31 Jan 2023
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Ivan Ristić.
During January, there was a flurry of activity surrounding password managers and their security. It all started in December, when LastPass warned about an unauthorized third party gaining access to archived backups of its production data. Oops. The data included customer information and their encrypted vaults. This announcement reignited interest in password storage and, especially, PBKDF2.
PBKDF2 is a key derivation function that’s used to slow down attackers who gain possession of some encrypted material. In this situation, vault passwords are the weakest link because weak passwords can be brute-forced with a dictionary of commonly used passwords.
Soatok wrote about a variety of algorithms for password storage. Neil Madden wrote a blog post discussing PBKDF2 iterations. Then he wrote another. Then it became difficult to keep up with the number of blog posts.
In its initial disclosure, LastPass claimed 100,100 PBKDF2 iterations, but users with older accounts are reporting significantly lower numbers. A former engineer provided additional details about what led to the current situation. A similar problem was discovered with Bitwarden, another popular password manager that’s also available as a free, open-source product.
In both cases, the problem was that the protection measures are set when a password vault is created and then frozen in time, never updated, while our understanding of various weaknesses and the ability to exploit them improves continuously.
Current recommendations are to use 600,000 PBKDF2 iterations to protect password vaults. That said, it’s worth understanding that although increasing the number of iterations helps, it only increases the attackers’ costs—and by a relatively modest amount. A much better defense is to use a strong password, which can make your vault unbreakable.
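The sketch below is an added example, not code from LastPass, Bitwarden, or this newsletter. It shows one way to keep KDF parameters from freezing at vault creation: store the iteration count with each vault and raise it at the next successful unlock. The `VaultHeader` layout, the key-check construction, and the 5,000-iteration legacy value used for testing are assumptions, and re-encrypting the vault contents under the new key is left to the caller.

```python
import hashlib, hmac, math, os
from dataclasses import dataclass

TARGET_ITERATIONS = 600_000  # recommendation cited in the text above

@dataclass(frozen=True)
class VaultHeader:               # hypothetical layout, for illustration only
    salt: bytes
    iterations: int              # stored per vault so it can be raised later
    key_check: bytes             # lets unlock() reject a wrong password

def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def _check(key: bytes) -> bytes:
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()

def create_header(password: str, iterations: int = TARGET_ITERATIONS) -> VaultHeader:
    salt = os.urandom(16)
    return VaultHeader(salt, iterations, _check(_derive(password, salt, iterations)))

def unlock(header: VaultHeader, password: str):
    """Return the 32-byte vault key, or None if the password is wrong."""
    key = _derive(password, header.salt, header.iterations)
    return key if hmac.compare_digest(_check(key), header.key_check) else None

def needs_upgrade(header: VaultHeader) -> bool:
    return header.iterations < TARGET_ITERATIONS

def upgrade(header: VaultHeader, password: str):
    """After a successful unlock, return (new_header, new_key) at the target cost.

    The caller must re-encrypt the vault under new_key and persist it together
    with new_header; until then the old header stays valid.
    """
    if unlock(header, password) is None:
        return None
    salt = os.urandom(16)        # fresh salt for the new derivation
    new_key = _derive(password, salt, TARGET_ITERATIONS)
    return VaultHeader(salt, TARGET_ITERATIONS, _check(new_key)), new_key

def work_gain_bits(old_iterations: int, new_iterations: int) -> float:
    """Attacker cost increase expressed as equivalent bits of password entropy."""
    return math.log2(new_iterations / old_iterations)

if __name__ == "__main__":
    legacy = create_header("correct horse", iterations=5_000)  # constructed legacy vault
    if needs_upgrade(legacy):
        new_header, _ = upgrade(legacy, "correct horse")
        print(legacy.iterations, "->", new_header.iterations)
    print(f"100,100 -> 600,000 is worth {work_gain_bits(100_100, 600_000):.2f} bits")
```

`work_gain_bits` puts the point about modest gains in numbers: moving from 100,100 to 600,000 iterations costs an attacker about as much extra work as 2.6 more bits of password entropy would.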
Of particular interest here is the attack model when using a hosted password manager. In this scenario, your vault can be stolen from your devices, but also from the vendor’s systems. Your vendor’s systems are very attractive to attackers because they have many, many vaults, which is why we should expect to see further security measures. Neither LastPass nor Bitwarden has additional measures, but another hosted password manager company, 1Password, does, via its per-device secret key.
Here are some things that caught our attention since the previous newsletter: