Security Now Episode 905 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Leo Laporte (00:00:00):
It's time for security now. The shortest name in the history of security. Now, Steve Gibson will explain what one means and give more very important device. In fact, honestly, the story, the last pass story gets worse and worse. If you were a last pass customer or still are, you've got to listen to this episode. Security now is next. Hey, before we get to the show though, can I ask you a favor? Our Security Now survey is online, 23. The podcast network as a whole, likes to know a little bit more about our audience. We wanna know what you like, what you use, what you want more of. It helps us sell advertising. I'll say it without tracking you, but it also helps us tune the programming to fit your interests. It's should just take a few minutes. It's absolutely optional, but it sure helps us a lot. You have to the end of the month, 23. Now on with the show podcasts you love

... (00:01:02):
From people you trust. This is TiT.

Leo Laporte (00:01:10):
This is Security Now, episode 905. Recorded Tuesday, January 10th, 2023. One,

Security Now is brought to you by Tanium Tanium Unites operations and security teams with a single platform that identifies where all your IT data is. Patches every device you own in seconds and implements critical security controls all from a single pane of glass. Are you ready to protect your organization from cyber threats? Learn more at And by Drata. Too often security professionals are undergoing the tedious, arduous task of manually collecting evidence. With Drata, say goodbye to the days of manual evidence collection and hello to automation. All done at drata speed. Visit and get a demo and 10% off the implementation. It's time for security now. Yes, it is. You've been waiting all week. I know you have security now. Maven, legend man about town. Steve Gibson is here to talk about the latest security news. Holy cow, Steve, last week's leaving Last pass episode.

Oh, was a biggie <laugh>. Yeah, it it absolutely broke all of the records that we've had for, I mean, just judging you know, my, my immediate feedback is to look at the number of likes and retweets on my weekly announcement of the podcast. And last week's was about eight times more than we've ever had before. And actually as a consequence of that and the, the feed, the nature of the feedback that I received through this next week we're gonna continue because what happened was interesting. We have to have a follow up to last week's leaving last pass episode. And I wanna share the news of the creation of a terrific PowerShell script complete with a friendly user interface, which quickly di obfuscates any LastPass user's X M L format vault data what it reveals is what we expected, but seeing is believing.

And it's, it's a little sterling to see what's there with no decryption of the vault needed. Then we're gonna examine, as I said, the, essentially the conclusions drawn and the consequences of the massive amount of Avid and in some cases, rabid listener feedback received since last week. There were some truly startling things that listeners of this podcast discovered when they went looking. Mm. So we got a great picture of the week, and this episode's title is unique for us. It's just a single digit, I thought I made a mistake. I thought there was an error typing the title. It's just one security now. Number one, security Now, episode 9 0 5 for January 10th, 2023 titled one. Okay? And everyone will find out why. In a little bit. There was a Broadway show called Nine and now there's an episode of security now called one.

There is No one knows Why, but you will find out in, in, in a moment, shall we say. And I'm very curious to hear about the what's going on with the with Last Pass two. I think you're, you don't know how curious you need to be. Oh, geez. There, there's something really something you, you asked me if I could try this xml formatter on my vault data, and I deleted my vault more than a year ago. So, and I hope to God so did last pass. But that's a question for later too. First, let's talk about our sponsor for this portion of the show. Those great folks at Tanium. The industry's approach to cybersecurity says Tanium is fundamentally flawed. What? That's a challenging statement, but think about it. It management security point tools. They give you a slice, a small piece of the solution needed to protect your environment.

We've said that all the time. Security is, requires a layered approach, right? Unfortunately, a lot of these tools promise they can stop all breaches, and that's obviously not true. But here's the problem. For a lot of managers, a lot of IT professionals, you're making decisions based on stale data, old information, and it, that is no way to defend your critical assets from cyber attacks. And if you've got tools that don't talk to each other, that's another huge problem. You got a, a very varied and aggressive team of attackers going after you all the time. You need to be as smart, as effective, as aggressive as they are. It's time for a different approach. You need Tanium. Tanium says, it's time for a convergence of tools, of endpoints, of IT ops and security. They have solutions for everybody, government entities, education, financial services, retail, healthcare. These people trust titanium's solutions for every workflow that relies on endpoint data.

Tanium, you can do almost instantaneous asset discovery and inventory, so you know, every IT asset down to the molecule in your estate. They've got risk and compliance management. Well, everybody needs that, right? Plus you can find and fix vulnerabilities at scale in seconds, no matter how big your estate is. They've got threat hunting, which lets you hunt for sophisticated adversaries in real time client management, of course, but it makes, it makes it easy to automate operations from discovery to management to patching. And of course, since we've all got some sensitive data, you've gotta have sensitive data monitoring. Tanium let's you index and monitor sensitive data, and it can do it globally. And in seconds, you're getting a a here of how fast Tanium is. Tanium protects organizations where other endpoint management and security providers have just fallen down on their faces with a single platform.

Tanium identifies where all your data is across your entire it s d patches, every device you own in seconds and implements critical security controls. And it does it all from a single pane of glass with tools that all talk to one another. It's just a, it's just a, a complete paradigm shift in how you manage your security. Ask Kevin Bush, vice president of IT at Ring Power com corporation. He says, Tanium, this is a quote. Tanium brings visibility to one screen for a whole team. And if you don't have that kind of visibility, you're not gonna be able to sleep at night. I think Kevin's talking from personal experience with real data comes real time impact. If you are ready to unite operations and security teams with a single source of truth to confidently protect your organization from cyber threats, it's time you met Tanium, t a n i u m to learn more, visit

I'm sure you've heard about all the buzz. There's been a lot of buzz about Tanium over the last year, really, a, a, a disruptor in this space. You need to learn more. This may be the perfect thing for you. In fact, I bet it is. Tanium.Com/Twit. Please use the slash twi so they know you heard it here. That way Steve gets credit. This is the only place you'll hear it. Tanium.Com/Twit. All right. I think the calendar, the clock on the wall, the atomic clock says it's time for our picture of the week, Steve. So we've actually shoved this one before, but I ran across it again and I thought, this is just, just so good. Sometimes things are just so clever. And this is not a Photoshop, I own both these books. Yep, I do too. Yep. So, on the left we have a Riley's official Bible, JavaScript, the Definitive Guide, and it's got a big rhino on the cover.

And it looks like maybe it's about three inches tall. I mean, this is like, it's, there's, it's, you could use it as a door stop. You could yes, it would, you could you, you could use it to keep your car from rolling down the hill. Yes, yes, you could. Okay. And on the right we have also from O'Reilly written by Douglas Crawford who's a you know, renowned JavaScript person. This one's got a butterfly on the cover and it says JavaScript colon, the Good Parts. There's not many <laugh>, and it's, that's about takeaway on that, about maybe a quarter inch thick. Yeah. So just, you know, just so much smaller than the the definitive God. Anyway, I just, I just, you know, as a visual joke, that's a great one. And it's true. I mean, that's, those are the books. Yeah.

Hmm. Okay, so last Pass Aftermath. And for those of you who are no longer using Last Pass, who moved away from it a year ago, blah, blah, blah, you know, you may think that some of this doesn't interest you, but we've got, as I said, last past aftermath and there actually will be some math later in this podcast, but there'll be no test on it, so you don't have to worry about taking notes. But there will be something for everyone here. Okay. At the top of the news for our listeners this week is that my call for the creation of a last pass vault de obfuscate, you know, I called, it's not a decryptor, cuz we can't decrypt the vault easily, but they, as we know, a lot of the non-encrypted information was obfuscated. It was, you know, just converted into hex, which you, you ha you you should do when you're moving stuff across the internet.

 Which, you know, many of, of the areas of the internet still don't support. Or maybe that's not true anymore, but everyone still does it eight bit bites. So like seven bit characters is the reason that that weird things have to be converted. And also, if you're using XML where, for example, you've got angle bracketed starting and ending formatting stuff, well if you're, if the content of what you're sending had an angle bracket in it, that would foul up the XML parser. So I asked our listeners, I said, I'm sure there's a bunch of coders out here. Let's see if somebody by the this time next week, which is today can come up with something. So, wow. They, they responded too. Sure enough, I got a whole bunch of people, did a bunch of different things. His ever listeners produced JavaScript solutions. Paul Holder, who I know you know, from Love Paul, he's a, he's a Java guy, not JavaScript.

He's a Java guy. Yes. Yeah, exactly. And in fact, he wrote a portable solution in Java. Several others wrote solutions in cc plus plus and C Sharp <laugh>, you know, and I was sure that would be the case. We got some real coders out there. That's great. Yeah, that's great. Okay. But the solution, which surprised me it really captured my attention, was both the smallest of all by far and the most powerful. It was implemented as a Windows PowerShell script. Oh, interesting. Yeah. And, and having seen what now, what Powershells scripting language can do with its full access to language, it's clear to me that I'm gonna need to make some time, I don't know, someday to take a much closer look at it. It's sort of amazing what has quietly been happening over there. I've got a picture of the, of this little PowerShell script, which I guess you would call an app, even though it's a script, you know, I mean Pearl or this technically a scripting language, but you make apps with it.

