I woke up this morning with a severe case of 140 character malaise all over my Twitter feed. It all centered around LastPass, password management, and the usual InfoSec hatorade that usually comes free with the purchase of a CISSP (not a ding to the cert, more to the certified). After tearing my morning cloak in two and wailing in a cloud of incense, I evaluated my post-rage options and elected to write this blog.
Another breach notification, another opportunity for division across #InfoSec lists. Yesterday, LastPass announced that it had fallen victim to a security attack in the recent past where key values. Snapshot of the LastPass announcement is below along with underlining points to focus on:
LastPass Announcement Summary
The above announcement has brought forth a lot of nay saying against password managers, but this is because most simply see a headline versus understanding the details of the announcement. Impulsively damning all password managers by iconifying LastPass as the poster child of password management failures is not sensible and sensationalizes the details around the breach. This actually introduces more insecurity to a community that is whimsical about its technology countermeasures in the first place.
It also underscores the advantages of what Password Managers provide when used correctly. Focus should be around underlined areas above and these areas are addressed individually below.
Email address compromise from the breach announcement means that social engineering attacks are likely to blanket affected users. This will most likely introduce a series of targeted phishing emails where they are highly resembling to LastPass correspondence.
Breaches involving email addresses will always imply some level of phishing campaigns that are targeted. Even prior to the breach, its safe to say that attackers have been impersonating a multitude of password management companies as part of blanketed phishing attacks.
Nonetheless, emailing is a common use case employed by several companies when resetting user passwords, providing password hints (deplorable practice btw), one-time password resets, and other user account related notifications.
The key thing to note as a user is to never click on a link within an email. Even if the email is legitimate, it is a better practice for the user to get the gist of the message and simply logon out of band to that email link and make a unique request to the site.
If the site has a legitimate notification wishing to convey to a user or its user base, the site should in turn provide a notifications feature in the Account section of the user account in order to manifest what changes need to be made over that medium.
On the eve of several future spear phishing campaigns, LastPass users should heed this recommendation and again follow the adage of ‘don’t click links in emails’. Several large banks have been conditioning their customers for years by simply notifying users that new notifications are available for them to review under their account while not providing an embedded link in the email.
It is unfortunate that email addresses were compromised as part of the LastPass incident, but that alone should not fuel an exodus from using these types of solutions, particularly considering the fact that most users will now resort to previous, unhealthy password management habits.
Password reminders were compromised as part of the LastPass incident. This is unfortunate. However, it provides a monumental opportunity to change user behavior – don’t use them. Firstly, one of the key added values to using a password manager is so that you only have to remember one password. If you can’t remember one password, then there are other things you’re going to have to worry about, quite candidly.
For those that can remember a legitimate passphrase, note that it should be private. By private, it shouldn’t be manifested as a Skype mood, Twitter handle description, personal blog post, Facebook wall, or any other online, offline place that would violate the term ‘private’. Many security professionals don’t like the use of password hints, which have been traditionally sought as part of social engineering/red team efforts.
If required by a password management solution or any other entity for that matter, perhaps consider using a value that is completely opposite to your very nature. The short of it is, don’t use them. In not using them, this compromised value provides no market value whatsoever. If password hints/reminders do have a place, I certainly don’t think it’s with Password Managers where more is at stake (apply stone, multiple bird metaphor here).
Of all the items compromised as part of the LastPass breach, the server salts and then the authentication hashes should be the thing that generates immediate corrective actions by end-users. Authentication hashes will be re-created for the master password once that has been changed. Once changed, the compromised hashes and salt values are completely useless. The last component of salts is really less of an issue since the salt is stored in the hash in plain-text.
If a hash is compromised, then the salt is by association. The thing that would be most concerning is if the code base used to apply the salt was compromised. This would negate the level of randomness applied to the hashed password. This was not reported to be the case.
And now for some constructive advice. When changing your master password, it bears reminding to make it random, private, and changed periodically. Again, use of a lengthy passphrase that is complex, yet easy to remember would be the biggest win.
Typically, pass phrases are easier to remember than passwords because their construct can include the many things suggested for good password strength, such as special characters, upper/ lowercase, spaces and the phrase itself lends to making it easier to remember for humans. Guidance on what makes a good pass phrase is below:
Related to frequency, changing master passwords monthly would be annoying especially since it takes most people a good while to come up with something memorable and effective. With that in mind, find out what ‘periodic’ means for you.
I don’t think that the staple enterprise policy of 90 days should apply to master passwords but 6 months seems reasonable. Again, at a policy level (enterprise) or at a personal level – these are choices that have to be made based upon the risk-reward scenario so put down the spoon of medicine and note that not all recommendations are tailor made for you or for your enterprise.
Last, if you disagree with password managers, that’s fine. Please suggest your effective alternative in generic terms so that you don’t reveal your own personal password management tendencies to the Internet. Always amazed that non-anonymous handles are broadcasting what they do or don’t do when in fact the forum of where they are sharing this information is in the pubic domain where wolves are in sheep clothing on a daily basis.
One international user on an InfoSec forum literally said (as a rebuttal to password managers): ‘this is why I keep my passwords in clear text on my PC and encrypt them myself’. Now perhaps this user actually does do a good job in securely keeping their keys off of that said computer, and also engages in proper key wrapping, expiration, revocation, and issuance efforts on their own, but by the mere fact he felt compelled to tell random people that this is what he does privately leads me to think otherwise.
There are a lot of things to consider when deciding on how to store passwords. Password managers may not be the solution for you and there may be operational constraints that may be unique to you and your organization, family, etc. Whatever the case may be, its important to peel back the details of the problem and understand what’s at stake and if remediation steps can actually negate the risks introduced with a breach such as LastPass. Based upon the details of the breach, some of the remediation steps alluded to above would indeed mitigate the risks, so before jumping off the Password Management cliff or any other FUD fed by mass hysteria, read, understand, then react.