LastPass, the popular password manager service, has recently announced that it will be requiring some of its users to choose longer master passwords. The company states that this change is necessary in order to ensure the utmost security for all of its customers. However, critics argue that this move is nothing more than a public relations stunt and will do little to help those who were affected by a breach at LastPass in 2022.
LastPass notified its users earlier this week that they would be forced to update their master passwords if they were less than 12 characters long. While the 12-character minimum was officially introduced in 2018, a number of the company’s earlier customers were never required to increase the length of their passwords. This is significant because LastPass disclosed a breach in November 2022, in which hackers stole password vaults containing encrypted and plaintext data for over 25 million users. Since then, there have been reports of cryptocurrency thefts targeting individuals in the tech industry who were using LastPass, leading security experts to believe that the stolen vaults have been cracked.
One victim of the breach, who had more than three million dollars worth of cryptocurrency stolen from their account, had been using LastPass for almost a decade and had never changed their eight-character master password. They were also never forced to improve their password. Adblock Plus creator Wladimir Palant conducted research showing that LastPass failed to upgrade many of its older customers to the stronger encryption protections offered to newer customers. For example, the number of iterations in LastPass’s encryption routines, which sets how much work an attacker must do for every guess at a master password, was set much higher for newer customers than for older ones.
Palant and others impacted by the breach argue that the recent action taken by LastPass is merely a public relations move. LastPass sent the notification to all users, regardless of whether they had a weak master password or not. Palant believes LastPass is trying to shift the blame onto its users instead of implementing technical measures to enforce the policy change. He also points out that the changes will not help those affected by the 2022 breach, who still need to change all of their passwords.
LastPass CEO Karim Toubba defends the change by stating that it is not meant to address already stolen vaults that are offline but rather to protect customers’ online vaults and encourage them to upgrade to a 12-character minimum password. Toubba acknowledges that some customers may have chosen convenience over security by using less complex passwords, even though LastPass’s ability to generate and remember lengthy passwords is meant to give its users both convenience and security.
However, experts argue that once cybercriminals hold a copy of the encrypted vault data, offline attacks become possible. In an offline attack the attacker can make an unlimited number of guesses against the stolen data, with no lockout or rate limiting, using powerful hardware. Increasing the number of iterations significantly increases the time and cost required for attackers to crack a master password, because every guess must repeat the full key-derivation work. Nevertheless, determined adversaries with large-scale computational assets can still reduce the time needed to crack passwords.
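As an added illustration of the point above (example code written for this page, not code from the article or from LastPass), the following Python model shows how the iteration count and the password length each scale the work of an offline attack. It assumes the key-derivation routine is PBKDF2-HMAC-SHA256; the iteration counts, the 95-character alphabet and the attacker's throughput are constructed placeholders, not LastPass's actual figures.

```python
import hashlib
import time

# Constructed parameters for illustration; not LastPass's exact values or any user's data.
LEGACY_ITERATIONS = 5_000       # assumed low count left on an older account
MODERN_ITERATIONS = 600_000     # assumed count applied to newer accounts
PRINTABLE_ASCII = 95            # alphabet size for a password of printable ASCII characters


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.
    An offline attacker has to repeat exactly this work for every guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def guesses_for_half_keyspace(length: int, alphabet_size: int) -> int:
    """Expected number of guesses in the average case: half of the keyspace."""
    return alphabet_size ** length // 2


def expected_crack_seconds(length: int, alphabet_size: int, iterations: int,
                           attacker_iterations_per_second: float) -> float:
    """Expected time for an exhaustive offline attack, modelling the attacker's
    hardware as a fixed throughput of PBKDF2 iterations per second (constructed figure)."""
    work = guesses_for_half_keyspace(length, alphabet_size) * iterations
    return work / attacker_iterations_per_second


def slowdown_factor(old_iterations: int, new_iterations: int) -> float:
    """How much more work per guess the higher iteration count imposes on an attacker."""
    return new_iterations / old_iterations


def time_one_derivation(iterations: int) -> float:
    """Wall-clock seconds for one derivation here: the cost of a single legitimate login."""
    start = time.perf_counter()
    derive_vault_key("correct horse", b"user@example.com", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    rate = 1e10  # constructed: attacker throughput in PBKDF2 iterations per second
    for length in (8, 12):
        for iters in (LEGACY_ITERATIONS, MODERN_ITERATIONS):
            years = expected_crack_seconds(length, PRINTABLE_ASCII, iters, rate) / (86400 * 365)
            print(f"{length}-char password, {iters:>7} iterations: {years:.3e} years")
    print(f"per-guess slowdown from re-encryption: "
          f"{slowdown_factor(LEGACY_ITERATIONS, MODERN_ITERATIONS):.0f}x")
    print(f"one login at {MODERN_ITERATIONS} iterations takes "
          f"{time_one_derivation(MODERN_ITERATIONS):.2f}s on this machine")
```

The model makes the asymmetry visible: raising the iteration count costs a legitimate user one slower login, while going from eight to twelve characters multiplies the attacker's search space by a factor of 95 to the fourth power, which is far larger than any realistic iteration increase.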
When asked about why some LastPass users were not upgraded to higher security minimums, Toubba attributes it to a small percentage of customers having corrupted items in their vaults that prevented proper upgrades. LastPass is working to address this issue and complete the re-encryption process.
Nicholas Weaver, a researcher at the University of California, Berkeley, criticizes LastPass for not force-upgrading the iteration count for existing users. He believes that LastPass’s weak default settings and failure to upgrade them for existing users make it an unreliable password manager. He advises users to consider alternative password managers.
Regarding the recommendation to change all passwords secured by the stolen master password, Toubba states that the majority of customers have followed their guidelines, and the probability of successfully brute-forcing vault encryption is low. LastPass has been advising customers since December 2022 to follow recommended guidelines and change downstream passwords if they haven’t already.
In conclusion, LastPass’s decision to require longer master passwords has faced criticism, with some viewing it as a PR move. Critics argue that it does not address the issues faced by those affected by the 2022 breach and that LastPass should have taken stronger measures to enforce security standards in the past. Experts recommend considering alternative password managers, as LastPass’s reputation has been tarnished by these incidents.