Many LastPass users found out on social media or on news sites earlier this week that LastPass experienced a significant security breach. While the password vaults that hold users' stored passwords are not believed to have been compromised, attackers gained access to users' email addresses, free-form password reminders, server-side per-user salts, and hashed master passwords (the authentication hashes). The breach comes at a time when many security writers have been recommending that people use strong, unique passwords for every website and cloud service they use, so that a breach of one service cannot be leveraged against the others. Many even recommended LastPass as a secure way to remember all of these complex, unique passwords.
We analyzed exposure to the LastPass breach across over 18 million Skyhigh users. Before we dive into those numbers, what does the breach mean for the average LastPass user? First, while the breach is a wake-up call for the industry, the average user is unlikely to be affected. LastPass users log in to their accounts with a master password, which unlocks the passwords stored in the vault hosted by LastPass. The master password is run through PBKDF2-SHA256 on the user's computer before anything leaves it, and LastPass stores only the resulting hash, never the master password itself. The hash is also salted: a piece of random data unique to each user is mixed into the password before hashing, so that the same password does not produce the same stored value for two different users.
Unlike encryption, the hashing LastPass uses is a one-way operation. Encrypted data can be decrypted by anyone holding the key. A hash function, by contrast, is designed so that its output cannot be reversed: given only the hash value, there is no practical way to recover the original input. Hashing does have a weakness, though. If two people use the same password, they get the same hash, and an attacker who can compute hashes can exploit this. Given enough computing power, an attacker computes the hash of many candidate passwords (dictionary words, common passwords, combinations of letters and numbers) and compares each result against the stolen hash; a match reveals the password.
This is where a salt comes in. In the case of LastPass, the salt is a random value added to each user's password before it is hashed, so that two users who both chose "Password1234" end up with different stored hashes. An attacker can still precompute hash values, but the salt means a table built for one user is useless against any other, which makes precomputation at scale impractical. In the LastPass breach, it is these salted hashes of the master password that were stolen, and LastPass says the per-user salts were taken with them. Salts are stored next to the hash by design and are not meant to be secret, so this does not cancel out the salt's purpose: an attacker still has to attack each user's hash separately. What it does enable is an offline guessing attack against each hash. With the salt and hash in hand, the attacker can test candidate master passwords on their own hardware without ever touching the LastPass login page, and a correct guess yields the master password, and with it a way to log in and reach everything in that user's vault. How long that takes depends on the work factor of the hash and on the strength of the master password.
The hashing scheme LastPass uses, PBKDF2-SHA256, has a drawback. PBKDF2 itself is a password-hashing standard with a configurable iteration count, but the primitive underneath it, SHA-256, is a general-purpose hash function designed to reduce large amounts of data to a small digest for integrity checks as quickly as possible. Speed is exactly what you do not want when protecting passwords: the goal is to make each guess as expensive as possible to slow down a brute-force attack, and PBKDF2 achieves that only by repeating a fast function many times. Worse, SHA-256 runs very efficiently on GPUs, so an attacker can test many guesses in parallel. bcrypt was designed specifically for password hashing and, by some estimates, takes around five orders of magnitude longer per guess at comparable settings; its design also limits the gains attackers get from GPU hardware, because it depends on memory access patterns that GPUs handle poorly.
Another risk is the disclosure of the password reminders. LastPass is somewhat unusual in that, rather than offering a standard set of reset questions such as mother's maiden name, first pet, or favorite teacher, it lets users type a free-form reminder for their master password. If a user chose a weak master password such as a favorite teacher's name and wrote a reminder that says so, an attacker can use a dictionary of names, hashed with that user's leaked salt, to find the master password far faster than an unguided brute-force search. The reminders also make phishing and social-engineering attacks easier, since they tell the attacker exactly what to ask for.
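The mechanics described in the preceding paragraphs, as an added example that is not code from the original post or from LastPass: it builds salted PBKDF2-SHA256 authentication hashes, shows that the same password yields different stored values per user, runs the offline guessing attack an attacker with leaked salts can mount, narrows the guess list from a free-form reminder, and measures how the iteration count (not the salt) sets the cost per guess. The users, salts, passwords, reminders, wordlists and the 5,000-iteration work factor are all constructed assumptions for the illustration.

```python
"""Added example (not from the original post): salted PBKDF2-SHA256
authentication hashes, the offline guessing attack a leaked salt permits,
and hint-driven narrowing of the guess list. Every user, salt, password,
reminder and wordlist below is constructed for the illustration."""
import hashlib
import hmac
import time
from typing import Iterable, List, Optional

# Assumed iteration count for the illustration, not LastPass's real setting.
ITERATIONS = 5000


def derive_auth_hash(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the master password with a per-user salt; this is
    what a server stores instead of the password itself."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations)


def unsalted_hash(master_password: str) -> bytes:
    """Plain SHA-256, shown only to contrast with the salted construction."""
    return hashlib.sha256(master_password.encode("utf-8")).digest()


def leaked_record(email: str, master_password: str, salt: bytes, hint: str) -> dict:
    """Build what the attacker holds after a breach like the one described:
    email, per-user salt, iteration count, hash and free-form reminder."""
    return {"email": email, "salt": salt, "iterations": ITERATIONS,
            "hash": derive_auth_hash(master_password, salt), "hint": hint}


# Constructed sample: alice and bob chose the same (weak) master password.
LEAKED = [
    leaked_record("alice@example.com", "Password1234", bytes.fromhex("a1" * 16), "the usual one"),
    leaked_record("bob@example.com", "Password1234", bytes.fromhex("b2" * 16), "the usual one"),
    leaked_record("carol@example.com", "mrs.thompson", bytes.fromhex("c3" * 16),
                  "favorite teacher's last name"),
]


def candidates_from_hint(hint: str) -> List[str]:
    """Crude hint-driven narrowing: a reminder mentioning a teacher turns a
    brute-force search into a walk through a name list with a few prefixes.
    The name and password lists are constructed stand-ins for real wordlists."""
    generic = ["123456", "password", "letmein", "Password1234"]
    names = ["smith", "garcia", "thompson", "lee"]
    if "teacher" in hint.lower():
        return [p + n for n in names for p in ("", "mr.", "mrs.", "ms.")] + generic
    return generic


def offline_guess(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack. The salt and iteration count are part of the
    leaked record, so every guess costs one PBKDF2 derivation on the attacker's
    own hardware and never touches the live service."""
    for cand in candidates:
        if hmac.compare_digest(derive_auth_hash(cand, record["salt"], record["iterations"]),
                               record["hash"]):
            return cand
    return None


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Rough single-core guessing rate; the work factor, not the salt, is what
    makes each guess expensive."""
    salt = bytes(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_auth_hash("guess%d" % i, salt, iterations)
    return samples / max(time.perf_counter() - start, 1e-9)


if __name__ == "__main__":
    # Same password, same unsalted hash: one precomputed table covers every user.
    print("unsalted hashes equal:", unsalted_hash("Password1234") == unsalted_hash("Password1234"))
    # Same password, different salted hashes: each user must be attacked separately.
    print("salted hashes equal:", LEAKED[0]["hash"] == LEAKED[1]["hash"])
    for rec in LEAKED:
        found = offline_guess(rec, candidates_from_hint(rec["hint"]))
        print(rec["email"], "hint=%r" % rec["hint"], "recovered:", found)
    for it in (1000, 10000, 100000):
        print("%6d iterations: %.0f guesses/s" % (it, guesses_per_second(it, samples=5)))
```

The takeaway from running it is that the leaked salt changes nothing about how many guesses the attacker needs per user; what changes the rate is the iteration count, and what decides the outcome is whether the master password is on a list the reminder points at.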
In practice, however, most (if not all) LastPass users likely have not had their vaults compromised. The attackers obtained hashed master passwords, not the encrypted vaults themselves, so even a recovered master password would have to be used to log in through LastPass before anything could be extracted. LastPass has required all users without multi-factor authentication to verify new logins through their email accounts. Users with multi-factor authentication are protected because an attacker holding their master password would also need their phone to obtain the second factor at login. Finally, LastPass users can protect themselves by changing their master password, and by changing it anywhere else they may have reused it; the breach is a good reminder of the risk of reusing passwords in multiple places.
Nevertheless, the attack highlights that attackers are highly motivated to breach sensitive caches of information in the cloud, especially password managers. Looking at usage data for Skyhigh's 18 million users, we found that 91% of organizations have LastPass users, and the average organization has 173 of them. Consider an IT admin who stores passwords for company systems in LastPass. If her vault were compromised in a future attack, an attacker could gain control over a multitude of systems and steal or even destroy data. We found one company with 2,635 LastPass users. If the criminals in this attack had managed to obtain vault contents along with the master passwords, they might well have gained admin credentials for many core systems and been able to launch a Sony-style attack on that organization.
More than anything, the LastPass breach demonstrates that a password alone is no longer enough protection. With millions of account credentials for sale on the darknet, cloud services need to offer additional layers of defense. Skyhigh tracks the security controls of over 12,000 cloud services and found that just 15% offer multi-factor authentication, the control that ultimately protected LastPass users in this incident. Our recommendation is that enterprises weigh multi-factor authentication heavily when choosing cloud services. Cloud providers also need to be smarter about stepping up authentication when a user logs in from a different device or location, or exhibits uncharacteristic or anomalous behavior.