Lastpass customer vaults taken in last attack.

What am I missing? Is there anything anywhere anymore that doesn't lock the account after 3-5 bad password tries? You can't hammer a server with millions of tries for 5 days. Those days are long gone, I thought.
The vaults were stolen. They are in the hands of the hackers. There is no server to restrict decryption attempts.
 
So the discussion is about the password for encryption on the vault? (Sorry, guess I should have been following more closely.) I still have to think that would be a pass-phrase and could hardly be broken with brute force. Still.....
 

Compute for yourself how strong your password is.
 
I'm in the process of switching to NordPass as a result of this breach. My master password is 15 characters with all character types, so I'm not worried about my vault being cracked any time soon, but LastPass has had enough problems and been slow enough about disclosing them that I'm no longer comfortable staying there. Great product with great ease of use for a reasonable price, but company practices will always scare me. Nord seems to have a fairly good track record on that side.

Handy graphic for password strengths from 2021 attached.
 

Attachment: password brute force timelines.jpg (114.1 KB)

It is indeed handy, but much of what they consider yellow I personally consider green. Anything in the "X years" class is way more than secure enough for virtually anything as far as a password goes.

The probability of a brute force attempt to crack a password vault that takes years to crack ever going through to completion is effectively zero. The only instance where that amount of time might be taken is for a very high value target, and most very high value targets will be changing their passwords on anything that requires a high degree of security far more frequently and probably using 2FA, too.

We must guard against the probable, not every remotely possible, but highly improbable, compromise(s).
 
I still have to think that would be a pass-phrase and could hardly be broken with brute force. Still.....

Therein lies the problem. If someone has used a strong password (passphrase) then the probability of a successful brute force cracking of the vault is very low, and the timeframe in which it could be successful makes it such that the data accessed should all be stale by the time anyone could get to it.

But those idiots who used 1234, or similar, as their vault passwords, and they do exist, are in big trouble. But anyone who used a vault password such as 2389MyVaultFluffy& (117.98 bits entropy, 7 quadrillion years at https://www.security.org/how-secure-is-my-password/) should not be losing sleep.
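The point made above, that a stolen vault is attacked offline with nothing in the loop to count or throttle guesses, is easiest to see in code. The following is an added example, not code from the original thread or from LastPass: it builds a constructed stand-in for a vault record (salt, PBKDF2 iteration count and a key-check tag in place of the encrypted entries), runs a dictionary attack against it, and measures how the KDF work factor sets the guess rate. The iteration count and the wordlist are assumptions for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

# Work factor for the key derivation. This is an assumed value for the
# example, not LastPass's setting; the point is that it is the only lever
# left once the vault file is in the attacker's hands.
ITERATIONS = 50_000


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def make_vault(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Constructed stand-in for a stolen vault record.

    A real vault also carries the AES-encrypted entries; here a key-check tag
    replaces them, because a recognisable "is this key right?" signal is all a
    cracker needs, and decrypting the entries would give the same signal.
    """
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    tag = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "tag": tag}


def try_guess(vault: dict, guess: str) -> bool:
    """One offline trial: derive the key from the guess and compare the tag.
    There is no server in the loop, so nothing counts or throttles these."""
    key = derive_key(guess, vault["salt"], vault["iterations"])
    tag = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault["tag"])


def crack(vault: dict, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack against the stolen record. Returns (password or None, guesses made)."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if try_guess(vault, candidate):
            return candidate, guesses
    return None, guesses


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure this machine's single-core trial rate for a given work factor."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


# Constructed wordlist: the weak choices the thread calls out plus some filler.
WORDLIST = ["password", "123456", "1234", "qwerty", "Summer2022", "letmein"] + [
    f"pass{i}" for i in range(20)
]

if __name__ == "__main__":
    weak = make_vault("1234")
    strong = make_vault("2389MyVaultFluffy&")
    print("weak vault  :", crack(weak, WORDLIST))    # ('1234', 3)
    print("strong vault:", crack(strong, WORDLIST))  # (None, 26)
    for iters in (1, 1_000, ITERATIONS):
        print(f"{iters:>6} iterations: {guesses_per_second(iters):,.0f} guesses/s on one core")
```

The weak vault falls on the third guess; the strong one survives the whole list, and the last loop shows why the iteration count matters: every guess costs the attacker the full KDF, so raising it divides their rate directly, and it is the only cost they cannot avoid once the file is offline.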
 
To side with @Sky-Knight a bit here, the problem with sites like that is they don't state what spec computer they use to work out the length of time to crack.
One of my passwords states it would take 200 trillion years to crack. I won't lose sleep, even if the latest hardware means it could only take 100 years to crack, but this may lead to a false sense of security for some. The entropy of my passwords is all over 100; I use my password manager to generate most passwords, but my master password is easy for me to remember.

As professionals we should promote the use of strong passwords and inform people of the risks of using weak passwords.
 
Exactly, all those password test sites, all the infographics assume ONE CPU. IF you can leverage many CPU/GPUs the time to break drops dramatically. But the costs to build and run such mega rigs is unlikely to be spent long term. Botnets of course are free but unreliable as nodes can be destroyed by owners as they are found. I think the LP breach is unlikely to result in anyone getting hacked. However the unencrypted data that LP was collecting is going to result in targeted spearphishing attacks.
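The last three posts make the same point from different angles: the "years to crack" number depends on an unstated guess rate and an unstated number of machines. The following is an added example, not code from the original thread or from any of the checker sites: it reproduces the naive entropy calculation those sites use (length times log2 of the alphabet, which gives exactly the 117.98 bits quoted above for 2389MyVaultFluffy& with a 94-character alphabet) and then shows how the time estimate moves with the per-node rate and the node count. The rates in RATES are illustrative assumptions, not measurements. One caveat the checkers leave out: the entropy formula assumes every character was drawn at random, so for a password built from words plus decoration it is an upper bound, and a real cracker tries dictionary words with rules long before it tries random strings.

```python
import math

# Character-class sizes that the common online checkers assume. Every character
# is credited as drawn uniformly from the union of the classes present.
CLASSES = {"digits": 10, "lower": 26, "upper": 26, "symbols": 32}


def charset_size(password: str) -> int:
    """Size of the alphabet a naive checker credits to this password."""
    size = 0
    if any(c.isdigit() for c in password):
        size += CLASSES["digits"]
    if any(c.islower() for c in password):
        size += CLASSES["lower"]
    if any(c.isupper() for c in password):
        size += CLASSES["upper"]
    if any(not c.isalnum() for c in password):
        size += CLASSES["symbols"]
    return size


def entropy_bits(password: str) -> float:
    """Naive entropy: length * log2(alphabet). Gives 117.98 for 2389MyVaultFluffy&."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_crack(bits: float, rate_per_node: float, nodes: int = 1, fraction: float = 0.5) -> float:
    """Expected time to hit the password by exhaustive search.

    rate_per_node is guesses per second on one machine; nodes multiplies it
    (a GPU rig or a botnet). fraction=0.5 is the average case, since on average
    the search finds the password halfway through the keyspace.
    """
    return fraction * (2.0 ** bits) / (rate_per_node * nodes)


def human_time(seconds: float) -> str:
    """Render a duration the way the infographics do."""
    year = 365.25 * 86400
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    years = seconds / year
    for name, scale in (("quadrillion", 1e15), ("trillion", 1e12), ("billion", 1e9),
                        ("million", 1e6), ("thousand", 1e3)):
        if years >= scale:
            return f"{years / scale:.1f} {name} years"
    return f"{years:.1f} years"


# Illustrative per-node guess rates (assumed for the example, not measured).
# The spread between a slow KDF on one CPU core and a fast unsalted hash on a
# GPU is the variable the checker sites never state.
RATES = {
    "one CPU core, slow KDF": 1e3,
    "one GPU, slow KDF": 1e5,
    "one GPU, fast unsalted hash": 1e10,
}

if __name__ == "__main__":
    for pw in ("1234", "Summer2022", "2389MyVaultFluffy&"):
        bits = entropy_bits(pw)
        print(f"{pw!r}: {bits:.2f} bits, alphabet {charset_size(pw)}")
        for label, rate in RATES.items():
            for nodes in (1, 10_000):
                print(f"    {label}, {nodes:>6} node(s): {human_time(seconds_to_crack(bits, rate, nodes))}")
```

Running it shows the thread's two points side by side: the same 117.98-bit password moves through many orders of magnitude of "time to crack" as the rate and node count change, while a 13-bit password such as 1234 is gone in well under a second under every assumption.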
 
Yep. Only people using weak dictionary word passwords are likely to get hacked, and that's if the people in possession of the vaults test every vault, which will still take a long time given how many customers LP had. I agree, the unencrypted data will lead to phishing/spearphishing attacks, but people should be mindful of those anyway.
 
Botnets of course are free but unreliable as nodes can be destroyed by owners as they are found.
Not anymore, K8S nodes in a docker container automatically orchestrate over the swarm without any load loss. And before you ask... YES the botnets are that sophisticated now. Infrastructure as code is that powerful, and it's here today.

But I should be clear my comments are regarding the master password for the vaults that were stolen. For literally anything else, use a weak password, MFA it... move on. We only need to worry about strong passwords where it's being directly used for cryptographic purposes. Authentication has other, better mechanisms.
 
Which means that they are not doing many iterations to hide their use. This tilts the attack in our favor as they CAN'T fully leverage the full power of the PCs/VMs they have compromised. They are deliberately running slowly to hide. That's not an advantage when you need to perform as many computations as fast as possible because you need to perform billions of them a minute.
 
Well, I'll keep eating my popcorn awaiting a single documented case of one of these vaults actually being hacked that had a strong password of at least 12 characters on it.

I'll be the size of several elephants before that ever happens if it ever happens.
 
They are deliberately running slowly to hide.
You can hide more easily with orders of magnitude more low-power nodes than you can with fewer high-powered ones. Machines have plenty of spare power to do work without being noticed.

But even in the spaces we're talking about those resources are valuable; they aren't going to commit those resources unless they think they can get a return. Likely targets would be large companies, but on the smaller scale, everyone here: if you're publicly known to do tech support, you're a high value target because a breach lets them compromise more systems while also extorting you directly.

Since reputation is the true currency of our industry, people get really quiet and are very fast at pulling out their wallets in the hopes no one notices. Rather like how Lastpass behaved... It's destructive and short term thinking, but it's also what most that have been hit so far have done.
 
they aren't going to commit those resources unless they think they can get a return.

This. I have been saying this over and over and over again. And there is very, very little of value that can come from trying to crack password vaults where you have no idea who the owner is, or know that the owner is some random John or Jane Doe. The juice is not worth the squeeze.

That's why this is all such a tempest in a teacup. Real risk of actual damage is very low indeed.
 
But in regards to LastPass, they can get a good idea because things like URLs were not encrypted. If you see some vaults have some high value URLs attached to them, I'm guessing they are going to give those a go. As mentioned above, spearphishing will also be used if the password takes too long to crack.

I've not used this tool (I don't have a LastPass account), but I've seen some that have; if you want to see what's unencrypted in your vault, you can use this: https://github.com/cfbao/lastpass-vault-parser
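To make concrete what "the URLs were not encrypted" means at the byte level, the following is an added example, not code from the original thread and not the parser linked above. It walks a constructed vault blob in the chunk layout that open-source LastPass clients parse (4-byte ASCII chunk id, 4-byte big-endian length, payload; ACCT payloads are length-prefixed fields, with the URL field hex-encoded rather than encrypted) and reports which fields of each account are readable without the master password. The layout, the field order and the "!"-prefix test for AES-CBC fields follow my reading of lastpass-cli's blob parser and should be treated as assumptions to check against the real tool; the sample account is constructed and its ciphertext fields are opaque stand-ins.

```python
import struct
from typing import Dict, List, Tuple

# Chunk layout as implemented by open-source LastPass clients (assumption,
# based on lastpass-cli's blob parser; confirm against the tool linked above):
#   blob  := chunk*
#   chunk := id(4 ASCII bytes) || length(4 bytes, big-endian) || payload
#   ACCT payload := field*   where field := length(4 bytes, big-endian) || bytes
# Only the leading ACCT fields are modelled here; the real chunk carries more.
ACCT_FIELDS = ["id", "name", "group", "url", "notes", "fav", "sharedfromaid", "username", "password"]


def field(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def chunk(cid: bytes, payload: bytes) -> bytes:
    return cid + struct.pack(">I", len(payload)) + payload


def fake_ciphertext(label: bytes) -> bytes:
    """Stand-in for an AES-CBC field: '!' marker, 16-byte IV, ciphertext. Opaque without the key."""
    return b"!" + bytes(range(16)) + bytes(b ^ 0x5A for b in label)


def build_blob() -> bytes:
    """Constructed sample vault: a version chunk plus one account entry."""
    acct = b"".join(field(v) for v in [
        b"4242",                                        # id: plaintext
        fake_ciphertext(b"Bank login"),                 # name: encrypted
        fake_ciphertext(b"Finance"),                    # group: encrypted
        b"https://bank.example/login".hex().encode(),   # url: hex-encoded, NOT encrypted
        fake_ciphertext(b"account no. 12345"),          # notes: encrypted
        b"0",                                           # fav: plaintext flag
        b"",                                            # sharedfromaid: empty
        fake_ciphertext(b"jane.doe"),                   # username: encrypted
        fake_ciphertext(b"correct horse"),              # password: encrypted
    ])
    return chunk(b"LPAV", b"2") + chunk(b"ACCT", acct)


def parse_chunks(blob: bytes) -> List[Tuple[bytes, bytes]]:
    """Split the blob into (chunk id, payload) pairs, refusing truncated input."""
    chunks, pos = [], 0
    while pos < len(blob):
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        cid = blob[pos:pos + 4]
        (length,) = struct.unpack(">I", blob[pos + 4:pos + 8])
        payload = blob[pos + 8:pos + 8 + length]
        if len(payload) != length:
            raise ValueError(f"truncated {cid!r} chunk")
        chunks.append((cid, payload))
        pos += 8 + length
    return chunks


def parse_fields(payload: bytes) -> List[bytes]:
    """Split an ACCT payload into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated field header")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        fields.append(payload[pos + 4:pos + 4 + length])
        pos += 4 + length
    return fields


def is_encrypted(value: bytes) -> bool:
    """AES-CBC fields start with '!' then the IV. Enough for this constructed blob;
    legacy fields without the marker would need more care in a real parser."""
    return value.startswith(b"!")


def exposed_accounts(blob: bytes) -> List[Dict[str, object]]:
    """For each ACCT chunk, report what an attacker reads without the master password."""
    out = []
    for cid, payload in parse_chunks(blob):
        if cid != b"ACCT":
            continue
        values = dict(zip(ACCT_FIELDS, parse_fields(payload)))
        out.append({
            "id": values["id"].decode(),
            "url": bytes.fromhex(values["url"].decode()).decode(),
            "plaintext": [k for k, v in values.items() if not is_encrypted(v)],
            "encrypted": [k for k, v in values.items() if is_encrypted(v)],
        })
    return out


if __name__ == "__main__":
    for acct in exposed_accounts(build_blob()):
        print(acct)
```

The output lists the URL, the record id and the favourite flag as readable, and the name, group, notes, username and password as ciphertext. That is exactly the split the thread is worried about: the secrets hold until the master password is cracked, but the URL alone tells an attacker which vaults are worth cracking and which users are worth phishing.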
 
If you see some vaults have some high value URLs attached to it, im guessing they are going to give those a go. As mentioned above, spearphishing will also be used if the password takes too long to crack

I don't disagree with either of those assessments. That being said:

1. Those who have obvious high-value information are the most likely to have strong passwords for their vaults and also to have changed those for high value accounts very quickly after a compromise like this one.

2. Spearphishing is a constant and those who are high-value targets should, in 2023, be well aware of this practice and how to recognize it.

I'll still be sitting here with my popcorn waiting for the first documented instance of one of those password vaults being cracked, period, and even longer waiting for any to be cracked that had strong passwords on them.

The reality of the situation is that it's a low risk of actual compromise of accounts, particularly if reasonable precautions are taken in promptly changing passwords for high-value online accounts.

The information in many of those vaults, in terms of the high-value targets, is already so stale as to be worthless. For those that had MFA/2FA on them in addition, it was not of much use to begin with.

I simply presume that those in the IT industry, banking industry, credit card industry, etc., know and follow best practices for securing their accounts and/or password vaults. If they don't, in 2023, then they should not be in the positions they're in. You have to have been living under a rock not to understand what you need to do after years, and years, and years of reporting on all kinds of compromises, both electronic and social engineering.
 
That's a lot of assumptions. The Okta "hack" last year disproves point 2. It's reported that social engineering was used for that. Phishing/social engineering still works on a lot of people, high value or not. I'm sure there are many high value targets who use a weak password.

We may never know if any vaults are cracked or any users are victim to phishing attacks unless the hackers go public with that info. If someone is phished because of the unencrypted URLs in a LastPass vault, I'm sure LastPass will turn around and say it's nothing to do with them.

Yes, strong passwords mean you're probably fine, but the reality is, not everyone uses strong passwords, even those who hold high value information. I agree, perhaps they shouldn't be in the position they are, but who's going to fire a CEO for using the password "Summer2022"? I don't think it's a case of living under a rock, it's the belief that you're not a target and that it'll never happen to you.

99.99% of people will be fine; whoever did this hack may never try cracking the vaults, it may have just been done to prove a point. If nothing else it's a lesson for everyone to always use a strong password, and that's enough of a scare for some people. It's certainly damaged the reputation of LastPass.
 
@alexsmith2709:

I say the following with no snark nor ill-intent toward you, but the following always applies: You can't fix stupid.

Choices have consequences, and if those in positions of responsibility are not willing or able to pay attention to things that have been going on for years (decades, really) now and take the appropriate preventive measures, I can't fix that, you can't fix that, no one but the person doing the stupid can fix that.

I flat out refuse to give anyone a pass on this anymore. These issues are not new news.
 
I agree with you.

Things we know:
People will always use weak passwords as it's easier to remember and, like you said, you can't fix stupid.
Password crackers now have more power available to increase the speed of their operation, so many of those checker websites are giving a false sense of security.
LastPass didn't encrypt all data, so it will be easier to phish some accounts. This data can be used to profile people, which may lead to passwords being found out.
The majority of LastPass users will be fine, but if you had a weak master password, change all passwords stored in your vault as well as using a stronger master password.
 
That's a lot of assumptions. The Okta "hack" last year disproves point 2. It's reported that social engineering was used for that. Phishing/social engineering still works on a lot of people, high value or not. I'm sure there are many high value targets who use a weak password.
That's LastPass' mistake. That's SolarWinds' mistake. Both high value security companies, both of which fell victim to multiple phishing attacks in a targeted campaign. Both were bought out by venture capitalists who made cutbacks on services, hardware, training and personnel before they got attacked. What companies should do usually costs money to invest with no direct return and is often the first to fall victim to accounting trying to cut expenses. With a recession on the horizon it is only going to get worse.
 