Dr. Dominik Schürmann
December 23, 2022

LastPass issues that make the incident so bad

What can you do now as a LastPass customer?

Whether you are affected by the leak or not, you can take your security into your own hands. Here are the things you can do now:

  1. Change your master password and the passwords of your most important accounts. The data stolen from LastPass were backups, so if you change your data now, the attackers will only have your outdated data and won't be able to access your accounts.
  2. Enable or renew 2-factor authentication for your most important accounts. This way, no one can gain unauthorized access, even if the person knows your password. If you also have your TOTP secrets stored in Lastpass, you can create a new secret and store it securely.
  3. Pay special attention to phishing emails. LastPass stores website URLs unencrypted, allowing criminals to organize targeted phishing campaigns. If you receive emails from services you use soon, watch out for errors in the mail, address or suspicious links. Do not provide your data under any circumstances!

And if you've finally had enough of all the LastPass security incidents, just switch to heylogin. Thanks to hardware encryption you are safe from brute force attacks. Our data is end-to-end encrypted with advanced cryptography, so only you have access.

If you're concerned and want to switch, download our mobile app in your app store and get started right away. We also have LastPass Import for an extra easy switch. Have questions about our product and want to make sure heylogin is really for you? Then just call one of our hotlines, we are available 24 hours and also over the holidays for you:

+49 176 806 895 02 or +49 531 618 939 95

What happened so far...

LastPass announced more details about the extent of its security incident yesterday, 12/22/2022. It was discovered that their users databases were also stolen. This means that security is now only dependent on master passwords and attackers can carry out so-called offline brute force attacks at their leisure. But what actually happened?

The first security incident occurred on August 25, 2022, when, according to LastPass, source code and technical information was stolen. At the time, there was no known leak of customer data.

That changed in November. According to LastPass, the data stolen in August was used to gain access through an employee. This access was used to access multiple cloud storages and steal users' databases. These databases contain encrypted data, such as usernames, passwords and notes. However, stored URLs were not encrypted. This means that the attackers know which websites each individual user has saved passwords to.

The problem with metadata

The former director of the NSA once said that the U.S. government "kill[s] people based on metadata". In other words, metadata often already reveals a great deal about victims, and this knowledge can be used frighteningly well.

In the case of LastPass, the attacker(s) probably now know the email address of LastPass users. In addition, the website URLs were stored unencrypted, which in combination with the email address is the perfect template for targeted phishing attacks. On the one hand, users can be tricked into entering passwords or even the master password on a website faked by the attacker. On the other hand, the attacker can search through old database leaks of these websites. In the worst case, the user has chosen a master password at LastPass that was already used by the user when registering another account (password reuse attack).

Although IT security experts repeatedly point out that a master password must never be reused, the reality is different. In a usability study by Pearman et al., participants chose master passwords they had previously used when registering on websites for convenience reasons (Sarah Perman, et al., "Why people (don't) use password managers effectively", 2019). And this brings us to the real problem with traditional password managers.

The security depends primarily on the master password

The problem with master passwords

With LastPass, the security of encrypted data depends primarily on the master password. It works like this: A key for the actual encryption of the data is derived from this user-selected master password. This process is called key stretching and LastPass uses 100100 iterations of PBKDF2 (Password-Based Key Derivation Function 2) for this. In old LastPass databases it is 5000 iterations. This derived 256-bit key is now used for encryption with AES-256 in CBC mode. To ensure that this key is not identical for two users who choose the same master password, a randomly generated "salt" is used. In addition to these cryptographic measures, LastPass monitors accesses and blocks IP addresses after several wrong attempts.

Since the databases have now been stolen, possible master passwords can be tried to decrypt the database (offline brute force attack). This attack is no longer slowed down by online protection mechanisms, such as blocking IP addresses. Rather, security now depends solely on the cryptography and thus on the master password chosen by the user. PBKDF2 slows down this attack, but unfortunately it is no longer state of the art and can be accelerated by graphics processors or integrated circuits. LastPass should have switched to the standardized Argon2 or other "memory-hard functions" a few years ago.

Master passwords as 1-factor?

In the end, it is a single factor that separates the attacker from the encrypted data. If less IT-savvy employees are not adequately trained and supported in choosing the master password, the result is fatal. The extent of this will become clear in the coming months when the attacker has cracked the first master passwords and compromises accounts.

What about 1Password and other password managers?

Most traditional password managers have similar models where the security ends up depending on the master password. 1Password is a special case as they have introduced a "Secret Key". This is used along with the master password to derive the key used to encrypt the database. This Secret Key is randomly generated and not chosen by the user. If an incident like LastPass were to happen with 1Password, it would not be possible for the attacker to try out master passwords because he would not have the user's secret key. But this has the big usability disadvantage that the secret key is also necessary to set up 1Password again. Therefore 1Password recommends to print out the secret key and keep it in a safe place.

2-factor authentication?

Many traditional password managers offer optional 2-factor authentication. It is important to understand that this is usually just another online protection feature and does not provide protection in case of database theft. It is not part of the encryption but part of the online authentication.

The situation is similar for the newly announced passwordless logins of these password managers. Normally, the master password chosen by the user is encrypted locally with a server secret and it is only temporarily decrypted upon successful authentication with the server. The master password remains chosen by the user and thus remains insecure. Only one additional encryption layer was built on top of it.

heylogin is different

With heylogin, a master password is no longer necessary. Instead, we used the Secure Element present in modern smartphones, replacing the master password. Secure Elements are security chips that protect secrets from unauthorized access and brute force attacks. When decryption is required, the user is prompted to confirm via their smartphone instead of entering a master password. This dependency makes heylogin a secure two-factor system by design, as login requests must be authorized on a second device: the smartphone. While heylogin's swipe-to-login technique feels like a login method, it actually uses end-to-end encryption from the smartphone to the browser to make passwords available.

So in summary, heylogin is really 2-factor encryption, not just authentication, and works completely without a master password. If our users' encrypted databases were stolen, the attacker would not be able to perform a brute force attack. Finally, security does not depend on the choice of an (insecure) password.

Of course, we also encrypt the website URLs of our users 🙂

heylogin Whitepaper

More details about heylogin can be found in our Compliance Whitepaper as well as in our Security Whitepaper. At the end of January 2023, a new version of our Security Whitepaper will be published, revealing all cryptographic details for security researchers.