Given the service's strong encryption and multi-factor authentication offerings, risk of data loss is minimal, though

On Monday password storage service LastPass announced some troubling news -- it had detected signs of a possible network breach which may have involved partial exfiltration of its database of encrypted passwords.  On an ironic note, users' "last password" -- the master password -- won't truly be their last, as the service has advised its millions of customers to change the master password to protect against catastrophe, should the master passwords in the exfiltrated trove be cracked.

I. A Strong Reputation

This is only the second time in its seven year history that the service has been forced to advise customers to change their master passwords.  But the good news is that things could have been far worse, were it not for the service's vigilance and aggressive approach to securing its solutions.


LastPass is a cross-platform service developed by Fairfax, Virg.-based Marvasol, Inc.  Marvasol's CEO Joe Siegrist writes in an official blog:

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.... We apologize for the extra steps of verifying your account and updating your master password, but ultimately believe this will provide you better protection. Thank you for your understanding and support.

While the breach inevitably provokes some jokes (given the company's name) at the expense of users, it's the first slip in some time for the service's developer, who carries a rather sterling track record when it comes to security.

LastPass was founded in 2008.  It sought to bring visibility and cross-platform access to password management software.


Password management tools had been quietly picking up steam since the late 90s.  Championed by Apple, Inc. (AAPL) and the Linux open source community, the idea of a password manager to manage both local and online credentials has picked up steam over the past decade.  The premise of these services was simple -- it's easy to forget passwords, but it's dangerous to give in to the temptation of storing your passwords digitally in plaintext or in handwritten notes (which remain vulnerable to social engineering).  Rather, in theory it's best to store all your passwords in a single robustly coded encrypted vault accessible with a strong master password.

LastPass and its ilk proved to be gamechangers to this nascent niche.  Early implementations were lacking: they were often tied to specific platforms, barebones in their feature set, and lacking in dedicated customer service.  By contrast, LastPass provides a service accessible on most major mobile platforms, with dedicated support for a variety of popular browsers on the traditional PC.  The service today claims over 76 million active users in 113 countries, making it perhaps the top third-party password vault by usage.


It is apparent that for the password vault to deliver superior security, securing the database of encrypted passwords and the master passwords is of paramount importance.  And when it comes to that, LastPass is perhaps the best in its field, with relatively few security hiccups.

The last major concerns came in early 2011.  First, in February 2011, security researcher Mike Cardwell discovered a hole in the LastPass site's security which could be exploited by cross-site scripting (XSS).

To its credit, LastPass acknowledged the danger and responded very aggressively, closing the hole within hours by becoming an early adopter of the HTTP Strict Transport Security (HSTS) protocol (RFC 6797), a set of algorithms designed to protect against attacks aimed at stripping HTTPS encryption via either cookie hijacking or downgrade attacks (attacks that rely on triggering legacy compatibility procedures in the HTTPS protocol).  It also adopted virtually all of the other mitigating protections suggested by Cardwell.  Full details can be found here.

Following that scare, in May 2011 LastPass announced proactively that its vigilant monitoring of outbound network traffic on one of its servers had spotted peculiar patterns that could be indicative of a breach.  As with the latest breach, LastPass advised users to change their master password.  And while it found no concrete evidence of a breach or exfiltration effort, it also took the affected server(s) offline and rebuilt them, adopting additional safeguards and monitoring aimed at preventing data exfiltration.

II. Mitigating Factors

That approach seemed to work and things remained problem free for the next four years.  But now that winning streak has been broken by news of a confirmed breach.

The wording of the company's blog suggests that compared to the May 2011 traffic oddities on its network, this time around the detected patterns were more strongly indicative of an attack and potential exfiltration attempt.  The good news is that unlike most data breaches, even if the worst case -- partial or complete password database exfiltration -- occurred, there are still a number of mitigating factors that make it unlikely for the vast majority of customers to be immediately at risk.

First, even if attackers get the master passwords, they may be foiled by the multi-factor authentication (e.g. a text message sent to your phone) which many of the service's users have already embraced since LastPass's widespread introduction of the cross-platform authentication tools in 2011.


Second, LastPass's own account clearly indicates that it was using industry-leading encryption practices, which will make it far more daunting to crack any master passwords that might have been exfiltrated.


As the company writes on its blog, the encryption of the hashed master password table was very strong.  States Siegrist:

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2+-SHA256*, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

+ = PBKDF2: Password-Based Key Derivation, a key derivation function from security firm RSA which is compatible with salts and a variety of hashing functions.
* = SHA256: the 256-bit version of the U.S. National Security Agency's (NSA) public secure hashing algorithm


In layman's terms, this means first of all that LastPass was using a much stronger form of encryption than that generally used by most corporations -- even those who provide popular online services.  Thus, while it's probably a wise precaution to change your password as the service suggests, the risk of actual abuse via any potentially ill-gotten data is very low.

III. Unbreakable?

Not convinced?

Given the glaring lack of security at many top corporations when it comes to user data, skepticism is understandable.  But such ubiquitous insecurity stems heavily from greed (corporations not wanting to pay for solutions), sloth (admins not wanting to implement sound data handling procedures), and ignorance/incompetence (e.g. using weak/breakable forms of encryption such as unsalted MD5, which basically are no safer than plaintext in practical terms).

Take the recent breach of the U.S. federal government.  The key problem was not the breach itself, so much, but the utter incompetence with which the federal government handled valuable data.  According to reports it was storing social security numbers, full names, and birthdays in unencrypted plaintext database entries.  Ultimately this may have led to the compromise of 4.1 million past and present federal employees.

By contrast, LastPass's commentary suggests that it upheld a higher standard.  But don't take my word for it, let's consider the technical details of what it would take to break the encryption procedure described by Siegrist in his blog.


Salted SHA256 is basically impervious to brute force attacks (which hash all possible passwords, looking for a matching hash), as outlined by the response from "emboss" on this StackOverflow question.  Hashing a 65kb (2^16) block of 12-byte passwords (1 byte = 1 character (letter) in c++) with 20 byte salts took roughly 2^-2 s on the commenter's computer in 2012.  As a 256-bit hash has 2^128 values to consider, a worst case brute force evaluation would take 2^126 seconds -- countless billions of years.
For now SHA256 hashing (pictured) is considered unbreakable via brute force attacks.
[Image Source: OpenCores]

Given that human language is typically used in passwords and that human language is low-entropy (predictable), the next simplest attack would be a rainbow table (dictionary) attack, which reduces the effort needed to brute force by orders of magnitude.

The salt (which LastPass confirms it used) helps to increase the entropy by mutating the value of the hashed password via a looping process.  While small salts, such as the 12-bit salts used on early machines, can still be dealt with via terabyte-size rainbow tables, modern salts scuttle that possibility.  SHA2's bcrypt and crypt methods in Linux typically use a 128-bit salt (16 byte).  Thus salted SHA2 passwords are generally immune to rainbow tables.

A long salt, like the kind associated with SHA2-256, acts as kryptonite to rainbow table attacks.
[Image Source: Shutterstock]

Still there remains substantial risk -- even with such strong encryption -- if the user chose a predictable password (e.g. "password", "darthvader", etc.).  Tables of millions of such common passwords can be found online and hashed, making more limited table attacks feasible on such "bad" passwords.

Bad passwords are harder to protect, even with strong encryption.
[Image Source: Obsessive Consumption]
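
The server-side step Siegrist describes (a random per-user salt plus 100,000 rounds of PBKDF2-SHA256) and the weak-password risk described above can be seen together in a short Python sketch. This is an added example, not LastPass's code: the record layout, function names and sample accounts are assumptions, and the client-side rounds are not modelled.

```python
import hashlib
import hmac
import os
import time

ROUNDS = 100_000  # server-side round count quoted in the LastPass statement

def derive(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)

def enroll(password: str, rounds: int = ROUNDS) -> dict:
    """Build the record a server would store (hypothetical layout)."""
    salt = os.urandom(16)  # 128-bit random salt, unique per user
    return {"salt": salt, "rounds": rounds, "hash": derive(password, salt, rounds)}

def verify(password: str, record: dict) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = derive(password, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])

def seconds_per_guess(rounds: int = ROUNDS) -> float:
    """Measure what one derivation (one password guess) costs on this machine."""
    start = time.perf_counter()
    derive("benchmark", b"\x00" * 16, rounds)
    return time.perf_counter() - start

def audit_weak(records: dict, common: list) -> list:
    """Defender-side audit: which accounts use a password from a common list?
    The salt forces a full derivation for every (user, candidate) pair, so
    nothing can be precomputed, but a short list is still cheap to test."""
    return sorted(user for user, rec in records.items()
                  if any(verify(pw, rec) for pw in common))

if __name__ == "__main__":
    # Constructed sample accounts; two users share the same weak password.
    users = {"alice": "password", "bob": "password",
             "carol": "T7#kq-Vellum-Orbit-92"}
    records = {u: enroll(p) for u, p in users.items()}
    same = records["alice"]["hash"] == records["bob"]["hash"]
    print("same password, same stored hash?", same)
    common = ["password", "darthvader"]
    print("accounts with a common password:", audit_weak(records, common))
    print(f"one guess costs about {seconds_per_guess():.3f}s here")
```

The salt makes identical passwords produce different stored hashes, and the round count sets the price of every guess, yet neither helps an account whose password sits near the top of a common-password list.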

Alternatively, it may be possible for hackers to eventually exploit an algorithmic weakness, such as attacking the "preimage" (which requires you to have the hash) or hash collisions (if you lack the hash) (aka "birthday attacks").  As whoever exfiltrated the master password database (assuming it was exfiltrated) likely has the hashes, the less expensive preimage attacks could be potentially employed.

Indeed, while SHA2-256 remains resistant to such attacks, security researchers may soon be able to break it via preimage attacks.  Currently the best effort against SHA2 comes from security researchers at Sony Corp. (TYO:6758) who in 2012 broke [PDF] 57 of the 64 rounds -- or roughly 9 out of 10 rounds.  Given that seven years ago (in 2008) only 24 of the 64 rounds (less than 4 out of 10) could be broken, it's clear that algorithmic attacks are on the verge of breaking SHA2.

Once forced to use graphics processing units (GPUs) for parallel acceleration, attack algorithms have been boosted by the advent of specialist hardware (ASICs, or application-specific integrated circuits) focused on bitcoin mining (which uses the same hashing algorithms, in effect to generate cryptocurrency via brute-forcing a specific number of hashes).  Presently the best shipping [source] hardware is the AntMiner S5, which boasts 1.155 TH/s (over a trillion hashes per second) (~2^40 hashes per second).  This ASIC solution retails for $370 USD.

The AntMiner S5 can process a trillion hashes a second. [Image Source: BitMainTech]

The 100K rounds of additional hashing with salt would require additional effort to break, but suffice it to say that with modern innovations like GPU computing, SHA256 passwords may be susceptible to collision or preimage attacks using hashing ASICs.  In fact, government agencies such as the NSA may already be able to break SHA256 (although perhaps not with the level of salting described by LastPass).

Suffice it to say, though, that any current unpublished capability to break salted SHA256 hashed passwords would likely take days to crack a single password, meaning that unless your email address indicated you to be a high profile target (or you got very unlucky in that they picked you out of millions of users at random to attack), you likely have nothing to worry about in the present context.

That said, it's hard to say how crackable the master password table -- state of the art as its encryption may currently be -- will prove to be in a couple decades.

Aside from algorithmic, hardware, and other conventional advances that might enable faster cracking, there's the esoteric threat of cracking algorithms on a quantum computer, which could effectively reduce cracking even very large hashed passwords to a matter of seconds.

Quantum-computers' risk to traditional passwords is largely an existential question, as the development of quantum cracking algorithms would effectively force a vast shift in security. [Image Source: Google]

Both the NSA and the Chinese government are reportedly pursuing this capability in an attempt to further realize their spying ambitions.  If they succeed, one can all but assume that in time such tremendously expensive solutions would become commonplace enough for large criminal consortiums to have access to one, allowing them to be used as a tool in traditional private sector cybercrime.

Of course, such concerns are largely existential, as any generalized dehashing algorithm on quantum computer hardware would render all traditional passwords useless, forcing the industry (including LastPass) to replace conventional passwords with novel alternatives (e.g. randomly generated musical passages; pseudorandom images; or cognitive (question-answer) passwords).

LastPass's strong encryption is much appreciated given its possible data loss. [Image Source: Gizmag]

The take home?  While a password change is probably a sound suggestion to be exceedingly cautious, chances are no one is getting your master password, even if they're very experienced and have access to the best (and most expensive) password cracking solutions.  That should help security conscious folks sleep a little sounder.

Source: LastPass [official blog]