 So we have a solution that I'll explain in detail in a moment and it is this Week's Security Now podcast, 9 0 5 shortcut. So e everyone can get the PowerShell script by going to 9 0 5. And when you've hit enter, that'll present you with a zip file. Well anyway, I'll explain all that in a second. So the way we got here is almost as interesting as what we got. And I confess that it would've never occurred to me. It began with a Twitter DM from a listener named Rob Woodruff. Rob tweeted to me, he said, alright, Steve, you asked and I delivered, I wrote a PowerShell script to parse the XML file that is your last pass vault, identify any values encrypted with E C B rather than cbc and to code the URLs from HS to aki. I chose PowerShell so that it will run on any modern Windows computer.

It's not fancy, but it appears to work. Now, he's not actually talking about this at the moment, not fancy, but it appears to work. You'll need to specify the in file out file and format parameters on the command line. None of that's still true, or it will prompt you for them. In file is the path and file name of the XML file. Your last pass vault out file is the path and file name of the output file. He says format is the format of the output file, either csv, you know, com, separated values or HTML anyway. And then, then he sent me a link, you can download it here. And he sent me a Dropbox link. Okay. So that was Rob's first of what ended up being many messages between the two of us. And that's, as I said, far from where we ended up about four hours later.

This was on Friday evening. He followed up, he said, this version of the script has a gooey, and then he sent me a Dropbox link. You know, so a graphical user interface. Upon seeing this, as I said, I I, I thought, okay, I'm gonna have to pay more attention to PowerShell. So I replied, holy crap, Rob, you're a PowerShell wizard. I'll check this out tomorrow. Thank you so much. To which Rob replied, my pleasure, Steve. I really enjoyed the process. First time doing a gooey in PowerShell. Not sure I can claim the title of wizard though. I had chat. G p t do most of the heavy lifting.

 And he said, speaking of which, if you haven't played around with it, <laugh> heavy chat, G P T is a PowerShell wizard. <Laugh>, he said, speaking of which, if you haven't played around with it, meaning chat G p T, you must, it will blow your mind. Okay, now, I mean, mind blown. I said, okay, being unsure whether Rob might be pulling my leg. I wrote back, I said, Rob, are you not kidding? Did Chad g p t really have a hand in that? I mean, this was like a funk, a functioning app with graphical user interface. And he said, Steve, I'm not kidding Chad, g p t is supposedly fluent in every written language, including programming languages. I told it in English what I wanted to do, and it's spat out out PowerShell code. Well, more than that, it's apparently familiar with the last pass XML form <laugh>.

He said, it's not perfect, of course. And I spent a lot of time debugging the hex to ask e conversion. Ultimately, I ended up using a code snippet for the conversion that I found using Google, because chat G P t couldn't seem to figure it out. Similarly, when I asked chat G p T to add a gooey, it got most of it right on the first try, but it had two of the buttons being overlapped by text fields. Well, boohoo, you know, g you know, fine. Thank you. Wait a minute, jet G p D does Gooeys too. Wow. Yes, yes. He's power show shall no less. Wow. So I, yes, yes. This thing is 12 K Leo, that thing that you saw is a 12 K script. Okay. So he said, so I had to it, yes. I had to adjust the positioning of the elements manually.

He said, overall though, it saved me a lot of time. I probably wouldn't have even tried to tackle this project without chat G p T. Okay. So we've clearly entered a very different world. You know, what Rob explained is consistent with everything we've heard about chat, d Chat, chat, G p T, it's not yet perfect, but it's very good. And it can typically get you, you know, 95% of the way there. And then yeah, you need to go in and fix the things it got wrong, but, wow. So anyway, I thought that, that, you know, that was just very cool. I then worked with Rob through Friday evening and through the weekend to Polish and perfect this little 12 K gem to ready it for today's podcast. Remember that being a script, it's entirely open source and therefore readily verifiable. And remember from last week that the key to obtaining the last pass vault is using the developer features of any browser that's currently logged into last pass.

Though this part is still a bit inconvenient, there's no way around that without a huge amount of work to recreate everything that a browser does. And actually, as I was putting this together, the putting the show notes together last night, I thought, huh, maybe we just asked chat g p t to write us a browser anyway. Or, or spin rate, maybe <laugh>. No, actually somebody did. So I, I, I received a, a DM from someone who said how would you write spin? Right? And it gave a complete description of, of how to do that. Wow. Not assembly code, just the description. No, it, it, it didn't do any, it didn't write any code, but it explained all the well understood what it would be spin Right. Does. Which is interesting. Yes. Yeah. Yes. I'm sure it went out there and like, found out what's been right was and said, okay, here's how, how you'd, we are, we are in an interesting time, I have to say.

Oh, it is it is a really, yeah, we're right on the cusp of something. Not sure how good it's gonna be, but <laugh> we'll see. Okay, so <laugh>, I know. Well, it's gonna change the world, right? Yeah. I mean, ki kids, kids are gonna grow up in a different world than we did. And of course, old fogies are all like, when I was a kid, or you had to actually use a pencil and sharpen it. But, you know, <laugh> <laugh>, yeah, I say that all the time. I know how that is there. So, so it's necessary to still involve the, the developer console of the browser. Okay. So just to, to, I want to give people the, the instructions they need especially those not familiar with running a PowerShell script. So first grab the PowerShell script that Rob wrote from my server. I I'm hosting it, although he also has it on GitHub.

And there's an update button on his gooey that'll take you over to his, his page on GitHub, in case you know it, it goes through some revisions. But as I said, 9 0 5, that will return a tiny zip file containing a one file titled analyze hyphen LastPass one. That's the PowerShell script. And as we've learned on this podcast, encapsulating the script in a zip prevents windows from tagging the script inside the zip with the dreaded mark of the web. So you don't need to see the warning about the dangers of using something that's been downloaded from the internet. As a very useful security measure, windows will no longer run unsigned PowerShell scripts. And before this all began, I didn't even know you could sign a PowerShell script, but turns out you can. And I did. So since I didn't want anyone to be put off by that.

I mean, you know, you, it gives you all kinds of scary warnings and things, and you can say, yeah, run it. Anyway. and since signing also does a useful verification that nothing has been altered, I signed Rob's final script with GRCs EV code signing Cert. So Windows will see that it's been signed and it will run it all without complaint. So after downloading it, launch a PowerShell prompt with window, you know, from, from the Windows menu, or you can just type PowerShell into the search box and it'll, it'll get you there. This does not need to be run with elevated admin privileges. So anyone should be able to do this. Start the script by entering, and this is odd and, you know, reminiscent of Linux, you need to say dot slash and then analyze hyphen LastPass vault PS one. In order to, to get it to go, that's just, and then say, execute it from this directory Exactly.

From the current directory. Don't, don't, don't go looking around for it. Yeah, it's not in the path. Then oh, anyway, so and so press enter. The Analyzed LastPass vault app will be displayed on your desktop. You'll find complete instructions there in the app itself, right there in, in the UI for proceeding. So you can likely race off on your own without the rest of this. But I, I, you know, I can provide a little bit of additional background for clarification with Rob's app running. Switch to the browser and log into LastPass so that you're looking at your vault like, you know, many people did last week when we first talked about the way to grab your vault, press the F 12 key or control shift I, which toggles the developer mode. And so that will, that'll suddenly subdivide your screen vertically into the browser on the left and the, the developer stuff over on the right.

Then select the console tab in the developer window. And things may be like scrolling like crazy, wait for them to settle down. That'll eventually stop. Once you have a cursor flashing there at the bottom, you are ready to make this as easy as possible. We built in the three lines of JavaScript code that needs to be dropped into the browser at this point. So you just press copy query button in Rob's app, which places those three lines onto the system's clipboard. So then bring the browser to the foreground so that it has the system focus and hit control v, you know, to paste those three lines in. Enter the browser and you'll see them appear there after, after the cursor. Then press enter to execute the query, and the page will fill with XML expressions. That's your encrypted LastPass vault, as I described last week.

Down at the very bottom of the screen will be the options to display more of the, of the text that was cut off, cuz it's way longer than Will fit on the screen. Also to copy the entire query results to the systems clipboard. That's what you want. So click on copy now switch back to Rob's app and click the paste button that will paste the clip the captured clipboard directly into Rob's app without needing to go through the intermediate step of saving it to a file. And note that if last week you had already copied your X M L format vault out of a browser and you know, may have terminated your account with last pass, you can also provide Rob's app with that file name to load and then process. Okay, so with the vault made available to the app, either by pasting it or opening a file, specify an output file name to receive the de obfuscated data and choose the output format either CSV or H T M L.

 The CSV format will ideally require something in your system for viewing it like Excel. I like the HTML format since your browser and we all have a browser, we'll happily display that. So set the file name ending in either CSV or HTML as needed and finished by clicking Analyze the file will be written and the, then the resulting file will be launched for display by whatever handler the, you know, your system has registered for handling that type of file. And as I said, if you exported H T M L, the results will be displayed in a nicely formatted scrollable window with one line per login record. Actually, same thing for C S V. So Rob's app displays an okay on the far left if the encrypted account information was encrypted using the better c BBC cipher mode. And I'll we'll review that a again a little bit in a second.

