Fun with LastPass

Being a fan of LastPass (and a local NoVA company as well) we were intrigued when we came across a tweet from @mubix regarding a post from Dhiru Kholia to the OpenWall mailing list. In the message Dhiru discusses some interesting fields he found when looking at LastPass transmissions through Burp proxy and the potential for performing an offline brute force attack. He closes by asking the question that what would prevent LastPass from performing a similar attack to gain access to our database of credentials.

via OpenWall Mailing List


So far, I haven’t been able to mount an offline attack against
LastPass locally stored database. However, it is possible to sniff the
LastPass authentication packets and mount an offline attack to recover the original password.

Here is an screenshot of Burp Suite in action,

Click to Enlarge

? ../run/john -fo:lastpass -t # AMD X3 720 CPU (single core)
Benchmarking: LastPass sniffed sessions PBKDF2-HMAC-SHA-256 AES [32/64]… DONE
Raw: 2520 c/s real, 2520 c/s virtual

What prevents LastPass from using the same technique? Maybe they have another faster way to access user data ;).

I urge LastPass to open up their database format, so that a proper
third-party security analysis can be carried out.

Source: “Fun with LastPass” –

I think this is a valid question and it would be great if LastPass would respond to this potential attack and reveal their database format. As you know security through obscurity is generally a bad thing.


Do you think this attack looks like something LastPass users need to worry about? Let us know in the comments below. See ya!

6 comments for “Fun with LastPass

  1. November 15, 2012 at 1:38 pm

    BLOGGED: Fun with LastPass

  2. Bob
    November 15, 2012 at 2:55 pm

    This is simply not realistic — what is sent to the server is a sha256 hash of something that has already been sha256 hashed 500 times. The reason why we do many pbkdf2 rounds is because the calculation takes a long time. Because of this, the amount of time it will take to brute force is prohibitively long to be effective.

  3. November 15, 2012 at 11:06 pm

    Bob: Thanks for the comment. Would it be possible to open up your database format per the Dhiru’s request?

  4. November 16, 2012 at 4:57 am

    #NoVABloggers Fun with LastPass

  5. Phillip
    November 27, 2012 at 8:23 pm

    Definitely scary considering LastPass has experienced multiple security breaches already. I use RoboForm personally and while both softwares encrypt data with a user created “Master Password”, RoboForm was the first on the market and has not been plagued with the same security issues as LastPass. Siber Systems (the company that makes RoboForm) is also based in Northern VA (Fairfax). I highly recommend RoboForm.

  6. November 27, 2012 at 10:00 pm

    Phillip: Thanks for the comment. Yeah, I’ve heard great things about RoboForm as well. Didn’t know they were local to NoVA… I tried RoboForm once before and it felt a bit heaver on the browser at the time … but of course things could have changed since then.

    Also I only heard of one _potential_ security breach associated with LastPass. They detected an unusual amount of data leaving their network and immediately cut it off. Analysis showed some data may have gotten out however it was all encrypted with individual user master passwords. Was this one of the breaches you were referring to? Any others?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.