Should You Use LastPass Considering ALL Its Problems?
I’m a big believer that everyone should use a good password manager (when you can’t use phishing-resistant multifactor authentication). Without a password manager, most people choose fairly weak passwords and/or reuse the same password or password pattern across multiple sites. Those risks are greater than the average risk of having all your passwords compromised at once because you used a password manager (at least right now).
LastPass, long one of the most popular password managers, suffered yet another breach at the end of last year (December 2022: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/). According to some sources, this is at least the 7th publicly known vulnerability or breach for LastPass. The CVE Details entry for LogMeIn LastPass lists 12 publicly reported vulnerabilities (https://www.cvedetails.com/product/45589/Logmein-Lastpass.html?vendor_id=9363).
A high number of vulnerabilities is concerning, although the most popular product in any software category usually gets attacked, and successfully attacked, the most; there are few exceptions to that rule. So LastPass being attacked the most doesn’t concern me as much if they are quick to patch found vulnerabilities, respond quickly to breaches, and are transparent with customers. LastPass has a mixed record on fixing reported vulnerabilities, and it would be better if they were more transparent and didn’t have as many breaches to begin with.
When people asked me if they should stop using LastPass after the latest breach, I replied (https://www.dhirubhai.net/pulse/just-how-bad-recent-lastpass-compromise-roger-grimes/) that, based simply on what occurred in the latest attack, probably not. Although if your master password did not have at least 12 characters with some complexity, you need to change both your master password and all your stored passwords.
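The 12-character threshold above is a brute-force-cost argument. An attacker holding a stolen vault can only guess master passwords offline, and each guess costs one run of the vault's key derivation (LastPass, like most vault products, derives the vault key with PBKDF2-HMAC-SHA-256, at an iteration count that depends on when the account was created). The following Go program is an added example, not LastPass code: it writes out PBKDF2 so the per-iteration cost is visible, checks itself against a published PBKDF2-HMAC-SHA-256 test vector, and estimates how long a uniformly random 8- versus 12-character password survives at an assumed attacker rate. The iteration counts, the sample password and salt, and the attacker rate (a hypothetical million-fold GPU speedup over one CPU core) are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math"
	"time"
)

// pbkdf2SHA256 is a straight RFC 8018 PBKDF2 with HMAC-SHA-256 as the PRF,
// written out so the cost of every iteration is visible. Use a vetted
// library (golang.org/x/crypto/pbkdf2, or crypto/pbkdf2 in Go 1.24+) in real code.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	nBlocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, nBlocks*hLen)
	var idx [4]byte
	for i := 1; i <= nBlocks; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for c := 1; c < iterations; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_c = PRF(P, U_{c-1})
			for j := range t {
				t[j] ^= u[j] // T_i = U_1 xor U_2 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// MatchesKnownVector checks the implementation against the published
// PBKDF2-HMAC-SHA-256 vector for ("password", "salt", c=4096, 32 bytes).
func MatchesKnownVector() bool {
	got := pbkdf2SHA256([]byte("password"), []byte("salt"), 4096, 32)
	return hex.EncodeToString(got) == "c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a"
}

// KeyspaceBits returns log2(charset^length): the entropy of a uniformly
// random password, which is the best case; human-chosen passwords have less.
func KeyspaceBits(charset, length int) float64 {
	return float64(length) * math.Log2(float64(charset))
}

// SecondsPerGuess times one derivation at the given iteration count on this
// machine. An attacker with GPUs is orders of magnitude faster, so this is
// an upper bound on the attacker's per-guess cost.
func SecondsPerGuess(iterations int) float64 {
	start := time.Now()
	pbkdf2SHA256([]byte("master password"), []byte("per-user-salt"), iterations, 32) // constructed sample inputs
	return time.Since(start).Seconds()
}

// ExpectedCrackYears is the average time to find a uniformly random password
// of the given length: half the keyspace divided by the attacker's guess rate.
func ExpectedCrackYears(charset, length int, guessesPerSec float64) float64 {
	guesses := math.Pow(float64(charset), float64(length)) / 2
	return guesses / guessesPerSec / (365.25 * 24 * 3600)
}

func main() {
	fmt.Println("PBKDF2 test vector ok:", MatchesKnownVector())
	const speedup = 1e6 // ASSUMPTION: attacker GPU farm versus this single core
	for _, iter := range []int{5000, 100100, 600000} { // iteration counts chosen for illustration
		per := SecondsPerGuess(iter)
		rate := speedup / per
		fmt.Printf("iterations=%7d  %.1f ms/guess here  ~%.2e guesses/s for the assumed attacker\n", iter, per*1000, rate)
		for _, n := range []int{8, 12} {
			fmt.Printf("  %2d random printable chars (%.1f bits): ~%.3g years\n",
				n, KeyspaceBits(95, n), ExpectedCrackYears(95, n, rate))
		}
	}
}
```

Two things fall out of running it: every extra character multiplies the attacker's work by the alphabet size (95 for printable ASCII), so 12 characters cost about 95^4, roughly 81 million times, more than 8; and the iteration count is a linear multiplier on top of that, which is why an old account still on a low iteration count should raise it before it does anything else.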
More Serious Additional Allegations
This was before Jeremi M. Gosney posted about a host of other problems (https://infosec.exchange/@epixoip/109585049354200263) with LastPass. Jeremi’s excellent post should be read by anyone using LastPass. Here’s a summary of some of Jeremi’s claims:
· LastPass collects lots of user personal information it really doesn’t need to collect
· LastPass doesn’t encrypt most of your data in its protected vault
· LastPass uses a weak implementation of AES symmetric encryption, including:
  o A proprietary implementation of AES, details not shared
  o Only 128 bits of entropy
  o ECB mode or unauthenticated CBC, which can leak information
  o Padding oracle vulnerabilities
· Multiple master password, hash, or key leaks in the GUI or in memory
· Buggy browser extensions
· API vulnerabilities
· Slow or no response to security vulnerability reports
I don’t know whether these issues have been independently confirmed, or whether LastPass has since addressed some of them, but if they are current and substantiated they are concerning. Jeremi recommends that people use other password managers without these problems, and he refers to a particularly popular alternative that I like as well.
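What the “ECB mode or unauthenticated CBC” bullet means in practice, as an added example (my code, not LastPass’s or Jeremi’s): Go’s standard library deliberately offers no ECB mode, so the block below encrypts block by block to reproduce it. The fixed key, the 16-byte sample record and the byte positions are constructed for the demo. It shows that ECB reveals which vault blocks are identical without any key, that one IV byte flipped in unauthenticated CBC changes the decrypted record with no error, and that AES-GCM (authenticated encryption) rejects the same tamper. The undetected CBC modification is also the primitive a padding-oracle attack is built on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed fixed 128-bit key for the demo only; never hard-code keys.
var demoKey = bytes.Repeat([]byte{0x42}, 16)

func mustCipher(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// ecbEncrypt encrypts each 16-byte block independently with raw AES.
// This is the weak construction under discussion, not something to use.
func ecbEncrypt(key, pt []byte) []byte {
	b := mustCipher(key)
	if len(pt)%aes.BlockSize != 0 {
		panic("ECB demo needs block-aligned input")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// EcbLeaksRepeats: identical plaintext blocks give identical ciphertext
// blocks, so someone holding only the vault can see which entries share
// content (a reused password, a repeated field) without the key.
func EcbLeaksRepeats(key []byte) bool {
	pt := bytes.Repeat([]byte("correct horse!!!"), 2) // two copies of one 16-byte block
	ct := ecbEncrypt(key, pt)
	return bytes.Equal(ct[:16], ct[16:])
}

// cbcEncrypt: AES-CBC, random IV prepended, no authentication tag.
func cbcEncrypt(key, pt []byte) []byte {
	out := make([]byte, aes.BlockSize+len(pt))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(mustCipher(key), iv).CryptBlocks(out[aes.BlockSize:], pt)
	return out
}

// cbcDecrypt has no way to notice a modified ciphertext; it just decrypts.
func cbcDecrypt(key, ct []byte) []byte {
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(mustCipher(key), ct[:aes.BlockSize]).CryptBlocks(pt, ct[aes.BlockSize:])
	return pt
}

// CbcTamperUndetected flips one IV byte. CBC XORs the IV into the first
// plaintext block, so the same byte of the decrypted record flips and the
// recipient cannot tell. Returns the silently corrupted plaintext.
func CbcTamperUndetected(key []byte) string {
	pt := []byte("amount=0010;ok!!") // constructed 16-byte sample record
	ct := cbcEncrypt(key, pt)
	ct[7] ^= '0' ^ '9' // IV[7] lines up with plaintext byte 7: '0' becomes '9'
	return string(cbcDecrypt(key, ct))
}

// gcmSeal / gcmOpen: AES-GCM with a random nonce prepended to the output.
func gcmSeal(key, pt []byte) []byte {
	aead, err := cipher.NewGCM(mustCipher(key))
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, pt, nil)
}

func gcmOpen(key, ct []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(mustCipher(key))
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(ct) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ct[:n], ct[n:], nil)
}

// GcmTamperDetected applies a single-byte change to an AES-GCM ciphertext
// body (not the tag); Open fails and no plaintext is released.
func GcmTamperDetected(key []byte) bool {
	ct := gcmSeal(key, []byte("amount=0010;ok!!"))
	ct[len(ct)-20] ^= 0x01 // inside the encrypted bytes, before the 16-byte tag
	_, err := gcmOpen(key, ct)
	return err != nil
}

func main() {
	fmt.Println("ECB leaks repeated blocks:", EcbLeaksRepeats(demoKey))
	fmt.Println("CBC tampered plaintext:   ", CbcTamperUndetected(demoKey))
	fmt.Println("GCM rejects tampering:    ", GcmTamperDetected(demoKey))
}
```

The practical check for any vault format is the last two functions: if a one-byte change to stored ciphertext decrypts to something instead of failing, the vault is unauthenticated, and that is the starting point for both bit-flipping and padding-oracle attacks.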
One problem with switching to another password manager is that it may have big problems of its own. We only know about LastPass’s problems because it is the latest one to be successfully attacked and make the news. A product being attacked less often doesn’t mean it is free of the same weaknesses or other big risks, and absence of news about a product doesn’t mean it carries no security risk.
What you want to see from any vendor, and especially from a password manager vendor, is that they take security very seriously, both in the product and in the hosting environment. Their developers should be trained in secure coding and should use secure, type-safe development languages with strong defaults. You want to hear that they take reported vulnerabilities seriously and respond quickly, that they fix weaknesses, and that they ship strong security defaults. Any vendor with that approach to security is better than one without it.
Getting Back to Jeremi’s Claims
One of the biggest claims Jeremi makes concerns LastPass’ weak implementation of the AES encryption used to protect user passwords. Jeremi says some of the reported weaknesses have been fixed, but only for new vaults, not backported to protect old vaults.
Weak implementations of encryption, especially “homegrown” implementations of well-known standards like AES, are indeed concerning. But I would be more concerned about almost all of the other reported vulnerabilities than about weakly implemented cryptography.
Why?
With some notable exceptions over the decades, weak cryptography is rarely how hackers take down users. Even fairly weak cryptography is stronger than most of the other mitigations an attacker faces. Attackers almost never go after cryptography, even cryptography known to be weak, as their way to users and resources. It is far easier to socially engineer an end user, compromise the end user’s desktop, or use almost any other attack vector than to attack the cryptography. Why hack hard when you can hack easy?
I think any weaknesses in LastPass’ cryptography need to be fixed, if they haven’t been already. LastPass also needs to be transparent about its cryptographic protections and the algorithms it uses. Not being transparent about what they use and how they implement it is causing trust issues, and trust issues with a password manager are not good.
But when is the last time you heard of a big hack that occurred because of a weakly implemented cipher?
Remember that the vast majority of successful hacking occurs because of social engineering and unpatched software; 90% or more of all attacks involve those attack vectors. And those attack vectors work against any password manager, not just LastPass. So it’s OK to be concerned about LastPass, or to use something else, but if you aren’t concentrating on the far larger threats (social engineering and unpatched software), then you’re nearly as likely to be compromised by hackers or malware as someone who uses LastPass. LastPass has issues, but they aren’t the biggest issues you need to worry about. A good security researcher focuses on the right things first and best.
Submitted a few very needed FRs with LastPass today as a partner (around the latest news and other viable needs). I would say the passwords at greatest risk in the vault are the ones that do not have vendor-provided 2FA/MFA and/or are not protected by it. Checking the password iterations if you are using an older account is probably goal #1 to rectify.
Exploring & Learning
2 years
Hello, Roger Grimes, thank you for sharing this. Have you ever checked out any alternatives before? There are a lot of password managers out there. Let me know if I can help!
Senior Security Analyst Emeritus - Kinda Retired
2 years
I think you want to look for integrity in a company, and LastPass competitor 1Password has delivered a complete lack of integrity. Aside from exploiting the breach for marketing purposes being sleazy at best, Jeffrey Goldberg, the principal security architect at 1Password, decided that lying to exchange the FUD was fine. Quoting: “If you consider all possible 12-character passwords, there are something around 2^72 possibilities.” A 12-character password using the 95 printable ASCII set has 95^12 possible permutations. Jeffrey deliberately understates the number of potential passwords by over 5 sextillion potential passwords. It wasn’t by mistake that he said that. He knows it’s wrong. I went back and forth with him on Twitter. I asked him point blank, are there not 95^12 permutations? He refuses to answer the question. He refuses to correct the blog. Ask him 20 times if the claim is correct, he won’t answer the question. If you want a company with integrity, it isn’t 1Password. The CEO has been advised, but perhaps he’s on vacation, or perhaps he doesn’t care about honesty. Jeffrey also doesn’t know the difference between combinations and permutations. In his position he really should.
SVP, Information Security Officer
2 years
If you are looking at it from a risk perspective I would say “no”, both on the cyber and vendor front. They had one main job, which is to secure your passwords, and they failed in doing it.
Digital Identity Crusader, Inventor, Entrepreneur, University Lecturer
2 years
LastPass’ architecture is endemic in the IAM sector. The sector needs to move away from centralized storage of credentials. The thinking needs to change. Look at Passkeys from Apple. Backed up centrally. Centralized storage of credential architectures creates single points of failure that, when compromised, impact millions of users. So is LastPass to blame? You decide!