Thursday, July 2, 2015

Is LastPass Hacked?

In the middle of June 2015, the password manager LastPass sent a message to their users announcing that their internal security had been breached and a some tens of thousands of records from one of their databases had been stolen.

Yeah, that’s technical PR talk for “We been hacked!”

Does this mean LastPass is worthless? Should you stop using it? Should you change your password?

Answers: No, No, and Maybe.

If your LP master password was weak, you definitely should change it. And if you used your LP master password anywhere else, you need to change every other site you used it.

A “weak” password is anything that looks like it might have come from a dictionary of any major language, including char@ct3r substitutions or random capitaliZation. A strong password should be at least 15-20 characters long, truly random, and include all four character types.

You can get a quick evaluation of how good your password might be at For randomness without any unconscious human prejudices, use a good password generator such as several available at or the one built into LastPass.

For more technical details on this topic, read on here.

What did LastPass lose?
Apparently records were stolen for a small number of their subscribers from a server containing user names, a hash of the user passwords, and the per-user salt used to create the hash.

A hash ensures that bad guys can’t just log in somewhere with the information they stole but have to decrypt your actual password from what they have. The fact that LastPass has a per-user salt prevents them from brute-forcing a dictionary once and comparing the results to their whole take. Instead, they have to individually brute-force (try every possible character combination) each user because the same password for multiple users will result in a different hash.

And now they have access to my account?
Now they can start attacking one person’s account, except that LastPass threw them another delaying tactic. Instead of hashing your password once, or 500 times; they hash it 100,000 times before they save it. This requires anyone trying to test the password they guessed against the hash they stole to spend microseconds on each try rather than picoseconds. Even with specialized computers, they can only test a few thousand possible passwords per second.

Thousands of passwords per second! I’m toast!”

Not necessarily. A simple 6-character password like aaa&1B has 750 billion possible combinations. At 100,000 guesses per second, it could take over 40 days to come up with a match. And that match allows them to break into one account. They have no way of knowing whether the account BoyObama will give them nuclear codes or a teenager’s Twitter account.

Since you have one 12-character password out of half-a-septillion combinations it could take seven times the age of the universe to crack.

How many combinations:
And the number is called:

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at
(cc) 2014- Bill Barnes - Disclaimer - Home Page - Blogs Home

No comments: