By now, you are probably aware of the need to use a password manager to reduce the risk of all your online accounts being compromised through weak passwords and password reuse.
One popular password manager is LastPass. (While I am a LastPass user, I am not writing this with their knowledge or in return for anything from them.)
In recent months, any news related to the breach of a password manager has attracted a lot of attention, and rightfully so. If we are to trust all of our passwords to one centralized location, our confidence must be unshakeable.
LastPass has lived up to this solid reputation by offering the correct technology and extreme transparency. This was evidenced earlier this year when they admitted a problem, and even though no data was lost, they notified all of their customers to change their master passwords.
From my own experience, I can state that when LastPass says they do not know your master password, they mean it. I contacted them for help with my account, and there was absolutely no way they could access my account – they are serious when they say they do not know or store your master password. It should be mentioned that their support was exceptional.
Now, an upcoming talk at Black Hat Europe is going to – once again – challenge what we know about the security of LastPass.
The researchers state that “by reversing LastPass plugins, we found several ways to [compromise the system]. We will demonstrate how it is possible to steal and decrypt the master password. We also found how it is possible to abuse account recovery to ultimately obtain the encryption key for the vault. In addition, we discovered ways to bypass 2 factor authentication.”
In his weekly webcast, Steve Gibson discussed how the exploit used by the researchers centered on the ability of the LastPass plugin to “remember” a user’s master password. If this is the key to the entire exploit, then the solution is clear.
You should never ask the LastPass application to remember your master password.
If the researchers rely solely on that stored master password in order to complete their attack, then their remaining exploit chain (including the multi-factor and account recovery exploit) will fail. If, however, they can compromise the other areas of the LastPass login process absent the remembered master password function, then this will surely shake the confidence of the LastPass user population.
LastPass uses the motto “The Last Password You’ll Have to Remember.” If I had to make one suggestion to improve LastPass, it would be to remove that “remember password” option from the login plugin.
LastPass has already done enough to ease our lives by giving us the ability to use unique, complex passwords for all of our sites. Is it too much to ask that their clients remember that Last Password?
About the Author: Bob Covello (@BobCovello) is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.