Right before Christmas, LastPass dropped a bombshell report explaining that bad actors appeared to have made copies of LastPass users’ encrypted password vaults. The information was a little short on key details, probably indicating that the investigation is ongoing and we will learn more in the coming weeks. However, we have already learned enough to know that the data breach did leak some important metadata contained in people’s password vaults and that any users who had less-than-secure master passwords should be worried that the encrypted contents may now be vulnerable to disclosure. That is about as bad as it gets. Today I will speak with a cybersecurity and authentication expert from CISA about this breach: what we know, what we don’t know, what we should learn from the incident, and (most importantly) what LastPass users should do about this.
Bob Lord is a Senior Technical Advisor for the Cybersecurity and Infrastructure Security Agency (CISA) and former Chief Information Security Officer (CISO) for Yahoo.
- SPECIAL REPORT: LastPass Breach: https://firewallsdontstopdragons.com/special-lastpass-breach/
- Twitter thread investigating what’s encrypted and what’s not: https://twitter.com/UK_Daniel_Card/status/1606012536582656000
- Write-up by a security researcher: https://www.pwndefend.com/2022/12/24/lastpass-breach-the-danger-of-metadata/
- Mastodon technical thread #1: https://mastodon.social/@firstname.lastname@example.org/109585049690097599
- Mastodon technical thread #2: https://infosec.exchange/@WPalant/109590750504031700
- My “diceware” passphrase generator: https://d20key.com/
- My blog on creating strong passphrase: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/
- How to make stronger passwords: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/
- Classic XKCD cartoons on passphrases: https://xkcd.com/936/
- Consumer Reports Security Planner: https://securityplanner.consumerreports.org/
- Follow me on social media: https://firewallsdontstopdragons.com/contact/
- Send me your questions! https://fdsd.me/qna
- Support me! https://fdsd.me/support
- Subscribe to the newsletter: https://fdsd.me/newsletter
- Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Table of Contents
Use these timestamps to jump to a particular section of the show.
- 0:00:47: Ep300 giveaway updates
- 0:03:15: interview setup
- 0:08:17: What do we know about the LastPass breaches?
- 0:13:25: Were all LastPass users affected?
- 0:15:03: How is my LastPass data secured, exactly?
- 0:19:53: What is PBKDF2 and why are iterations important?
- 0:23:10: Did LastPass increase the iterations for all users over time?
- 0:26:46: Is any information in my password vault not encrypted?
- 0:29:35: How do I know if my vault password is strong enough?
- 0:36:13: What if I didn’t have a strong vault password? What should I do?
- 0:41:47: Do we have any evidence that people’s vaults have been cracked?
- 0:45:34: Did LastPass handle this properly?
- 0:50:50: What can the government do to help here?
- 0:53:30: Should LastPass users switch to a different service?
- 0:57:11: Will passwordless authentication solve this problem?
- 1:01:03: What are the key take-aways here?
- 1:02:37: My take on the breach and what you should do about it