If the records encrypted information was encrypted with the suboptimal information leaking ECB cipher mode, you'll see the message warning encrypted with e ECB next on the line. And likely most interesting to everyone will be the D obfuscated U R L that's associated with the website's encrypted log on record taken as a whole. These are all the sites for which last passes vault contained your log on information. And it's notable that the vault does not appear to contain the user's unencrypted email address to associate who they are with the vault, nor is there any indication of the number there of pbk DF two iterations that were being used to obtain the vault's decryption key from the user's email address and password. That information is necessary to run the, you know, password based key derivation function to decrypt the key, which is used to decrypt the vault.

Otherwise it requires brute force. So it must be that it's provided to the user's client through another query other than the one we just used in order to get the, the, the vault bulk content. But last passes infamous December 22nd breach update. You know, in, in that they said, quote, the threat actor copied information from backup that contained basic customer account information and related metadata, including company names, end user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. So, you know, to that, we can now add everything that Rob's LastPass vault analyzer makes crystal clear given the amount of effort that will generally be required. And we have a bracing update on that coming up next to brute force. The decryption of the encrypted information in even one last pass vault, coupled with the fact that tens of millions of LastPass user vaults were obtained en mass.

That direct threat of decryption for a single individual, unless directly targeted, would seem to be very small, but assuming there's, but because they have the meditated, they it's easier for them to target somebody, don't you think? Correct. Well, yes. And like if you had the log to the strategic air command's missile control center in your LastPass vault, you'd be highly motivated. <Laugh> people would wanna get into it, right? Yes. They're gonna have to pick and choose. Obviously they're not gonna decrypt all, why would they? Correct? Yeah. But assuming that it's possible for the bad guys to associate company names, end user names, physical addresses, email addresses, telephone numbers, and IP addresses with specific vaults. And that must be possible because last pass has to do it. And this is the information that they lost. Yeah, it's the metadata that they didn't encrypt. E Yes. Even without any decryption, what you get is a comprehensive dump of exactly who logs on exactly where.

Right? And if you scroll horizontally all the way to the right of Rob's H T M L output, there's also a last touched field. Oh geez. Conta containing a time code that shows when the last log on at that domain occurred. Oh my God. So even without the use of any brute force decryption of the vaults encrypted contents, this represents at best a significant privacy compromise. Yes. For every last pass user and, and last pass user could have, there was no technical reason they didn't encrypt that data they could have. Yes. other password managers do. Yes. Well, I, so I will, I did a test. I was wondering why they didn't encrypt the URLs. So I thought, well, maybe if I'm not logged in so that my vault is encrypted, right? If I'm not logged into last pass, so I have no vault present.

Yeah. maybe last pass doesn't add the little last pass highlights to the username and password field if it knows it doesn't have the ability to fill that in cares. So I thought, okay, <laugh>, and it turns out Bit Warden does not do that. A lot of password images don't. I think that's a silly little JavaScript feature. Go ahead. Turns out what, so it, it turns out that's not the case. Oh. Which is to say no, no, it, it, it, it, which is to say last pass always puts that it's always there. All of the user name and password fields. So I was trying to give them the benefit of the doubt saying, well, maybe they're being smart about where the user, you know, where it knows the user has the ability to log in. No. So I, so Leo, I can find no rationale. We're not saying that they should encrypt it with AEs 2 56 in your vault, but they should probably hash it.

 So that it, I mean, it shouldn't be plain text in your metadata in the vault. A lot of this I see no re I, I I don't, I don't yet. There's no benefit to do it. I don't yet see a reason for them doing it. And I tried one idea. Yeah, but that wasn't it. And you could see why. So there, there is already a class action lawsuit and the guy who started it claims, and we haven't verified this, but claims that he lost $53,000 in cryptocurrency. You could see why this is important. If you're gonna attack somebody, find somebody maybe who has a shared crypto wallet on Coinbase. So, you know, that kind of information is being leaked. It gives you prioritized a way to prioritize which faults you go after. Oh wait, honey, there is way more traffic <laugh>. Oh no, it means perfectly possible.

We don't know that there is somebody right now running, you know, his old Bitcoin mining apparatus cuz he doesn't have any use for that anymore against all of the vaults and just the first ones that come out of the ones he's gonna use. Right. Cuz they have bad passwords or whatever. Okay. Or they're pbk DF two is 500. One last note before we look at what's been learned from a week of feedback from our listeners which as I said is a little bit bracing Oh boy. If executing Rob's PowerShell script produces errors, rather than the presentation of a nice graphical interface as it initially did for me on my Windows seven machine, I wanted to note that it's possible to update any Windows PowerShell support, even Windows seven to the latest version 5.1. Microsoft wants you to have it. So I have a link for that at the bottom of page four of the show notes that will help anyone update their PowerShell script just in case you get an error.

Okay? So next what more do we know this week that we didn't know last week after our listeners had the chance to understand and peruse their LastPass settings? We don't yet have any good sense for whether or the degree to which encrypted content was allowed to remain encrypted under the less desirable E C B cipher mode. I expect feedback from the use of Rob's analyzer to fill a lot of that information for, you know, to fill in a lot of that information for us next week. So I'd appreciate knowing when and how many E c b warnings, if any, are seen by our listeners. I didn't have any e CB encryption in my vault, even though I'm sure that I had login credentials dating from my first use of last pass. Rob reported that his vault contained one e EC B encrypted entry. This would be a really old password, right?

I mean, yeah, well I had really old ones too. So it's this, we don't know what the, we don't know what the, we don't timeframe was of we're having, we're having to sort of, we're having to reverse engineer again. This is something we need to know and last pass is not and forthcoming with. Yep. Yeah. Okay. But the E ECB versus CBC issue is not that much of a big deal. I don't, I don't want to overstate that. Since A E S E C B electronic code book being based upon the a e s cipher has a block, has a cipher block size of 128 bits, sets of 16 eight bit characters, thus forming a block of 1 28 bits are encrypted from that pattern of 1 28 bits into a different pattern of 1 28 bits. That's encryption. So this means that every instance of the same password will encrypt into the same pattern of 1 28 bits.

As I noted last week. The presence of password reuse would therefore be obvious just by in inspecting a user's encrypted vault without the need for any decryption by compar comparison. A E S C B C Cipher blockchaining uses both the encryption key, which would not change from one password to the next, and also a random initialization vector. You know, think of it like salting a hash. It is different for every password. So this would completely obscure the presence of any identical passwords. Otherwise, I really can't see any reason for you for preferring one over the other. But that's a good reason. That's a big one. Yeah. Because now the guy, again, we're we're talking about triaging the vaults. Yep. You could, you could look at a vault, say look at that 400 reused passwords without decrypting and that's so big deal. So we're gonna likely learn by this time next week we'll have, we'll have feedback from our listeners who have used Rob's tool.

We'll know how much EC B is still around. Okay. Now Leo, are you centered over your ball? Oh, <laugh>. Oh no. <Laugh>. Now what? <Laugh> Oh no. Okay. By far mm-hmm. <Affirmative>, the most worrisome fact that was revealed when our listeners checked the settings of their last pass vaults was the degree to which many, and I do mean many of their password iteration settings were found to be below the 100,100 iterations mark. Hmm. And in a revelation that I'm still trying to get my head around, I heard from many listeners whose pbk DF two iteration count was set to one what? Yes. <laugh> one. And thus the title of today's podcast, 1, 1 1. Many people have an iteration of one, which is to say, why bother? What does that mean? It mean you could, I mean, you still have to re you a hash cannot be reversed, but you could use rain rainbow tables easily here.

 No, because it is salted. So I I I've got all the, I've got all the math here. We're gonna understand what this means. Oh, good. Okay. Good. So I, I also received many reports of iterations still being set to 500. Yeah. And many set to 5,000. 5,000 was the default for many years. 5,000. It was up until five years ago. Yeah. It was 5,000. That's when it changed to the, the 100,100. And as we mentioned, and I asked the tech guys on Sunday, the o OSP recommendation is 300,000. Yes. And probably not adequate. And we'll be talking about that in a second. <Laugh> maybe even should be higher. Yeah. I'm thinking 1, 2, 3, 4, 5, 6, 7 would be a good number. That's 1,000,200 and 30 house 4,000 you know, 500. And of course, the reason you don't use larger ones cause it's slower on a, on a, especially a mobile device.

Yeah. Turns out as unless you're being powered by a hamster <laugh> you're probably, you can do millions. Okay. Okay. That's good to know. Yeah. Okay. So at, at first you might think that anyone whose iteration setting was one should be about a hundred thousand times more concerned than someone using the new default of 100,100. But it's actually quite a bit worse than that because that 100,000 to one simple math that it, it assumes that vaults were being selected at random for attack, which would probably not be true. Right. We need to assume that the attackers obtained every user's account metadata, including their vault's iteration counts. Oh, that's in the metadata. It is obviously, yes. That's how people has be because last pass ha last pass has to have that they need to know, okay. Those counts need to be recorded somewhere because no one's vault could be decrypted without knowledge of the count.

