SN 904: Leaving LastPass

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

Even though I deleted my LastPass account when the news broke, and have been moving to Bitwarden, I’m prepared to give LastPass the beenfit of the doubt. I have come to this conclusion, even while listening to Steve’s take on things, because what guarentee do we have that the alternative is any better - I mean, really, unless you are going to self host Bitwarden and, possibly, not even then.
It’s all very well telling me Bitwarden is oen source but, to me, that doesn’t matter if you aren’t looking at the code or don’t understand it. That’s assuming the self hosted version is the same as the hosted one

It also occurs to me that LastPass seemed to be doing everything right in the beginning, and people were singing its praises until they weren’t. Just because Bitwarden is open source now doesn’t mean it’ll be so forever and, on that note, how are they making money if they give so much away for free. The $10 plan, which provides the ability to 2FA generation, is probably not as useful as you think since I have to have a separate authenticator for the Bitwarden vault itself.

LastPass’ Vault Format has been “decoded” for a while now. This four-year-old GitHub repo has parsed out almost every field and was recently updated. Only 6 / 38 fields are encrypted.

Unfortunately, it looks trivial to have encrypted most of it as Bitwarden & 1Password both encrypt far more. As Leo & Steve noted, LastPass has stopped caring.

What LastPass stores and is encrypted:

• Item name

• Item folder

• Item notes

• Item username

• Item password

• Item attachments

What LastPass stores and is not encrypted (mostly; other bits look internal):

• Item’s login URL (LastPass’ weak reasoning why they refuse to encrypt URLs)

• Item’s favorite status

• Item’s password re-prompt status

• Item’s last used timestamp

• Item’s last modified timestamp

• Item’s last password change timestamp

• Item’s creation timestamp

• Item’s password is vulnerable

• Item’s password is breached

• Item’s autologin status

• Item’s alert status

• Item’s never-autofill status

• Item’s attachment presence (actual attachment is encrypted)

• Item’s shared to an individual (yes / no)

• Item’s shared to others (yes / no)

• Item’s pw data: LastPass-generated or user-generated (yikes)

• Item’s type (login, secure note, bank account, etc.)

• Item’s support for auto-change passwords

That is quite unfortunate because there’s nothing that can be done now on this plaintext data being exposed. This information, available immediately to the “threat actor”, allows them to make staggeringly simple sorts & priority lists of users. This quote comes to mind:

“If someone tells you who they are, believe them the first time.”

To me a company’s attitude & response when its breached or vulnerabilities are reported to it trumps almost everything beyond having frequent, wide-ranging audits.

There is something (negative) to be said about inertia in tech journalism, particularly in massively popular products. Frank research into LastPass was rarely shared and thus its flaws were rarely discussed. I didn’t learn about these flaws until this breach re-surfaced serious problems by previously-rarely-cited authors.

Do give these a read. They cover most of this Jan 2023 episode of Security Now and this author was cited by Steve a few times:

• Black Hat Europe 2015: Even the LastPass will be stolen, deal with it (Nov 2015)
• LastPass: Security done wrong (Mar 2017)
• cfbao/lastpass-vault-parser: Parse your LastPass vault (May 2018)
• Is your LastPass data really safe in the encrypted online vault? (July 2018)

We have a missing channel that guides & curates information from actively-researching-products to mainstream-tech-news-outlets. None of those critiques stopped LastPass mainstream inertia here or elsewhere:

• PCMag Editors’ Choice (Oct 2022)
• PC World Editors’ Choice (Feb 2022)
• Tom’s Guide Editor’s Choice (Jan 2022)
• Tech Radar Pro Recommended (Oct 2022)
• CNET’s Best Paid Password Manager (2H22)

Meanwhile last week, CNET withdrew their superlative recommendation of LastPass “pending further review”, on which I personally applaud them.

Previously, we had selected LastPass as our “best paid password manager.” However, because of the severity of these incidents, we’ve decided (as of late December 2022) to temporarily remove LastPass from our list of recommendations, pending a re-review of the service in early 2023. Potential customers and anyone who’s uncomfortable with LastPass’s continuing security challenges should take a close look at the alternatives presented elsewhere in this story.

//

Everyone, including we lowly end-users, that trusted in LastPass have an opportune time to reflect and “audit ourselves” on who we trust, where are our blindspots, and whether our consistency should instead be understood as inertia.

As to his spectacular flip-flop on the issue, [Associate Supreme Court Justice John] Harlan said: “Let it be said that I am right rather than consistent.”

