If you’re a user of the LastPass online password manager, you might have noticed some rather alarming headlines in December about a security breach at the company.
This was a serious incident whose origins date back to an earlier notification in the summer. The gist of a rather long and sometimes confusing story is that the company has admitted that over a period of time in 2022 hackers were able to steal a copy of encrypted customer password vaults plus unencrypted data such as website URLs for each site stored in vaults, user email addresses, and IP addresses.
It’s not the first security issue at LastPass, but earlier incidents were generally vulnerabilities or oversights of the kind most applications suffer from time to time; this one involved the theft of customer data.
How Big a Breach Was This?
Owned by GoTo (previously called LogMeIn, which bought LastPass in 2015), the company is the market leader in the booming online password manager sector, with up to 33 million paid and unpaid users worldwide. This includes 100,000 SMB customers, each of which uses the product to protect anywhere from dozens to hundreds of employees.
As with all online password managers, LastPass stores the encrypted vault containing passwords and secure notes in its cloud. This is true for individual accounts but also for business accounts. If you are an SMB, each user vault is stored by LastPass, and the implication is that the hackers now have a copy of that vault.
These vaults are encrypted to a good standard (AES-256, with the key derived from the master password using PBKDF2 at a current default of 100,100 iterations) and can only be decrypted with the user’s master password, which only the user knows. LastPass never receives the master password and therefore cannot lose it, which is the basis of its so-called ‘zero knowledge’ claim. If that master password is long and complex, guessing it offline is impractical. However, the hackers can still try one or more of the following attacks:
- Try to steal the master password using a crafted phishing attack (the hackers have the user’s email address so know who to target).
- Try to guess weaker master passwords offline against the stolen vault (since 2018 LastPass’s minimum master password length has been 12 characters, but longer is definitely advisable).
- Use the unencrypted URLs, which reveal which sites each user has an account on, to go after those accounts directly, for example by credential stuffing with passwords leaked in other breaches, or with phishing tailored to that site. The individual passwords inside the vault cannot be attacked one by one without first recovering the master password.
Some SMB customers use LastPass Federated Login Services. This means they don’t have a master password, instead using their company Active Directory (AD), Google Workspace, or other third-party directory service or account password. This password isn’t affected, the company says.
Why LastPass Matters
As with its rivals, LastPass has been around for more than a decade of slow but steady growth. Around 2019 something changed, and user numbers spiked across the sector as individuals and businesses became more aware of the advantages of using this type of service. A breach in LastPass matters – if hackers can breach a company as big as LastPass perhaps they can do the same to others, undermining the sector’s reputation for security.
Password Manager History
Password managers started life decades ago as simple standalone applications for the tiny number of experts who needed to store lots of passwords and wanted something more secure than a spreadsheet. Over time, they acquired more features such as the ability to auto-generate long, complex passwords, and to autofill and capture browser passwords/logins. Other innovations included the ability to share passwords, security alerts regarding data breaches, and business-friendly features such as centralised management, more advanced encryption, and support for different forms of multi-factor authentication (MFA).
Password Managers Are Good for Security
For SMBs and individuals alike, password managers remain a very good idea. Password management has long been a problem for small businesses lacking IT resources. Traditional password management systems are very centralised, which generates overhead and bottlenecks. Password managers allow more room for users to self-manage while setting appropriate central policies regarding password length and complexity.
The autofill feature of password managers – filling the password field on stored sites – also offers some protection against phishing, because autofill only triggers when the domain of the page matches the domain stored with the credential. On a phishing site the domain won’t match, LastPass won’t offer to fill, and that silence is a useful warning sign.
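The domain check that makes autofill a phishing tell, as an added example (this is not LastPass’s code; it is a simplified matcher written for this page). Commercial managers match on the registrable domain using the public-suffix list; the rule here is stricter and only fills when the page host equals the stored host or is a subdomain of it. The stored entry and the test URLs are constructed for the example.

```python
from urllib.parse import urlsplit


def should_autofill(stored_url: str, page_url: str) -> bool:
    """Decide whether a credential saved for stored_url may be filled on page_url.

    Rule used here (a deliberate simplification; real managers use the
    public-suffix list to find the registrable domain): the page host must equal
    the stored host or be a subdomain of it, and the page must not downgrade the
    scheme. Hosts are compared as lower-cased IDNA (punycode) labels, so a
    homograph such as "exаmple.com" with a Cyrillic "а" encodes to a different
    xn-- host and does not match.
    """
    stored, page = urlsplit(stored_url), urlsplit(page_url)
    if not stored.hostname or not page.hostname:
        return False
    if stored.scheme == "https" and page.scheme != "https":
        return False  # never offer an https credential on a plain-http page
    try:
        stored_host = stored.hostname.encode("idna").decode("ascii")
        page_host = page.hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return False  # hostname that cannot be normalised: treat as a mismatch
    # Suffix match on a label boundary: "login.example.com" matches "example.com",
    # but "example.com.evil.net" and "notexample.com" do not.
    return page_host == stored_host or page_host.endswith("." + stored_host)


STORED = "https://example.com/login"  # constructed vault entry

# Constructed page URLs with the decision a user would expect.
CASES = [
    ("https://example.com/account", True),
    ("https://login.example.com/", True),            # subdomain of the stored host
    ("https://EXAMPLE.com/", True),                  # host comparison is case-insensitive
    ("http://example.com/login", False),             # scheme downgrade
    ("https://example.com.evil.net/login", False),   # stored host as a subdomain of an attacker domain
    ("https://notexample.com/", False),              # suffix match without a label boundary
    ("https://examp1e.com/", False),                 # lookalike host
    ("https://exаmple.com/", False),                 # Cyrillic 'а' homograph
    ("https://evil.net/example.com/login", False),   # stored domain in the path, not the host
]


def run_cases(stored: str = STORED, cases=CASES) -> list:
    """Return (url, decision) for each case so the behaviour can be inspected or asserted."""
    return [(url, should_autofill(stored, url)) for url, _ in cases]


if __name__ == "__main__":
    for url, decision in run_cases():
        print(f"{'FILL   ' if decision else 'REFUSE '} {url}")
```

The last five cases are the ones a phishing kit relies on; a manager that stays silent on all of them is doing the work the paragraph above describes.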
Password managers also make it easier to capture all logins being used by employees for shadow applications. That means that admins can see which sites they are using. Password managers detect password reuse, spotting that someone is using the same password repeatedly. In short, admins can see how employees are using passwords without getting in the way.
How Should SMBs React to the LastPass Breach?
- The attackers now have a lot of metadata on LastPass’s user base as well as an encrypted copy of each password vault. Even if a secure master password protects it, it is still a good idea to change that password. Doing so re-encrypts the live vault under a new key, so anyone who later phishes the new master password cannot use it on the stolen copy. Be clear, though, that the stolen copy stays encrypted under the old master password, and changing it does nothing to make that copy harder to attack.
- However, the danger is that at some point in the future attackers somehow decrypt the stolen copy, revealing the passwords. For that reason, it is probably a good idea to change the password for each site stored in the vaults. This will be a big chore although it is probably only necessary to change important passwords initially, for example, email, banking, or cloud services.
- The most important protection, however, is to ensure that multi-factor authentication is enabled. Frankly, using anything (including password managers) without MFA is unwise these days. What matters is to employ a strong type of MFA, for example, a hardware token for critical accounts and at least an authenticator app for others (SMS authentication is no longer seen as resilient enough to resist a determined attacker). Note that MFA on the LastPass account itself only protects logins to the live service; it does nothing for the stolen offline copy, which only the master password protects. MFA on the individual accounts stored in the vault is what limits the damage if any of those passwords are recovered.
- Double-check that employee master passwords are long and secure. The minimum is now 12 characters, but older master passwords might still be shorter – there is apparently nothing that forces anyone to update an older master password to meet the current policy.
- PBKDF2 iterations make every guess at the master password more expensive, which slows brute forcing, but older accounts may still be on a much lower setting than the current default of 100,100 (5,000 was the default before 2018). The value can be checked and raised under Advanced Settings in Account Settings. Raising it now only protects the live vault: the stolen copy keeps whatever iteration count it had when it was taken, which is another reason to rotate the passwords stored inside it.
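What the iteration count and master-password strength mean for an attacker holding a stolen vault, as an added example for the key-derivation description earlier on the page and the iteration advice in the list above (this is not LastPass’s code). It uses PBKDF2-HMAC-SHA256 from the standard library and assumes, as LastPass is widely documented to do, that the lower-cased account e-mail is the salt. The AES ciphertext is replaced by an HMAC tag that plays the same role, letting a guess be verified, so the example runs without a third-party crypto library; the e-mail, passwords and wordlist are constructed.

```python
import hashlib
import hmac
import time

# Constructed for this example: a short list of weak master passwords an attacker
# would try first. Real attacks use multi-million-entry wordlists and mangling rules.
WEAK_CANDIDATES = ["123456", "password", "letmein", "Summer2022!", "qwerty123456"]

# Stand-in for "decryption produced well-formed plaintext", the signal that a guess is right.
KEY_CHECK_MARKER = b"vault-plaintext-looks-valid"


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte (AES-256 size) key with PBKDF2-HMAC-SHA256.
    Assumption for this example: the lower-cased account e-mail is the salt."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def make_stolen_vault(master_password: str, email: str, iterations: int) -> dict:
    """Build what the attacker holds after the breach: the e-mail (plaintext), the
    per-account iteration count (stored alongside the vault), and data that lets a
    guess be verified. In a real vault that is the AES ciphertext; here an HMAC tag
    over a fixed marker does the same job."""
    key = derive_vault_key(master_password, email, iterations)
    return {
        "email": email,
        "iterations": iterations,
        "tag": hmac.new(key, KEY_CHECK_MARKER, "sha256").digest(),
    }


def key_opens_vault(key: bytes, vault: dict) -> bool:
    return hmac.compare_digest(hmac.new(key, KEY_CHECK_MARKER, "sha256").digest(), vault["tag"])


def offline_guess(vault: dict, candidates) -> tuple:
    """The offline attack a stolen copy enables: no rate limit, no lockout, no MFA.
    Each guess costs one PBKDF2 run at the iteration count the account had when the
    copy was taken. Returns (recovered password or None, number of guesses made)."""
    tried = 0
    for guess in candidates:
        tried += 1
        if key_opens_vault(derive_vault_key(guess, vault["email"], vault["iterations"]), vault):
            return guess, tried
    return None, tried


def cost_ratio(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 cost per guess is linear in the iteration count: moving an account from
    5,000 to 100,100 iterations makes every attacker guess about 20 times dearer."""
    return new_iterations / old_iterations


def seconds_per_guess(email: str, iterations: int, samples: int = 3) -> float:
    """Measure this machine's cost of one guess at a given setting. A GPU rig is orders
    of magnitude faster than a laptop CPU, but the ratio between settings carries over."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"timing-probe-{i}", email, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample account
    weak_vault = make_stolen_vault("letmein", email, 5000)  # pre-2018 default iteration count
    print("weak master password, 5,000 iterations:", offline_guess(weak_vault, WEAK_CANDIDATES))
    strong_vault = make_stolen_vault("stapler-ocean-47-violin-mesa", email, 100100)
    print("strong master password, 100,100 iterations:", offline_guess(strong_vault, WEAK_CANDIDATES))
    for n in (5000, 100100):
        print(f"{n:>7} iterations: {seconds_per_guess(email, n) * 1000:.1f} ms per guess on this CPU")
    print("cost ratio 5,000 -> 100,100:", round(cost_ratio(5000, 100100), 2))
```

Two things the run makes concrete: the iteration count is a multiplier on the attacker’s bill, not a barrier, so a weak master password at 100,100 iterations still falls to a short wordlist; and the number the attacker pays is whatever the account was set to on the day of the theft, which is why raising it afterwards helps the live vault but not the stolen one.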
Final Words
The LastPass breach is the first time anyone has managed to compromise a company in this sector at this scale. In theory, vault contents protected by a strong master password remain secure. But the idea that even encrypted data remains in the hands of hackers is disturbing because it underlines the grey area where assumptions have yet to be tested. Password managers are a convenient way to protect and manage passwords with a number of advantages for SMBs over traditional password systems. But this incident reminds us that no security platform or company is without risk.
