Researchers Crack LastPass Password Manager

Just to prove that nothing's ever completely safe when it comes to online security, consider passwords. You can't use a specific password for more than one account, because that's unsafe. Now, it seems you can't count on password managers to remember hundreds of them, either, because that might also be unsafe.

Credit: LastPass

(Image credit: LastPass)

Two Spanish researchers say that LastPass, a popular password manager, gave up its valuable secrets with only a little coaxing from a skilled hacker. (KeePass, a rival password manager, had its own security problems earlier this month.) Last week, at the Black Hat Europe 2015 security conference in Amsterdam, they revealed their findings in a presentation entitled "Even the LastPass Will Be Stolen: Deal With It!"

One of the pair, Martin Vigo, a product security engineer at Salesforce, explained on his blog how he conspired with fellow researcher (and Salesforce employee) Alberto Garcia to see if LastPass could be cracked. Vigo's blog posting is fairly technical, but the bottom line is easy enough to follow. By engineering a clever, but by no means impossibly complicated, exploit for Metasploit (a partly free hacking tool used by security consultants), Vigo and Garcia were able to rob a theoretical LastPass user of all of his or her stored passwords.

MORE: 10 Best Mobile Password Managers

The two researchers investigated three separate scenarios: One in which an attacker had access to a victim's computer, one that dealt with an attack on the LastPass servers themselves and one in which an attacker had only his or her wits and the Internet with which to work.

If an attacker has access to your computer, you probably have bigger problems than compromised passwords, but the prognosis for LastPass was not good. First off, if you ask LastPass to remember your master password, all would be lost from the get-go. The master password is encrypted and stored locally, but the encryption wasn't very good, and Vigo and Garcia were able to decrypt it without much trouble.

If the user chooses not to store his or her master password, an attacker could still have obtained cookies used by LastPass, then cross-referenced them with a locally stored, encrypted vault key. The cookies obtained an encryption key, effectively neutralizing the local key's protection. From there, an attacker could simply enter the password, log in, and make off with all other passwords.

Users might think that setting up two-factor authentication would take care of this problem, but no. Without going into too much technical detail, LastPass generates a 32-character key that allows it to accept two-factor authentication — then stored that key locally. If a hacker could find it (and Vigo and Garcia did), he or she could simply enter it into the LastPass program's code and bypass the secondary device.

The next scenario would have come from the LastPass side of the servers — a disgruntled employee, a hacker who has gotten hold of the company's back-end processes or a governmental organization engaged in mass surveillance, for example. First of all, while LastPass does encrypt passwords, it does not encrypt URLs, meaning that if you store passwords for bizarre pornography sites or politically charged forums, an attacker will know instantly.

The password encryption itself was done in electronic code book (ECB), which is generally not too hard to crack, especially if you cross-check a user's email address with a known password — say, from another company's data breach. Users can't do much to protect themselves here; LastPass was simply not very secure on the server-side.

Finally, while attacks over the Internet are less likely, they can still happen. Vigo and Garcia discovered that by using Firefox, it was possible to isolate LastPass credentials for anyone who used both the program and the browser. Here's the odd part: Somehow, these encrypted files are working their way onto Pastebin. Since Vigo and Garcia already cracked LastPass encryption, it's theoretically possible to take these results and decipher them.

What does this mean for users? The answers are not clear. Vigo and Garcia's methods were extremely convoluted, and for the most part, an attacker couldn't have done much harm unless he or she had access to a user's computer or the LastPass server. In those cases, there are much easier ways to wreak havoc than through complicated LastPass hacks.

Vigo and Garcia notified LastPass of the flaws before their Black Hat presentation, and most of the flaws (the researchers didn't say which) had been fixed by last week.

At the very least, if you use LastPass, don't allow it to store your master password and, as Vigo and Garcia recommended, enable the service's two-factor authentication option. If you don't use LastPass, perhaps the smartest option, as three Microsoft researchers suggested last year, is to reuse passwords for low-priority accounts and then memorize a few difficult ones for accounts whose compromise would be very undesirable, such as Webmail, social-networking and online-banking accounts.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.