(Source)

Because LastPass’ cloud audits were only available if you signed an NDA, CNET reported in 2021.

And while LogMeIn keeps a collection of audits for several of its properties, the company says its additional cloud security audit for LastPass is only available if you sign a nondisclosure agreement.

The source code is private and the audits are missing, but we know LastPass collects some of your data.

Haven’t been on for a while, but I thought the severity of this episode warranted a login.

I mean, I think even Steve might agree with that statement. However, what I took from this episode is not that mistakes were made, but the apparent lack of attention to details, e.g. the fact that the oldest accounts would be more vulnerable because of antiquated numbers of hashes, or weak master passwords. This, combined with blatant downplaying of the severity of the incident (i.e., the fact that so much user data is now permanently available, and the previous statements about the safety of customer data) really erodes some trust.

That is a valid point, and we have seen perversions of companies in the open source community before. I would say that there are two mechanisms that protect against this threat:

1. The core parts of bitwarden are available under GPL/AGPL licenses. Basically, their commits after the license change would technically violate the copy-left provisions. Since the server is AGPL, that means they would never even be able to offer their service using a closed source server without opening legal challenges.
2. A strong community has developed around Bitwarden in the OSS community. The entire server has been rewritten in Rust: vaultwarden (formerly biwarden_rs; this is what you were looking for, @Leo ). That community supported project has 21k stars and over 1000 forks on GitHub.

So Bitwarden couldn’t make it closed without huge downside, and even if they could, there are plenty of people involved in the code who would take it over immediately.

The fact that organizations need security services and get affected by so many attacks makes the traditional open source model of selling to companies pretty viable, I’d say.

Yes, I think this about sums it up.

Now picked up by the New York Times. LastPass refused to issue a comment to WIRED, but obviously couldn’t ignore NYT. And it is difficult to read how self-serving it is:

Karim Toubba, the chief executive of LastPass, declined to be interviewed but wrote in an emailed statement that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive vault data encrypted and secured.

Please. His self-serving comments do a major disservice to the cybersecurity community and mainstream users. Plenty sensitive vault data was not encrypted; the system architecture was demonstrably not shown to be “strong”, but in fact lagging behind, un-enforced, and exposed LastPass adamantly stuck by worst practices even after years of responsible disclosure.

LastPass’s public response to the incident thrusts responsibility on the user, but we don’t have to accept that. Although it’s true that practicing “good password hygiene” would have helped to keep an account more secure in a breach, that doesn’t absolve the company of responsibility.

Sorry for the double-post. A lot of news today! PCMag has also temporarily withdrawn its recommendation:

Editors’ Note: Because of the still-unfolding story of LastPass’ recent breach, we have decided to pull LastPass from this roundup. After we have reexamined and rerated the service we’ll consider adding it back.

Now second behind CNET that also removed its LastPass endorsement:

However, because of the severity of these incidents, we’ve decided (as of late December 2022) to temporarily remove LastPass from our list of recommendations, pending a re-review of the service in early 2023.

Tom’s Guide, Tech Radar, and PCWorld haven’t formally rescinded their recommendations.

Just got done listening to the episode. I had moved away from LastPass awhile ago but I never cleared out the vault (until last week when I nuked my entire account). This episode was… well it’s left me with a lot of uncomfortable feelings.

Up until now I was self-hosting my own Bitwarden instance and told myself “you’re a web developer, you probably know what you’re doing and you shouldn’t have your passwords on someone else’s computer”, but I’m terrified of making a mistake so I finally just moved everything to BW’s cloud. I’m thinking the rewards outweigh the risks, here’s hoping!

@Leo I did not expect an apology for advertising LastPass, but I do appreciate it. Shame how things change…

I thought for a moment about self hosting, but I only wanted to do it if I could leave the server on my private lan. But you can’t create new items offline, so it didn’t really work for me. Maybe if I could have figured out a tailscale solution for my wife’s devices as well I would have done it, but I really do think I am bound to mess this up.

Yes, Bitwarden is a single point of failure. But so is Dropbox or any other cloud storage provider. And I’d never sleep again knowing that my hardware was accessible on the internet.

Edit: And to be clear, I ended up going with Bitwarden. After this news, I’ll probably upgrade to a paid plan!

