LastPass attacker stole password vault data, demonstrating Web2’s limitations

Password management service LastPass was hacked in August 2022, and the attacker stole users’ encrypted passwords, according to a statement from the company on December 23. This means that an attacker might be able to crack some LastPass users’ website passwords through a brute force guess.

LastPass first disclosed the hack in August 2022, but at the time, the attacker appeared to have only obtained the source code and technical information, not any customer-specific data. However, the company investigated and discovered that the attacker used this technical information to attack another employee’s device, which was then used to obtain customer data keys stored in a cloud storage system.

As a result, customers’ unencrypted identifying data was exposed to the attacker, including “company names, end-user names, billing addresses, email addresses, phone numbers, and IP addresses through which customers were accessing the LastPass service.”

In addition, some customers’ crypto safes were stolen. These vaults contain the website passwords that each user stores with the LastPass service. Fortunately, the safes are encrypted with a master password, which prevents an attacker from being able to read them.

The statement from LastPass confirms that the service uses state-of-the-art encryption to make it very difficult for an attacker to read vault files without knowing the master password, stating:

These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is unknown to LastPass and is not stored or maintained by LastPass. “

However, LastPass admits that if a customer uses a weak master password, an attacker may be able to brute force to guess that password, allowing them to decrypt the vault and obtain all customers’ website passwords, as LastPass explains:

It is important to note that if your master password does not use an extension [best practices the company recommends], it will greatly reduce the number of attempts needed to guess it correctly. In this case, as an additional security measure, you should consider reducing the risk by changing the website passwords you have stored.”

Can Password Manager Hacks Be Eliminated Using Web3?

The LastPass exploit illustrates a claim Web3 developers have made for years: that the traditional username and password login system should be scrapped in favor of blockchain wallet logins.

According to crypto wallet login advocates, traditional password logins are insecure mainly because they require hashes of passwords to be maintained on cloud servers. If these hashes are stolen, they can be cracked. In addition, if a user relies on the same password for multiple websites, one stolen password can compromise all others. On the other hand, most users cannot remember multiple passwords for different websites.

To solve this problem, password manager services such as LastPass were invented. But it also relies on cloud services to store encrypted password vaults. If the attacker can obtain the password vault from a password management service, he may be able to compromise the vault and obtain all of the user’s passwords.

Web3 applications solve the problem in a different way. They use browser extension wallets like Metamask or Trustwallet to sign in with an encrypted signature, eliminating the need to store a password in the cloud.

Example of a crypto wallet login page. Source: Blockscan Chat

But so far, this method has only been standardized for decentralized applications. Traditional applications that require a central server do not currently have an agreed standard for how crypto wallets should use logins.

Related: Facebook fined 265 million euros for leaking customer data

However, the recent Ethereum Improvement Proposal (EIP) aims to remedy this situation. The proposal is called “EIP-4361,” and it attempts to provide a universal standard for web logins that works for both centralized and decentralized applications.

If this standard is agreed upon and implemented by the Web3 industry, its proponents are hopeful that the entire World Wide Web will eventually get rid of password logins altogether, eliminating the risk of password management breaches like the one that occurred with LastPass.