LastPass, one of the most widely used password managers, admitted in recent weeks that the security breach it suffered last year affected its users’ data. This means that the passwords of ordinary citizens, for their email, their banks, their digital wallets, everything, have ended up in the hands of criminals, although, in principle, in encrypted form.
The news has raised alarm among LastPass users, and among those who use similar password managers. So what do we do now? Do we continue to trust these solutions? Is there another way?
How does a password manager work?
An average citizen today uses several dozen passwords, in both their personal and professional life. All of them should be different and sufficiently long, random and complex. That way, a data breach at one service compromises only that user’s password for that service, and it becomes hard for an adversary to crack the password by brute force, with dictionaries of common passwords, or with personal information about that user (date of birth, pet’s name).
That makes it impossible to remember these dozens of different, long, random and complex passwords. So, intuitively, the solution is to write them down somewhere.
The analog solution is a notebook or diary, but the problem is that its owner has to guard it very carefully, since if it is lost or stolen, all their accounts are compromised. They also have to carry it with them at all times to be able to access their applications and services day to day.
The technological solution is the password manager, which lets us “write down” the passwords in digital form, in a store. Where is that store kept? There are two alternatives: on the user’s own device or in the cloud. Ideally it is encrypted strongly enough that, if the password store is compromised, the passwords cannot easily be recovered. Each user decrypts their passwords when they need them by means of a master password or passphrase, on which the security of the whole manager depends.
What we know regarding the LastPass breach
In August 2022 LastPass, which has more than 25 million users, announced that it had suffered a security breach. Adversaries had accessed its source code and other intellectual property, but not its users’ password vaults.
However, over Christmas 2022 it admitted that the attackers had been able to access its customers’ personal data and, worse, backup copies of the password vaults of some of them.
The breach notification does not give the number of users or passwords affected, so the real impact of this incident cannot be estimated.
The Encryption: The Master Phrase
The LastPass team has tried to reassure its users by explaining that the critical information in these vaults is encrypted with a key derived from each user’s master phrase. Since 2018 these phrases must be at least 12 characters long, so breaking them by brute force (trying every possible combination) would be very costly in time and resources; it is estimated that it would take several thousand years.
But if the master phrase is compromised by other means, the passwords in the vaults affected by the breach could be recovered. That could happen, for example, if the attackers succeed with a social engineering technique such as phishing, or if the user was using the same master phrase on another service that also suffered a data breach.
So it is up to each affected user to decide whether or not to change all the passwords that were saved in their LastPass vault, or at least those for the most critical services and apps where they have not set up a second authentication factor (which makes a password compromise less serious). It all depends on how confident they are in their master phrase and that it has not been compromised.
There is additional uncertainty because not all the information in LastPass vaults is stored encrypted. This means that whoever has access to them can find out, without much effort, the URLs of the applications and services each user accesses, and other information that can help profile the affected users or prioritise subsequent attacks.
Obviously it is more worthwhile to invest time and effort in recovering the passwords of a head of government or a large corporation than those of an average citizen.
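As an added illustration, not code from the article or from LastPass, of the design described above (a vault key derived from the master phrase, credentials encrypted under it, and fields such as the URL left in clear): a stolen backup reveals the URLs without any passphrase, while the credentials only open with the right master phrase, and each guess at that phrase costs a full run of the slow KDF. The iteration count, the HMAC-based stream cipher standing in for AES, and the sample entry are assumptions of this example.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed value; the article gives no iteration count
# Constructed sample entry, not data from the article.
SAMPLE_ENTRIES = [{"url": "https://bank.example", "user": "ana", "password": "p4ss"}]

def derive_vault_key(master_phrase: str, salt: bytes) -> bytes:
    # Slow, salted KDF: every brute-force guess costs KDF_ITERATIONS HMAC calls.
    return hashlib.pbkdf2_hmac("sha256", master_phrase.encode(), salt, KDF_ITERATIONS)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES (the stdlib has none): HMAC-SHA256 run in counter mode.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> dict:
    # Encrypt-then-MAC with a fresh nonce per item.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unseal(key: bytes, box: dict) -> bytes:
    # A wrong master phrase or a tampered item fails the tag check before decryption.
    expected = hmac.new(key, box["nonce"] + box["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("bad tag: wrong master phrase or tampered item")
    stream = _keystream(key, box["nonce"], len(box["ct"]))
    return bytes(c ^ k for c, k in zip(box["ct"], stream))

def build_vault(master_phrase: str, entries: list) -> dict:
    # The split the article describes: URL stored in clear, credentials encrypted.
    salt = os.urandom(16)
    key = derive_vault_key(master_phrase, salt)
    items = [{"url": e["url"], "secret": seal(key, f'{e["user"]}:{e["password"]}'.encode())}
             for e in entries]
    return {"salt": salt, "items": items}

def visible_without_master(vault: dict) -> list:
    # What whoever holds a stolen backup learns with no master phrase at all.
    return [item["url"] for item in vault["items"]]

def open_vault(vault: dict, master_phrase: str) -> list:
    key = derive_vault_key(master_phrase, vault["salt"])
    return [(item["url"], unseal(key, item["secret"]).decode()) for item in vault["items"]]
```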
So should we use a manager or not?
Despite the incident LastPass has suffered, and the fact that its handling of the crisis has probably not been the best possible in terms of communication and transparency, password managers remain highly recommended for all users, together with activating a second authentication factor, at least for applications and services whose security is critical (main email account, bank).
Simply, as in many other cases, you have to do a little research before deciding which alternative is best for you. Right now there are many doubts about whether LastPass remains a good option for anyone, because it has already chained together a significant number of incidents. It is important to compare the different options and assess their price, functionality, flexibility and, obviously, their security, given how serious an incident like this can be.
A password manager, yes, but not just any manager, nor used or configured just any way. The security of the master phrase, for example, is critical, and that is our responsibility.
* Professor at the Rey Juan Carlos University. The Conversation.