Okay. And the count is not particularly sensitive information. Right. Unless it's one <laugh> and last pass. Oh God would've bad. Oh Leo, it's so bad. Oh my god. Last pass would've backed it up since the loss of that, the iteration count data would've been even worse than the loss of the vault backups themselves. Cuz it would've made them worthless. So assuming that the attackers obtained the iteration counts for every last pass user, as they probably did from the last pass as backup, if opportunistic brute force decryption of user accounts was their intent, it would be a reasonable strategy for the attackers to start with those LastPass users whose counts were won <laugh>. Why would they not? Actually, this would be a good use for a PowerShell script to triage the millions of vaults you have looking for low iteration counts and perhaps maybe some custodial Bitcoin wallets or, you know, things, Leo things that you really want.

Just ask Chad g p t <laugh>. They'll do it or she'll do it or it'll do it. Yeah. So which one should I crack first? Jet? yeah, unfortunately there's a well-known expression to describe the situation in which all of those LastPass users who at the time of this breach had their last pass password iteration counts set to one. And that expression is low hanging fruit. Do we have a theory how somebody could have one? It was never the default. Yes, it was what Yes. In the earliest days of last pass, one was the default for the first four years from 2008 to 2012. Oh, I realize one, one a a salted hash was considered strong enough. That's enough. That's, and of course, one iteration. That's, that's what it was when I looked at it and I said, this is fine. You know? Yeah. You need to salt, you need, you can't just hash glass salted need to salt your hash.

You said that many times. And so Yeah, there was no problem. Okay. So last week we did not look deeply into the actual performance of today's G P U enhanced password cracking. This week we need to get a sense of scale current estimates of G P U hardware, enhanced password cracking places the time required to crack a 100,100 iteration PBK DF two protected password where that password has high entropy of 50 bits at 200 years. So one G P U 100,100 iterations high entropy password 200 years. But since G P U use scales linearly dividing that cracking task among 200 GPUs Yes. One year, which is, which is now quite mature cracking technology. Sure. Could crack the same password having 50 bits of entropy in one year. Okay. So one GPU 200 years, 200 GPUs one year. But I also note that studies have shown, Wikipedias says it too, they agree that most practical passwords have an entropy of around 40 bits.

A lower entropy, because you have to remember it, they're not truly random. Yes. It turns out that it's difficult to actually get 50. Yeah. So, okay, we'll get back to what lowers true entropy in a second. Okay. But having 40 bits of entropy is approximately one hun is approximately 40 versus 50. 40 is approximately 1000 times weaker Oh than 50 bits. Oh, that's a problem. Because bit strength scales exponentially. Oh boy. In, in other words, random bits are worth a lot because each additional truly random bit on average doubles the time required to crack. So the difference between 40 bits and 50 bits is 10 bits. Two to the power of 10 is 10 24. Thus a thousand times weaker. Okay. So if we assume that our attackers will have the use of 200 GPUs, which in this era of GPU laden cryptocurrency mining rigs seems entirely reasonable, cracking a typical password, having 40 bits of actual entropy would require 71.338 days.

Yikes. If that, if that password was protected by 100,100 iterations of PBK DF two. Okay. Just to restate that, because this is an important benchmark. A typical strength password, 100,100 iterations of key derivation that's attacked by a 200 G P U password cracking rig would fall against that attack in an average of 71.338 days. So if you're thinking that all of those 100,100 iterations might still not be providing you with sufficient protection, you're probably not entirely wrong. Hmm. Using 1 million iterations would be 10 times stronger. Bringing us to 713 days. Just shy of two years. Eh, that seems much safer. Okay. But the very bad news is it for all those whose last pass iteration count was for whatever reason discovered to still be set to one. And there were many such people who reported that this past week. And those are our listeners. Those are, yes.

Those are not in unsophisticated people. Those are hard listeners. Yes. Yes. Those same 200 GPUs could crack that same 40 bit entropy password in an average of 61.56 seconds a minute or just over one minute per single iteration password crack. Wow. Given that it appears to be the height of negligence, if not bordering on criminality, that for some reason, for whatever reason, many listeners of this podcast, and I'm sure a great many more non listeners have no effective protection. Sad. This is the most loyal LastPass users, the ones who started using it in the very earliest days, which by the way is probably you and me. Yeah, yeah. Fortunately you and I moved to a hundred thousand we did five years ago when we when we talked about this. Yep. Yep. They have no effective protection from the cracking of their last pass vaults and the resulting disclosure of every single one of their website log on credentials, their credit cards.

And as you mentioned before, any other confidential documents and personal papers that were stored for them by last pass. Okay. Now, not one of these many people told me that last pass had reached out to them to explain that due to their effectively non-existent password encryption, they are at heightened risk following the data breach. And that they should immediately rotate all their login credentials being managed by LastPass and assume that any information stored in their LastPass vault had been compromised. As far as I know, that has not happened and it certainly should have. Last pass knows everyone's iteration counts and now so do the criminals who stole them last pass somehow failed to update those iteration counts for a decade after the default was raised from 100 to 500 in June of 2012. And they have not immediately and proactively assumed responsibility for that by informing their users whose iteration counts were dangerously low in many cases set to one that unfortunately they should now assume that the encrypted content of their LastPass vaults is now in the hands of criminals.

The industry at large has been grumbling about last pass not being forthcoming about the details of the breach, but we now have all the information we need to assess. Last passes culpability. A couple of weeks ago when I was first uploading updating myself on last passes client settings over the holidays, I changed my iteration count from 100,100 where thank goodness it was still set after we talked about this five years ago to 350,000 as is now recommended by O osp. That change of my iteration count took, oh, perhaps five seconds. I had to provide my last pass master password again so that the last pass client could rehash that password under the new iteration count. And that was it. This could and should have been automated since its first increase from one to 500 back in 2008. No user should have been allowed to set a dangerously low iteration count. And every LastPass client, which must know its user's iteration count in order to function, should have taken proactive responsibility for continually bumping it up every five years or so to whatever is currently considered safe. So the most startling and deeply disturbing news I received throughout last week was not only that many of our listeners iteration counts were still 5,000 or, and many, even 500, but that many discovered that theirs was still set to one.

I am a 67 year old lifelong entrepreneur and businessman. And you would have a difficult time finding anyone who is more deeply opposed to frivolously turning attorneys loose on each other. It's one thing to fight over an ongoing contract dispute in order to reach a resolution that makes sense to me. When the parties cannot negotiate an accord in the absence of objective judgment, but attacking an entity after the fact for something that was done, which I'm sure they now regret, still leaves a bad taste in my mouth. On the other hand, if a lawsuit were to be brought against last pass, not because they made a mistake that upset their customers, but over actual provable damages arising from reliance upon last passes assertion of the safety of vault data, then I would not consider that to be unwarranted ambulance chasing. There's no way to paint the presence of an iteration count of one used for the derivation of a last pass vault decryption key as anything other than a critically debilitating product defect.

And for that, if actual damage results last pass could be and I think should be held wholly responsible. So I should point out that all the password, major password manage managers, including our sponsor bit warden last pass use pbk D or one password use PBK DF two. So I just went into my bit warden and set my pbk DF two. It's in the security keys section of your settings. I said it to 2 million. Good. if and if everything, and of course what I'm gonna do is see if anything got really, really slow. I bet it didn't. Frankly, the processor on my iPhone's better than the processor on this Lenovo <laugh>. But assuming that everything's usable slow but not too slow, I'm gonna keep it at a high number. And so that's a warning that others should also do this.

Right. Doesn't just, it's not a last pass only problem. The bit warden default is a hundred thousand. But it should be, let's set it higher, right. Well, after we take a break Okay. We're gonna talk about the, the true strength of our passwords. Okay. Especially since I probably my masterpass password prob in all likelihood has is might not be 40 bits of entropy. <Laugh> might be a little bit less as probably it is for a lot of people cuz you have to memorize it, right? Yep, exactly. So I use, you know, a pass phrase and some numbers and stuff, but I bet you that's certainly not fully random. That's for sure. That's our next, that's our next topic. Oh good. You are so good. You anticipate everything. Get the show notes, cuz there's a lot of information in there. You should always get 'em.

Anyway. When you get the the show I'm wondering if we should push it out in the RSS feed too. We can do that. Push a PDF of the show notes along with the show. Would you have any objection to that? No. No. I'm thinking maybe we should start doing that cuz they're so valuable. I don't know. Listeners let us know if you, you know, I mean a lot of people would get it. We go, what did I get? I don't want it. But I think it would be valuable. Anyway, let's talk about our sponsor then. Back to the show. We go the show today is sponsored by dda. If you wanna live life at DDA speed, you need daadada is, well, let's put it this way. It's to help you collect the data for your compliance needs, right?

I think a lot of organizations are still doing this manually. And if your organization is having trouble achieving continuous compliance, especially as you grow and you scale, it could well be that manual evidence collection is really not ideal. Draw as a leader in cloud compliance software, G2 says it is, right, they streamline your SOC two, your ISO 27 0 0 1, your PCI D s s, your G D P R, your HIPAA and other compliance frameworks so that you get automatically 24 hour continuous control monitoring. You focus on the stuff that matters. Scaling securely. Let DRA keep you compliant with a suite of more than 75 integrations. Strada easily integrates with your tech stack through applications like aws, Azure, GitHub, Okta, CloudFlare, countless security professionals or companies like Lemonade and Notion and Bamboo HR have shared how crucial it has been to have dorada as a secure and trusted partner in the compliance process.

