LastPass, LostPass, or HallPass

I believe that all of our readers have heard about the LastPass Breach. There is a lot of seriously flawed information out there on social media. Yes, it appears to be true that customer password vaults were obtained by threat actors. But what does than mean to you? How bad is it? That depends on you. Given a reasonable password you probably have nothing to worry about. Let’s first talk about three well-known types of password-cracking attacks.
  • Dictionary Attacks/Passphrase Token Attacks
  • Brute Force Attacks
  • Optimized Brute Force Attacks
Dictionary/Passphrase Token Attacks If you are using common sentences or words, you’re dead in the water. Your password probably fell in seconds or less. But, with a simple yet well-chosen password, a dictionary attack cannot succeed. A common dictionary attack will try to crack your password using words and sentences that have been found on lists of compromised passwords. Some other phrases and sentences may also be used. A passphrase token attack is a special kind of dictionary attack that tests combinations of words regardless of existence on lists of breached passwords or how common a phrase is. There’s a simple defense against such attacks. Make up a word. For example, “Big cats wear leopardtards.” Leopardtards, a play on the word leotards, is a word I made up specifically for this blog. The passphrase itself is 26 characters. Remember, you still need a high character count in a passphrase to defend against brute force attacks too. Unless the word leopardtards is in the dictionary used by the attackers, the password is 100% uncrackable by dictionary/passphrase token attacks. The use of foreign language words helps, but how much they help will depend upon the language chosen and the commonality of the words used in each language. I have an important password that uses words from two obscure languages, as well as English language words. Note that unless you use a made-up word, use five or more words in a passphrase, or at least one word that is not one of the 20,000 most commonly used words. It’s a math thing. Don’t forget that the passphrase must still be long. I count 16 characters as the minimum to meet length criteria. I like to exceed minimums. From time to time, people will claim that foreign language words don’t help because their dictionary has words from foreign languages. That means they have to increase the size of their dictionary. The larger the dictionary the more time it takes to test every word. Brute Force Attacks Brute force attacks attempt to use every combination of characters until the combination matches your password. This is not a problem for short passwords. But LastPass requires a password that is a minimum of 12 characters. Let’s assume your password is all lowercase or all uppercase letters. There are 26^12 possible permutations of characters. Because LastPass has a 12-character minimum character count, a smart person would not try anything less than 12 characters. So, we end up with 26^12-26^11. About 91.7 quadrillion permutations. At 1 billion guesses per second, one a single extremely fast computer, your password would last about 3 years at best, but quite possibly longer. If you want to use all single-case letters, make your password or passphrase at least 16 characters long, please. No matter what combination of character sets is used, 16 probably should be your minimum character count, but I would never use less than 20 for a password manager master password. Now, I can tell you the minimum amount of time it will take to crack your password if it is 13 characters and, let’s say, 10 billion attempts per second are tried. First, the attackers have to try 95^12-95^11 permutations before they move on to a 13-character password. At 10 billion guesses per second, your password would last at least 1.7 billion years. That’s how long it would take to try every possible permutation of 12-character passwords before moving on to the 13-character passwords. Use at least 16 characters anyway. Optimized Brute Force Attacks. There are probably many methods to optimize a brute force attack. I’m going to use a simple example. If you know of other examples, let me know. I can optimize a brute force attack by eliminating characters that are not commonly used in passwords. I’d probably start by only including 10 to 15 of the most commonly used symbols. I’d probably eliminate some number of less commonly used upper and lowercase letters. Yep, some passwords will be uncrackable, but the low-hanging fruit will have the greatest chance of falling relatively quickly. Here’s why you’d optimize a brute force attack. A 12-character password can have 95^12 permutations if all character sets are used. If I eliminate 18 symbols and 10 letters, I am now working with a 67-character set, or 67^12. A much smaller set, but it will miss some passwords and it will still not be a viable attack against a 16-character password. But use a minimum of 20 anyway. A passphrase can make that easy to remember, and for many, easy to type too. Do note that passwords will fall more quickly when multiple computers are used in parallel. If 1000 computers are used, my passwords might only last a couple of million years. The horror, the horror. My password is more than 20-characters. I’m not particularly worried. I’ll change my password anyway for the simple reason that part of security is discipline. While current guidance says that you don’t have to change your passwords frequently, it’s still a good idea to change them periodically. Unless you know the password encryption practices of a site storing passwords, change yours immediately after there’s a breach. In this case we know that LastPass is using extremely strong encryption. Discipline is the only reason I’m changing my master password. So, I’m not very concerned about lost passwords. Despite the serious lapse of security architecture that allowed the vaults to be stolen, LastPass learns and is heavily battle tested. LastPass is a big, fat, juicy target for cybercriminals due to the size of the customer base and the value of the stored information. As such LastPass may be the most attacked password management company in the world. LastPass has been breached several times, and through all of this the security architecture used to secure the vaults has fended off the attacks. There is no such thing as security, there’s risk mitigation. LastPass has well mitigated the risk of my password vault being compromised. So yeah LastPass, I’m giving you a hall pass this time. This type of hall pass – https://dictionary.cambridge.org/dictionary/english/hall-pass. If you’re thinking of another type of hall pass, pull your mind out of the gutter or just giggle. Your choice 😂 Ironically, if a large number of people leave LastPass for other password managers, an increase in market share may make them juicier targets too! The other companies probably have exceptionally great vault security, but I don’t think they are as well battle-tested. If you want to leave LastPass because you’ve been spooked, or don’t trust the company. Go for it, you’ll probably make a good choice for a replacement, but the breach doesn’t really cause me much concern. If I leave LastPass it will be because I found a manager with desired features that LastPass doesn’t have. If you think anything in this blog is incorrect, want to express support, or want to ridicule me, I’m @randyab on Twitter, and “Randy (no sales pitches please) Abrams” on LinkedIn. Randy Abrams Senior Security Analyst