LastPass master passwords compromised (?)

[Wrichik Basu]

Several users received email warnings of unfamiliar login attempts and even logins to their LastPass account. The question arises whether the LastPass master password has been leaked in a data breach. According to LastPass, the passwords were not leaked and this was a regular "stuffing attack" in which a bot tries to access accounts using passwords from past data breaches. The company has also said that no account has been compromised, and that, some false alerts were triggered by an error in their system, which, they claim, has been fixed. But people still reported suspicious activity, even after changing their master password. Some reported that they were unable to change the master password or disable/delete their accounts.

More information can be found in this tweet-thread:



Maybe it's a good time to change the master password if you are using LastPass. I tried changing mine, and got an error, but it seems to have changed as I got logged out from the LastPass extension on Chrome and had to log in again using the new password.

 

[jack action]

This is why I do not trust an online password manager. All my passwords are on my computer, not someone else's, stored I-don't-know-how. I don't know if it is the best, but I used KeePassXC.

 

[anorlunda]

All my passwords are on my computer, not someone else's, stored I-don't-know-how.

I think you misspoke Jack. When you log in, a remote site has to compare the PW you typed with the PW on file (or the functional equivalent, the PW hash). So if no remote computer has it, you can't use it.

 

[glappkaeft]

I think you misspoke Jack. When you log in, a remote site has to compare the PW you typed with the PW on file (or the functional equivalent, the PW hash). So if no remote computer has it, you can't use it.

In a correctly designed system the only thing stored on the remote site should be a salted and hashed (100s-100s of times using as good algorithm like SHA-256) value. That way the password cannot be leaked in a security breach.

 

[jack action]

I think you misspoke Jack. When you log in, a remote site has to compare the PW you typed with the PW on file (or the functional equivalent, the PW hash). So if no remote computer has it, you can't use it.

No, what I meant is that my password manager is on my computer, not on some server that is filled with maybe millions of people's passwords, thus very tempting for hackers to try to get into this server. My password manager still fills the authentification process (both on my computer or some distant server) like any online password manager.

It has to be very personal for someone trying to hack my computer to get only my passwords.

 

[berkeman]

In a correctly designed system the only thing stored on the remote site should be a salted and hashed (100s-100s of times using as good algorithm like SHA-256) value. That way the password cannot be leaked in a security breach.

That's what I thought, but I don't know much about how passwords work on the Internet.

But it seems like a counterexample would be the accounts that I have (including some work website accounts, which presumably are well-designed) where when you have to change your password, they will not let you just change the last letter, for example. This seems to be pretty commonplace, but would contradict them only storing a well-hashed version of the password, no?

 

[anorlunda]

This seems to be pretty commonplace, but would contradict them only storing a well-hashed version of the password, no?

To change your password, you must type in the old and new PWs on the same page. So at least temporarily, they have access to the text version of your PW.

Or is the hashing done on the client computer before transmission?
If yes, then your hash *is* your password and anyone leaking your hash has access to your account.

 

[DaveE]

My take is that it doesn't matter how the technology works, or how well it works. Companies and systems are built and maintained by humans, and humans are fallible. Witness nearly every security breach in recent history. The consumer software industry is predicated on the "move fast and break things" model. One password for everything, stored in one database sounds like a monumentally stupid idea to me.

So, some of my passwords are in the cloud, some on my machine. But if you want any of my important (financial) PWs, you'll have to decipher the slightly cryptic handwritten notes in the little PW book in my desk drawer.

I view this as nearly entirely an issue of humans and organizations, not technology. I'm waiting for someone to show me I'm wrong.

 

[glappkaeft]

I generally don't like those policies too much (often they are applied in a way that promotes bad password hygiene) but if you are a little paranoid (which is seldom wrong when it comes to security) changing the password occasionally (say one/twice a year) will defeat the type of attack where the black hats breaches the remote site and acquires your hashed password.

If the password never changes the attackers could then dedicate lots of time and/or enormous amounts of computer power to brute force crack your hash. If the hash is salted and the password is good this is more of a theoretical risk but for organizations in real life it provides some risk mitigation against users with bad passwords (and might be required for IT insurance purposes etc).

All this of course assumes the remote site does a good job securing the password however there is a reason https://plaintextoffenders.com/ exists.

 

[glappkaeft]

To change your password, you must type in the old and new PWs on the same page. So at least temporarily, they have access to the text version of your PW.