DDA is personally backed by S V C I. That's the reason I mention that is because S V C I is a syndicate of ciso, angel investors security experts from some of the world's most influential companies who know how important this is. DRA allows companies to see all their controls and easily map them to compliance frameworks. So you gain immediate insight into overlap. If you've got it, you can start building a solid security posture. You can achieve and maintain compliance and you can expand your security assurance efforts all with less effort. Draas automated dynamic policy templates support companies new to compliance and help alleviate hours of manual labor. If you think about it, the words manual and security don't really go together. The integrated security and awareness training program, they offer automated reminders ensure a smooth employee onboarding. They're the only player in the industry to build on a private database organ architecture.

That's, that's really important. It means your data can never be accessed by anyone outside your organization. That's what we're talking about today. On the show, all customers receive a team of compliance experts, including a designated customer success manager cuz they know your success means their success. In addition, they've got a, this is great, a team of former auditors, people with lots of expertise, more than 500 Audi audits between them. They're available for support and council. And you could say, Hey, what about this? What about that? These are, these are people who enforce the rules with a consistent meeting. Cadence DDA keeps you on track to ensure there are no surprises, no barriers. Oh and Jada's pre-audit calls are great cuz they'll prepare you for when the audits begin. It's nice to have that confidence going in with's risk management solution. You can manage end-to-end risk assessment and treatment workflows.

You can flag risks, you can score 'em, you can decide whether to accept, mitigate, transfer, or avoid them. Drta maps appropriate controls to risks which simplifies risk management and automates the process. And Strata's Trust Center provides real-time transparency into security. Security and compliance posture, which improves sales security reviews, gives you better relationships with your customers, your partners, cuz they know you're doing it right. Say goodbye to manual evidence collection. Say hello to Automated compliance by visiting DRA ratta, D r A T w i tada. Bring an automation to compliance. Atta speed. D r a Get a demo, get 10% off. Go there right now. Dda.Com/Twit. We thank 'em so much for supporting security now and remind you as always, you support the show too when you use that url, especially the slash twit part cuz then they know Oh yeah, oh yeah, they heard about it on Steve.

Oh my. Back to all the nasty <laugh>. I am centered on my ball ball as we continue <laugh>. Okay, so I wanna amplify something I touched on both last week and this week. I mentioned that an increase in iteration count provided a linear increase in strength, whereas the increase in strength provided by adding bits is exponential. I want to be certain that everyone fully appreciates the implications of that. A few weeks ago when I increased my last passes client's iteration count from 100,100 to 350,000. That gave me an increase of 3.497. So about three and a half times, but not, you know, not four times. But if I had increased my passwords entropy by just two bits, that would've been a full factor of four increase in cracking resistance. True entropy is quite difficult to calculate because few of us are using, you know, very few of us are using a chunk of text from GRCs perfect passwords page for our master password, since those are impossible to remember.

So we have the situation that a single character's true entropy is difficult to calculate if any character in a password is related to any other character in that password in any meaningful way other than having been chosen purely at random. You know, in other words, if there's any reason for a character to be what it is rather than something else. So then if I use characters a passphrase for instance, yes, because those then those characters are logically related by English grammar to one another. Yes. That then that character's contribution to the true entropy of the whole is reduced. You know, its contribution of entropy would be significantly less than it would otherwise be because it's not random. So it, you know Right. It's not I have e except for foresee or whatever it's, yeah. So this is why the first thing that password guessing crackers do is use dictionary words Yep.

In various ways and base their attacks upon the frequency of characters occurring in the natural languages of the passwords. User E T A I O N S H R D L U. Yep. Those attacks model the lack of entropy that many users employ when they're choosing their passwords. Yeah. I gotta go change my password, I'll be back. So <laugh>, so what's, what's the idealized potential entropy of a single character? You know, in a bite oriented system, a single character typically occupies eight bits. So we might be inclined to say eight bits, but asy only uses the lower seven of those eight bits. So assuming a non unicode standard asy character set, there are total of 95 printable standard characters available. If you use upper and lowercase alphabetic, the 10 numeric digits and all the other special characters, that gets you to 95. So here's the point.

I want to drive home increasing my iteration count from 100,100 to 350,000. Yielded that, you know, just shy of three and a half times increase in password busting protection, you know, 3.497, but just adding one single randomly chosen additional character to the end of a password increases the resulting passwords, anti-fracking strength by 95 times 95. This is the password haystacks stuff you told us about years ago. Yes, exactly. And so this is why when it comes to passwords, size does matter. You get far more attack protection by using even slightly longer passwords where strength increases exponentially with length than you do by increasing iteration counts where strength only increases linearly. Okay, so I have a, there were a bunch of interesting bits of feedback and questions from our listeners. I'm going to continue talking about some of these things, using them as the prompting via a dm.

I received the note someone posted. I have a corporate last pass account and a personal pro account. The personal account was updated to a hundred K iterations, but the corporate account was still at just 5k. My personal account is still exposed though, because I took advantage of the ability to share passwords between my personal and corporate accounts to reduce the number of logins. I assume that if they crack the corporate, they would have the personal. Anyway. Good news. My password has more than 25 random characters derived from your perfect passwords. The bad news is that it is so long and random that I use the same password for my corporate and personal LastPass accounts. Oh, that's not good. Well, 25 truly random characters chosen from the perfect passwords page as this user did, will have been selected from an alphabet of 95 possible characters.

So that's 95 times 95 times 95 and so on for a total of 25 times. That's 95 raised to the 25th power. I use the password haystacks page to quickly do the math and show me that the resulting password has 2.8 times 10 to the 49. Holy cow. Yeah, baby. But how do you memorize it? <Laugh>? No. You, yo you do, you don't. You you have that somewhere else. You write that somewhere. Okay. Yes, you, you, you, you keep that in your apple notepad and, and you know, copy and paste it. Oh lord. And importantly, all of those characters are all equally likely Oh, interesting to appear. Combinations. True entropy. Now, if we take the log base two of that number to determine the equivalent binary bit strength, we get 164.2. So in other words, it contains a little over 164 binary bits of true entropy.

Another way to look at that is that each character when truly chosen randomly from a set of 95 possible characters, contributes 6.57 bits of entropy, 6.57. In other words, this person has absolutely nothing to worry about. His password has slightly more than 164 bits of true entropy. It will never in many lifetimes be cracked by today's or even any projected technology of tomorrow. Remember, quantum computers won't help with this sort of symmetric crypto problem. They are of no use. Okay? But there's something else worth noting. Recall from last week that Mr. Grumpy pants what was his name? Oh, yeah. Jeremy Gosney. He noted that last passes vault encryption key was derived from only 128 bits of entropy. Okay? So now consider this crazy 25 character, totally random password, which has a bit more than 164 bits of entropy. If the attackers knew that and there's no way they could, but if they did, it would be far quicker to just forget about the users insane password.

An attempt to directly brute force the vault's encryption key itself, since it has only 128 bits of entropy, you know, and I have only in air quotes, because my point is that 128 bits already has so many possible combinations, 3.4 times 10 to the 38, that there's never any reason to go above that haystacks tells us that 20 characters chosen from that 95 character alphabet offers 3.6, two times 10 to the 39. Okay? Once again, 128 bits is 3.4 times 10 to the 38 20 random characters is 3.6 times 10 to the 39. So 10 times stronger than what 1 28 bits can do. Okay? So last word on this, in summary, do not use only 20 characters unless they are truly chosen from among all possible characters randomly. But if they are, there is no need or benefit gained from using anymore. 20 purely random characters from an alphabet of 95 is 10 times more than what you get from 128 bits.

And 128 bits is considered by the entire industry. All we need for now Dave wrote on security now episode 9 0 4. Steve asked for feedback on the current value of the last pass password iterations field. Mine was set to one. I have no idea how slash why it is one because I never changed it. Well, there's why. Needless to say, I have downloaded and installed Bit Warden, and I am changing the password on every site in my vault as rapidly as I can <laugh>. So yes, Dave has the right idea. He was typical of many of our listeners. And there's an example from among many of what our listeners discovered to their horror last week. And sadly it might be because he never changed it, that it remained set to one. As you said, Leo, the most loyal early adopters of Last Pass, they're the ones who are, you know, in a phrase, ft as we know, he should not have had to change it.

That should never have been his responsibility. But we're on the outside here looking in. We have no idea, you know, of the real story behind this iteration fiasco. But there is no way to forgive this from last pass. None. This is more than a mistake. This had to be someone's boneheaded decision with their acknowledgement of the importance of increasing the iteration count over time, evidenced by its default being jumped from one to 500 to 5,000 to 100,100. Someone must have made the decision not to bother bringing older existing iteration counts into compliance with current best practices. Someone must have decided that it would, I don't know, result in too much customer confusion and support calls. So let's just leave it wherever it is. And the galling thing is, it could have been done 100% transparently. I am no smarter than their crypto people. So they know this too.

