Cybersecurity analysts are accusing the LastPass password manager of downplaying the severity of its recent data breaches, which have been unfolding since August. In the view of several specialists, the company behind the app is withholding information, or not telling the full story of the compromises, in order to deflect responsibility and keep users from moving to rival products.

Wladimir Palant, a cybersecurity expert and the original developer of AdBlock Pro, criticizes LastPass for not connecting the August leak of part of its source code with the recent compromise of users’ encrypted passwords. In his view, the two incidents are not only related but show that the company failed to contain the intrusion, which led to an even larger breach of its systems.

Researcher Jeremi Gosney, a member of Yahoo’s digital security team, pointed out that LastPass did not give the password compromise the weight it deserves. The passwords are encrypted, yes, and cannot be recovered without the master key that only the user (and not even the company) holds. According to him, however, the company did not explain that this credential must be protected, must follow best practices and must not be reused on other services.

The false sense of security, he points out, comes from the company’s statement, which says nothing about brute-force attacks against weak master keys or the use of common combinations. In addition, breaches at other services can also open a LastPass “vault” if the same credential is reused; Gosney further notes that only parts of the users’ vault files are encrypted, which makes social engineering easier and allows the leaked data to be cross-referenced with other leaked data sets.

This, he says, creates an environment in which the user can be blamed for security incidents, even though LastPass should know that a number of user credentials will be cracked. Gosney points to a lack of explanation, and also to a lack of earlier measures to prevent compromises, password reuse and insecure credential practices.

Jeffrey Goldberg, lead architect at rival 1Password, joined the chorus, taking issue with the competitor’s claim that a brute-force attack would need “a million years” to recover a master key. According to him, that holds only for randomly generated sequences of 12 characters, a criterion that people still rarely follow, since they prefer recognizable passwords that are easy to remember and type.

Palant goes further, pointing to technical details of the encryption protocols, especially for older accounts, that could make the brute-force search for passwords easier or at least shorter. He also notes that the exposure of users’ IP addresses can have serious implications if LastPass records that information on every access: it would allow a movement profile to be built, making it easier to uncover information and, perhaps, to reduce the number of guesses needed.
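As an added illustration of the two points above (the “million years” figure holding only for random 12-character passwords, and low key-derivation settings on older accounts shortening a brute-force search), the following Python sketch estimates how long an exhaustive search takes as a function of the password keyspace and the PBKDF2 iteration count. It is not code from the article or from LastPass; the iteration counts, the attacker hash rate and the “human pattern” keyspace are assumptions chosen for illustration, not figures from the article.

```python
import hashlib
import os
import time

# Assumed values for illustration only; the article gives no iteration counts or hash rates.
LOW_ITERATIONS = 5_000          # stands in for an older account with a low PBKDF2 setting
HIGH_ITERATIONS = 100_000       # stands in for a current, higher setting
ATTACKER_HMAC_PER_SECOND = 1e9  # assumed raw HMAC-SHA256 throughput of an attacker's rig
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for a truly random password."""
    return alphabet_size ** length


def human_pattern_keyspace() -> int:
    """Assumed size of a common human pattern: a dictionary word (20,000 choices),
    optional capital letter, two digits and one of ten trailing symbols."""
    return 20_000 * 2 * 100 * 10


def years_to_exhaust(candidates: int, iterations: int, hmac_per_second: float) -> float:
    """Years to try every candidate when each guess costs `iterations` HMAC calls."""
    guesses_per_second = hmac_per_second / iterations
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def measure_hmac_rate(iterations: int, samples: int = 20) -> float:
    """Raw single-core PBKDF2-HMAC-SHA256 throughput on this machine (HMAC calls/s)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations, dklen=32)
    return samples * iterations / (time.perf_counter() - start)


def compare_scenarios(hmac_per_second: float = ATTACKER_HMAC_PER_SECOND) -> dict:
    """Exhaustive-search time in years for each password type and iteration setting."""
    spaces = {"random_12_printable": keyspace(95, 12), "human_pattern": human_pattern_keyspace()}
    return {f"{name}@{iters}": years_to_exhaust(space, iters, hmac_per_second)
            for name, space in spaces.items()
            for iters in (LOW_ITERATIONS, HIGH_ITERATIONS)}


if __name__ == "__main__":
    print(f"local single-core rate: {measure_hmac_rate(LOW_ITERATIONS):,.0f} HMAC/s")
    for scenario, years in compare_scenarios().items():
        print(f"{scenario:>30}: {years:.3g} years")
```

Raising the iteration count multiplies the search time linearly, whereas moving from a human pattern to 12 random printable characters multiplies it by roughly sixteen orders of magnitude; the first alone does not rescue a weak master key.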

Leak exposed LastPass URLs and other details

The compromise LastPass disclosed last week involved not only passwords but also email addresses, phone numbers and the URLs of the websites whose passwords are stored in the manager. As the company itself acknowledged, this data was not protected and was obtained by the intruders in plain text; experts point out that it should also have been encrypted.

Therefore, contrary to what the company indicated, the recommendation is that users take action, above all to better protect the master key. Ideally, replace it with a truly random combination of 12 or more characters that has not been used on any other online service.

For the most targeted individuals, such as public figures, business leaders or celebrities, the precautions should go further: change every password stored in LastPass and review the security settings that govern the number of iterations of the encryption algorithm. It is also worth watching for alerts issued by the application itself, which is said to have added identity-detection tools to catch intrusions into user accounts.

Source: The Verge
