The LastPass security breach controversy continues. After an independent security analyst described statements made by LastPass as “half-truths and outright lies,” rival password management company 1Password has also weighed in …
LastPass claimed that cracking users’ master passwords would take millions of years, but 1Password says that this isn’t true for most users. Indeed, it says, it would cost just $100 to crack the master password of a typical LastPass user.
A LastPass security breach was revealed back in August. At the time, the company said that no customer data was accessed.
Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.
Instead, said LastPass, an attacker took part of its source code and “some proprietary LastPass technical information.”
However, it subsequently emerged that the attacker then used this information to gain wider access to LastPass systems, and was then able to access customer data.
We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.
LastPass last week revealed the extent of that data – and it was far worse than had been suspected.
The company has shared that copies of customers’ password vaults were obtained along with names, emails, billing addresses, phone numbers, and more.
The company went to great pains to point out that the password vaults used strong encryption, and could not be accessed without customers’ master passwords.
These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.
However, independent security analyst Wladimir Palant this week took issue with no fewer than 14 of the claims made by LastPass, describing them as “full of omissions, half-truths and outright lies.”
In particular, he said it wasn’t true that it would take “millions of years” to crack master passwords and get access to all of a customer’s logins. He estimated that the actual time needed for a targeted attack would be around two months.
LastPass security attacked by 1Password
1Password’s principal security architect Jeffrey Goldberg says in a blog post that even this overestimates the difficulty – and says that if someone wanted to crack a typical LastPass customer’s master password, the process would cost only around $100.
Goldberg uses the same reasoning as Palant: real-life master passwords for most users are not random – and password crackers know this.
The cracking systems will try things like 2b||!2b.titq long before they try things like the machine created
Passwords created by humans are crackable even if they meet various complexity requirements. So if you (or another human) created that 12-character password, it doesn’t matter if there are 2^72 different possible 12-character passwords. What matters is whether yours is going to be among the few billion that attackers try first.
He says that most passwords can be cracked in fewer than 10 billion guesses, and that this could be done for around $100.
1Password master passwords cannot be brute-forced
Goldberg says that with LastPass, the user’s master password is the only thing needed to access all their logins – but this is not true of 1Password, which combines a user-selected master password with a machine-derived secret key. Both are needed to access a user’s password vault.
The Secret Key is created on the user’s own device, and never leaves it. The user doesn’t know what it is. 1Password doesn’t know what it is. An earlier blog post explaining how it works uses the example of a hypothetical user Molly, who uses a weak master password.
Molly’s 128-bit Secret Key gets combined with her rather weak password on her own machine. It’s secret from us and our servers. Recall that no secrets are transmitted from Molly’s 1Password client to our servers when Molly signs into her account. It isn’t merely that we never store her Secret Key – we never even have the opportunity to acquire it.
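To make the difference between the two designs concrete, here is an added illustration (not code from 1Password, LastPass, or the article) of the two derivation models being compared: a vault key derived from the master password alone, and one that also folds in a 128-bit secret the device holds. The combination step (stretch the password with PBKDF2, stretch the secret with HKDF, XOR the two) is a simplified model of the Secret Key idea as described above, not 1Password’s actual implementation; the salt, the 100,000 PBKDF2 iteration count the article mentions, and the sample password are constructed for the example.

```python
import hashlib
import hmac
import math

# Iteration count LastPass describes in the article; used here as the work factor.
ITERATIONS = 100_000


def password_only_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Model of the single-secret design: the vault key depends only on the master password.
    An attacker holding the vault and the salt needs nothing but a correct password guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def two_secret_key(master_password: str, secret_key: bytes, salt: bytes,
                   iterations: int = ITERATIONS) -> bytes:
    """Simplified model of the Secret Key design (assumption: not 1Password's real scheme).
    The password is stretched with PBKDF2, the 128-bit device secret is stretched with HKDF,
    and the two halves are XORed. Neither input alone reproduces the vault key."""
    if len(secret_key) != 16:
        raise ValueError("secret key must be 128 bits")
    pw_part = password_only_key(master_password, salt, iterations)
    sk_part = hkdf_sha256(secret_key, salt, b"vault-key", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def effective_bits(guess_budget: float, secret_key_bits: int = 0) -> float:
    """Attacker work in bits: log2 of the guesses needed to cover the human-password space
    (the article cites ~10 billion), plus the bits of any device secret that must also be guessed."""
    return math.log2(guess_budget) + secret_key_bits


if __name__ == "__main__":
    salt = b"constructed-example-salt"          # constructed; a real salt is random per user
    device_secret = bytes(range(16))             # constructed stand-in for a 128-bit Secret Key
    password = "correct horse battery"           # constructed "weak" human password

    real_key = two_secret_key(password, device_secret, salt)
    # A correct password guess without the device secret yields an unrelated key.
    wrong_secret = two_secret_key(password, bytes(16), salt)
    print("password-only design, bits of work:", round(effective_bits(1e10), 1))
    print("with 128-bit secret, bits of work:", round(effective_bits(1e10, 128), 1))
    print("correct password but wrong secret recovers vault key:", wrong_secret == real_key)
```

The arithmetic at the end is the whole argument in one line: a 10-billion-guess budget is about 33 bits of work against a password-only vault, while the same budget against a password plus an unknown 128-bit secret is about 161 bits, which no guess budget covers.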
This is similar in concept to how Apple Pay works. Your iPhone or Apple Watch tells the payment terminal that it has verified your identity on the device.
- A website or app asks you to identify yourself, and prove your identity.
- Your iPhone receives that request, and activates Face ID.
- If your face matches, your iPhone tells the website who you are, and that it has confirmed your identity.
The Verge notes that LastPass hasn’t even required longer-standing users to update their passwords from the early days when security requirements were far lower. Additionally, the plain-text information stored by LastPass could itself prove risky to users – including the URLs of the websites they visit.
What if you used LastPass to store your account info for a niche porn site? Could someone figure out what area you live in based on your utility provider accounts? Would the info that you use a gay dating app put your freedom or life in danger?
It’s clear that the LastPass security breach was not only far worse than initially revealed, but that the company engages in a number of practices I would personally consider unacceptable. These include storing a great deal of personal data in plain text, and making misleading statements about their security – such as suggesting that 100,000 PBKDF2 iterations is “stronger than typical” when it is, in fact, the absolute minimum standard that could be considered secure.
1Password clearly has a financial interest in attacking its rival. However, the arguments made by the company are sound – especially when it comes to comparing a standalone master password versus the Secret Key approach. It’s similar to the way that iOS doesn’t ever actually know your passcode, or your Face ID data – it simply gets a yes or no response from the Secure Enclave.
Based on what we now know, I would not consider LastPass as a password manager. (And yes, I use 1Password, but pay full price for it just like any other user.)