So let me get this straight: In the first lastpass breach, the intruders got a look at the source code. They potentially can unlock vaults offline with their own copy of the code. Then they exfiltrated vaults with plaintext indicators of (1) a proxy for if the password is low entropy, and (2) a proxy for how old the account is. Steve just announced that old accounts are brute-forceable through poor defaults. Doesn’t this mean that bad guys can just filter vaults by the oldest password and compare the brute-force decrypted password field against some dictionary rule to see if they successfully did the job?

Maybe I’m oversimplifying the process here.

Far as I know, once you’re authenticated everything Bitwarden does runs locally (app, extension, etc). So it should work offline but you’ll want to make sure it’s synced at some point. Although I’m very rarely without internet so don’t quote me on this.

I’m not worried about the Bitwarden community (i.e. the software), I’m worried about myself. Too many opportunities for me to frack up the process. I’ve hosted a lot of sites over the years, I’ve seen those things first hand.

I just saw this on the news:

LastPass hit with class-action lawsuit over hack

You can read items offline, but you cannot create a new login when you are offline. So in effect, if I hosted it only on my lan I would have to use a VPN solution to create a new password. I thought that was a bit too hairy for obtaining Wife Acceptance Factor.

Maybe there is an update contained somewhere in that thread since I looked.

Yes, that is my concern as well: I’d make some configuration error that someone could exploit to make me a very unhappy camper. Heck, I’ve had several configuration errors with non-critical apps on my lan that add annoyance. There’s no way I trust myself as a hobbyist over the team at BW, but that’s just a personal thing.

Can someone elaborate on whether or not encrypted passwords can be sorted by length? Can the bad guys distinguish an 8 character vs. 12 character password after it has been encrypted?

Depends on how they’re encrypted. Normal practice when you only need to verify the password (such as when logging in to a site) is to use a secure hash in a loop (PBKDF2 for example) in which case the hash is a fixed size for all passwords.

When you’re talking about retrieving the password in the way Lastpass needs to, then yes, the algorithm for encrypting the password (AES256) uses 16 byte blocks with padding. So they could likely know when the password is shorter or longer than 16 chars, or 32 chars, or 48 chars, etc.

So by default they would likely sort out the shorter length passwords for brute force attempts before moving up to longer ones?

Well they really need your Lastpass master password… which is basically one of those one hashed through multiple rounds of PBKDF2… and so all of them are the same length. I don’t know the specifics of how the Lastpass vault is encrypted, but if they use the same password for everything, it would be a case of them targeting your master password, rather than any specific use of it with content inside.

Basically what they’ll do is take the PBKDF2 rounds that are lowest (first) then try a set of dictionary passwords (as in a list of known weak passwords like “password” and “monkey123” and whatnot.) They’ll use these as a rainbow table, in that they’ll just encrypt them all and make a lookup table. Then they’ll run through everything they have and hope for some hits. Once that pass is done, they’ll move on to the next most difficult rounds, and keep escalating until they get something useful, or they get a juicer target.

you cant hack the master password if you cant get to it, so any local vault, like keepass.info kept stored securely on a adhoc usb stick that runs only when needed beats any cloud or hosted solution. the main risk becomes when you need syncing and sharing.

more modern solutions would include zero trust and token based passwordless and authenticate each new user and give them access rights and rules and this is where paid tiers may come in handy, as not many regular users are tech savvy enough to setup things like vaultwarden and tailscale or netmaker and other zerotier access options.

I used to keep my master password and recovery passwords in a TrueCrypt formatted USB flash drive.

I worked as an admin for an open source security company (they make openVAS, as well as the paid-for security subscriptions on top). I’ve worked in IT for nearly 40 years and it was still a challenge to think about everything and properly document what you are doing and why.

They had their own password management system - a series of directories and files, each file encrypted with the employees’ public keys, if you were given access to a new pasword, we had to go to the file and add your key to the list and when they moved to another project, or left, we had to go through the files and remove their keys. That was way above my head, how exactly that worked, but it did. It was a real PITA though!

As we’ve seen with LastPass, even when you allegedly have experts running the show, you can still make mistakes. If server security is not your day job, I would leave it to someone who knows what they are doing. Heck, server security is my day job and I leave my password management to 1Password.

It depends, if they are high profile, yes. If it is someone’s grandparents, probably not, as it will still take time and money to break into. They will probably analyse which websites are in the safe, to work out whether the safe is worth cracking. Weak encyption + Facebook and a few knitting forums, probably not worth hacking, weak encryption + crypto and banking BINGO, paydirt!

Given each safe has to be cracked separately, I assume that they will perform some sort of analysis on the contents of each safe, to work out which ones are worth investing the time and money into.