So I've been watching the reaction to the news that the LastPass servers could have possibly been compromised. Needless to say, there's been a certain level of ignorance coming from people who don't understand the technical details of LastPass.
1. All of the information on their servers is encrypted
LastPass uses very secure encryption; it's at the same level as popular products such as KeePass or TrueCrypt. I've been looking into it, and these are the details I could find: AES-256 for encryption and SHA-256 for hashing. The key used to encrypt your passwords is derived from your username, password, and a random salt. I couldn't find any details on the size of the salt or the number of key-derivation iterations. However, in reaction to this possible intrusion, LastPass mentioned in their blog that they will be beefing up the encryption.
Quote
We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.
http://blog.lastpass...tification.html
2. LastPass doesn't know your "master" password.
This is very important to understand - LastPass doesn't know your master password. All of your information (accounts and passwords) is locally encrypted on your PC using your master password before it's uploaded to the server. This means that the information stored on their servers cannot be decrypted without your password, which they don't have. So as long as you choose a strong master password, there's no threat of hackers decrypting and reading your account details.
To put this in perspective, the threat here is no different than if you were to upload a KeePass database or TrueCrypt volume to a Dropbox account.
So what is the real threat here?
Those who should be worried are those who chose weak passwords for their LastPass account. A dictionary attack involves using a large list of words and common passwords, testing them one by one until they guess a password correctly. Even this would be time-consuming since LastPass uses salted keys: they would have to test each candidate password against each account separately, one at a time.
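To make the scheme described above concrete, here is an added example of my own (a constructed model, not LastPass's actual code or key layout): the vault key is derived client-side with PBKDF2-HMAC-SHA256 from the username, master password and a random 256-bit salt using the 100,000 rounds quoted from the blog, the server stores only a further one-way hash of that key, and the per-account salt means the same weak password yields a different key for every account, so a dictionary attack cannot be precomputed once and replayed across the user base. Function names, the salt layout and the "verifier" the server stores are my assumptions.

```python
import hashlib
import hmac
import os

# Constructed model of the scheme the post describes (assumption, not LastPass's code).
DEFAULT_ROUNDS = 100_000   # round count quoted from the LastPass blog excerpt
SALT_BYTES = 32            # 256-bit per-account salt, as quoted
KEY_BYTES = 32             # AES-256 needs a 32-byte vault key


def derive_vault_key(username: str, master_password: str, salt: bytes,
                     rounds: int = DEFAULT_ROUNDS) -> bytes:
    """Client-side key derivation (hypothetical layout): PBKDF2-HMAC-SHA256 over
    the master password, salted with the username plus the random salt.
    This key encrypts the vault locally and never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.encode("utf-8") + salt, rounds, dklen=KEY_BYTES)


def server_verifier(vault_key: bytes, salt: bytes) -> bytes:
    """What the server stores to authenticate a login (assumed design): a one-way
    hash of the vault key. A dump of this table yields neither key nor password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1, dklen=KEY_BYTES)


def new_account(username: str, master_password: str,
                rounds: int = DEFAULT_ROUNDS) -> dict:
    """Simulated sign-up: the client picks a fresh random salt, derives the key,
    and uploads only the public parameters and the verifier."""
    salt = os.urandom(SALT_BYTES)
    key = derive_vault_key(username, master_password, salt, rounds)
    return {"username": username, "salt": salt, "rounds": rounds,
            "verifier": server_verifier(key, salt)}


def login_check(record: dict, master_password: str) -> bool:
    """Simulated login: re-derive the key from the offered password and compare
    the resulting verifier in constant time."""
    key = derive_vault_key(record["username"], master_password,
                           record["salt"], record["rounds"])
    return hmac.compare_digest(server_verifier(key, record["salt"]),
                               record["verifier"])


def keys_for_same_password(master_password: str, records: list) -> set:
    """Derive the vault key that the same (weak) password produces for each stored
    account. Because every account has its own salt, the keys all differ, so a
    precomputed table of hashes for common passwords is useless against the dump."""
    return {derive_vault_key(r["username"], master_password, r["salt"], r["rounds"])
            for r in records}


def guess_cost(num_accounts: int, wordlist_size: int,
               rounds: int = DEFAULT_ROUNDS) -> int:
    """PBKDF2 invocations needed to try a whole wordlist against every account:
    salts force one derivation per (account, guess) pair, and the round count
    multiplies each derivation, which is what makes the attack slow."""
    return num_accounts * wordlist_size * rounds


if __name__ == "__main__":
    rec = new_account("alice@example.com", "correct horse battery staple")
    print("login with right password:", login_check(rec, "correct horse battery staple"))
    print("login with wrong password:", login_check(rec, "password123"))
    weak = [new_account("user%d@example.com" % i, "password123", rounds=1_000)
            for i in range(5)]
    print("distinct keys for one weak password across 5 accounts:",
          len(keys_for_same_password("password123", weak)))
    print("PBKDF2 calls for 10k-word list vs 1M accounts:",
          guess_cost(1_000_000, 10_000))
```

The two knobs the blog quote talks about show up directly in guess_cost: a per-account salt turns one derivation per guess into one derivation per guess per account, and the round count multiplies every one of those. Neither helps an account whose master password is in the first few hundred entries of a common-password list, which is the point of the paragraph above.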
There's also a threat of phishing attacks. LastPass does know your e-mail address, and it's possible those addresses could have been compromised if LastPass was indeed hacked. A likely phishing attack will involve e-mails that appear to be from LastPass, asking users to change their password and providing a link to a fake website. So if you use LastPass, watch out for these types of phishing scams.
The only other thing I can say about LastPass is that it is an obvious target. My example of uploading KeePass to a Dropbox account is inaccurate in the sense that hackers are unlikely to hack Dropbox looking for files containing passwords. They're much more likely to attack LastPass and then perform a dictionary attack or phishing attack.