Breaking LastPass Password Vault

Ink

Administrator
Jan 8, 2011
Interesting read: Breaking LastPass: Instant Unlock of the Password Vault

For security reasons, desktop platforms offer the best protection. The LastPass database we obtained from a Windows computer was protected with 100,100 hash iterations.
The browser extension offers what’s arguably the most convenient way to automatically fill passwords on Web pages. Since most passwords protect online resources, many users skip the desktop app and use the Chrome extension exclusively.

LastPass advertises the same level of security for protecting the user’s password database in the Chrome extension:

We discovered that’s not always the case.
This vulnerability is still present in all recent versions of the LastPass Chrome extension (we’ve used LastPass 4.44.0 in Google Chrome 80.0.3987.146 running in Windows 10 x64). As a result, the forensic expert may be able to extract and decrypt the password vault instantly without brute-forcing the master passwords on one condition: the user had selected the “Remember password” check box.
On Android, LastPass uses weaker protection with only 5000 rounds of hashing. Correspondingly, the attack speeds are significantly higher compared to the Windows version – yet obtaining root access or imaging the file system of an Android device may be difficult or impossible.
 
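As an added illustration of the two iteration counts quoted in the post above (this is not code from the article, the forum or LastPass), the script below derives a vault key with PBKDF2-HMAC-SHA256 at 5,000 and 100,100 rounds, measures the cost of one candidate master password, and extrapolates how long a dictionary run of a given size would take at either count. It assumes the documented shape of LastPass's derivation (master password stretched with the account e-mail as salt) and uses a constructed sample password and e-mail; it is not meant to be byte-compatible with a real vault.

```python
import hashlib
import time

# Iteration counts quoted in the thread: desktop vault vs. Android vault.
ITER_DESKTOP = 100_100
ITER_ANDROID = 5_000

def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 with the account e-mail as salt. Assumption: this only
    # mirrors the documented shape of LastPass's derivation (password stretched
    # with the e-mail as salt); it is not LastPass's code and need not match it.
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    # Cost of testing one candidate master password on this machine (best of N).
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("correct horse battery staple", "user@example.com", iterations)
        best = min(best, time.perf_counter() - start)
    return best

def work_factor_ratio(strong: int = ITER_DESKTOP, weak: int = ITER_ANDROID) -> float:
    # How many times more expensive each guess is at the stronger count (20.02x here).
    return strong / weak

def estimate_search_seconds(candidates: int, iterations: int,
                            measured_seconds: float, measured_iterations: int) -> float:
    # PBKDF2 cost is linear in the iteration count, so one measured per-guess
    # time predicts the wall-clock time of a dictionary run at any other count.
    return candidates * measured_seconds * (iterations / measured_iterations)

if __name__ == "__main__":
    t_android = seconds_per_guess(ITER_ANDROID)
    print(f"per-guess cost at {ITER_ANDROID} rounds: {t_android:.4f}s")
    print(f"desktop/Android work factor: {work_factor_ratio():.2f}x")
    for n in (10**6, 10**9):
        for label, it in (("Android", ITER_ANDROID), ("desktop", ITER_DESKTOP)):
            est = estimate_search_seconds(n, it, t_android, ITER_ANDROID)
            print(f"{n:>13,} candidates, {label:7}: {est / 3600:,.1f} h on one core")
```

The measured time is for the single CPU core running the script; it shows the relative cost of the two settings, not what dedicated cracking hardware would achieve.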

upnorth

Moderator
Jul 27, 2015
Just one little note that I understand this company did not take into consideration or simply didn't want to include: 2FA (2-factor authentication), and I'm not talking/thinking about the Lastpass extension itself.

If anyone has, for example, set up 2FA on one of the added sites/urls inside Lastpass, that is automatically one extra security layer that must be bypassed, as otherwise this hack is useless. The Lastpass extension doesn't have "Remember Password" enabled by default, so that's an extra hurdle, but as they well describe, their tool won't work otherwise.
if the user selects the “Remember password” check box.
IMO this article feels more like an advertisement of their own software. After all, that's apparently needed according to themselves.

Thanks for the share anyway.
 

blackice

Apr 1, 2019
Wouldn’t this require access to the machine in question? Either physically or remotely, through exploit or malware? If that’s the case they’ve already ticked the remember password box and they have access anyway.
 

upnorth

Moderator
Jul 27, 2015
Seems they also forgot or simply ignored (I would guess the latter) that genuine vulnerability/exploit disclosures, no matter what company/vendor or software, are done very differently. It doesn't help to try to point to a whitepaper from 2013, as if that would somehow automatically make normal and basic security research behaviour unnecessary. :rolleyes:
 