When the user provides their email address and password to log into their client at that moment, the client has everything it needs to perform the upgrade transparently. Start iterating on pbk DF two, pause at the current iteration count and take a snapshot of the current key at that point. Then keep going to the new larger iteration count and take a snapshot of that new key. Now decrypt the vault with the current key, which was sampled midstream. Then re-encrypt the vault with the larger final iteration count key, and finally update the stored iteration count. Done. Totally transparent, no user confusion and a company as big as last pass. Now focused on the enterprise and everything for like, for reasons I can't possibly explain, never did that. I mean, not only is not everybody at a hundred thousand 100, there are people at 5,500. There are people that won and <laugh> change your passwords.

Hey everybody. Leo LaPorte here. I'm the founder and one of the hosts at the TWIT Podcast Network. I wanna talk to you a little bit about what we do here at twit because I think it's unique and I think for anybody who is bringing a product or a service to a tech audience, you need to know about what we do Here at twit, we've built an amazing audience of engaged, intelligent, affluent listeners who listen to us and trust us when we recommend a product. Our mission statement is twit, is to build a highly engaged community of tech enthusiasts. Well already you should be, your ears should be perking up at that because highly engaged is good for you. Tech enthusiasts, if that's who you're looking for, this is the place we do it by offering 'em the knowledge they need to understand and use technology in today's world.

And I hear from our audience all the time. Part of that knowledge comes from our advertisers. We are very careful. We pick advertisers with great products, great services with integrity and introduce them to our audience with authenticity and genuine enthusiasm. And that makes our host Red Ads different from anything else you can buy. We are literally bringing you to the attention of our audience and giving you a big fat endorsement. We like to create partnerships with trusted brands, brands who are in it for the long run, long-term partners that want to grow with us. And we have so many great success stories. Tim b Broome, who founded it Pro TV in 2013, started advertising with us on day one, has been with us ever since. He said, quote, we would not be where we are today without the TWIT network. I think the proof is in the pudding.

Advertisers like it Pro TV and Audible that have been with us for more than 10 years, they stick around because their ads work. And honestly, isn't that why you're buying advertising? You get a lot with Twit. We have a very full service attitude. We almost think of it as kind of artisanal advertising, boutique advertising. You'll get a full service continuity team, people who are on the phone with you, who are in touch with you, who support you from, with everything from copywriting to graphic design. So you are not alone in this. We embed our ads into the shows. They're not, they're not added later. They're part of the shows. In fact, often they're such a part of our shows that our other hosts will chime in on the ad saying, yeah, I love that. Or just the other day, <laugh>, one of our hosts said, man, I really gotta buy that <laugh>.

That's an additional benefit to you because you're hearing people, our audience trusts saying, yeah, that sounds great. We deliver always overdeliver on impressions. So you know, you're gonna get the impressions you expect. The ads are unique every time. We don't pre-record them and roll them in. We are genuinely doing those ads in the middle of the show. We'll give you great onboarding services, ad tech with pod sites that's free for direct clients. Gives you a lot of reporting, gives you a great idea of how well your ads are working. You'll get courtesy commercials. You actually can take our ads and share them across social media and landing pages. That really extends the reach. There are other free goodies too, including mentions in our weekly newsletter that sent to thousands of fans, engaged fans who really wanna see this stuff. We give you bonus ads and social media promotion too.

So if you want to be a long-term partner, introduce your product to a savvy engaged tech audience, visit Check out those testimonials. Mark McCreary is the c e o of authentic. You probably know him one of the biggest original podcast advertising companies. We've been with him for 16 years. Mark said the feedback from many advertisers over 16 years across a range of product categories, everything from razors to computers, is that if ads and podcasts are gonna work for a brand, they're gonna work on Twitch shows. I'm very proud of what we do because it's honest, it's got integrity, it's authentic, and it really is a great introduction to our audience of your brand. Our listeners are smart, they're engaged, they're tech savvy, they're dedicated to our network and that's one of the reasons we only work with high integrity partners that we've personally and thoroughly vetted.

I have absolute approval on everybody. If you've got a great product, I want to hear from you. Elevate your brand by reaching out, break out of the advertising norm. Grow your brand with host red ads on Visit TWI tv slash advertise for more details or you can email us, if you're ready to launch your campaign. Now, I can't wait to see your product, so give us a ring. Okay, David la Meyer. He said, hi Steve. Thanks for the effort E, excellent coverage of the last pass breach and its consequences in SN 9 0 4. I can confirm both your smooth experience transferring from last pass to bit Warden and Leo's note about bit warden having a lower size limit on secure notes than last passes. I had to delete two. He said, yeah, I'm sorry, had to delete one or two very large notes before I could successfully import my vault.

He said, thankfully they were obsolete. He said, I have one technical security question. Given a threat of rainbow tables, wouldn't it make sense for each individual account to have its own iteration value within a suitably secure range rather than a common default value? He says, which I realize can be changed, combining an unpredictable iteration count with salting. The hashing process should raise the work factor for the creation of rainbow tables as well as the comparison process by a considerable factor. Okay, now, I didn't mean to confuse things last week with my mention of the possibility of attacking known salt-free hashing schemes with pre computation attacks. My intention was to paint a history to remind us of where we've been and h how we got to where we are today. Everyone has always been protected from pre computation attacks by the inclusion of their email address as the salt for the P B K D F two function.

Joe Siegrist was doing this from day one with an iteration count of one. Unfortunately back in 2008. Joe was, you know, as I said, also iterating only once through P B K D F two. And now as we now know, for some unlucky souls that for whatever reason was never changed. Someone is also likely to ask if a user deliberately set their iteration count to one. What would happen if they didn't understand what that was about? You know, you know, like what if that happened? My answer to that would be that it should absolutely never have been allowed. Last pass would certainly not allow any user to leave their password blank. A low iteration count is effectively no different. Last pass was lifting the count over time, and that should have always been the minimum that any LastPass user client would accept as its count.

I received a question via email. Hello, about the last pass breach episode 9 0 4. The risk on passwords and metadata was explained very well. I wished the risk for files stored in last pass could be explained too. For example, copies of personal id, passports, driver's licenses. He said I can go through all my passwords and change them, but changing my real life documents will be much more difficult. I guess many other last pass users will have this problem too. Thanks, signed Boris. So Boris makes a great point. We didn't stop to consider much, you know, that we we're only talking about login credentials primarily, you know, but the many greater privacy dangers that might arise from having the contents of the last pass. Vaults, secure notes, storage compromised, depending upon what was in there, the damage from disclosure could be significant. Oh yeah, my social's in there, my driver's license, my passport, everything.

Yep. Full identity theft information. Abs Oh good lord. Yes. So I also received a bunch of these basically saying replying to AD S G G R C. I exported all my stuff to bit warden earlier tonight. The process couldn't have gone more smoothly up and running on both my laptop and phone. Yeah. So I was glad for that bit. Warden, I'll say it again, is a sponsor, but that's not, that has nothing to do with anything. I explained my, my rationale. We like it cause it, it's open sourced. There's all sorts of benefits incidentally. So I have changed my pbk DF two to 2 million as I said, which I think is as large as it can go. I don't, I'm, I guess there's no practical limit, but I've noticed now I've, because I also changed my password, so I look, got logged out everywhere that it only added a few seconds to loading the vault.

So, yep, a minor, minor amount of time. That's 2 million. That's, that's big. I also, one of the nice things about last pass, I changed my password cuz I want more entropy and I use password haystacks to pat it out and all that stuff. But they also give you the option risky though it might be, and they explain the risk of rotating your vault key. That's that 128 bit key of for your vault and you can do that as well. And I thought, you know, I've had this for a couple of years, maybe I should rotate that vault key too. So they really give you the options you need, I think, to, to make sure you're safe even if that vault guide filtrated. Yep. And I, I will have a request from for bit warden will get you here by the, by the end of the show.

I, I know some people so <laugh>. Okay, so via direct message, Steve, I listened to your podcast twice, but what I don't understand is I thought you said it would not matter if somebody had our blob of data because the keys only reside on our devices. So even if they had our master password, how would they crack into the blob without having the keys? Thanks for all you do. Okay, so if there was some confusion there, let me clear that up. The key that's required to decrypt the last pass vault key is derived only and completely from three pieces of information. The user's email address, the user's password and the iteration count. No other information is required. The only one of these three things that last pass and the attackers do not know is the user's password. They have their email address and iteration count.

So with an iteration count that's too low, it's quite feasible for a modern attacker to simply guess and test at ultra high speed all possible passwords until they find the right one also via direct message. Hi Steve. Do you think that having a non-standard number of iterations, let's say 1 6 8 4 2 9, makes that particular password not worth the effort to try to decipher? Since 95% of all passwords will have either 5,000 or 100,100 iterations. And this question came up often since each user's iteration count is known, making it non-standard will have no effect if the attackers have adopted, you know, that low hanging fruit first strategy, which is what seems by far the most likely way to reap the rewards of their score, they would sort the entire last pass vault backup database by iteration count and prioritize a attacks against all of those unlucky souls whose iteration count matches the title of this podcast.

