For those that don’t know, LastPass is a fantastic free service that takes care of your password management for websites plus other neat things such as automatic form filling and random password generation. I’ve used this for a while myself across multiple computers (under Internet Explorer, Firefox and Chrome), my iPad and Samsung Galaxy S and it has been a very handy tool to say the least.
For one reason or another, some suspicious traffic passed through the LastPass servers and has led the company to suspect that an intruder may have accessed a database server containing a small percentage of customer information. Given the spate of recent break ins including, most notably, the PlayStation Network this would generally be a cause for concern. However, in this case, this would seem to be much less of an issue for three main reasons of which other services should take note as sound security principles.
Firstly, the LastPass database servers stores user information in a completely encrypted form. This means that should someone hack in to the database and extract its contents they would not get very far unless:
- the hacker also had the cryptographic key for each user,
- had an inordinate amount of resources to attempt to crack the encryption on a given encrypted data blob.
One might guess that LastPass would be lax enough to store the cryptographic key in its database in an unencrypted form – fortunately you would be wrong. LastPass never stores your AES cryptographic key but instead stores a token that is a byproduct of:
- your username and master password hashed together using SHA256 (i.e. your cryptographic key),
- your cryptographic key concatenated with your password then hashed (i.e. your unique ID),
- a random 256-bit blob (that was generated and stored at LastPass at the point of account creation) hashed with your unique ID.
Because a hash is a one way function there is no way for an attacker to easily obtain your cryptographic key from your unique ID even though it is part of the input. Your cryptographic key is only ever used on the client side (i.e. your computer) to encrypt and decrypt data.
This approach helps to keep your data secure from hackers who don’t have both your e-mail address or your master password as they cannot create the cryptographic key nor can they determine which encrypted blobs belong to a particular user (the unique ID).
Despite all of this, LastPass is encouraging its users to change their master passwords and has also taken the servers that were involved in the suspicious activity offline whilst migrating affected data to other servers – that’s how serious LastPass is about safety and it has yet to be proven that customer information was ever exposed.
So Sony and others you should take notice – this is how things are done properly.
To find some good information on how LastPass works, check out the Security Now #256 netcast transcript.
1 ping
[…] I have previously recommended, LastPass is a fantastic solution for password generation and storage and is robust against attacks against itself. Plus, you can secure it with Google Authenticator […]