Many users don't use "good" passwords, so you use a high number of iterations on the KDF, to make it harder to brute-force an account's password.
LastPass initially used 5000 rounds of KDF for old accounts. That's not a lot, especially today. They increased it over time to 100,100 iterations (which is better).
The data stored in a password vault is encrypted by a per-entry key, derived from this user password. If a user's password is weak, predictable, re-used, etc., then attackers now have an opportunity to decrypt the contents of their vault. Up until now, attackers have generally been assumed not to have access to user vaults, as that requires authentication (maybe including MFA).
No local software has been compromised, but getting hold of the server-side backups makes it possible to try to brute-force users' passwords in a way that was previously prevented by server-side rate limiting and MFA.
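To make the two cost factors in the paragraphs above concrete, here is an added Python example (not LastPass's own code). It assumes the vault key is derived with PBKDF2-HMAC-SHA256 from the master password and a per-user salt, uses the 5000 and 100,100 iteration counts quoted above, and constructs its own sample password and salt. It measures how much one key derivation costs on the current machine, how that cost scales with the iteration count (linearly), and how it compares with the search-space size of the password itself (exponentially), which is why a stronger master password does far more for an offline-brute-force scenario than a 20x increase in iterations:

```python
import hashlib
import time

# Iteration counts quoted in the text above.
LEGACY_ITERATIONS = 5_000
CURRENT_ITERATIONS = 100_100
KEY_LEN = 32  # 256-bit key, assumed vault key size

# Constructed sample values; a real deployment uses a random per-user salt.
SAMPLE_SALT = b"constructed-per-user-salt"
SAMPLE_PASSWORD = "constructed-sample-password"


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault encryption key from the master password.

    Every candidate password an attacker tries against a stolen vault
    costs exactly one run of this function at the same iteration count,
    so the iteration count is the per-guess work factor."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure one derivation on this machine (single core, stdlib PBKDF2)."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
    return (time.perf_counter() - start) / samples


def work_factor_ratio(new_iterations: int, old_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so this is how much
    more expensive each guess becomes after raising the count."""
    return new_iterations / old_iterations


def expected_crack_seconds(search_space: float, secs_per_guess: float) -> float:
    """Expected time to find a password chosen uniformly from search_space:
    on average half the space must be tried."""
    return search_space / 2 * secs_per_guess


if __name__ == "__main__":
    legacy = seconds_per_guess(LEGACY_ITERATIONS)
    current = seconds_per_guess(CURRENT_ITERATIONS)
    print(f"{LEGACY_ITERATIONS:>7} iterations: {legacy * 1e3:8.2f} ms per guess")
    print(f"{CURRENT_ITERATIONS:>7} iterations: {current * 1e3:8.2f} ms per guess")
    print(f"work factor ratio: {work_factor_ratio(CURRENT_ITERATIONS, LEGACY_ITERATIONS):.2f}x")

    # Two constructed master-password policies: 8 lowercase letters versus
    # 4 words drawn from a 7776-word list. The search space, not the KDF,
    # dominates the outcome.
    for label, space in (("8 lowercase letters", 26 ** 8), ("4 diceware words", 7776 ** 4)):
        for name, per_guess in (("legacy", legacy), ("current", current)):
            years = expected_crack_seconds(space, per_guess) / (365 * 24 * 3600)
            print(f"{label:>20}, {name:>7} KDF, one CPU core: ~{years:.3g} years")
```

The timings are for a single core of stdlib Python, so GPU cracking rigs will be orders of magnitude faster per guess; the point the numbers make is the relative one: raising iterations from 5000 to 100,100 buys a constant 20x, while going from an 8-letter password to a 4-word passphrase multiplies the search space by about 17,000x.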
There is also some side information leakage from the server-side copies of users' vaults, like the URLs of websites in a given vault not being encrypted, and vaults being tied to user identities and contact info.
This tweet thread suggests/implies that at least one user has had a password compromised from information held in an encrypted vault. There's no evidence yet of a compromise of the locally installed software, but it emphasises the importance of changing passwords, moving to new wallets if seeds were exposed to LastPass, etc.