If you don't trust the site that far you shouldn't use it. ;)

Generally the password would be encrypted, sent to the server, decrypted, salted/hashed and then the password should be forgotten by the server. One improvement of that method is client side hashing where the client will salt and hash the password before sending it and then the server does addition hashing before comparing it to the database. Not sure how common that is in practice but it has some advantages if the remote site is compromised.

Or is the hashing done on the client computer before transmission?
If yes, then your hash *is* your password and anyone leaking your hash has access to your account.

Yes, that would be completely useless (same as storing it in plain-text) so I hope no one does that.

 

[sysprog]

To change your password, you must type in the old and new PWs on the same page. So at least temporarily, they have access to the text version of your PW.

Or is the hashing done on the client computer before transmission?
If yes, then your hash *is* your password and anyone leaking your hash has access to your account.

The hashing is done on the (presumably trusted to flush the plaintext as soon as the hash is genned) target machine, and via SSH, it is never transmitted in plaintext.

 

[Vanadium 50]

More misinformation

Fixed that for you.

LastPass does not store master passwords on their server.

 

[sysprog]

Fixed that for you.

LastPass does not store master passwords on their server.

They do store hashes of them, right?

 

[Vanadium 50]

No, They store functions of the site passwords that when combined with the master password - which they do not know - yields the site password.

 

[sysprog]

No, They store functions of the site passwords that when combined with the master password - which they do not know - yields the site password.

I see the distinction, but wouldn't those functions be hashing functions? Perhaps I'm using a different definition of that from yours. The way it was done with ACF2 in the '80s $-$ compute a key from the plaintext input (in essence this was a hashing function), discard half of it so that the process couldn't be reversed, and store the result in a database. Then at logon, repeat the process, and compare the result against the stored key $-$ if they matched, good to go; if not, password incorrect. Of course, this meant that some (highly probably non-typeable) alias existed for the password, but that was not considered to be a problem.

 

[anorlunda]

One improvement of that method is client side hashing where the client will salt and hash the password before sending it and then the server does addition hashing before comparing it to the database. Not sure how common that is in practice but it has some advantages if the remote site is compromised.

Yes, that would be completely useless (same as storing it in plain-text) so I hope no one does that.

Please explain. First you say client side hashing is an improvement, then you also say it is completely useless.

 

[Ibix]

Please explain. First you say client side hashing is an improvement, then you also say it is completely useless.

I think what @glappkaeft said was that client-side hashing with no further hashing on the server-side was useless, for the reason you suggested. But transmitting a hashed and salted password over a secure connection for further hashing and salting is an improvement.

I don't have an opinion on the topic - not my field - but I think that's what he said.

 

[Wrichik Basu]

In a correctly designed system the only thing stored on the remote site should be a salted and hashed (100s-100s of times using as good algorithm like SHA-256) value. That way the password cannot be leaked in a security breach.

Out of curiosity, how were passwords leaked in the past, for eg. Adobe and Zomato? Did the hackers actually take the hashed passwords and de-hash them? If so, the encryption algorithm must not have been very strong.

No, what I meant is that my password manager is on my computer, not on some server that is filled with maybe millions of people's passwords, thus very tempting for hackers to try to get into this server. My password manager still fills the authentification process (both on my computer or some distant server) like any online password manager.

I get it, but is that very useful at the end of the day? Most people need their passwords on multiple devices rather than one PC only. I can sync them manually, but every time I add a new login credential, or change a password, it would be a headache to change it everywhere manually. Moreover, good password managers like Google (and LastPass, but you have to pay for the feature) automatically monitor password breaches and inform you if a password has been leaked anywhere.

LastPass does not store master passwords on their server.

Good to know that.

 

[jack action]

Most people need their passwords on multiple devices rather than one PC only. I can sync them manually, but every time I add a new login credential, or change a password, it would be a headache to change it everywhere manually.

Full disclosure, I only use one device, but if it wasn't the case, you can still save your password as a file (created and encrypted by the password manager) in the cloud when you make a change (which shouldn't happen that often). Your passwords are still online, but it's on your own personal space where nobody knows what to expect, as opposed to a server dedicated to saving passwords which is a tempting challenge for a hacker.

I really have a trust issue when it comes to letting others manage my private life.

Moreover, good password managers like Google (and LastPass, but you have to pay for the feature) automatically monitor password breaches and inform you if a password has been leaked anywhere.

