Attacking LastPass: Compromising an Entire Password Database

How LastPass Works at a High Level

Before we can attack LastPass (click here to download our guide), we must have some basic idea of how it works:

  • Credentials are encrypted with a “master password” and stored with LastPass. The master password is never sent to LastPass in cleartext.
  • To create the password used to encrypt the LastPass database, the master password is hashed with PBKDF2-HMAC-SHA256 with thousands of iterations (the default is 100.100 iterations).
  • To login to LastPass, this hash is hashed once more to create a login password hash, which is sent to LastPass along with the user’s email address. In this way, LastPass does not know your login password nor do they know the 100,100-iteration hash used to encrypt/decrypt the database.
  • The LastPass database is encrypted with AES-256-CBC on the client-side.

Usernames, passwords, secure notes, and many other items are encrypted. However, stored URLs are not.

  • Without getting too deep into the weeds with how the login and decryption sequence plays out, observe the following login sequence:
  • The user enters their username and password into the login fields.
  • The user-agent requests the number of iterations used to encrypt the database for the given username.
  • The user-agent hashes the master password with PBKDF2-HMAC-SHA256 with the number of iterations assigned to the account. Per the source code, this is vla.local_key.
  • The user-agent hashes vla.local_key with one iteration of PBKDF2-HMAC-SHA256 to make vla.hash and this serves as the “password” to authenticate the user to LastPass. In this way, LastPass does not know vla.local_key nor the master password.
  • The email address and vla.hash are sent to LastPass for authentication. If authentication is successful, the database containing encrypted credentials is obtained with a POST request to getaccts.php.
  • The contents of the database are decoded or decrypted, depending on the type of content. URLs and some other items are decoded while credentials and secure notes are decrypted. The items to be decrypted are done so with the key vla.local_key.