top of page
  • Writer's pictureAPT Big Daddy

Why I’m worried about the LastPass breach

Updated: Sep 21, 2022

But not in the way you may think.


Ok, all my lovely cyber people, we need to talk. As you are all painfully aware, LastPass was breached. I know, gasp, right? While the news isn’t entirely surprising to anyone who has worked in cybersecurity, as they are a company that provides password vaults for their customers, the response from those less than technical was outrageous and terrifying to security. So many article comments on LinkedIn had comments like “Well I don’t know why you would ever trust a 3rd party password manager”, “Cloud is just another person’s computer this is why you shouldn’t ever use these services”, or my personal favorite “Why use LastPass? What’s stronger than your brain??”. If these comments don’t scare you, they should. The worst part was that the last one came from a founder and CEO of a cybersecurity services firm. I wouldn't trust their advice if I had to go out on a limb. Most cybersecurity professionals will tell you that a strong, secure password is the best way to prevent your accounts from getting hacked. They will also probably tell you that you need a unique, robust, and secure password for ALL your online accounts. Even with MFA, you still have a possibility of being breached if you constantly reuse the same password (or password pattern) across your accounts. There is such a thing as MFA fatigue, which is especially dangerous if you use push notification MFA instead of code based. At the end of the day, password reuse is the number one danger to your security, yet it’s the most common issue we see as emulated criminals and cyber castle defenders.


The TL;DR is “You only need to get breached once to compromise all your accounts if you reuse the same password or password pattern.”


Since this is the greatest danger to security, our ways to combat this have been through Password Managers like LastPass, Keeper, and BitWarden, to name a few. While they may be on the cloud, their password vaults are encrypted at rest and use, so even if a threat actor steals a vault, they will still need to crack the master key, which would involve breaking the encryption used on it. Which last I checked, AES256 + salt is still a mathematically secure encryption method. On top of encrypting the stores, these vendors don’t store your Master Passwords, so there is nothing for threat actors to steal in that regard either. LastPass actually has a great little page explaining this “zero knowledge” implementation (https://www.lastpass.com/security/zero-knowledge-security). While this is specific to LastPass, the other cloud-based password managers are similar in deployment.


Still, so what? Why should we be pushing cloud-based password managers? Now that everyone basically works from home, why not recommend the return of the Password Sticky note? Or even browser or locally-based password managers. While each has its advantages to security, and at the end of the day, I recommend ANY password manager over NO password manager, it all comes down to ease of use and security implementation. Browser-based password managers have had many security problems in the past, and even still, Chrome’s implementation decrypts the password and stores it in plaintext in memory. While one could argue you need to be already on the host to exploit it, WHY EVEN GIVE THE THREAT ACTOR THE OPTION?! Similar issues arise on local password managers like KeyPass, where the implementation is at least overall secure, it requires an application, and applications can be exploited. Ultimately yes, while it may be someone else’s “computer” it’s still a secure implementation that requires way more steps to gain access to your most valuable information.


Now let’s take a step back for a second and argue why you would want a password manager in general. (this is more for you, less password tech-savvy people) For those who aren’t aware, password cracking has come an incredibly long way in the past few years, and it’s no longer dependent on just the length of your password. Many of you may have already seen this chart.


But what if I told you the chart is a lie? While yes, in theory, an 18-character password with Numbers, Upper and Lower case letters, and Symbols would take seven quadrillion years to crack from conventional methods, most passwords really look like this chart.


(Thank you James Stahl, for this hilarity)


You may be saying well, why is that? The reason is that brute force cracking passwords is no longer a thing. There are WAY more effective and efficient passwords to crack, and that comes down to “rules.” One of the best rule sets comes from NotSoSecure and their “One Rule to Rule Them All” (https://github.com/NotSoSecure/password_cracking_rules). My teams have used this in prior engagements(per request by clients) to showcase how easy it is to crack passwords and reached well over 10% crack success within 24 hours in very secure domains with good password policies (the whole two upper, two lower, two numbers, two special characters, 12 characters long). These cracking campaigns were also done on a laptop with an Nvidia 2060M, not some high-end super cracker like soon-to-be JunkRat. If that number doesn’t seem high to you, trust me, it’s high. Each of those passwords should have taken 34K years to crack, but again that’s all just theory.


To better envision how rules work, let’s take the most common password, “password.” Alone it would be instantly cracked, but let’s spice it up and go with the most common variation to this “P@ssw0rd”. This, in theory, would take 6 minutes, a much better starting point. Now we know that seven characters just isn’t enough, so let’s add the most common variation to all passwords, the “double number special character edit.” Now it’s P@ssw0rd11!!. This, in theory, would take “400 years”. With a password cracking rule set a new dictionary file would be created with every variation of "password". So now our word list becomes "p@ssword11!!", "P@ssword", "P@ssw0rdSummer", and so on and so on. This means we don't need to do cracking as we can just use a large password word list like COMB (Culmination of Many Breaches) to be our baseline and apply a rule set to it. This creates so many more password combinations AND cracking passwords this way is much more efficient and effective than brute force cracking. Not to mention a hell of a lot faster. So how do we force threat actors to use brute force cracking attempts on our passwords? How do we avoid falling into the password cracking rule set space? Password security really comes down to two factors, Entropy (also known as chaos) and key space (the character length). Password managers generate this well. Imagine smashing your face on the keyboard and that's your password. It would probably look like this “/5tv4cfy 89rw3uhn” (I actually used my face for that). That password has plenty of chaos and plenty of key space. Though how are you going to honestly remember multiple of those? I bet you could remember one but multiple? For every website and account? Hell to the no. This is why password managers are so important. If you aren’t using one, there is a 2x4 with the words “board of education” waiting in my office for you.


I know we jumped off the path of the LastPass breach there, but it was to prove a point. Password managers are critical to the current fight against password and account compromise. There just isn’t a better and more affordable solution out there right now; looking at you hardware keys, start being cheaper. This negative response to LastPass is more damaging than what may appear on the surface. The fact is, LastPass themselves openly admitted to the breach. They explained their whole situation and put it out there and if they are to believed did not lose any customer data. More than what can be said about Target. Is it scary that even a dev at LastPass can likely be phished? Hell yeah, but they apparently quelled the threat through speedy response and action. The reason I’m so scared is the renewed calls for idiotic practices like password reuse or memorization. The great Larry the Cable Guy once said, “ You can’t fix stupid." He’s right but damn it; I’m going to try.


Use a password manager, people!




386 views0 comments

Comentarios


bottom of page