I just went into my old lastpass account to try and wind down the account, delete everything, and then close the account.
No option to "select all" in the list so I resorted to clicking the check boxes one by one down the page. I accidentally clicked slightly outside a check box... guess what? Everything gets deselected.
Start over.
Ok start again, maybe I want to list in alphabetical order rather than group by category to minimise mistakes. Whoops, selecting that option deselects everything in the list.
300 odd deleted in batches of 30-40.
When a company's whole application is covered in anti-patterns and dark UX to make it as hard as possible to leave then companies like this deserve to die.
Deleting the account is a bit tricky too.
1. Go into account settings in the top right drop down
2. In the Links area click on "My Account" which spawns a new browser window
3. Click the red "Delete or Reset Account", you can't miss all the red buttons
4. You can either reset your account or delete, choose delete
5. A modal will appear telling you stuff; enter your master pw and a reason why you're leaving, then click delete
6. You will be asked twice if you really really want to do this
7. Press ok
I also did not have a "Select all" box but was able to check the first entry, scroll down, hold shift, and check the last box, which then selected all items in between. So I removed all 600 of my accounts in about 20 seconds. Hope this helps someone.
Shift+Click to select a range is so second nature by now I don’t think it would have occurred to me to look for (or on the flip side, create) a dedicated “all” button.
I don't think that's dark UX, it's just shitty UI design. What bugs me the most about LastPass is how it tries to be so damned helpful and offers to fill in credentials on sites that they clearly don't belong to, or offers to save credentials on a site where I already clicked "don't save" 1000 times, no really, I don't want to save my private passwords in my company vault thank you very much, why the f$%& don't you have a "don't bug me again" checkbox in this sh*$$y popup?!
BTW, if you're exporting your data, check that it's all there. I had the unpleasant experience of noticing Lastpass either has a buggy implementation or intentionally giving an incomplete export. I ended up needing to manually copy credentials over one by one.
It is a little weird — I vaguely recall that the sort of “diplomatic” answer about password managers has been for a while something like “well, you should use keepass and just keep things local, but if you want to ease of use, lastpass is not too bad.” So that went right out the window I guess.
I mostly use keepass, but for some accounts I don’t really care about I’ve started using the built in Firefox/iOS stuff. Giving that a second thought about now…
That's how I did the last one hundred or so in the end too. Someone also said shift click works to select everything as well, I tried it but it didn't work for me in Safari.
Just deleting the account won't solve the issue anyway.
I am resetting all the passwords for all my accounts. It's super annoying and it will take days for me to reset all the passwords. But thankfully I have MFA for all important stuff.
Wow. This is basically the worst case scenario. Attackers got access to the vaults themselves? While they are encrypted, it all depends on how secure your master password is now. Because the brute-forcing has almost certainly already begun.
I switched away from lastpass to Bitwarden a while ago, and have changed many of my passwords since then. But I’ll probably rotate most of my passwords anyway, out of an abundance of caution.
Just FYI, password rotation is currently considered an anti-pattern. I think we can imagine some kind of future where there's a common password protocol that user-facing services could talk that would allow certain entities with blessed access to rotate passwords without the user ever having to know about it, but in the current world, rotating passwords causes most users to use weaker passwords.
Umm, not sure you understand. Yes AES256 is good, if you have a great password.
However, if you take 1M users and ask them to set a 12 character password with A-Z, a-z, and at least one digit you'll find an astounding lack of entropy. I believe this is pretty close to LastPass's master password requirements.
If you take the most popular 1M passwords and attack the master password you'll find that you've cracked them. With a 2 generation old GPU and the default iterations of 5000 (like several people mention on this post) you can try 300,000 passwords a second. So 3+ seconds per vault and you'd crack a decent fraction of them.
While I agree with your main point, I think confirmation that the URLs weren't encrypted and that they can all be tied to your Lastpass signup information is far from "best case"
I agree this isn’t the worst-case as you mentioned above. However, it is far from the best case scenario which is closer to “only fake testing vault data was exposed”.
The vault leak is acceptable in terms of Lastpass’s formal threat model but could still result in real user pain e.g. targeted spear phishing using plaintext fields like URLs, or compromise for users with weak passwords.
Welp, looks like they were able to copy vaults to crack and, worse yet, they have the unencrypted URLs to choose what to target.
> The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here.
Hm, with all that talk about "zero knowledge architecture", I thought your vault file would be encrypted "in one piece", not just the passwords. If they have the URLs in clear text, that's not really zero knowledge, now is it? And why do they need the URLs anyway, when I can share the passwords just fine from my local PC? Statistics?!
Honestly, URLs are a potentially massive threat vector themselves.
Are the URLs associated with individual users either directly or in a bucketed fashion? Seems like no to the former but the release leaves a lot to be desired.
LastPass is an enormous target, obviously. And, I guess, the inevitable has happened: Encrypted trove of passwords is "out there".
Let's assume one's master password is strong. And that LastPass knows how to encrypt data. We're really down to whether 256-bit AES can be brute forced, right? And I guess understanding phishing attacks.
I mean, yes, wouldn't it be great if LastPass had taken the measures with its development environment years ago? So put another way: lack of operational excellence hopefully is made up for by strong encryption. I hope.
> contains both unencrypted data, such as website URLs,

No, I think this is the worst that could have happened short of losing the clear-text passwords. No one is going to stop the attackers from looking for high-value login URLs and then spear-phishing the password for the offline vault.
Forcing a password reset onto customers is not going to help LastPass here.
'form-filled data' includes 'Payment cards' section I believe, which should then make securing your cards an even larger priority than having to change your passwords
No, as stated, they don't encrypt the URL. This is likely so that, regardless of what you have entered for your "when is master password required" settings, the browser plugin can highlight when it knows that you've entered a password for a site.
> To further increase the security of your master password, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. You can check the current number of PBKDF2 iterations for your LastPass account here.
I just checked my account and it says 5000 not 100,100 -- there's no way I would go in and change that setting, so this is pretty disingenuous. They must have changed defaults at some point
I do think the default a long time ago used to be very low. I know I went in at account creation and set it to something way higher than its default at the time.
Looking now though, it says 100100 for me. But I also know I changed my master password at some point, so maybe I got reset to the current default.
According to [1], there were 5,000 client-side rounds of SHA256 in key derivation in June 2015.
It does sound like a missed opportunity to have an at-login upgrade mechanism to upgrade KDF rounds that can be carried out seamlessly or near-seamlessly during the login process. Or at least actively nudging users to change password and thus raise their KDF rounds that way through the default.
One would think that the UI where one routinely enters their master password could silently double as a start using the new default UI, as the change-password UI seemingly does.
If it’s a tradeoff between login speed and security, it seems reasonable to allow users to chose where they want to land between the two, at least within reasonable parameters.
Decryption is done on the user's device, so the default iteration count is set so as not to be too slow on slower devices. If all your devices are fast enough, it's good to configure it.
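As an added illustration of the at-login upgrade mechanism the comments above describe (this is example code, not LastPass's, and nothing on the page says they do this): the client already has the master password in hand at login, so if the account's stored round count is below the current default it can re-derive the key at the new count and re-encrypt the vault in the same step, without the user having to change their password. Assumptions: PBKDF2-HMAC-SHA256, a sha256(key) verifier standing in for the login hash, and a toy HMAC keystream standing in for the AES-256 a real vault uses.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy value: the current default reported in this thread.
CURRENT_DEFAULT_ITERATIONS = 100_100


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 256-bit vault key (simplified stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher built from an HMAC-SHA256 keystream. Stand-in for
    AES-256, chosen only so the example runs on the standard library; XOR
    with the same key/nonce both encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), "sha256").digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


@dataclass
class Account:
    """Server-side record: everything here is what a stolen backup contains."""
    salt: bytes
    iterations: int
    verifier: bytes      # sha256(key): checks the password without holding the key
    nonce: bytes
    ciphertext: bytes
    upgrades: int = 0


def create_account(password: str, vault_plaintext: bytes, iterations: int) -> Account:
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(password, salt, iterations)
    return Account(salt, iterations, hashlib.sha256(key).digest(), nonce,
                   keystream_xor(key, nonce, vault_plaintext))


def login(account: Account, password: str) -> tuple:
    """Unlock the vault. If the stored KDF cost is below the current default,
    re-derive and re-encrypt right now, while the plaintext is in hand.
    Returns (plaintext, upgraded)."""
    key = derive_key(password, account.salt, account.iterations)
    if not hmac.compare_digest(hashlib.sha256(key).digest(), account.verifier):
        raise ValueError("bad master password")
    plaintext = keystream_xor(key, account.nonce, account.ciphertext)
    upgraded = False
    if account.iterations < CURRENT_DEFAULT_ITERATIONS:
        new_salt, new_nonce = os.urandom(16), os.urandom(16)
        new_key = derive_key(password, new_salt, CURRENT_DEFAULT_ITERATIONS)
        account.salt, account.nonce = new_salt, new_nonce
        account.iterations = CURRENT_DEFAULT_ITERATIONS
        account.verifier = hashlib.sha256(new_key).digest()
        account.ciphertext = keystream_xor(new_key, new_nonce, plaintext)
        account.upgrades += 1
        upgraded = True
    return plaintext, upgraded


if __name__ == "__main__":
    # Constructed sample account created back when the default was 500 rounds.
    acct = create_account("hunter2", b"example.com:alice:s3cret", iterations=500)
    _, upgraded = login(acct, "hunter2")
    print("upgraded on first login:", upgraded, "-> rounds now", acct.iterations)
```

The upgrade happens on the client, because only the client ever has the password; all the server sees is a new salt, round count, verifier and blob. A fresh salt is used for the re-derivation so the old (cheap) verifier and the new one cannot be cross-checked against each other.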
From what I understand, yes. PBKDF2 is the algorithm that goes from password->key. This key is then used to encrypt the vault. Guessing the key itself is impossibly difficult. Attackers will instead try to guess the password, run their guess through several thousand rounds of PBKDF2, and attempt to use those keys to decrypt the vault.
The algorithm is designed to be run in iterations so it is tunable. More rounds take a lot longer. This makes for both a slower login and slower brute-force attempts for the attacker. The attacker can likely still generate guesses in parallel, but each individual password guess will take considerably longer against more iterations.
Lastpass changed the old default for a good reason. I'm surprised they didn't update all accounts to at least the new default.
It means the master password can be brute-forced about 20 times faster, so effectively a loss of about 5 bits of security, compared to an account where the number of iterations is actually 100K.
I have an older account, it was 500 when I went to check. I'm livid that LP didn't do a reup on the encryption when they moved to 100k cycles. They've basically hosed every customer that's been with them for a while.
Mine was set to 500 (not 5000) as well. I'd moved on from lastpass earlier this year but didn't delete my account... though I suppose in that case I'd wonder if I'd deleted in time, or if they really deleted all my info.
Also frustrating that they decided to drop this update on December 22.
I'd like to point out to users who have 2FA on their LP access and think they are safer, that does not protect the vault in a compromise like this, it only enhances the security of delivering the vault, the attackers here already have the vaults. Vaults are only protected by password.
When I worked at LogMeIn (previous owners of LastPass), I relocated to Budapest and worked in the same building as LastPass' engineering (I was in another division though). Getting a sneak peek of how the sausage is made gave me the heebie-jeebies and I switched to 1Password there and then. It appears like I dodged a bullet.
They haven’t had the history of security problems that LastPass has had, and they’ve taken steps to handle this kind of situation by including an extra per-user key to stymie password guessing if someone does get the vaults:
I stopped using them when they switched to subscription-only but I think it’s in their favor that they have planned for a nightmare scenario rather than assuming it won’t happen.
Yeah I thought the same. I don't think 1Password is immune to security issues. However, after seeing several things I did not like in LastPass development, I decided 1Password was the safer bet. Knock on wood, they claim they've never been hacked and I hope it stays that way.
Moving from one cloud based password manager to another is hardly a solution. Use password managers which locally store the file and then sync them with gdrive/Dropbox. You can also add another layer of encryption to the file to be extra safe.
I cannot talk about specifics obviously since I was an employee. I can only say I did not see the sw engineering and infrastructure rigour I'd expect from a service that is managing very sensitive information.
> “The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both _unencrypted data, such as website URLs_ …”
Other threads here have discussed the potential for this collection of sign-up information and URLs to be used for blackmail and to discover hidden services.
There is another major problem: mapping these URLs to existing breach dumps. The attacker now has a list of email addresses and associated URLs. From existing breach dumps (haveibeenpwned.com), they can now try all known passwords associated with these email addresses on all of these URLs. Many passwords stored in LastPass are repeat passwords, and they will gain access to many services without any brute force needed.
There will be a class action lawsuit for this gross negligence in security and false and misleading documentation and marketing materials.
My hope is that LastPass is forced to liquidate all assets and distribute them to their former customers, in addition to being liable for damages and wasted time related to migration to another password managememt solution, not to mention suffering related to any potential blackmail or disclosure of proprietary information.
> "...The announcement doesn’t get to the part about the vaults being copied until /five paragraphs/ in. And while some of the information is bolded, I think it’s fair to expect that such a major announcement would be at the very top."
No option to "select all" in the list so I resorted to clicking the check box on by one down the page. I accidentally slightly clicked outside a check box... guess what? Everything gets deselected.
Start over.
Ok start again, maybe I want to list in alphabetical order rather than group by category to minimise mistakes. Whoops, selecting that option deselects everything in the list.
300 odd deleted in batches of 30-40.
When a company's whole application is covered in anti-patterns and dark UX to make it as hard as possible to leave then companies like this deserve to die.
Deleting the account is a bit tricky too.
1. Go into account settings in the top right drop down 2. In the Links area click on "My Account" which spawns a new browser window 3. Click the red "Delete or Reset Account", you can't miss all the red buttons 4. You can either reset your account or delete, choose delete 5. A modal will appear telling you stuff, enter your master pw, a reason why your leaving and then click delete 6. You will be asked twice if you really really want to do this 7. Press ok
I hate Lastpass so much.
I mostly use keepass, but for some accounts I don’t really care about I’ve started using the built in Firefox/iOS stuff. Giving that a second thought about now…
<button class="itemCheckbox" tabindex="17" aria-label="Select"></button>
You should absolutely be able to crypto-shred your data from such an important service. This experience sounds awful.
I remember deleting my acct. not sure if I manually deleted entries before though.
That said - if a data breach includes backup access… is your account ever really deleted?
Also make sure to go to Advanced Options, View Deleted Items, and purge them from there.
for (item of document.getElementsByClassName('vault-item-displayname')) { item.click() }
I am resetting all the passwords for all my accounts. It's super annoying and it will days for me to reset all the passwords. But thankfully I have MFA for all important stuff.
I switched away from lastpass to Bitwarden a while ago, and have changed many of my passwords since then. But I’ll probably rotate most of my passwords anyway, out of an abundance of caution.
This is literally the best case hack scenario.
Why? Because we already know that encrypting something using their strategy is essentially uncrackable.
AES256 is quantum resistant.
The worst case would be silent exfiltration from the LastPass application via malware to steal user master passwords.
In the security game, the crypto is the strongest part, the crypto-system is the weakest part.
However if you take 1M users, as them to set a 12 character password with A-Z, a-z, and at least one digit you'll find an astounding lack of entropy. I believe this is pretty close to LastPass's master password requirements.
If you take the most popular 1M passwords and attack the master password you'll find that you've cracked them. With a 2 generation old GPU and the default iterations of 5000 (like several people mention on this post) you can try 300,000 passwords a second. So 3+ seconds per vault and you'd crack a decent fraction of them.
The vault leak is acceptable in terms of Lastpass’s formal threat model but could still result in real user pain e.g. targeted spear phishing using plaintext fields like URLs, or compromise for users with weak passwords.
Afaict They use pbkdf-sha256, with 100k rounds. which is not bad, but i think a memory hard function like argon2 would be much much better.
So its not terrible, but its not amazing either
> The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here.
Are the urls associated with individual users either directly or in a bucketed fashion? Seems like no to the former but the release leaves a lot to be desired.
Let's assume one's master password is strong. And that LastPass knows how to encrypt data. We're really down to whether 256-bit AES can be brute forced, right? And I guess understanding phishing attacks.
I mean, yes, wouldn't it be great of LastPass took the measures with its development environment years ago? So put another way: Lack of operational excellence hopefully is made for in strong encryption. I hope.
Forcing a password reset onto customers is not going to help LastPass here.
Early on, they only did 500 rounds of AES which significantly weakens you even with a strong password.
So, I've had to change my master password and now I'm in the process of updating all my passwords :(
By not forcing a re-encryption when they uped the number of rounds, LP has hung all their old time customers out to dry with this leak. It's not ok.
This is why a company’s bug bounty should be the sum of the assets protected by the data they have, for all their customers, minus $1.
Sounds crazy? Don’t store all passwords at the same place.
Can someone confirm my understanding that 1Password does in fact encrypt the entire vault, including the URL/domain associated with each login?
I just checked my account and it says 5000 not 100,100 -- there's no way I would go in and change that setting, so this is pretty disingenuous. They must have changed defaults at some point
Looking now though, it says 100100 for me. But i also know i changed my master password at some point, so maybe i got reset to the current default.
It does sound like a missed opportunity to have an at-login upgrade mechanism to upgrade KDF rounds that can be carried out seamlessly or near-seamlessly during the login process. Or at least actively nudging users to change password and thus raise their KDF rounds that way through the default.
[1] https://blog.lastpass.com/2015/06/lastpass-security-notice/
This kind of meaningless voodoo is a big red flag for any "security company".
The algorithm is designed to be run in iterations to be tunable. more rounds takes a lot longer. this makes for both a slower login, but also slower brute-force attempts for the attacker. The attacker can likely still generate guesses in parallel, but each individual password guess will take considerably longer against more iterations.
Lastpass changed the old default for a good reason. I'm surprised they didn't update all accounts to at least the new default.
Deleted Comment
Also frustrating that they decided to drop this update on December 22.
And how do they square "Zero-knowledge security" and the diagram in https://www.lastpass.com/security/zero-knowledge-security
with URLs and last-accessed times being plaintext? I suppose "items in your vault" is doing a lot of work there if they don't count urls as "in" the vault.
https://infosec.exchange/@epixoip/109570669464755692
The big question with this is of course if 1Password's sausage is made any better.
https://support.1password.com/secret-key/
I stopped using them when they switched to subscription-only but I think it’s in their favor that they have planned for a nightmare scenario rather than assuming it won’t happen.
Other threads here have discussed the potential for this collection of sign-up information and URLs to be used for blackmail and to discover hidden services.
There is another major problem: mapping these URLs to existing breach dumps. The attacker now has a list of email addresses and associated URLs. From existing breach dumps (haveibeenpwned.com), they can now try all known passwords associated with these email addresses on all of these URLs. Many passwords stored in LastPass are repeat passwords, and they will gain access to many services without any brute force needed.
There will be a class action lawsuit for this gross negligence in security and false and misleading documentation and marketing materials.
My hope is that LastPass is forced to liquidate all assets and distribute them to their former customers, in addition to being liable for damages and wasted time related to migration to another password managememt solution, not to mention suffering related to any potential blackmail or disclosure of proprietary information.
> "...The announcement doesn’t get to the part about the vaults being copied until /five paragraphs/ in. And while some of the information is bolded, I think it’s fair to expect that such a major announcement would be at the very top."