Lastpass customer vaults taken in last attack.

Depends if the salts were taken as well. They also need to know the exact number of rounds used. LP says they use 100,100 but I would bet that each vault has a random slight variation on that: 100,083 for one, 100,113 for the next, and so on.

Online services are expensive. Buying out 20 or so VMs to crack a blob is going to cost $1000 per day. Can't see hackers doing that. Using crypto mining has hardware upfront costs and electric costs. If encrypted blobs were that easy to crack there'd be no point.
Buying? I don't think you understand how botnets work sir...

And yes, the salts are important too. But that's the problem with the Lastpass breach, the attackers infiltrated via a dev account. Which dev account? And how much of their codebase were they able to access?

We have to assume the vaults were taken, the algorithms to generate the keys were lifted, and now all they have to do is keep the vaults offline for years while they work away at unlocking them. They'll never break the 256-bit AES, but they very much will break the single factor password and generate the required keys, then the entire vault is there.

Between now and then, change all the passwords in the vault. Because while it's still probably at least a decade out for any serious user, it's still a risk to be mitigated. Not something to get into a mad panic over, but a risk to be mitigated.

@britechguy I don't have belief in this, I have certified experience with modern authentication systems and defending them. You however, do not. And it shows. There is no such thing as a secure password that can be easily typed. And in the case of password vaults, due to their access nature they must use passwords that are relatively easily typed. MFA helps only the online access, it does nothing for the actual decryption process, this is a problem.
 
@Sky-Knight They're going after the easy targets. They're not going to devote much time to cracking each vault because they don't need to. It's all about maximizing the number of cracked vaults for how much time is spent. If they can crack 1% of the vaults by spending 2 hours or less on each one, that makes more sense than spending 100 days on each vault to crack the bottom 5%.
For now? yes, over time that changes. Once these vaults are on the dark web, they're on there forever. Time moves on, techniques advance and eventually, what was once a hard target becomes a low hanging fruit. That's why you invalidate all the known compromised tokens, but again I'm not saying do so in a mad panic, it's just a process to work through over the next year or two.
 
@Sky-Knight

There really is no pearl you will leave unclutched or straw you will not grasp at.

You will, and routinely do, indulge in using the edgiest of edge cases as though that's how you determine a reasonable course of action. It isn't.
 
Buying? I don't think you understand how botnets work sir...
You’re the one that mentioned Azure and AWS. While I am sure that there are compromised VMs on both platforms I doubt many are. Both services are pretty good at patrolling for such things.

And yes, the salts are important too. But that's the problem with the Lastpass breach, the attackers infiltrated via a dev account. Which dev account? And how much of their codebase were they able to access?
Considering that LP is saying the same advice as you have, we have to assume that the salts and rounds used per account were also taken.

To get the certification audits that LP has received the salts should have been separately stored and encrypted in its own right. Guess not though…
 
@Sky-Knight

There really is no pearl you will leave unclutched or straw you will not grasp at.

You will, and routinely do, indulge in using the edgiest of edge cases as though that's how you determine a reasonable course of action. It isn't.
Security is made of edge cases, managing them is how I keep my clients in the clear.

@nlinecomputers You don't need a VPS specifically, you just need an account linked to someone else's credit cards. Beyond that, malware in the wind running on who knows what to build a distributed supercomputer, which is mainly what botnets do now. And no, Azure and AWS are not good at "patrolling" for this stuff, however clients tend to notice quickly because overuse will cause a massive increase in monthly spend which tends to get people's attention.

As for the breach itself... I have no idea how it happened. All I know is, I have to assume any data in any vault on the platform will be accessed. The only thing up for debate is how functionally long we have until that access happens. And it's pretty trivial to rotate passwords on critical things in the short go and worry about the rest over time. Heck normal password expiration policies will probably handle most of the risk here.

The hardest part will be identifying which passwords have been rotated and which ones haven't over time. It's going to be silly easy to miss one or several, which can be a timebomb for later, that's a reality I work to avoid the hardest because it's where most intrusions happen.

So I'm making a note to look into a password age report from Bitwarden, because should this sort of thing happen to Bitwarden I'll need a nice list of passwords from oldest to youngest to ensure I don't miss any. Because I assume all systems will be breached and I need a plan to mitigate that. The only thing Lastpass has done that I don't agree with is the speed of their announcements. I'd prefer they'd have come clean sooner of the scope of the breach, but it's entirely possible they just didn't know. Still, I must assume they delayed for their own benefit and not their customers, which is just another wrinkle in the plan. I assume Bitwarden will do something similar in the future, so I'm just trying to plan ahead a bit.
 
What's the working theory on how the vaults will (eventually) be unlocked?

I imagine a scenario where the hackers can look at the unencrypted bits and see things like email addresses and URLs to figure out which vaults are of high value. Then they'd attack those vaults with a botnet's brute force to crack the password.

LastPass has about 30 million users, or 30 million vaults. Seems like it could be an eternity and then some. Or not I guess if somehow they find a bug in the algorithm and can crack all 30 million vaults at once.

Just seems to me that any one particular user's vault, even with this breach, has an infinitesimally small possibility of being exposed.

If I'm way off base here feel free to correct me.
 
I've been a LastPass reseller for a couple years. Most of my clients though are residential so 6.00 a month is a bit much when they can get it directly for 3.00. I've looked into Bitwarden and I'm looking at Keeper as well.

So far, I'm deciding if I want to leave LastPass and if so, move where.
 
What's the working theory on how the vaults will (eventually) be unlocked?

I've yet to see one specific to LastPass, but see this academic article, On The Security of Password Manager Database Formats, for a general discussion with several of the vault formats of some of the major players in the field.

In the end, your assessment, "has an infinitesimally small possibility of being exposed," is the very worst case scenario, and not likely at all. To call it a remote infinitesimal possibility is an overstatement.

None of these password managers use encryption methods that are not well-known to begin with. If there were a problem were the algorithms to become known, we'd already be dead in the water. But we're not, because with a sufficiently strong vault password, which has a direct impact on the actual vault encryption, it's just not ever going to be broken in any reasonable period of time with current technology.
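As an added example (not part of any post in this thread): a sketch of why the salt, the round count and the master-password strength debated above each matter to an offline guesser. It assumes PBKDF2-HMAC-SHA256 as the key-derivation function and uses the 100,100 round figure quoted earlier; the salt, the sample password, the three password shapes and the 1e6 guesses/s rate are constructed values.

```python
import hashlib
import math
import time

ROUNDS = 100_100               # round count quoted in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(master_password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Derive a 256-bit vault key; PBKDF2-HMAC-SHA256 is an assumption here."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, rounds, dklen=32)


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of a secret made of `length` uniformly random picks from `symbols`."""
    return length * math.log2(symbols)


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Expected years to find the secret: on average half the space is searched."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def local_guess_rate(rounds: int = ROUNDS, samples: int = 3) -> float:
    """Key derivations per second on this machine, single core."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe-{i}", b"constructed-salt", rounds)
    return samples / (time.perf_counter() - start)


def report(rate: float) -> dict:
    """Expected search time in years for three constructed master-password shapes."""
    shapes = {
        "8 lowercase letters": entropy_bits(26, 8),
        "4 words from a 7776-word list": entropy_bits(7776, 4),
        "16 printable ASCII chars": entropy_bits(94, 16),
    }
    return {name: years_to_search(bits, rate) for name, bits in shapes.items()}


if __name__ == "__main__":
    salt = b"constructed-salt"
    # Same password with a different round count yields an unrelated key.
    print(derive_key("constructed-pw", salt) == derive_key("constructed-pw", salt, 100_083))
    print(f"local rate: {local_guess_rate():.1f} derivations/s")
    for name, years in report(1e6).items():   # 1e6/s is an assumed attacker rate
        print(f"{name:32s} {years:.3g} years")
```

The guess rate is the only input that changes over time; raising it tenfold divides every figure by ten, which shifts the weak shapes much sooner than the strong one.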
 
Security is made of edge cases, managing them is how I keep my clients in the clear.

Security is not "made of edge cases" as far as making day-to-day decisions about risk management.

Edge cases, particularly ones as absolutely unlikely as the ones you routinely grasp at as though they're sure to happen, are NOT a part of accurate risk management or analysis.

Probabilities that rapidly approach zero are not something one spends any time worrying about in real-world situations. That way lies madness and tons of utterly unnecessary worry and work.
 
Security is not "made of edge cases" as far as making day-to-day decisions about risk management.

Edge cases, particularly ones as absolutely unlikely as the ones you routinely grasp at as though they're sure to happen, are NOT a part of accurate risk management or analysis.

Probabilities that rapidly approach zero are not something one spends any time worrying about in real-world situations. That way lies madness and tons of utterly unnecessary worry and work.

We've had far too many conversations on this forum for me to ever expect you to understand just how wrong you are. We're never going to agree, and your assessment of the relative risks is insane. It very much is the technical equivalent of not trusting vaccines, which is why I keep bringing it up. Case in point? Your comments about the algorithms not being well known, it's AES, it's well known. There are details about how it's leveraged that may or may not be known, but because a developer machine was compromised to gain access one must assume the entire code tree was stolen.

@timeshifter There are many theories on that, but the most aggressive says 3-5 years to see the first real volume of vaults being accessed. Any vault that has a bonkers hard password on it could very well be decades if not hundreds of years out. But we can't know because we don't know exactly what was taken.

In this situation I'm telling people to change their master password, any other passwords used to access the vault, and all passwords stored in the vault for mission critical services immediately. The rest can be rotated as time allows over the next year or two just out of an abundance of caution.

Any passwords in the vault that have MFA options don't even need the password changed, they just need the MFA secret rotated. Which underscores the wonder of phone sign-on, because if this sort of thing happened with AAD all you have to do is dump all the authenticators and reenroll. The data stolen is now worthless, yet the end user's login process didn't change at all to impact their day. It's wonderful.

This is also a great time to replace randomly generated gibberish passwords with three word passphrases too. This sort of thing happens, it's going to happen again, I'm not a Lastpass user, partner, or customer. But if I was I wouldn't use this event alone to make the decision to leave. Their lack of transparency involving this event, THAT is what's upsetting me.
 
I started using Bitwarden back in 2021 and I am kicking myself for not using it earlier. I had all my passwords in my head as I was paranoid to either write them down or save them in my browser. That didn't help because I was either reusing passwords or resetting them all the time. Not anymore, lol. I use the iPhone app constantly.
 
Just for the heck of it I've been testing out other password managers and they all freaking SUCK! Like seriously, WTF is wrong with these other services? Bitwarden's Chrome/Firefox extension doesn't allow you to paste your password, then click away and get the 2FA code and paste it into the extension too because when you click out of the extension when it's on the page asking for the 2FA code, it takes you back to the enter password screen and erases the password you entered! This makes Bitwarden completely useless to me as I don't have a simple, easy to type and remember password.

I tried Roboform and every time I turned around there were issues. For some unholy reason the iOS version wouldn't accept my password if I pasted it into the app, only if I manually typed it. And it asked for my password CONSTANTLY no matter what I was trying to do. I'm sure there's a way to reduce the number of times it asked for my password but at that time I was so frustrated from typing my 100+ character password manually like 20 times that I just gave up on it. It also just randomly forgot my master password on my computer. Remember, I'm copying and pasting it so there's no way for me to "forget" the password. I had to reset it, wiping my vault in the process. This happened twice. I don't know WTF is going on there but it's like the software lost my password.

I tried another password manager (I don't remember which one) and it wouldn't allow you to remove your phone # as a MFA method for getting access to your password manager!

In total I tried probably 5 different password managers and they all had major deal-breaking issues. At this point @callthatgirl's Notepad system is looking pretty appealing! I'm not even joking.
 
I've never had a single issue with Password Safe (and its Android port, and there is an iOS port, but I don't use iDevices).

You can choose to use 2FA using YubiKey or OnlyKey, or not.

One of my clients that I just saw yesterday uses DashLane, and it's quite slick.
 
When I help a client with a password manager, I instantly look at my fake watch and say "tick tock"... the password managers almost never have the updated password and they insist it's there, I keep the clock running. Therefore, making me the most expensive password resetter in the world. 🤣
 
It took some serious tooth pulling to get my wife to use Bitwarden, but once the idea of it stuck... both of us now wonder how the heck we lived without it. MFA protected access to a vault that has everything in it is entirely too convenient to ignore.
 
It took some serious tooth pulling to get my wife to use Bitwarden, but once the idea of it stuck... both of us now wonder how the heck we lived without it. MFA protected access to a vault that has everything in it is entirely too convenient to ignore.
I have used 1password for the last year and I feel the same. I only need to remember 1 master password, I keep the secret key...well, secret and backed up in multiple places (including a paper copy). I have the account protected by yubikey for new device logins and the app is integrated with Windows Hello and biometrics to unlock.

I use the 1password MFA for accounts and it will auto fill most accounts using the web browser extension. To some this may seem counterintuitive but when you need a hardware key, secret key and strong master password to login to my account on a new device the chance of anyone getting in is pretty slim to even get to the point they can use the generated OTP. The app locks every 10 mins as does my laptop (when idle obviously!). It's probably more secure than my phone.
I like the integration with haveibeenpwned.com. One improvement would be to add the username generator they have on their website (https://1password.com/username-generator/) into the app for when I want to use a completely random name.
 
I don't think I tried 1password. Is there a way to disable the automatic lock? I'm not a moron so I won't lose my computer or allow it to be stolen so I don't need such security. Same reason why I don't have a lock of any kind on my phone.
I'm pretty sure you can, 10 mins is the default so I left it.
They do a 14 day free trial and all the major browsers have the extension.
I've got a business account which gives me a free personal account.
 