If you have a different password for every site, each being a meaningless word with 256-bit entropy, I'm not worried about breaches. Good companies have strong security measures and will tell you if they had a breach. Bad companies with bad security measures and wouldn't tell you if they had a breach? Who cares? You probably have nothing important there and your password is next to impossible to guess, unique and non-reuseable. That is the whole point of using a password manager.

Also with my password manager on my computer, I can use it with programs on my computer. When a login window opens, I just hit Shift+Alt+A and the password is typed automatically. I'm not sure if an online password manager can do that or if it only works in a browser.

 

[pbuk]

I think what @glappkaeft said was that client-side hashing with no further hashing on the server-side was useless, for the reason you suggested. But transmitting a hashed and salted password over a secure connection for further hashing and salting is an improvement.

I don't have an opinion on the topic - not my field - but I think that's what he said.

Yes I agree that that is at least what he meant.

This link has a useful diagram illustrating what LastPass actually does: https://www.lastpass.com/security/what-if-lastpass-gets-hacked

Out of curiosity, how were passwords leaked in the past, for eg. Adobe and Zomato? Did the hackers actually take the hashed passwords and de-hash them?

No, in general it is impossible to recover the original text from a hash (it is however possible, given enough computer power, to find a plaintext that may or may not equal the original text that hashes to the same value).

Generally password hash leaks are exploited by dictionary attacks: the attacker calculates the hash for passwords that people are known to use (e.g. from previous leaks) and looks for them in the database. Salting makes this harder because you have to recalculate the dictionary hashes for each target.

This is why you are advised to use passwords that are unique. If a hacker gets hold of a million password hashes then the 30% that have passwords like "password123" are going to be the ones that are compromised, and 300,000 compromised accounts are plenty.

The Adobe leak in 2013 was different: firstly there were plain text hints in the data base such as "my dog my birthday". This enabled use of a much shorter dictionary for each target. Secondly, and this is the disastrous part that (together with a couple of other egregious breaches such as at LinkedIn) led to a review of password handling throughout the industry, Adobe didn't use hashes, they stored encrypted passwords. Once attackers had worked out the encryption method and key (from guesses using the password hints), they were able to reverse the encryption process and decrypt all 3 million records. Truly shocking and Adobe's technical reputation was permanently damaged by the incident.

 

[sysprog]

This link has a useful diagram illustrating what LastPass actually does: https://www.lastpass.com/security/what-if-lastpass-gets-hacked

Here's the diagram from that page:

 

[Vanadium 50]

The way it was done with ACF2 in the '80s

That may describe how Amazon deals with passwords, but what does it have to do with LastPass?

 

[sysprog]

That may describe how Amazon deals with passwords, but what does it have to do with LastPass?

ACF2, the Access Control Facility, is a mainframe data security product. In the diagram, in post #21, linked to by@pbuk on post #20, you can see that LastPass does PBKDF2 hashing, which is in principle like what ACF2 did in the '80s to do a one-way hashing function using a DES block cipher (nowadays, it uses XDES+proprietary). (ref: https://en.wikipedia.org/wiki/Cryptographic_hash_function)

 

[Vanadium 50]

Yes, but how does this matter? It's a fact, but not a relevant fact.

The key point is that LastPass can't leak a master password because they can't leak what they don't know.

 

[anorlunda]

Generally password hash leaks are exploited by dictionary attacks:

I disagree when generally means the number of stolen passwords rather than the number of attacks. In some server breaches, tens of millions of login credentials are stolen at the same time. With the dictionary attack, you can only discover one password at a time.

Big companies and governments have a long history of dragging their feet notifying regulators and customers about a breach. Special laws had to be passed to force them to notify promptly, but even those laws are very hard to enforce. Companies and governments have financial and reputational motivations to conceal breaches.

It matters less every day because so many are switching to multifactor authentication. Soon we may even see mainstream sites with no passwords at all because of all the factors in multifactor, the password factor may be the most problematical.

 

[sysprog]

I agree in re the "key point" -- the rest of what I said was to clarify the line of inquiry that I started in post #13.

 

[pbuk]

I disagree when generally means the number of stolen passwords rather than the number of attacks. In some server breaches, tens of millions of login credentials are stolen at the same time. With the dictionary attack, you can only discover one password at a time.

I was thinking of a dictionary attack on the stolen (hashed) credentials.

 

[anorlunda]

I was thinking of a dictionary attack on the stolen (hashed) credentials.

Isn't that the same? You only get one login per successful dictionary attack.

 

[Vanadium 50]

An update - they had another attack. No passworeds were stolen (since they don't store them).