Breaking LastPass Password Vault

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,053
Interesting read: Breaking LastPass: Instant Unlock of the Password Vault

For security reasons, desktop platforms offer the best protection. The LastPass database we obtained from a Windows computer was protected with 100,100 hash iterations.
The browser extension offers what’s arguably the most convenient way to automatically fill passwords on Web pages. Since most passwords protect online resources, many users skip the desktop app and use the Chrome extension exclusively.

LastPass advertises the same level of security for protecting the user’s password database in the Chrome extension:

We discovered that’s not always the case.
This vulnerability is still present in all recent versions of the LastPass Chrome extension (we’ve used LastPass 4.44.0 in Google Chrome 80.0.3987.146 running in Windows 10 x64). As a result, the forensic expert may be able to extract and decrypt the password vault instantly without brute-forcing the master passwords on one condition: the user had selected the “Remember password” check box.
On Android, LastPass uses weaker protection with only 5000 rounds of hashing. Correspondingly, the attack speeds are significantly higher compared to the Windows version – yet obtaining root access or imaging the file system of an Android device may be difficult or impossible.

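The quoted numbers (100,100 hash iterations on Windows, 5,000 on Android) are the work factor of the key derivation that turns the master password into the vault key. The snippet below is an added example, not code from the thread or from the article it links, and it assumes PBKDF2-HMAC-SHA256 salted with the account username; the sample passwords and username are constructed. It derives a key at both iteration counts and measures how much cheaper each offline guess becomes at the lower setting, which is what makes the Android vault easier to attack. Note that no iteration count matters in the "Remember password" case the article describes, because the stored credential lets the vault be opened without deriving anything.

```python
import hashlib
import time

# Iteration counts quoted in the post above.
WINDOWS_ITERATIONS = 100_100
ANDROID_ITERATIONS = 5_000
KEY_LEN = 32  # 256-bit vault key

# ASSUMPTION (not stated on the page): the vault key is derived with
# PBKDF2-HMAC-SHA256, salted with the lower-cased account username.
def derive_vault_key(master_password: str, username: str, iterations: int) -> bytes:
    """Derive the vault key; `iterations` is the tunable work factor."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        username.lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def relative_work_factor(iterations_a: int, iterations_b: int) -> float:
    """How many times more expensive one password guess is at iterations_a than at iterations_b."""
    return iterations_a / iterations_b


def measure_guess_rate(iterations: int, guesses: int = 5) -> float:
    """Time a handful of trial derivations and return guesses per second on this host.

    The candidate passwords and username are constructed sample values.
    """
    start = time.perf_counter()
    for i in range(guesses):
        derive_vault_key(f"candidate-{i}", "user@example.com", iterations)
    elapsed = time.perf_counter() - start
    return guesses / elapsed


def estimate_exhaust_seconds(keyspace: int, iterations: int) -> float:
    """Rough time to try every password in a keyspace of the given size, on this host."""
    return keyspace / measure_guess_rate(iterations)


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", "user@example.com", WINDOWS_ITERATIONS)
    print("vault key:", key.hex())
    print(f"Windows vs Android work factor: {relative_work_factor(WINDOWS_ITERATIONS, ANDROID_ITERATIONS):.2f}x")
    for label, iters in (("Windows", WINDOWS_ITERATIONS), ("Android", ANDROID_ITERATIONS)):
        rate = measure_guess_rate(iters)
        # 8 lowercase letters is a deliberately small keyspace used only for illustration.
        print(f"{label}: {rate:,.0f} guesses/s, ~{estimate_exhaust_seconds(26**8, iters)/3600:,.0f} h for 26^8")
```

The absolute rates are only meaningful for the machine running the script (a GPU cracker is orders of magnitude faster), but the ratio is what matters for the point in the quoted text: the Android setting hands an attacker roughly a 20x speed-up over the Windows setting for the same master password.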
upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,433
Just one little note about something I understand this company did not take into consideration or simply didn't want to include: 2FA (two-factor authentication), and I'm not talking/thinking about the LastPass extension itself.

If anyone has, for example, set up 2FA on one of the added sites/URLs inside LastPass, that is automatically one extra security layer that must be bypassed, as otherwise this hack is useless. The LastPass extension doesn't have "Remember Password" enabled by default, so that's an extra hurdle, but as they describe well, their tool won't work otherwise.
if the user selects the “Remember password” check box.
IMO this article feels more like an advertisement for their own software. After all, that's apparently what's needed, according to themselves.

Thanks for the share anyway.

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,433
Seems they also forgot or simply ignored (I would guess the latter) that genuine vulnerability/exploit disclosures, no matter what company/vendor or software, are done very differently. It doesn't help to try to point to a whitepaper from 2013, as that would somehow automatically make normal and basic security research behaviour unnecessary. :rolleyes: