Thoughts on the LastPass Breach

Posted on | 701 words | ~4mins
Security

So, LastPass posted a blog post last night with further details on the breach that occurred in Aug 2022. It's a lot worse than was first thought. To summarise:

  • “Some source code and technical information” was stolen from a development environment. We should assume at this point that the threat actor has access to the entire code base.
  • The above information was used to social engineer a developer to obtain credentials and keys to access their cloud-based backup storage (presumably an S3 bucket?).
  • The threat actor was able to use this access to obtain basic customer information and unencrypted metadata. This includes names, billing addresses, mobile numbers and the IP addresses that were used to access the LastPass service.
  • Customer vault data was copied as well - this includes unencrypted fields such as website URLs and, thankfully, encrypted fields such as usernames and passwords. Note that the plaintext URLs alone tell the attacker which sites each customer has accounts on, which is exactly what a targeted phishing campaign needs.

The post then goes on to describe the encryption in use, which is of little practical consequence to the end user; if anything it gives a false sense of security, as though things might not be as bad as they seem. I disagree. Let's recap what the attacker now holds for every LastPass customer:

  • personal data - names, addresses, phone numbers and IP addresses (useful for geolocation and for further social engineering)
  • the encrypted username/password blobs, which at this point are protected only by the master password and the key derivation that stretches it. Because the attacker holds the blob, the guessing happens offline on their own hardware: there is no server in the loop, so no rate limiting, no lockout and no alerting.

LastPass says there has been a minimum 12-character requirement for the master password, but let's face it: how many people set up, and then successfully remember, a genuinely strong password? And therein lies the catch-22.
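As an added illustration, not code from the post or from LastPass, of what "protected only by the master password" means once the blob is in the attacker's hands: the Python script below models a vault whose key is stretched from the master password with PBKDF2-HMAC-SHA256 salted with the account email (an assumption modelled on LastPass's published design), runs the offline dictionary attack the thief can now mount, measures guesses per second on one CPU core, and compares that rate against the key space of a diceware-style passphrase. The email, password, wordlist and vault contents are constructed samples, and the "cipher" is a toy HMAC keystream standing in for AES so that it runs on the standard library alone; it is not real encryption.

```python
"""
Added example: why a stolen vault blob is only as strong as its master password.
The attacker holds the ciphertext, so every guess is an offline KDF run on their
own hardware with no lockout.  Key derivation is modelled on a LastPass-style
PBKDF2-HMAC-SHA256 salted with the account email (assumption for illustration);
the "cipher" is a toy HMAC keystream so the script runs on the stdlib alone.
"""
import hashlib
import hmac
import math
import secrets
import time
from typing import Iterable, Optional, Tuple

DICEWARE_LIST_SIZE = 7776  # size of the standard Diceware word list (6^5)


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks. Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, email: str, iterations: int, plaintext: bytes) -> dict:
    """Produce what the attacker stole: salt (email), KDF cost, nonce, ciphertext, tag."""
    key = derive_key(master_password, email, iterations)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return {"email": email, "iterations": iterations, "nonce": nonce,
            "ciphertext": ciphertext, "tag": tag}


def open_vault(vault: dict, master_password: str) -> Optional[bytes]:
    """Return the plaintext if the password is right, else None (tag mismatch)."""
    key = derive_key(master_password, vault["email"], vault["iterations"])
    expected = hmac.new(key, vault["nonce"] + vault["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    stream = _keystream(key, vault["nonce"], len(vault["ciphertext"]))
    return bytes(c ^ k for c, k in zip(vault["ciphertext"], stream))


def crack(vault: dict, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack: no server involved, so nothing rate-limits the guesses."""
    tried = 0
    for guess in candidates:
        tried += 1
        if open_vault(vault, guess) is not None:
            return guess, tried
    return None, tried


def measure_guess_rate(vault: dict, samples: int = 5) -> float:
    """Guesses per second on this one CPU core; a GPU rig manages orders of magnitude more."""
    start = time.perf_counter()
    for i in range(samples):
        open_vault(vault, f"wrong-guess-{i}")
    return samples / (time.perf_counter() - start)


def passphrase_bits(words: int, wordlist_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly at random from the list."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(keyspace_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every key of `keyspace_bits` bits at the given rate."""
    return 2 ** keyspace_bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    EMAIL = "alice@example.com"   # constructed sample account
    ITERATIONS = 100_100          # LastPass's published default iteration count
    vault = seal_vault("Summer2022!!", EMAIL, ITERATIONS, b"example.com|alice|hunter2")
    # Constructed wordlist standing in for the leaked-password lists attackers really use.
    wordlist = ["123456", "password", "Password123!", "Summer2022!!"]
    print("cracked:", crack(vault, wordlist))
    rate = measure_guess_rate(vault)
    print(f"{rate:,.0f} guesses/s on one core at {ITERATIONS} iterations")
    for n in (3, 5, 6):
        print(f"{n}-word passphrase: {passphrase_bits(n):.1f} bits, "
              f"{years_to_exhaust(passphrase_bits(n), rate * 1e5):.2e} years "
              f"at 100,000x this rate")
```

Two things to take from it: the only cost the attacker does not control is the work inside derive_key, which is why the iteration count matters almost as much as the password itself; and a randomly chosen five or six word passphrase is easier to remember than a 12-character jumble while sitting far beyond brute-force reach at any plausible rate, which is one practical way out of the catch-22.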

Password managers are essential to good password hygiene and to not getting hacked. Our lives revolve around this information, and it could turn nasty if an attacker got hold of our passwords.

So, what do we do? Make sure we are in full control of our passwords, with tools that have been vetted. Here's how I have my passwords stored and set up to be accessible on all the devices I use - I get the exact same functionality as LastPass for zero cost. Plus I am in control of the entire process, and there's no unencrypted data that leaves my machine at any point.

Here's how to do it.

  • access to cloud-provided storage (like OneDrive, Google Drive or iCloud)
  • use the excellent (and open source) KeePassXC. It has clients for Windows, macOS and Linux.
  • Use it to create your password database, and store the database file on your cloud storage. That way, the only thing that leaves your local system is an encrypted blob: in the KDBX format the site URLs, usernames, notes and passwords are all inside the encrypted part of the file, so an attacker who gets hold of it learns nothing about your accounts. Be clear-eyed about the trade-off, though: that attacker is then in the same position as whoever holds the LastPass vaults, with a blob to guess at offline, so the master password and the key derivation settings you pick in KeePassXC still carry the whole load.
  • For mobile devices, use KeePassDX for Android (note that I don't use Android and haven't used it personally, but it seems to have good feedback) and the excellent Strongbox for Apple devices. I've used Strongbox for a while now, and I highly recommend it.
  • Once this is set up, you have your passwords on every device. The cloud client syncs the file, so a change made on one device shows up on the others within seconds. One caveat: if you edit the database on two devices before the file has synced, the cloud client will leave you with a conflict copy; KeePassXC can merge one database into another, so resolve it by merging rather than keeping one copy and losing the other's changes.
  • Most critically, this also works without an internet connection (the sync simply waits until you are back online): keep a copy of the encrypted file on the local storage of any device you want offline access on.
  • On top of that, all of these apps support the platform's native authentication: KeePassXC's Quick Unlock uses Windows Hello on Windows and Touch ID on macOS, and Strongbox uses Face ID or Touch ID. Understand what this does, though: once you have unlocked the database with the master password in a session, the biometric prompt stands in for typing that password again on subsequent unlocks. It is a convenience tied to the device, not a second factor, and an attacker who has copied the file never meets it; the strength of the file still rests on the master password.

Of course, you can take this to the next level by investing in a hardware key (like a YubiKey). It does not store your master password; rather, KeePassXC mixes a YubiKey challenge-response into the key that encrypts the database, so the cloud blob plus the master password is no longer enough on its own. A key file kept only on your devices (and never in the cloud folder) achieves a similar effect without buying hardware. But IMHO, that's really not needed for most of us.

I hope you’ve found this useful, hit me up on twitter if you have a comment!