Hacker News new | ask | show | jobs
by leftpass 1639 days ago
I thought that LastPass didn't send your master password over the wire, rather it uses client-side code to take your Master Password and turn it into a hash which is then sent to LastPass for comparison[1]. If that is the case, how can LastPass claim to know that your master password was used? At best, they can claim that the hash sent to the server matches your password's hash but that is not the same as your master password being used.

Given the widespread nature of this issue, I'd guess someone has discovered a flaw in the LastPass login process which is allowing a bad hash to pass the master password hash check: that contradicts what the support agent said, but I'd assume they're mistaken, rather than LastPass are lying in their documentation about how their system works.

[1] https://support.logmeininc.com/lastpass/help/about-password-...
2 comments
gregsadetsky 1639 days ago
Very interesting theory!

What's a bit surprising is how "low effort" the rest of the attack was: presumably if they found this flaw to bypass passwords, they then attempted to login (which caused an email to be sent out), but LastPass stopped them because they (i.e. the folks on the Brazil IP range) were logging in from a new IP.

So this would be a case of one protective layer (the new IP detection) compensating for a vulnerability in the other one (the password protection).

That would be "re-assuring" in a certain way (as the passwords themselves did not leak -- presumably!).

Thanks

link
leftpass 1639 days ago
Another possibility is that one of their (many) previous security incidents led to the leaking / exposure of master password hashes, and maybe LastPass don't treat the password hashes as they should (as a password!) and didn't take steps to ensure that any compromise hashes couldn't be re-used. So, potentially, your master password is safe, but there's a hash of it floating around.

Personally, I've long recommended people stay well clear of LastPass for their bad record of security, so shipping a bug in password-hash verification, or treating password hashes haphazardly would not surprise me in the slightest.

link
gregsadetsky 1639 days ago
Again, really great point re: our passwords hashes floating around, rather than the passwords themselves.

I wonder if haveibeenpwned.com would somehow have information about this. I just pinged them on twitter.

link
Peanuts99 1639 days ago
If Lastpass was zero knowledge then this wouldn't make sense. The master password or some derivative of it should decrypt your passwords on the local device.

I use Keeper and despite it being cloud based, that's exactly how it works.

link