Tuesday, June 23, 2015

Say It Ain't So LastPass!

   There are so many data breaches happening each week that it's easy to become numb to all the announcements.  Sometimes one or two dominate the news because of the size or importance of the breach.  Sometimes there is confusion in the media about the breach or the significance.  Sometimes the experts don't agree.

   I think most people have heard about the OPM - Federal (US) Office of Personnel Management - breach in which personal information on over 4 million people, including security clearance information, possibly dating back to 1985 was stolen in attack on federal computers.  Everyone agrees that this one was big and bad.  But also in the news was the breach of information at LastPass, and there is far less consensus on the impact.

   LastPass is a password vault - a program that lets you store all your passwords in an encrypted "safe".  I've talked about password vaults many times in the past.  I have always recommended the use of a password vault and I still do.

   First, let's discuss what happened.
   LastPass did a good job of handling this issue by issuing a notification to users as soon as they knew about the problem.  They have made it clear that neither cleartext master passwords (the vault password) nor the encrypted vaults themselves were stolen.  What was taken was information about users, including email addresses, password reminders and the encrypted master password.

   That means there are three main attacks that can be tried on individual LastPass users:
  1. Phishing - the attackers can craft convincing emails with malicious links and send these to LastPass users.  As always, you need to use care with links sent in an email.  We've talked about that in the past.
  2. Using the reminder - I've also talked about password reminders.  That is a phrase or word that might trigger your memory if you forgot your password.  These shouldn't be trivial enough to lead someone right to your password, as we've seen in the past.
  3. Breaking the encrypted master password - well, not exactly... as we've discussed before, the actual attack is to figure out how the password was encrypted, guess a password, encrypt that guess and see if it matches the stolen crypto-text.  However, because of the way LastPass encrypts, this will be difficult if not impossible, depending upon two things: how good your master password is and how you have LastPass configured (more on this below).
   A bit more on that third point.  There are two big differences between this breach and many of the others we've seen.  First, the actual individual password vaults were not stolen.  Next, in a "normal" password breach, all the passwords are encrypted the same way, so one round of password guessing can break multiple people's passwords at once.  LastPass encrypts each person's information differently, so every guess has to be repeated for every user.  That makes the breached data less valuable to the attacker and less troublesome for us.  I won't go into the details of how LastPass works and why this is so, but you can read about that here and here.

   So, the bottom line in my opinion, is that LastPass is still fine to use.  In fact, it's better than fine.

   That said, if you are a LastPass user there are four simple things you should do now:
  1. Change your Master Password - this way even if your old master password is guessed, you're covered.  Here are instructions.
  2. Use Multi-Factor authentication - this is a great thing to do for all your important accounts.  Instructions for LastPass are here.  You can also set up multi-factor for sites like Facebook, Twitter and others.
  3. Increase the encryption iterations - under Account Settings, click Advanced Settings, then increase the number in Password Iterations.  The default is 5000.  Make it much larger as this increases the difficulty for an attacker.  Steve Gibson had some good advice in a recent Security Now podcast episode 512 - he said to choose a value that doesn't end in zero to further decrease the odds of a successful attack.  Here's more info on this setting, but you don't need to understand all the details to just increase the number.
  4. Run a LastPass security check - you can check both the strength of your site passwords as well as checking for duplicate passwords by running a security check.  Instructions are here.
   Finally, here's an article with a few more advanced tips.
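   To make the two points above concrete (why per-user encryption makes stolen data less useful to a guesser, and what raising the Password Iterations setting actually buys), here is a small added example.  It is not LastPass's code and the page does not name LastPass's actual algorithm; PBKDF2-HMAC-SHA256 is assumed as a stand-in for whatever slow, salted derivation a real vault uses, the user list is constructed, and the "cost model" is simply a count of derivations a guesser would have to compute.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed demo data: a few users, two of whom chose the same weak master
# password.  Not real accounts and not real LastPass values.
DEMO_USERS = {
    "alice@example.invalid": "correct horse",
    "bob@example.invalid": "Tr0ub4dor&3",
    "carol@example.invalid": "correct horse",
}


def derive(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated derivation of a verifier from the master password.
    PBKDF2-HMAC-SHA256 is an assumed stand-in; the page does not name the real KDF."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def enroll(master_password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Build the stored record: a random per-user salt, the iteration count, the verifier."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "iterations": iterations,
            "verifier": derive(master_password, salt, iterations)}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive from the candidate and compare in constant time."""
    return hmac.compare_digest(record["verifier"],
                               derive(candidate, record["salt"], record["iterations"]))


def same_password_distinct_verifiers(records: list) -> bool:
    """With per-user salts, users who share a master password still get different verifiers,
    so nothing learned about one record carries over to another."""
    verifiers = [r["verifier"] for r in records]
    return len(set(verifiers)) == len(verifiers)


def derivations_to_test(records: list, wordlist: list, per_user_salt: bool) -> int:
    """Cost model: KDF evaluations needed to try every word against every stolen record.
    If everyone were encrypted the same way, one derivation per word covers all users;
    with a per-user salt every (word, user) pair needs its own derivation."""
    if per_user_salt:
        return len(wordlist) * len(records)
    return len(wordlist)


def seconds_per_derivation(iterations: int, trials: int = 3) -> float:
    """Wall-clock cost of one derivation; this is what a larger Password Iterations buys,
    since the same cost is paid by every guess."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(trials):
        derive("benchmark", salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    records = [enroll(pw, 5000) for pw in DEMO_USERS.values()]
    print("distinct verifiers despite a shared password:",
          same_password_distinct_verifiers(records))
    words = ["password", "123456", "correct horse", "letmein"]  # constructed wordlist
    print("KDF calls, everyone encrypted alike:", derivations_to_test(records, words, False))
    print("KDF calls, per-user salt          :", derivations_to_test(records, words, True))
    for iters in (5000, 50001):  # the page's default, and a larger value not ending in zero
        print(f"{iters:>6} iterations: {seconds_per_derivation(iters) * 1000:.1f} ms per guess")
```

   Running it shows the two effects separately: the per-user salt multiplies the guesser's work by the number of users (and hides which users share a password), while the iteration count multiplies the cost of each individual guess, which is why raising it from the default makes the stolen data that much harder to exploit.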

   So, if you're a LastPass user, try the steps I've listed above and know that you are taking appropriate steps to protect your secure logins.
