Password management service LastPass was hacked in August 2022 and the attacker stole users’ encrypted passwords, the company said in a Dec. 23 statement. This means that the attacker could potentially crack some LastPass users’ website passwords through brute force guesswork.
Notification of the Recent Security Incident – The LastPass Blog#lastpasshack #chop #lastpass #infosec https://t.co/sQALfnpOTy
— Thomas Zickell (@thomaszickell) December 23, 2022
LastPass first disclosed the vulnerability in August 2022, but at the time it appeared that the attacker only received the source code and technical information, no customer data. However, the company investigated and determined that the attacker used this technical information to attack another employee’s device, which was then used to obtain keys to customer data stored in a cloud storage system.
As a result, unencrypted customer metadata was exposed to the attacker, including “company names, end user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers accessed the LastPass service.”
Also, some customers’ encrypted safes were stolen. These vaults contain the website passwords that each user stores with the LastPass service. Luckily, the vaults are encrypted with a master password, which should prevent the attacker from reading them.
LastPass’ statement emphasizes that the service uses state-of-the-art encryption to make it very difficult for an attacker to read vault files without knowing the Master Password, stating:
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our zero-knowledge architecture. As a reminder, the Master Password is never known to LastPass and is not stored or maintained by LastPass.”
Despite this, LastPass acknowledges that if a customer has used a weak master password, the attacker may be able to use brute force to guess that password, allowing them to decrypt the vault and obtain all of the customer’s website passwords, like LastPass explained:
“It’s important to note that if you don’t use your Master Password [best practices the company recommends], then it would greatly reduce the number of tries needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing the risk by changing the passwords of the websites you have on file.”
Can Password Manager Hacks Be Eliminated With Web3?
The LastPass exploit underscores a claim Web3 developers have been making for years: that the traditional username and password login system needs to be phased out in favor of blockchain wallet logins.
According to crypto wallet login proponents, traditional password logins are inherently insecure as they require hashes of passwords to be stored on cloud servers. If these hashes are stolen, they can be cracked. Additionally, if a user relies on the same password for multiple websites, a stolen password could result in everyone else being hacked. On the other hand, most users cannot remember multiple passwords for different websites.
To solve this problem, password management services like LastPass were invented. But even these rely on cloud services to store encrypted password vaults. If an attacker manages to get the password vault from the password manager service, they may be able to crack the vault and get all the user’s passwords.
Web3 applications solve the problem in a different way. They use browser extension wallets like Metamask or Trustwallet to log in with a cryptographic signature, eliminating the need to store a password in the cloud.
An example of a crypto wallet login page. Source: Blockscan chat
So far, however, this method has only been standardized for decentralized applications. Traditional apps that require a central server currently have no agreed standard for using crypto wallets for logins.
Related: Facebook has to pay a fine of 265 million euros for disclosing customer data
However, a recent Ethereum Improvement Proposal (EIP) aims to remedy this situation. The proposal, dubbed “EIP-4361,” seeks to provide a universal standard for web logins that will work for both centralized and decentralized applications.
If this standard is agreed upon and implemented by the Web3 industry, its proponents hope that the entire World Wide Web will eventually phase out password logins entirely, eliminating the risk of password manager breaches like the one at LastPass.