As cybersecurity breaches become increasingly common, password management services like LastPass are upping their game. The company has recently begun forcing some users to extend their master password to a minimum of 12 characters. This move is purportedly aimed at bringing every account under its newest security improvements and ensuring the safety of its customers. Critics, however, argue that the step is little more than a PR gesture that does nothing for the many early adopters whose vaults were exposed in the 2022 breach.
How Many Times Will LastPass Get Owned?
LastPass suffered a significant breach in November 2022, when attackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then there has been a series of high-profile, six-figure cryptocurrency thefts. The victims are largely security-conscious people from the tech industry, which suggests that the attackers have succeeded in decrypting at least some of the stolen vaults.
$3M Went “Poof.”
One notable victim saw more than three million dollars vanish from his cryptocurrency holdings. A LastPass customer since the service's early years, he stored his cryptocurrency seed phrase in LastPass and had an eight-character master password that was never changed or strengthened over time.
Wladimir Palant, the creator of Adblock Plus, published research detailing LastPass's missteps. He pointed out that many original customers were never migrated to the stronger key-derivation settings that newer customers received over time.
An essential setting in LastPass is the iteration count: the number of rounds of PBKDF2 the master password is run through to derive the key that encrypts the vault. Because an attacker who has stolen a vault must pay that same cost for every password guess, a higher count makes an offline brute-force attack proportionally more expensive. For older users the default was set anywhere between 1 and 500 iterations. Customers who signed up from 2013 onward were given a default of 5,000. In 2018 the default was raised to 100,100, and more recently to 600,000 (the figure OWASP currently recommends for PBKDF2-HMAC-SHA256). Customers affected by the 2022 breach, however, say their accounts were never forcibly upgraded to the newer defaults.
Palant criticizes LastPass's messaging as blaming users rather than implementing rigorous safety measures, and dismisses it as not effecting real change. He has observed that lengthening the master password, or even changing it, does nothing for those affected by the 2022 breach: the copy the attackers hold is still encrypted under the old password and the old iteration count. Instead, he says, the victims need to change every password stored in the vault, a recommendation LastPass has yet to make.
LastPass CEO Karim Toubba explained that the changes were designed to better protect customers' online vaults. Toubba added that because the company does not store master passwords and its encryption is robust, customers cannot recover a master password they have lost. By the same token, an attacker who obtains the encrypted vault data can run an unlimited number of offline brute-force guesses against it.
Such cracking is easier still for attackers with large-scale computing resources, such as cryptocurrency mining operations. That puts LastPass users with weak master passwords (fewer than 12 characters) and low iteration counts at significant risk, particularly since the vaults stolen last year are already in attackers' hands.
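To make the iteration-count discussion above and the offline brute-force point concrete, here is an added example written for this page (not LastPass code and not from any of the people quoted). It mirrors the shape of LastPass's published scheme, PBKDF2-HMAC-SHA256 salted with the lowercased username, but the "known item" check, the constructed username, password and wordlist, and the assumed attacker throughput of 1e10 HMAC-SHA256 evaluations per second are all assumptions, not measured figures.

```python
"""
Offline vault cracking cost as a function of PBKDF2 iteration count.

Added illustration for this article; not LastPass code. Key derivation
follows the shape LastPass documents (PBKDF2-HMAC-SHA256, username as salt);
the key check, the sample data and the attacker throughput are assumptions.
"""
import hashlib
import hmac
import time

KEY_LEN = 32  # 256-bit vault key
PRINTABLE_ASCII = 95  # size of the printable-ASCII alphabet


def derive_vault_key(master_password: str, username: str, iterations: int) -> bytes:
    """Derive the vault encryption key from the master password.

    Assumption: PBKDF2-HMAC-SHA256 salted with the lowercased username.
    `iterations` is the knob the article discusses: every candidate password
    an attacker tries costs this many HMAC rounds, and nothing else.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        username.lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def key_check(vault_key: bytes) -> bytes:
    """Stand-in for 'decrypt a known vault item and see whether it parses'.

    An attacker holding a stolen vault verifies a guess by decrypting an item
    whose plaintext is predictable (a URL, a field name). An HMAC over a
    fixed label gives the same yes/no signal without shipping a cipher.
    """
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def crack_offline(stolen_check: bytes, username: str, iterations: int, candidates):
    """Offline dictionary attack: no server, no rate limit, no lockout.

    Returns (password, guesses_made) on success, (None, guesses_made) otherwise.
    """
    guesses = 0
    for guess in candidates:
        guesses += 1
        candidate_check = key_check(derive_vault_key(guess, username, iterations))
        if hmac.compare_digest(candidate_check, stolen_check):
            return guess, guesses
    return None, guesses


def seconds_to_exhaust(length: int, alphabet_size: int, iterations: int,
                       hmac_per_second: float) -> float:
    """Worst-case time to try every password of `length` characters.

    `hmac_per_second` is the attacker's raw HMAC-SHA256 throughput (an
    assumed figure). Each guess costs `iterations` HMACs, so the iteration
    count divides guesses per second directly.
    """
    keyspace = alphabet_size ** length
    guesses_per_second = hmac_per_second / iterations
    return keyspace / guesses_per_second


if __name__ == "__main__":
    # Constructed scenario: an early adopter left on a 500-iteration default
    # with a short master password; the attacker has the vault and the username.
    username = "EarlyAdopter@example.com"
    master_password = "Summer19"  # 8 characters, constructed for the demo
    stolen_check = key_check(derive_vault_key(master_password, username, 500))
    wordlist = ["password", "letmein", "Winter19", "Summer19", "Summer20"]
    print("dictionary attack:", crack_offline(stolen_check, username, 500, wordlist))

    # Per-guess cost rises linearly with the iteration count.
    for iters in (500, 5_000, 100_100, 600_000):
        t0 = time.perf_counter()
        derive_vault_key(master_password, username, iters)
        print(f"{iters:>7} iterations: {time.perf_counter() - t0:.4f}s per guess")

    # Keyspace x per-guess cost, for an assumed 1e10 HMAC/s attacker.
    rig = 1e10
    year = 365 * 24 * 3600
    for length, iters in ((8, 500), (8, 600_000), (12, 600_000)):
        years = seconds_to_exhaust(length, PRINTABLE_ASCII, iters, rig) / year
        print(f"{length} chars @ {iters:>7} iterations: {years:.3g} years to exhaust")
```

Two things the numbers show that the prose does not: the iteration count only multiplies the attacker's cost (1 to 500 versus 600,000 is a factor of 1,200 to 600,000), whereas each extra character of a random printable-ASCII password multiplies it by 95, so four more characters buy more than the whole iteration-count history combined. And because the salt is the username, the attacker gets it for free from the stolen vault; the master password is the only secret being guessed.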
Asked why the security settings were not forcibly upgraded for some users, Toubba said that a "small percentage" of customers had corrupted items in their vaults that prevented the upgrade from completing.
Research Community Suggests Not Blaming Users
Nicholas Weaver, a researcher at the University of California, Berkeley's International Computer Science Institute (ICSI) and a lecturer at UC Davis, faulted LastPass for not upgrading the iteration count for existing users and for shifting the responsibility onto its customers. He believes LastPass has lost credibility over the years because of such security failures.
In response, Toubba said the company's data shows that most customers follow its recommended settings, which reduces the risk of a successful attack. Still, the continued absence of a recommendation that all affected users change the passwords stored in their vaults leaves one wondering whether LastPass is truly prioritizing its customers' security.