Episode Details

Right before Christmas, LastPass dropped a bombshell report explaining that bad actors appeared to have made copies of LastPass users’ encrypted password vaults. The information was a little short on key details, probably indicating that the investigation is ongoing and we will learn more in the coming weeks. However, we have already learned enough to know that the data breach did leak some important metadata contained in people’s password vaults and that any users who had less-than-secure master passwords should be worried that the encrypted contents may now be vulnerable to disclosure. That is about as bad as it gets. Today I will speak with a cybersecurity and authentication expert from CISA about this breach: what we know, what we don’t know, what we should learn from the incident, and (most importantly) what LastPass users should do about this.

Bob Lord is a Senior Technical Advisor for the Cybersecurity and Infrastructure Security Agency (CISA) and former Chief Information Security Officer (CISO) for Yahoo. 

Interview Notes

• SPECIAL REPORT: LastPass Breach: https://firewallsdontstopdragons.com/special-lastpass-breach/
• Twitter thread investigating what’s encrypted and what’s not: https://twitter.com/UK_Daniel_Card/status/1606012536582656000
• Write-up by a security researcher: https://www.pwndefend.com/2022/12/24/lastpass-breach-the-danger-of-metadata/
• Mastodon technical thread #1: https://mastodon.social/@epixoip@infosec.exchange/109585049690097599
• Mastodon technical thread #2: https://infosec.exchange/@WPalant/109590750504031700
• My “diceware” passphrase generator: https://d20key.com/ 
• My blog on creating strong passphrase: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/ 
• How to make stronger passwords: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/ 
• Classic XKCD cartoons on passphrases: https://xkcd.com/936/ 
• Consumer Reports Security Planner: https://securityplanner.consumerreports.org/

Further Info

• Follow me on social media: https://firewallsdontstopdragons.com/contact/ 
• Send me your questions! https://fdsd.me/qna 
• Support me! https://fdsd.me/support 
• Subscribe to the newsletter: https://fdsd.me/newsletter 
• Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book

Table of Contents

Use these timestamps to jump to a particular section of the show.

• 0:00:47: Ep300 giveaway updates
• 0:03:15: interview setup
• 0:08:17: What do we know about the LastPass breaches?
• 0:13:25: Were all LastPass users affected?
• 0:15:03: How is my LastPass data secured, exactly?
• 0:19:53: What is PBKDF2 and why are iterations important?
• 0:23:10: Did LastPass increase the iterations for all users over time?
<