LastPass Hack - Is 1PW Vulnerable?

richsadams
Community Member
I've been reading up on the possibility that 1PW competitor LastPass was hacked this week. I only know enough about security to be dangerous but chose 1PW over LP a while back based on some I.T. folks' recommendations. LP is asking their customers to reset their master passwords since a dictionary brute force attack could allow the bad guys access to their account's individual passwords or other information.

I know it's impossible to say that any program is absolutely secure, but now I'm wondering if 1PW is susceptible to the same sort of attack or if they employ different/better security measures? Is anyone here familiar with the differences? A little peace of mind would be welcome right about now. TIA!

Comments

  • Pazzie
    Community Member
    The company noticed some anomalies in data traffic to and from its servers that it couldn't explain. But one possible explanation was a data breach.

    "We're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," wrote CEO Joe Siegrist.


    So if I'm right, there is a possibility that their database was accessed.

    The main difference between LastPass and 1Password:
    - LastPass stores your passwords (encrypted) in an online database.
    - 1Password stores your passwords (encrypted) on your computer in a file/directory called 1Password.agilekeychain, so your passwords are stored offline.

    You can also choose to store the 1Password.agilekeychain online on DropBox, so you are able to use the 1Password information on more than one computer.
    The 1Password data format is designed with the knowledge that some people would have their computers stolen, so if someone gets access to the 1Password.agilekeychain file in your DropBox account your passwords are still safe (unless you have a weak master password).

    Here are some interesting links:
    http://blog.agile.ws/2011/05/defending-against-crackers-peanut-butter-keeps-dogs-friendly-too/
    http://blog.agile.ws/2011/04/dropbox-security-questions/
    http://blog.dropbox.com/?p=735
  • khad
    1Password Alumni
    edited May 2011
    Pazzie, you are correct. Thanks for posting those links. :-)

    By default, 1Password only stores your information locally. If you choose to sync via Dropbox, all your sensitive information is encrypted (1) before transport, (2) further during transport, and (3) again during storage. At no point is your master password available to anyone but you.

    From our "Security of storing 1Password data in the cloud" document:

    Your secrets in your 1Password data are safe wherever they are stored. Although we don’t recommend making your 1Password database publicly available to the world, we have designed it so that your username and password data (along with other secret data stored within it) is protected no matter whose hands they fall into. For this and other reasons we are very confident when we recommend cloud syncing of 1Password data with Dropbox. The remainder of this document goes into increasing detail about the security measures in place and issues surrounding them.

    Here are some key points you may read about below
    1. Your master password is never transmitted from your computer or device.
    2. All 1Password decryption and encryption is performed on your computer or device.
    3. The 1Password data format was designed to withstand sophisticated attacks if it fell into the wrong hands.
    4. Dropbox provides an additional layer of encryption.


    I hope that helps. Please take a look at the entire document (especially the section on key strengthening) and let me know if you have any additional questions or concerns.

    Thanks for asking about this!
  • jpgoldberg
    1Password Alumni
    edited May 2011
    The short answer is that (in addition to the fact that everybody's 1Password data aren't centrally stored) 1Password uses PBKDF2 when encrypting your master password. See our blog post about PBKDF2.

    The long answer follows.

    First we need to know what could have been taken in the LastPass breach. These were encrypted access passwords and user names. That is, these serve the analogous role as your master password in 1Password. But, and this is crucial, these passwords were encrypted.

    The encryption system uses something called salt. Salting the encryption protects these encrypted passwords from the easiest form of attack. So it is very good for LastPass users that these were properly salted. Salting means that if two people have the password "pizza" (a very poor choice of password) it will not encrypt the same way. One person's encrypted password may turn out to be "MrcWFKi4XnbXo" while another's may turn out to be "PMSW29dFPcS7." If an attacker has a whole list of encrypted passwords it is very good for them not to know which passwords are the same as each other.

    Also, salting prevents an attacker from using what is sometimes called a "rainbow table". That is, without salt an attacker could pre-compute the encrypted forms of common passwords, like "pizza", then just search for that in the list of encrypted passwords.

    So salting is important and LastPass did salt their data. Unfortunately salting isn't enough, particularly if people have weak passwords. This is because automated password guessing software is easily available. To thwart automated password guessing programs we need a "key derivation function" that makes testing a particular guess a slow process. That is, if it takes a computer, say, a quarter of a second to process an entered password that slowness won't bother a human, but it changes whether millions of passwords can be tried per second or only a few hundred or a few thousand.

    PBKDF2 (Password Based Key Derivation Function, version 2) is such a key derivation function, and you can read more about how we use it here:

    http://blog.agile.ws/2011/05/defending-against-crackers-peanut-butter-keeps-dogs-friendly-too/

    So in addition to where your data are stored, 1Password data files are resistant to automated password guessing in ways that LastPass data are not. LastPass have said that they are planning to introduce PBKDF2.

    One thing that I want to make absolutely clear: We are not sitting here smugly watching this. There is no schadenfreude, and there is certainly no complacency on our part. No one can honestly say that their system is invulnerable to all attack; the best we can say is that we have studied these things carefully and have protected your 1Password data against every potential line of attack we are aware of. For everyone security is a dynamic process, and we are continually looking for ways to improve yours.

    Cheers,

    -j
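
Added example, not part of the original thread or 1Password's code: the salting and key stretching described in the post above, using Python's `hashlib`. SHA-256, the 16-byte salts and the function names are assumptions chosen for illustration; 1000 is the iteration count mentioned in this thread.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 1000  # iteration count discussed in this thread


def unsalted_hash(password: str) -> bytes:
    """Plain hash: equal passwords always give equal output (precomputable)."""
    return hashlib.sha256(password.encode()).digest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Salted but fast: unique per user, yet only one hash call per guess."""
    return hashlib.sha256(salt + password.encode()).digest()


def stretched_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 (assumed hash): salted and deliberately slow per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Re-derive the key and compare in constant time."""
    return hmac.compare_digest(stretched_key(password, salt, iterations), stored)


def seconds_per_guess(fn, rounds: int = 200) -> float:
    """Average wall-clock cost of one call to fn()."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def demo() -> dict:
    alice_salt, bob_salt = os.urandom(16), os.urandom(16)  # constructed users
    fast = seconds_per_guess(lambda: salted_hash("pizza", alice_salt))
    slow = seconds_per_guess(lambda: stretched_key("pizza", alice_salt))
    return {
        "unsalted_collide": unsalted_hash("pizza") == unsalted_hash("pizza"),
        "salted_differ": salted_hash("pizza", alice_salt) != salted_hash("pizza", bob_salt),
        "slowdown": slow / fast,  # per-guess cost of PBKDF2 relative to one salted hash
    }


if __name__ == "__main__":
    print(demo())
```

The `slowdown` figure is the factor by which each offline guess becomes more expensive on the machine running it; the legitimate user pays that cost once per unlock.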
  • Pazzie
    Community Member
    LastPass have said that they are planning to introduce PBKDF2.

    If I understand you correctly, PBKDF2 is to slow down bruteforce attacks?
    Doesn't LastPass have other ways to prevent bruteforce attacks (because they are an online service and they can monitor the amount of wrong passwords entered)?
    Let's say the average LastPass user logs in five times a day. Then it would be highly strange if suddenly someone or multiple computers (botnet) enters hundreds of thousands of wrong passwords per second.

    If I enter a few wrong passwords in a row at my online banking account, my account gets blocked. Then I have to prove I'm the owner of the account to receive a new temporary password.
    Doesn't LastPass have something like a secret question or CAPTCHA you have to enter after 3 wrong passwords were entered and maybe a (temporary) account block after a certain amount of tries after that?

    I'm also wondering why they are introducing PBKDF2 now and not earlier?
    You wrote:
    I need to remember “PBKDF2” because it is a very important, though behind the scenes, part of your security.

    Didn't they pay enough attention to security when they started LastPass?
  • jpgoldberg
    1Password Alumni
    Pazzie wrote:

    If I understand you correctly, PBKDF2 is to slow down bruteforce attacks?

    Exactly, it slows down brute force attacks against your master password.


    Doesn't LastPass have other ways to prevent bruteforce attacks (because they are an online service and they can monitor the amount of wrong passwords entered)?

    That is a great question.

    They certainly can do this when people try to launch the brute force attack directly against their web service. But in this case the encrypted passwords were stolen, so the attacks can be done "off-line".


    Let's say the average LastPass user logs in five times a day. Then it would be highly strange if suddenly someone or multiple computers (botnet) enters hundreds of thousands of wrong passwords per second.

    If I enter a few wrong passwords in a row at my online banking account, my account gets blocked.

    Those defense mechanisms, which surely are in place, don't help when an attacker has all of the encrypted passwords to test on their own computer. The attacker can try millions of guesses without any interaction with the LastPass servers. Only when they have discovered the password would they attempt to log in.

    I'm also wondering why they are introducing PBKDF2 now and not earlier?
    Didn't they pay enough attention to security when they started LastPass?

    I don't want to speculate (much) on why they didn't have PBKDF2 in place earlier, but I will note one thing. I believe that we were ahead of the game by using PBKDF2 when we designed the Agile Keychain format for 1Password. The other thing is that we were aware from the beginning that users' encrypted data may be stolen. First because computers get stolen, and second because we were moving to more online syncing. So we specifically sought ways to protect your data in such cases.

    Because web services have other means to prevent repeated login attempts (as you correctly described above) things like PBKDF2 play less of a role.

    I hope that this helps.

    Cheers,

    -j
  • Pazzie
    Community Member
    Thank you for the answers. It makes sense to me now.

    I'm glad you already implemented PBKDF2 and are planning to introduce a data format with even more iterations.
  • khad
    1Password Alumni
    On behalf of Jeff, you are quite welcome. :-)

    We are always here to help!
  • richsadams
    Community Member
    Thanks very much for the details and reassurances that choosing 1PW was a wise choice. I better understand some of the security challenges and Agile's abilities to address them. I feel somewhat less dangerous when it comes to my knowledge of security issues now...and have a bit more peace of mind. Thank you!
  • khad
    1Password Alumni
    It is our pleasure to help. I always learn something new myself when Jeff posts in the forums. :-)
  • Penelope Pitstop
    Community Member
    jpgoldberg wrote:

    Exactly, it slows down brute force attacks against your master password.


    That is a great question.

    They certainly can do this when people try to launch the brute force attack directly against their web service. But in this case the encrypted passwords were stolen, so the attacks can be done "off-line".


    Those defense mechanisms, which surely are in place, don't help when an attacker has all of the encrypted passwords to test on their own computer. The attacker can try millions of guesses without any interaction with the LastPass servers. Only when they have discovered the password would they attempt to log in.


    I don't want to speculate (much) on why they didn't have PBKDF2 in place earlier, but I will note one thing. I believe that we were ahead of the game by using PBKDF2 when we designed the Agile Keychain format for 1Password. The other thing is that we were aware from the beginning that users' encrypted data may be stolen. First because computers get stolen, and second because we were moving to more online syncing. So we specifically sought ways to protect your data in such cases.

    Because web services have other means to prevent repeated login attempts (as you correctly described above) things like PBKDF2 play less of a role.

    I hope that this helps.

    Cheers,

    -j


    Jeff, I understand that PBKDF2 attempts to thwart automated offline attempts to crack a password off line by slowing down the computation required and making dictionary attacks useless via the salt. I have two questions:

    1. Does the complexity of your master password matter? If someone was daft enough to choose a simple master password, would that make them more vulnerable?

    2. How slow is slow? I've superficially read about these programs that harness multiple GPUs and wondered how much computer power would be needed to make the 1000 iterations insufficient.
  • khad
    1Password Alumni
    1. Does the complexity of your master password matter? If someone was daft enough to choose a simple master password, would that make them more vulnerable?

    My understanding is that PBKDF2 simply increases the time required for a brute force attack, but such an attack is still subject to the password strength. As a very crude example, if using PBKDF2 increases each password attempt by a factor of 10 and each attempt normally takes 1 second, each attempt will now take 10 seconds. If my master password normally would have taken 1 month to brute force, it will take 10 months with PBKDF2. So you still want to be sure you are using a strong, unique password. A good master password will take on the order of years to brute force. PBKDF2 increases that time dramatically. (These exact numbers are made up but are easy to understand at a glance.)

    2. How slow is slow? I've superficially read about these programs that harness multiple GPUs and wondered how much computer power would be needed to make the 1000 iterations insufficient.

    As Jeff mentioned above, this is a question we have been looking at ourselves. The exact number depends on the GPU(s) and how many there are. There is talk about PBKDF2 iteration customization, though, in 1Password's future. While I can't promise anything, the idea (if implemented) would allow you to determine your own level of comfort in this area.
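
Added example, not part of the original thread: the point in the reply above that PBKDF2 multiplies attack time by a constant while password strength sets the baseline, worked through for several iteration counts including the 1000 mentioned in the question. The attacker rate and the password classes are hypothetical values, and one PBKDF2 iteration is treated as one hash operation for simplicity.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600
ASSUMED_RATE = 1e9  # hypothetical attacker: 1 billion raw hashes per second


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def average_crack_seconds(bits: float, raw_hashes_per_second: float, iterations: int) -> float:
    """Expected offline search time: half the space, each guess costing
    `iterations` hash operations (simplification: 1 iteration = 1 hash)."""
    guesses_per_second = raw_hashes_per_second / iterations
    return (2 ** bits / 2) / guesses_per_second


# Constructed password classes, not measurements of real users.
PASSWORD_CLASSES = {
    "6 lowercase letters": search_space_bits(26, 6),
    "8 mixed-case letters + digits": search_space_bits(62, 8),
    "4 words from a 7776-word list": search_space_bits(7776, 4),
}


def table(iteration_counts=(1, 1000, 100_000)):
    """Rows of (class, bits, iterations, average years to crack)."""
    rows = []
    for name, bits in PASSWORD_CLASSES.items():
        for n in iteration_counts:
            secs = average_crack_seconds(bits, ASSUMED_RATE, n)
            rows.append((name, round(bits, 1), n, secs / SECONDS_PER_YEAR))
    return rows


if __name__ == "__main__":
    for name, bits, n, years in table():
        print(f"{name:32s} {bits:5.1f} bits  {n:>7d} iterations  {years:.3g} years")
```

Raising the iteration count moves every row by the same factor, while each additional bit of password entropy doubles the time, so a weak password stays weak at any practical iteration count.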
  • Penelope Pitstop
    Community Member
    khad wrote:

    My understanding is that PBKDF2 simply increases the time required for a brute force attack, but such an attack is still subject to the password strength. As a very crude example, if using PBKDF2 increases each password attempt by a factor of 10 and each attempt normally takes 1 second, each attempt will now take 10 seconds. If my master password normally would have taken 1 month to brute force, it will take 10 months with PBKDF2. So you still want to be sure you are using a strong, unique password. A good master password will take on the order of years to brute force. PBKDF2 increases that time dramatically. (These exact numbers are made up but are easy to understand at a glance.)


    As Jeff mentioned above, this is a question we have been looking at ourselves. The exact number depends on the GPU(s) and how many there are. There is talk about PBKDF2 iteration customization, though, in 1Password's future. While I can't promise anything, the idea (if implemented) would allow you to determine your own level of comfort in this area.

    Thanks for the reply khad.

    I had seen those articles but was having trouble doing the maths on the timing because I have no feel for the actual time taken for one iteration on typical devices like laptops and iPhones vs those GPU arrays. The phrase "fraction of a second" covers a wide range and makes a big difference to the sums.
  • khad
    1Password Alumni
    This is true. However, once you start dealing in years, it begins to become less of an issue. :-)
This discussion has been closed.