Christian Johnson with a Look at LastPass Breach and Your Options Now – HGG559
This week on Home Gadget Geeks Jim and Christian catch up on the Last Pass Data Breach. We talk about why the security industry had a field day and introduce foundational concepts to password managers along the way. We also walk through some other password managers with similar bumps in the road over the years and what are some of the characteristics that stand out for password managers that can earn consumer trust. We then explore Christian’s migration to Bitwarden and what makes it a stand-out option amongst some of the preferred options for password management. It’s 2023 and we are still talking about password managers…. If that’s not insanity what is?! Thanks for listening!
Full show notes, transcriptions (available on request), audio and video at http://theAverageGuy.tv/hgg559
Join Jim Collison / @jcollison for show #559 of Home Gadget Geeks brought to you by the Average Guy Network.
WANT TO SUBSCRIBE? http://theAverageGuy.tv/subscribe
Join us for the show live each Thursday at 8pmC/9E/1UTC at http://theAverageGuy.tv/live
Find Us!
Join us in the Facebook group at https://www.facebook.com/groups/theaverageguy/
On Discord at https://theaverageguy.tv/discord
Last Pass Breach
https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/
- “Lots of buzzwords here. 256-bit AES encryption, unique encryption key, Zero Knowledge architecture, all that sounds very reassuring. It masks over a simple fact: the only thing preventing the threat actors from decrypting your data is your master password. If they are able to guess it, the game is over.”
Zero Knowledge Encryption Principles:
- Password is NEVER stored.
- All data is encrypted locally on the client, never on the server.
- Servers only ever store encrypted bits.
- Encryption key on the client is always generated and derived from the master password.
Some of the main issues discussed in the Last Pass breach (or as some would say, lack of containment):
- The 12-character minimum for master passwords wasn’t enforced by default until 2018, and existing customers weren’t asked to move to that standard.
- The PBKDF2 iteration count is a critical control for slowing brute-force attacks. The minimum expected in most modern password managers is 100K iterations.
- Many LastPass accounts were still configured with only 5,000 iterations; some accounts were later found to be as low as 500. OWASP recommends 310K.
What’s PBKDF2 (Password-Based Key Derivation Function)?
- Put simply, it’s a cryptographic key derivation function that runs an HMAC many times over the password and a salt, making the stored result resistant to dictionary and rainbow table attacks: https://cryptobook.nakov.com/mac-and-key-derivation/pbkdf2
What is driving the need for higher KDF iterations?
- The advent of GPUs, which have become very efficient and cheap hash calculators.
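As an added example (not from the show or from any product’s code), here is a small Python model that ties the zero-knowledge principles above to the iteration-count discussion: the client derives the vault key from the master password, the server holds only a login verifier, and the cost of each password guess scales linearly with the PBKDF2 iteration count. Using the account email as the salt and a one-round verifier are assumptions of this example, not a description of any vendor’s exact scheme.

```python
import hashlib
import hmac
import time

# Iteration counts quoted in the show notes: LastPass's legacy default, the rough
# floor in modern managers, and the OWASP recommendation.
LASTPASS_LEGACY_ITERATIONS = 5_000
MODERN_MINIMUM_ITERATIONS = 100_000
OWASP_RECOMMENDED_ITERATIONS = 310_000

def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client side: the vault encryption key is derived from the master password.
    Using the lower-cased account email as the salt is an assumption of this
    example, not a description of any product's exact scheme."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )

def derive_auth_verifier(vault_key: bytes, master_password: str) -> bytes:
    """Client side: what is sent to the server at login. One extra PBKDF2 round
    keyed by the vault key means the server holds neither the password nor the
    key. Simplified model assumed for this example."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)

def server_login_check(stored_verifier: bytes, presented_verifier: bytes) -> bool:
    """Server side: constant-time compare of verifiers. Nothing stored here can
    decrypt the vault, so a stolen copy only falls to guessing the master password."""
    return hmac.compare_digest(stored_verifier, presented_verifier)

def relative_guess_cost(iterations: int, baseline: int = LASTPASS_LEGACY_ITERATIONS) -> float:
    """PBKDF2 work is linear in the iteration count: each guess against a 310K
    vault costs 62x a guess against a 5,000-iteration one."""
    return iterations / baseline

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one derivation on this CPU. A GPU cracker is far faster per guess;
    the point is how cost scales with iterations, not the absolute number."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"benchmark-only", b"salt", iterations, dklen=32)
        best = min(best, time.perf_counter() - start)
    return best

if __name__ == "__main__":
    # A vault stolen while the account sat at 5,000 iterations keeps that cost
    # forever: raising the count afterwards only protects the new copy.
    for n in (LASTPASS_LEGACY_ITERATIONS, MODERN_MINIMUM_ITERATIONS, OWASP_RECOMMENDED_ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n):.4f}s/guess, {relative_guess_cost(n):.0f}x legacy")
```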
Discoveries on how the Lastpass web vault works:
- Use Chrome developer tools and walk through retrieving the vault.
- Some key things are not encrypted, including URLs (used to target high profile entities).
- https://github.com/cfbao/lastpass-vault-parser/wiki/LastPass-Vault-Format
- 32 of 38 fields aren’t encrypted.
The general dangers of autofill, JavaScript, and password managers:
Roboform
So, I started researching common marketing phrases that all password managers like to talk about. Phrases include:
- Military-grade AES-256 encryption
- PBKDF2 SHA256, 4096 iterations [https://www.roboform.com/business/security]
2014 Case Study on Roboform: https://paul.reviews/how-secure-is-roboform-the-5-minute-challenge/
- If you’re required to hand over a password, a phrase or indeed anything you know to gain access to your data, that’s authentication… not encryption.
- Master password sent to the server in plain text.
- Android PIN bypass
Bitwarden
Features that win me over as a consumer:
- Open source, security researchers can validate the implementation independently.
- Self-hosting option. This one is huge. Don’t trust the cloud? Run it yourself.
- Above-average auto-fill, plus TOTP capability.
- Two-step login on the master password – supports Authenticator apps, YubiKey OTP, Duo, FIDO2, and email.
- Reports feature: exposed passwords, reused passwords, weak passwords, unsecured websites, inactive 2FA, breached accounts.
- Cross-platform ease of use.
About LastPass:
LastPass was founded in 2008 by Joe Siegrist and Ian Tompson. The company was born out of a need for a better way to manage passwords. Joe, the CEO, and Ian, the CTO, were frustrated with the traditional methods of password management, such as writing them down on a piece of paper or saving them in a text file on their computer. They saw an opportunity to create a solution that would make it easy for people to securely store and access their passwords.
In 2009, LastPass launched its first password management product, a browser extension for Firefox. The extension allowed users to securely store their passwords in the cloud and automatically fill them in when they visited a website. The product was a hit, and LastPass quickly expanded to support other browsers, including Chrome, Safari, and Internet Explorer.
In 2011, LastPass introduced a premium version of the product, which added additional features such as multi-factor authentication and the ability to share passwords with others. This helped the company to attract more enterprise customers and solidified its position as a leading player in the password management space.
About Bitwarden:
Bitwarden is a password manager that was first released in 2016. The company behind it, 8BIT, LLC, was founded by Kyle Spearrin and Matthew LeGare. The goal of Bitwarden is to provide a secure and easy-to-use password management solution for individuals and organizations.
The first version of Bitwarden was a browser extension for Google Chrome. It was designed to save and automatically fill in passwords for websites. The extension quickly gained popularity and was soon made available for other browsers such as Firefox and Safari.
In 2017, Bitwarden introduced a mobile app for iOS and Android devices. This allowed users to access their password vault from anywhere and added an extra layer of security with fingerprint and Face ID authentication.
Later that year, Bitwarden also released a command-line interface (CLI) tool for Linux, macOS, and Windows users. This tool allows users to easily access their password vault from the terminal and automate password management tasks.
In 2018, Bitwarden launched a paid plan called “Bitwarden Premium”. This plan includes additional features such as two-factor authentication and password sharing for teams. Bitwarden also released a fully open-source version of their software, making it available for anyone to review and contribute to the code.
In 2019, Bitwarden introduced a new feature called “Identity Management”. This feature allows users to store and manage their personal information, such as their name, address, and passport number, in addition to their passwords. Bitwarden also added support for passwordless logins, allowing users to log in to websites and apps without having to enter a password.
In 2020, Bitwarden made the decision to become a fully open-source company and transitioned away from the premium plan. They also released a password health feature that allows users to check the strength of their passwords and alerts them if any of their passwords have been compromised in a data breach.
Today, Bitwarden is a widely used password manager with a strong focus on security and privacy. It offers a variety of features for both personal and business use and is available for all major platforms and web browsers. The company continues to actively develop and improve the software, and it has a large and active community of contributors and users.
Show Segments
What’s going on with password managers today? [1:29]
What is Zero-Knowledge Architecture? [5:54]
What is the impact of the LastPass breach? [12:52]
How do you store the representation of the master password on the database or in memory? [16:29]
How many iterations do you want to put the password in before you spit it out? [22:21]
Changing your password doesn’t necessarily fix it. [29:09]
If you’re willing to try something different, there’s no reason not to give it a try. [36:12]
Would I give away the farm if I told how many password iterations I had on my account? [43:15]
Get to know your company’s background. [46:23]
Is it better to have the convenience or the convenience? [53:15]
How to use Bitwarden with Autofill. [1:00:05]
Where do I go now if I leave my passwords? [1:05:49]
Why are we doing things like biometrics or fingerprints for free? [1:11:01]
How to get a pre-canned deployment instance. [1:16:35]
Get the Home Gadget Geeks subscribe links at http://homegadgetgeeks.com