Umm, not sure you understand. Yes AES256 is good, if you have a great password.
However if you take 1M users, ask them to set a 12 character password with A-Z, a-z, and at least one digit you'll find an astounding lack of entropy. I believe this is pretty close to LastPass's master password requirements.
If you take the most popular 1M passwords and attack the master password you'll find that you've cracked them. With a 2 generation old GPU and the default iterations of 5000 (like several people mention on this post) you can try 300,000 passwords a second. So 3+ seconds per vault and you'd crack a decent fraction of them.
First, where do I find the most popular one million 12-character passwords that use A-Z/a-z/0-9?
Second, the top 1M of 6/7/8 character passwords have a statistically higher probability of being the correct password than the top 1M of 62^12 because their distribution function as a percentage of possible instances is narrower. Put another way: the top 7 char password might be used 10 million times, and the 2nd most popular might be 9 million, etc. With a 12 char password, the top 1 by nature appears much less frequently because the total possible space is larger and people have to think a little more. Entropy when that has nothing to do with inverse distributions.
Put another way, look at the frequency of the top-1 password as a sum of all instances of all 1M passwords. It is much larger % for smaller passwords than larger. It is much less likely that the top 1M 12-char passwords are as likely to be successful as the top 1M 6/7/8-char passwords.
I just did this for the top 1000 6/7/8 char passwords, the top 6 digit password "123456" represents 1.3% of all 1000 6-chars, whereas "password" is 0.9% of all 1000 8-char.
> Second, the top 1M of 6/7/8 character passwords have a statistically higher probability of being the correct password than the top 1M of 62^12 because their distribution function as a percentage of possible instances is narrower.
Not how this works. This would only be true if you were picking passwords randomly out of all possible ones and the attacker knew how long the password was. For example, "password" is a more common password than "cat" is (both are terrible of course). It doesn't matter that "password" is longer than "cat".
If you knew how many characters long the password was it might be a different story. But you don't have that information. 012345 being a larger percentage of 6 character passwords than "password" of 8 character passwords means nothing if you don't know what length the password is. After all, 100% of passwords "af64nh8" are "af64nh8", but that means nothing unless you know the password you are attacking falls into that class.
There's been tons of dumps posted. Normally I see the download or magnet links on Reddit or HN. Even with hashes people have broken 69% [0] to 85% [1] of the accounts. There are mailing lists or forums for various related tools (cracking tools, gpu cracking, have I been pwned, etc.) that discuss these kinds of things, including where to get the passwords and/or hashes.
One of the summaries claimed that 3% of the cracked passwords were 12 characters long (some 1.9M). 48% of the cracked passwords were lower case and numbers.
Often a thread that mentions the compromise/leak also mentions the newest "batch" that includes the new entries. The last one I tracked was RockYou2021.txt, some 100GB, around 10GB compressed. Just use your favorite egrep/perl/python to filter for whatever you want. I checked a random torrent and found 25 people on it.
I agree on your comments on the distribution, but the average user has shockingly little entropy, and human password entropy doesn't scale with password length. I expect a decent chunk of the passwords are going to be whatever the user's default password was and either repeating or extending it in obvious ways. Even the simplest approach of testing 2 words or 3 words for a total 12-15 characters with the simple 3/E i/one and 7/L replacements would likely. Granted I'm not expecting the same 8 character 69-85% with 12 characters, but I also don't expect much significantly less, and I believe 33M accounts were stolen.
rockyou2021.txt.7z has 8459060239 passwords
rockyou2021.txt.7z has 835365123 that are 12 characters long
pwned-passwords has 847223402 unique password hashes
pwned-passwords has 5579399834 non-unique password hashes
I'm amused that each password was reused on average 6.5 times.
I suspect a large fraction of the pwned-passwords hashes could be turned into passwords with the rockyou2021 list.
> First, where do I find the most popular one million 12-character passwords that use A-Z/a-z/0-9?
I'm sure it may not be easy to find this database, but it is probably not that difficult if you hang out in the type of circles that the people who cracked that site hang out in.
> Math...
This strikes me as nitpicking when one can access such powerful computing devices as to make the difference practically irrelevant. So make it 10 million and wait a few more minutes, who cares?
How is it nitpicking? The distribution tail effectively goes to a frequency of zero. Increasing to 10M doesn't solve the problem because the space is so vast, by the time you get to a fraction that has the similar area under the curve as 1M for 6/7/8 chars, you've lost any compute advantage. We're not talking an order of magnitude, we're talking multiple. As much as I know y'all want to hate on any password manager that isn't your favorite, math doesn't care about what strikes you as nitpicking.
> by the time you get to a fraction that has the similar area under the curve as 1M for 6/7/8 chars,
You are (incorrectly) conflating entropy of a password with its length.
> math doesn't care about what strikes you as nitpicking.
Math actually cares a lot about the nitpicky details. Both in the sense that small things can have big effects, but also in the sense that things which sound big can also be irrelevant.
I don't use a password manager and am not familiar with the math involved; I was going off your 10 million number and the post above you's 300,000 iterations/sec.
I'm trying to understand how Top-N frequency distribution flattens and becomes less useful as search space increases. It is both a statistical and a psychological issue. If you can't help don't comment.
I think you might find that your life goes a little more smoothly if you weren't so abrasive, confrontational and dismissive. As a side effect, people you talk to won't end up feeling like shit because you possibly will treat them less terribly.
(26+10)**12 is 4738381338321616896 combinations. 300,000 attempts per second isn't going to have an easy time cracking that, so I don't see what the problem is with LastPass' requirements.
It is relevant, because it's where LastPass' responsibility ends. It's not their job to prevent people from being stupid and choosing a password like `lovelovel0ve` but rather to define a requirement that allows for sufficient complexity.
I think a reasonable feature for a password manager would be to do NIST recommended checks, such as comparing passwords to databases of known compromised passwords and alerting/recommending rotation or rejection of the password if a match is found (depending on password entry UI).
Obviously you're not going to get a complete db of known hacks, but a db of most common X million passwords, updated every 6 months or so, is pretty good, and is what I would expect a good password manager to do.
LastPass is in the bad situation of needing to provide excellent security in a product that people really aren't willing to pay a lot of money for. Some of the websites that ask for passwords are in a better position to do this, but then you don't get the benefits of a password manager.
Same issue for the other password managers out there.
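Added example, not part of any comment in this thread: a sketch of the compromised-password check suggested above, run at the moment a master password is set. The blocklist is a constructed sample, `range_lookup`, `variants` and `is_compromised` are hypothetical names, and the hash-prefix lookup follows the range-query design of the Pwned Passwords service so that only five hex characters of the hash would leave the client.

```python
import hashlib
import re

# Constructed sample standing in for a compromised-password corpus
# (assumption: a real deployment loads millions of entries, refreshed regularly).
BREACHED = {"pinkfloydrocks", "lovelovelove", "password", "123456"}

def _sha1(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

# Server-side index: 5-char hash prefix -> set of remaining hash suffixes.
RANGE_INDEX = {}
for _pw in BREACHED:
    _h = _sha1(_pw)
    RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])

def range_lookup(prefix: str) -> set:
    """Hypothetical local stand-in for a k-anonymity range query."""
    return RANGE_INDEX.get(prefix, set())

# Undo the obvious substitutions people use to satisfy a "needs a digit" rule.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "7": "l"})

def variants(candidate: str) -> set:
    """Normalised forms of the candidate: lowercased, with a trailing
    digit run (e.g. a birth year) removed, and with leet digits reversed."""
    base = candidate.lower()
    forms = {base, re.sub(r"\d{1,4}$", "", base)}
    forms |= {f.translate(LEET) for f in forms}
    return {f for f in forms if f}

def is_compromised(candidate: str) -> bool:
    """True if the candidate or a trivial variant of it is on the blocklist."""
    for form in variants(candidate):
        digest = _sha1(form)
        if digest[5:] in range_lookup(digest[:5]):
            return True
    return False

if __name__ == "__main__":
    for pw in ("P1nkFloydRocks", "PinkFloydRocks84", "lovelovel0ve", "vG7#qLr2xT9m"):
        print(f"{pw!r}: {'reject' if is_compromised(pw) else 'accept'}")
```

All three human-style passwords meet a "12 characters with a digit" rule yet are rejected, because the check looks at the base word rather than the character classes.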
Yes, those with pure random passwords are safe. What percent of LastPass users do you think use a very hard to remember completely random 12+ character password?
Personally I use either Vaultwarden's random password generator, or some variation of the XKCD like 4-6 words out of 100,000 which give me somewhere north of 64-96 bits of entropy. Cracking that @ 300k/sec takes quite a long time. I like the XKCD approach, because it's particularly voice/phone friendly.
However much more common in the real world is to pick an easy to remember password with low entropy, something like PinkFloydRocks, which fails because of lack of a number and change it to P1nkFloydRocks. Or maybe PinkFloydRocks<2 digit birth year>.
Quite a few plaintext passwords have been leaked, some even with helpful popularity tables. I'd place bets that a decent percent of LastPass's vaults would fall to a top 10,000 12 character or longer popular passwords. I suspect someone is testing this right now.
I had a feeling you were speaking from experience with that 300k number. Does that include the cost of password stretching? As others have pointed out in this thread LastPass uses PBKDF2 with 100,000 rounds. Even if you have a supercharged PC with 6x ATI Radeon HD 5870 you're only going to be able to derive 25k AES keys per second tops to even try, since that doesn't include the cost of deciphering. So how do you do it?
No experience, just saw a post on someone attacking LastPass Vaults. It looked to include everything. Apparently they wrote a tool specifically attempting password recovery on LastPass vaults and with an RTX 2070 (2 generations old) managed 309,000 against the 5000 iteration flavor and 15,500 against the 100,100 flavor.
While I agree with your main point, I think confirmation that the URLs weren't encrypted and that they can all be tied to your Lastpass signup information is far from "best case"
> The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that *contains both unencrypted data, such as website URLs,* as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data
That's real bad - think blackmail material for important people.
I missed that part. What is the problem about URL exposure?
EDIT: all three replies to this comment are about sex-shaming people via their email address, ip, home address. hardly pearl clutching. go to DefCon some day, you'll see how that information is basically for sale legally, let alone on the darkweb.
i don't have a horse in this race because i use my own password storage software but the amount of FUD in this thread is cray cray.
Since they're tied to people's account details, address and similar, I'd imagine quite aggressive blackmail opportunities going forward if the data gets to the hands of criminals.
Think postal letter named and addressed, giving your email, and the adult (or other embarrassing) sites you were a member of listed on the letter, along with details of a bank account to make immediate payment to...
Also, you may be able to identify people working for certain high profile orgs (defence contractors, etc) and target them further if you can glean from URLs they have access to internal systems by specific URL.
Agreed. Also what's being overlooked by others is the inability (using dumps of "users of site X") is the ability to globally intersect that with another site.
The ability to quickly find users who have an account in (list of embarrassing sites) intersected with (list of internal gov and mil sites, and large defence companies) is hugely powerful to some adversaries, and data leaks/dumps only give half of this equation.
I might be misunderstanding, but if the url was adobe.com, then it would be possible to find the corresponding password from that adobe breach for the same email address (not trivial, but if someone moves in the right circles I assume they could get a whole host of the big breaches in a searchable format).
A subset of users might have reused the breached password(s) for their lastpass master password.
Not sure if you could also feed the breached passwords into the brute force tool to give it a headstart, in case they did a slight variation on a breached password for the lastpass master password.
With a list of names, billing addresses, email addresses, telephone numbers, IP addresses (sounds like it's a list since the user first started to use LP) along with URLs having a 99.9% probability of the individual having an account at the URL... that can be pretty much catastrophic. Create a list of OnlyFans subscribers, or if there is a subdomain used for OF creators you can compile a list of them. Any service that uses unique subdomains (like the user's username) means you can connect usernames with individuals and so on.
Some URLs will be for internal corporate networks, things that should be protected by VPN but aren't, or publicly-accessible projects with poor security.
It would be really interesting to crawl through this data and filter out all the boring usual stuff, and see what else shakes out.
It's also somewhat helpful for spear-phishing or other social engineering. If you know which services a particular person is using, it's easier to fool them into giving up access to one or more of them.
Probably that now it is known that people with a lastpass account of email address X also have an account at login.furriesindiapers.com or something really insane like dailywire.com
Any information that helps an attacker craft a more targeted attack is useful to the attacker. With URL exposure the attackers now have a comprehensive list of services that a person depends on and where further data about them is stored.
> that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
I wonder what other data is unencrypted. They need to be more specific on what that means. Were there certain fields that a person can set in the vault that were not encrypted?
There is a notes field (this is different from the “secure notes” feature) for each password entry that you could use to write remarks. I don’t know if that would be encrypted.
That doesn't require it to be stored in the clear on the server. Extensions/apps could keep a domain list (don't see why they need full URLs) in memory after lock.
Are domains truly the only scope that matters? What if a platform site allowed hosting user web apps (which could themselves offer authentication) all on the same domain, each in their own directory/path. As long as the app was careful to set the path attribute of the session cookie appropriately, the app could be pretty well-contained. Then a password manager just decides that a password field anywhere on the whole domain is a good place to autofill your password for one of the apps on that domain? That's pretty scary!
The context here is with a locked vault so no data to auto-fill with. Its most likely purpose was to indicate "LP has the login info for this site but the vault is locked". An indicator like that can be coarse and simply use a root domain and ignore subdomains and paths, better to have some false positives than leak data in the clear.
[We might be wrong about the locked-vault but might have data scenario, but that kind of seems the only legit reason to store that stuff in the clear, so if that wasn't the reason, LP's negligence is even worse]
I agree this isn’t the worst-case as you mentioned above. However, it is far from the best case scenario which is closer to “only fake testing vault data was exposed”.
The vault leak is acceptable in terms of Lastpass’s formal threat model but could still result in real user pain e.g. targeted spear phishing using plaintext fields like URLs, or compromise for users with weak passwords.
This is literally the best case hack scenario.
Why? Because we already know that encrypting something using their strategy is essentially uncrackable.
AES256 is quantum resistant.
The worst case would be silent exfiltration from the LastPass application via malware to steal user master passwords.
In the security game, the crypto is the strongest part, the crypto-system is the weakest part.