From there, sorted by iteration count, they would proceed upward. And let's not forget that a significant amount of privacy related information is per, is immediately available since all of the URLs for the sites where we have stored our logins is in the clear. Someone named Zapper tweeted to me at SG G R C Steve being a longtime and very trusting listener, I have been a LastPass user on your recommendation. I will now migrate to bit warden. May I ask you to clarify the security risk if my last pass master password was 20 plus characters? Okay, this zapper question is also quite common, so I wanna reiterate that longer is always better, even much better and more random is also better because it increases true entropy. But as for 20 plus characters, if your password is truly 20 random characters, that's 131 bits of true entropy, which is absolutely secure.

So no need to go larger via dm. Last pass, he says I changed my 30 30 character master password, but I still feel uneasy. I started changing all passwords but have not migrated off of last pass yet. Any thoughts on ensuring last pass removes all vault info upon cancellation of user account? So that's a really good question. I think LastPass needs to affirmatively answer this question. If they don't have it already somewhere in, in their faq. This user is not talking about the consequences of the theft immediately, but rather the safety of remaining for a while, I guess with last pass a 30 character master password will be very, very, very secure. Even if it's the lowercase alphabet with one Ill in order a b c d e f g h i j k l m n a P, you know, and so forth with, you know, the digits 1, 2 34 scattered among the 26 letters somewhere to pat it out to 30.

The resulting hash from that conveys nothing of the passwords length. So no one attacking would have any idea how long the password is. This was the key message underlying password haystacks, no attacker would be trying any 30 character passwords. No, no. Having no idea how long the password is until they had exhausted all shorter passwords and that will never happen. So, you know, the reason we don't recommend somebody using like that 30 character password, like in a lot of different places is that we, we don't know that everyone is hashing it securely and storing it securely. And we've just had a big example of, you know, the largest password manager on the planet not storing things securely. So, you know, but using that one time in, in, in a situation where you know how the password is being managed, it's being deeply hashed with a high iteration count, that would be a perfectly acceptable password, but don't use that one.

 Skynet said, moved my vault to bit warden and set the P B K D F two iteration to 1 million on my iPhone 11 Pro max. It performs fine. 1 million iterations go big or go home, Steve. I went double that <laugh> Yep. And is fine. And I wrote it added a few seconds. That's all it adds and it only adds and how often you don't have to do it then often it only add the first time you download the password vault, correct? Yeah. So it's not, it's a minor boy and it feels a lot better. Yes, and I, and I got rid of the entropy instead of using a past phrase, which had English words in it. So the order of those letters was not completely random that followed English, no spelling rules. I used an a, a acronym. I used not an acronym a initialism.

So I used the first letters of a long phrase and that is an extra pay to padding with other stuff. Yep, so good. I feel like that's now there's still less randomness because there's, you know, there's some grammar to that sentence, but I don't, but again, length length matters. It's very long now it's 59. Nobody, I think it's not enough. Nobody will know what your length is. Yeah, nobody will know. So, oh, I just said it, nevermind, forget I said that by the way. That's one thing I do when I create passwords for, we should mention passwords for sites don't have these same issues in the mo in most cases. The difference here is somebody was able to download the vault and at their leisure brute force it. You don't have that leisure with a site unless the site gets breached and their password database gets captured and it's not properly encrypted and all that you don't, the same rules don't necessarily apply to individual passwords you're generating.

Although again, you know, it's, it's worth doing a long one if using a password manager. Well, and this, this is a perfect example of all your chickens in one basket, right? Yeah. I mean the, it's the master password, that's the and last password, that's the biggie. The only, the only password you need to remember. Well, well, uhhuh <affirmative>. And, but what I was gonna say is I vary up the length, length of passwords I use on sites. So I don't always use 19 characters. That's a setting in bit warden, but I mix it up so they don't even know that, which is helpful, right? Yeah. Yep. Yeah. So for ppk DF two, I don't see any reason for using an iteration count lower than a million. And as I said, I'd probably use 1, 2, 3, 4, 5, 6, 7. And it doesn't matter this not secret because that doesn't help anybody if you know the it's all being salted anyway.

So, so each individual crack has to happen by itself. And you know, if you find out that it takes too long on some platform, you can always turn it back down. But I'd start at 1, 2, 3, 4, 5, 6, 7. But really in this era of G P U driven password cracking where G'S hash at light speed P B K D F two is showing its age, cranking up iterations is just running ahead of a moving train, it would make much more sense to just get off the tracks. Well, I asked about that last week. Argon two is another option. Yes. Since squirrels entire security model is based upon the security of a single password based key, I gave this a great deal of thought years ago. Everyone including bit warden, ought to abandon the use of any Emory Hard Mm. Password key derivation, which GPUs excel at squirrel uses script, also known as s s script, S C R Y P T, which absolutely requires a block of dedicated memory, which cannot be shared among Coors.

Hmm. Scripts. Many parameters are tunable, and I don't now recall exactly how much memory I required, but I think it was 16 megabytes. I chose that because every smartphone can spare that and is only needed briefly to process a user's password entry. But significantly, GPUs are unable to follow since they're unable to run s script of that size at all. Oh, nice. So when that much memory is required, GPUs are out of the game. So switching away from pbk DF two whose time has passed ought to be on every password manager's roadmap for the future. Hmm. Good tune. Now there's b how about argon script? And there's argon. Yes. I mean that's the same thing. These are all memory hard. And, and so, so just, just as, as a little quick example, the, the way this works is the, the algorithm allocates 16 megabytes of memory, then it uses a very secure hash, an h a keyed H mac based on, on the password that you're giving it to fill this memory with pseudo random data where each value is a pointer within that memory.

So, so it fills 16 megabytes with pointers from zero to 16 megabytes, then it follows the pointer trail jumping throughout all of that memory. Well, it turns out there is no way that has ever been found to short circuit that process. That is, you don't technically need to use 16 megabytes, but if you didn't, you would need to compute what some random pointer somewhere out there in 16 megabytes space would be. And then when you go to it, you would need to then compute what the point, what the other pointer somewhere else would be. In other words, if speed is your goal, the fastest way to solve this puzzle is just give it 16 megabytes, let it fill it with pointers and follow these pointers all around hell and gone, you know, within this 16 megabytes space. And, and the, the path you take ends up ends up resulting in the key that this thing synthesizes and it cannot be short circuited and no G P U can do this. Hmm. So you just switch to something that GPUs cannot do, and then you're not constantly having to, to, as I said, run ahead of the train, staying on the tracks. You just say, Nope, let's use a different protocol. And again, I I've been using, you know, a squirrel uses a 16 megabyte s script algorithm and it runs everywhere perfectly on iPhones and Androids. Nobody has ever had a problem with it and it cannot be accelerated by A G P U.

Okay, a couple last bits. Robert VD Breman, he said at S SG G C, thanks for the Honest podcast on last pass your vetting years back made me use it for many years. Now moving to Bit warden, now that I'm changing my 1000 plus passwords, I see how broken the pass the system of password login really is. Why is there no change password a api? And you know, that's a really good question. A uniform standardized cross-site password change API would make rotating all of one's passwords an automatable operation, right? I think that the problem is that it's mostly per site resistance. One of the complaints most people have is that every site is different, has different password requirements, additional bells and whistles like security questions or not and different password recovery approaches. And this arises from the fact that every site wants to be different.

You know, there's no uniformity. So each site gets to invent the user experience flow that they prefer for their particular whim. You know, it didn't have to be this way, but it's the way it is. Okay. And last one, but, and I should point out the reason this is the internet is the way it is, is cuz nobody sat down and designed the whole thing from scratch. You, they would never, they would've put a password rotation system in. Yes. But it wasn't designed that way. Right. And you would never tell your mother that she must type http colon s slash slash even by the way, it no. That when somebody asked the creator, the founder of the web about that, he said, I never thought humans would ever have to type that it was supposed to be machinery. It was, it was link it, it was link following, right? Yeah. It wasn't supposed to be anything a human would ever have to see. So you were on a page and it had nice English links or whatever language Right. You know, was all under under the hood. Yep. Yeah, exactly. Yeah. But that, that's, so Tim burners Lee did not design it. You know, that's what, that's what happens in the real world. Stuff gets just done and it works. Yep. It changes. And all of a sudden you've got Twitter <laugh>.

It's called evolution or devolution. That might be, okay, last one. A Andy Olson tweeting from average. Andy, he said at SG G R C I listened to the recent LastPass episode, switching to Bit Warden. Just wanted to note that password changes are necessary, but I found I can also change usernames on a lot of important sites. If user login is email change that too. And yes, I agree with that, especially since today's standard for password re recovery, you know, handling the, I forgot my password event is to send the password reset link to the user's a account email. So while it's not imperative, if it's easy for you to also change your account's email while you're at it, you know from what it was when your last pass vault was copied and stolen, then there's no reason not to. Okay. So once again, I've used up our time this week covering this news, which is huge for this podcast listeners since such a large number of us chose and have been using Last Pass.

