dark bedroom with macbook lit-up mac logo

I don’t care if they get my encrypted passwords

Sam Rueby Security, Uncategorized 0 Comments

Everyone has heard by now that LastPass was hacked.

EVERYONE PANIC

Wait- why? A lot high-traffic tech blogs eat this stuff up. Security is a big deal right now. The majority of people don’t fully understand security (they know they want it, but not how it works). So that’s an easy recipe to take some key words that fire people up, throw it in a post, tell them they’re doomed and make several suggestions that we’ve all heard a million times. “Change your password. No stop, not your dogs name. Not your birthday either! NOT PASSWORD123 either!” Queue the ridiculous password requirements: must start with a letter, lowercase, capitals, some digits, a few symbols (but not any of these symbols), isn’t a dictionary word, doesn’t rhyme in any language, max length of 12 (I still have no idea why anyone limits password length). You don’t actually need anything except length: secure passwords can be easy.

But this isn’t my point. What did LastPass actually say?

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

That sounds way scarier than it is. Security isn’t just about keeping people out. It’s also about if they get your encrypted stuff, you’re still safe. LastPass somehow becoming compromised is expected: they’re where all the gold is kept. If you rob someone coming out the bank, you might get away with it and if you do, you made some money. Or you could rob the actual bank and obtain a lot more. All LastPass has to do to keep your data protected is to have several layers: break through any one layer, you still have a while to go.

Does LastPass have layers? They sure do.

  • They store your passwords, but they don’t have a clue what they are.

Seriously. If you forget your master password, you’re pretty much out of luck. Which is the benefit of using strong encryption (in this case, 256-bit AES). First they’ll try to provide you with a hint (the hint that you provided to him, which is only helpful if you made it helpful!) If that doesn’t help, they’ll try to guide you on gaining access on a computer which you’re stilled logged into LastPass. But after there point, there’s no recovery.

  • It’s not just encrypted, it’s strongly encrypted

They use salted 256-bit AES for your encrypted data and SHA-256 with a ton of rounds of PBKDF2 for your password hash. Encryption is somewhat of an arms race. The fact that anything can be decrypted means it’s vulnerable and anything is vulnerable to brute force. The only thing preventing brute force is time and compute power. As computers becomes faster, encrypted data becomes more vulnerable. This is why LastPass also increases the amount of PBKDF2 iterations they perform as time goes on. We use less-intense encryption while communicating with our online banks.

  • Your stuff isn’t decrypted on their servers.

Which is a pretty good idea. Otherwise they would have to make extra-super-sure their servers aren’t compromised. Then they would have to worry about the decrypted data being securely transferred to your computer. At that point, let’s hope your computer isn’t compromised. By only having the data decrypted on your computer, the only thing to worry about is that your computer is secure. That’s way less things to worry about!

  • If that wasn’t enough, they offer 2-factor authentication

Which means that even if someone beat you until your yelled your master password and the attacker ran away, they still wouldn’t be able to get in your account unless they stole your phone too.

So I wouldn’t care if hackers got my encrypted data

Because if we trust encryption at all, then even if they have it they can’t use it.

But LastPass could have done better

Yeah, I shouldn’t have heard via Gizmodo. Yeah, their server’s shouldn’t be getting DDOSed by people legitimately trying to change their passwords. But I would still recommend LastPass to everyone. My 100-character randomly-generated passwords are significantly safer than the same 4 passwords I used to always use. So don’t listen to silly websites that tell you LastPass isn’t safe, or to go back to writing your passwords on post-it-notes. Make a long master password and turn on 2-factor and you’re done.