
Back in August, LastPass sent out an email letting its customers know that:
they detected a threat actor in their development environment
a compromised developer account was used to gain access to the LastPass dev environment
source code and proprietary technical information was stolen
no evidence that any customer data or encrypted password vaults were involved
More like "developer" since it only took one to cause a breach.
These details didn't sound too bad. This certainly isn't the first LastPass breach, and the plot was less exciting than the Uber breach.
LastPass sprinkles in some more reassurance in a September follow-up:
they brought in everyone's favorite big dog, Mandiant
the threat actor's activity was limited to a four-day period in August
there's no customer data or encrypted vaults in the dev environment (which is physically separated from and has no direct connectivity to production)
But on November 30th, we get a vague update from LastPass' parent company, GoTo:
"we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass."
Nothing unusual here. Just a cow. One cow, to be precise.
Then the big news comes on December 22nd.
I can imagine how the conversation went at LastPass:
"hey y'all know how there hasn't been a SolarWinds or Log4j event this Christmas?"
"hold my beer"
The December Update
It's a tad disingenuous to call this an update: this is a disclosure. And there's a lot to digest, but here are the key pieces of data:
LastPass production uses cloud-based storage for backups
A threat actor got access to the cloud storage access key and dual storage container decryption keys
The threat actor then stole backups of customer vault data
Vault data includes unencrypted data like website URLs and encrypted data like website usernames and passwords, secure notes, and form-fill data
The security community reacts
Wladimir Palant has this great teardown of the LP PR statement. In it, he raises a couple of interesting points:
LP doesn't encrypt the website URLs in your vault because they don't consider these sensitive data. But in the context of a user's password vault, these are absolutely sensitive! If I were targeting you, knowing all the websites (including any intranet resources) that you have access to would be gold. And LP have been warned more than once about this.
But Palant really nails it with this quote:
"Some threat actor out there has your encrypted passwords, and all that's protecting them is your master password."
Master password, you're our only hope
All we've got left now is the master password implementation.
Time to bring in the crypto bros – no, not cryptocurrency wannabes, I mean the O.G. cryptography nerds.
First, LP updated their required (shudder) 8-character minimum for master passwords to (shiver) 12 characters in 2018. But since the change wasn't retroactive, many existing customers are still rolling with 8-character passwords. None of this is setting my mom up for success.
Second, LP uses 100,100 iterations of PBKDF2 with SHA-256 by default. This number has increased over time, and there have been a few reports of some accounts not having been updated to the new default, so this might be another setting to check (Account Settings -> General -> Advanced Settings -> Password Iterations). Put together, the vault key is derived like this:
salt the master password with the username
run 100,100 iterations of PBKDF2-HMAC-SHA256 over it to get a reinforced encryption key
use that key to encrypt the secret vault data with AES-256
Third, LP claims it would take millions of years to guess your master password using generally available password-cracking technology. But this claim assumes random brute force, and we know using common combinations and word lists can be surprisingly effective.
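To make the two points above concrete, here is an added example (my code, not LastPass's) that walks the key derivation the list describes and then runs the offline attack Palant's quote implies: an attacker holding a stolen vault derives a key for every candidate master password and tests it. The "does this key open the vault?" check is a hypothetical stand-in (an HMAC over a constructed header) so the block runs with the standard library only; a real attacker would AES-256-decrypt a record and check the plaintext, but the per-guess cost is the same PBKDF2 work. The username, password, wordlist and cracking rate are all constructed.

```python
import hashlib
import hmac

# Added example: not LastPass's code. Follows the derivation the page describes
# (PBKDF2-HMAC-SHA256, username as salt, 100,100 iterations, 32-byte AES-256 key)
# and shows why the iteration count and the password, not the cipher, decide how
# long an offline attack on a stolen vault takes.

DEFAULT_ITERATIONS = 100_100


def derive_vault_key(master_password: str, username: str,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, salted with the lower-cased
    username. Returns a 32-byte key, the size an AES-256 vault key needs."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.lower().encode("utf-8"), iterations, dklen=32)


# Hypothetical stand-in for "does this key open the vault?": an HMAC tag over a
# constructed header. A real check would AES-256-decrypt a record and see whether
# the plaintext parses; the attacker's cost per guess is the PBKDF2 call either way.
VAULT_HEADER = b"constructed-vault-header-v1"


def vault_tag(vault_key: bytes) -> bytes:
    return hmac.new(vault_key, VAULT_HEADER, "sha256").digest()


def offline_crack(tag: bytes, username: str, iterations: int, candidates):
    """Offline dictionary attack against a stolen vault: derive a key for each
    candidate and test it. Returns (password, guesses_tried) or (None, guesses_tried).
    Note the attacker must know the account's iteration count; it is stored with
    the vault in practice, so it costs them nothing to learn."""
    tried = 0
    for guess in candidates:
        tried += 1
        key = derive_vault_key(guess, username, iterations)
        if hmac.compare_digest(vault_tag(key), tag):
            return guess, tried
    return None, tried


def expected_crack_seconds(keyspace: int, iterations: int,
                           rate_at_one_iteration: float) -> float:
    """Average time to hit the password: half the keyspace, each guess costing
    `iterations` PBKDF2 rounds. Cost scales linearly with the iteration count,
    which is why 5,000 -> 100,100 iterations is a 20x slowdown for the attacker."""
    return (keyspace / 2) * iterations / rate_at_one_iteration


if __name__ == "__main__":
    user = "Alice@Example.com"                      # constructed
    # Constructed: an 8-character master password of the kind still allowed
    # for accounts that predate the 2018 policy change.
    stolen_tag = vault_tag(derive_vault_key("Summer22", user))
    wordlist = ["password", "letmein1", "Welcome1", "Summer21", "Summer22", "Winter22"]
    print(offline_crack(stolen_tag, user, DEFAULT_ITERATIONS, wordlist))  # ('Summer22', 5)

    # Random 8-char printable-ASCII password versus a 10M-entry wordlist, at a
    # hypothetical 1e9 single-iteration guesses/second: the cipher never appears.
    for label, space in (("random 8 chars", 95 ** 8), ("10M wordlist", 10_000_000)):
        for iters in (5_000, DEFAULT_ITERATIONS):
            secs = expected_crack_seconds(space, iters, 1e9)
            print(f"{label:15s} {iters:>7d} iterations: {secs / 86400:.3g} days")
```

The takeaway matches the page: against a wordlist password the vault falls in minutes regardless of AES-256, and a low legacy iteration count makes it cheaper still, so the two settings worth checking are the master password itself and the Password Iterations value.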
And the official LP recommendation?
"There are no recommended actions that you need to take at this time."
So what's it all mean?
First, here's my story: I've been using LastPass since 2011. I've spent the last decade convincing family members to use LastPass. My risk analysis went something like this.
Reasons to use a password manager:
They help create strong, unique passwords for every account and login.
They're convenient and I can use it across all my devices.
Reasons to not use:
If they get hacked and their security sucks, I'll have to change all my passwords.
This is speculation, but here's how I see it. Four days in any environment is long enough to find a few nuggets. Just ask my good friend Shann. Give him just one little piece of information, and suddenly he's got the keys to the kingdom. That's just reality.
Yes, it's great that their dev environment is architecturally separate, but unfortunately it's rare that developers have two accounts, or two laptops, or that total separation really exists.
And while LP certainly doesn't directly say it, this sounds like either a lateral movement situation or the August threat actors sold their findings to the November/December threat actors.
So… is this just bad or like, really really bad?
Based on this sequence of events, I've concluded four things:
LastPass did not have a handle on the August breach – either they didn't fully determine the scope or failed to fully eradicate the threat actors.
We'll soon see phishing campaigns to "update your compromised password due to the LastPass breach."
If the scope of the breach is only user vaults, the default 100,100 password iterations and a strong password will probably keep you safe, at least for now.
But I think there's probably more to come (cue the jarring chords, shrieking strings, and ominous percussion), and who knows what backdoors or other nefarious things the threat actors might have done.
I'm personally not hanging around to find out. I'm out.
Some honesty to you, the reader
Hey, so I know it's been a while since I wrote one of these. My bad. I've got a long list of excuses: started a new job, did some travel, visited with friends, and a beautiful, crazy toddler that I want to spend all my time with.
But you didn't subscribe to this newsletter for excuses (I'd call that newsletter "Yeah, but…"), you came here for the content (mostly the memes).
I've learned that writing about security is hard. And I make it a lot harder on myself. There's just a lot of bad information out there, and sifting through it, getting some background on the tech, processing all the opinions – it takes a long time.
Anyway, I'm still figuring this newsletter out. I have some guilt about it. But I'm doing my best.
There's good excuses, and then there's great excuses.
How did you like today's email?