But even for those who had not chosen, you know, to stay with last pass or long ago, chose a different password manager, all the information about G P U cracking strength and P B K D F two iteration counts as universal as is the need to urge whatever password manager you're using, then it's time to move away and beyond P B K D F two, there are many cryptographically verified alternatives and they should be used, you know, racing ahead of GPUs no longer makes any sense. As I said, next week we'll be able to get some sense for the, for the amount of the ECB cipher mode that our listeners discovered in their last pass vaults with the aid of Rob's and chat GPTs. Very nice PowerShell script. But unlike this week's bombshell that many iteration counts were one, the presence of any lingering e ECB won't present a five alarm fire.

I I really wish LastPass for giving us more information. I understand they don't want to cause it's a black mark on their scutch, and, but I think they're a scutch has been scuttled already. So maybe you should just start telling us what we need to do. I it's my guess that when they did up the iterations, they didn't retroactively fix everybody's vault. Maybe they couldn't, maybe they didn't know how to, maybe they didn't want to. Okay. I covered all that. They could, they could have and they should have. They didn't for they, they could have. They should have. We don't know why they didn't. Yeah. I mean I just at least sent out an email saying, and maybe they did, I don't remember. But yeah, no, an email is insufficient. No. The there is leaving anyone's iteration set to one, as you said, it's like having a blank.

The title of this, the title of this podcast is Unconscionable. Yeah, yeah. I mean it is, it is, it is. You could argue it is not true that in today, in like today when this theft occurred, that offered any protection. Right. And they were assuring everybody that if you use a good long and strong password, you are safe. That is not true. That's a huge thing. Yes. They, because of something they did, your good, long, strong password was insufficient. Yes. That's not good. As always great stuff, Steve. I appreciate it. One one thing I'll add to one of your comment commentators Yeah. Who had a shared vault. He had his personal vault. Yeah, yeah, yeah. And his business vault and last pass, we do that as well here. It's my understanding, those are kept separately. So if you know, that's just a separate vault.

It's not like there's one vault. Even now he did use reuse the same password on both, but but it was 25 totally random. A it a good password. He has nothing to worry about. Yeah. And, and he has a good number of pd, pkd F to iterations. We are actually, we use LastPass enterprise and we're talking about what we need to do. It's a massive and that's the other thing I would say. And I got a number of emails and comments from people in our forums that, well, you don't understand. I've got a thousand passwords in there. I do understand <laugh>. I completely understand. Mm-Hmm. <affirmative> that's the problem. You know, and, and Leo, even without any decryption, think of the profiling that can be done. Well that was terrible. They left that under decryption of a person. All that metadata.

Yeah. That's terrible. Terrible. no, I, you know, I don't, this is, this is the other thing that I don't know, but I think there's more, the other shoe will drop down the road because how can LastPass survive this? And when the, when the, you know, stakeholders at LastPass say, well, you got no customers, at some point they're gonna turn off the servers and there's gonna be another <laugh> collapse because they, I don't see how they stay in business. What happens when a password manager goes outta business? That's a really good question. Not something we've <laugh> we've had to face before. No, I mean, that's a really, so I, that's why I think it does behoove everybody as you've done and I've done to move off even though Yes, it's a big pain in the, it's easy to move. Actually, you said that, and I'll say it's easy to move.

Oh my God. I, I, it's, I had resistance to it and it was like, wait a minute, I'm done. It's trivial. And most password managers work roughly the same as last pass with the autofill and the authenticate. Oh, another thing somebody was asking in the chat room hardware key, like, you know, I've mentioned that I use YubiKey recommended good idea. I would just point out that LA that at least bit warden, I think last pass two, they all have fallbacks usually to an authenticator. So always the only thing from a, from a crypto security standpoint, the only thing those offer is the convenience to their user. Yeah. Of, of log. When you log into your phone, the UBI key, it provides no additional security if you could. Right. Because the vault doesn't use this for the brute forcer. They don't, it's not the second factor.

They don't care. They don't care. They don't care. Yeah. Yeah. And if you turned off secondary fallbacks, then I guess this would be stronger than say an authenticator. Certainly a lot stronger than SMS message. Yes. And in fact, that was one of the, as one of the features that Squirrel had was that after you got comfortable with it in the ui, you, you, you could check a box saying, do not allow Right. Any other authentication mechanism. The the fallback is the weakest link. Whatever the, whatever the Exactly, whatever the weakest link is, that's the weakest link <laugh>. That's all you got. That will get attacked. I am so glad you did a second episode on this. I know there are a lot of people saying, yeah, but what about, but there hasn't, it's good news. The hackers rested. They were busy changing their last pass passwords.

So, you know, we got a, we had a little breathing space next week, the news next week. Yeah, we will, we'll do a big news catch up, I'm sure, as I said, we'll briefly talk about how many people found EC B in their vaults. I'll be curious. It'll just, yeah. It'll be a, yeah. It'll just be a, a, you know, a curiosity point. It's not the end of the world. And, but when they will catch up on all the news that's been happening, I wish I could look at my old vault. And this is the other thing Laspas hasn't said. When did that backup get made? I deleted my last pass vault a couple of years ago, but maybe the backup was from two and a half years ago. Yeah. In which case my vault's in there too. And so, and they haven't told us anything, so it's very disappointing.

No, in fact, I did. I I went to the blog to see whether, I mean, I just recently, a day or two ago to see whether they there was any response, any further information. Anything else? No. No. They're just hoping it goes away at this point. They've got nothing to do. They're hoping it goes away and it's not. I'm sorry to say it's not gonna go away. One other point I will make on bit Warden, because it's open source, if you have advice for Bit Warden or a change you'd like to see for instance, changing to a memory hard hashing. But that's where you go to GitHub and you, and you do a poll request, or not a poll request a a pr is it a, not a poll request? What is it you do anyway? You, you issue, you get an, you given him an issue saying, please, that's how you do templates.

It's to bit warden. It's time, it's open source to you go to the bi open source repository and you'll, and you enter an issue saying there's an issue. You should use a memory hard hashing algorithm. And they have to respond. They will respond to that. And you know what what'll happen because it's open source. Somebody will write it. Yeah. So here it is. Well, it's already, it's already been written. It just needs to be you know, hooked in. Yeah. Hook it in. It'll, it'll, it'll take an afternoon. Wow. Then they should do it. Yeah. Thank you Steve. Bless you, Steve, for the job you do. It's so important and we really are grateful to you. Steve's website, There are lots of reasons to go to that website, of course. Foremost of which to get a copy of Spin, right? The world's finest mass storage, maintenance and recovery utility.

Now, admittedly 6.0, it's been around for a little while. 6.1 is imminent. If you buy six oh, now you will get six one the minute it comes out. You can also participate in its development and release. That's that's coming soon. That's coming soon. Grc.Com. You can also get a copy of this show there. Steve has two unique copies or versions of this show. He has the show notes, which are definitely worth download. I will, I will talk with my team about whether we wanna put the PDF in the RSS feed or not. And I will, I would like to hear from our audience on that one, but you can certainly get it from along with the 16 Kilobit audio version, which frankly no one should have to listen to. But if you don't have the Bandwidth <laugh>, at least you can get it.

And the reason Steve does it is for the fabulous Elaine Ferris Collier and Court reporter who does those amazing transcripts. And that's the other form that is unique to Steve's site. The transcripts of the show written by a human. So you can read along as you listen or search them. Very, very valuable. He also has this, the full 64 kilobit audio there. Grc.Com. He's on Twitter at sg grc. Dms are open. If he leave, wanna leave a comment or a suggestion there. That's the only site he reads. Don't be going to MAs on looking for Steve. You go to Twitter, SG I'm a Black Hole <laugh>, SG G R C, <laugh>. You can also go to our site, TWI tv slash sn to find yourself a copy. There's a YouTube channel dedicated to security now that has every episode on it. You can subscribe in your favorite podcast player.

We have video as well as audio. That's the unique format we have. I don't know why you'd want video. I mean, Steve's a good looking guy. I'm not saying that, but I don't know why you'd want video, but you could get it if you want. What else? Oh, I should mention, we do this show every Tuesday right after Mac Break Weekly. So that's roughly <laugh>, very roughly. Supposed to be 1:30 PM Pacifics usually more like 2:00 PM Pacific, 5:00 PM Eastern, 2200 utc. The livestream is at You can go there, watch or listen live chat with us at IRC dot twit. Do TV or if you're a member of Club Twit in the Club Twit Discord. If you're not a member of Club Twit, please join. You. Get ad free versions of this show and all the shows we do for seven bucks a month, plus access to the Discord.

You also get the TWIT plus feed, which includes shows we don't put out in public, like hands on Mac, hands on Windows, the Untitled Lennox Show, the giz Fizz Andmore TWIT TV slash club twit. Thanks in advance, Steve, I hate to wrap it up. Something exciting might happen with security. We'll just have to get together next. We'll be back with, we'll be back with that news next week deal. See you then. Bye. Don't miss all about Android. Every week we talk about the latest news, hardware, apps, and now all of the developer goodness happening in the Android ecosystem. I'm Jason Howell, also joined by Ron Richards, Florence Ion and our newest co-host on the panel Huyen Tue Dao, who brings her developer chops. Really great stuff. We also invite people from all over the Android ecosystem to talk about this mobile platform we love so much. Join us every Tuesday, all about Android on

... (01:51:48):
Security Now.

All Transcripts posts