Firewalls Don't Stop Dragons Podcast

SPECIAL: LastPass Breach

Listen Later

Right before Christmas, LastPass dropped a bombshell report explaining that bad actors appeared to have made copies of LastPass users’ encrypted password vaults. The information was a little short on key details, probably indicating that the investigation is ongoing and we will learn more in the coming weeks. However, we have already learned enough to know that the data breach did leak some important metadata contained in people’s password vaults and that any users who had less-than-secure master passwords should be worried that the encrypted contents may now be vulnerable to disclosure. That is about as bad as it gets. Today I will speak with a cybersecurity and authentication expert from CISA about this breach: what we know, what we don’t know, what we should learn from the incident, and (most importantly) what LastPass users should do about this.

Bob Lord is a Senior Technical Advisor for the Cybersecurity and Infrastructure Security Agency (CISA) and former Chief Information Security Officer (CISO) for Yahoo. 

Interview Notes
  • SPECIAL REPORT: LastPass Breach: https://firewallsdontstopdragons.com/special-lastpass-breach/
  • Twitter thread investigating what’s encrypted and what’s not: https://twitter.com/UK_Daniel_Card/status/1606012536582656000
  • Write-up by a security researcher: https://www.pwndefend.com/2022/12/24/lastpass-breach-the-danger-of-metadata/
  • Mastodon technical thread #1: https://mastodon.social/@[email protected]/109585049690097599
  • Mastodon technical thread #2: https://infosec.exchange/@WPalant/109590750504031700
  • My “diceware” passphrase generator: https://d20key.com/ 
  • My blog on creating strong passphrase: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/ 
  • How to make stronger passwords: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/ 
  • Classic XKCD cartoons on passphrases: https://xkcd.com/936/ 
  • Consumer Reports Security Planner: https://securityplanner.consumerreports.org/
    • Further Info
    • Follow me on social media: https://firewallsdontstopdragons.com/contact/ 
    • Send me your questions! https://fdsd.me/qna 
    • Support me! https://fdsd.me/support 
    • Subscribe to the newsletter: https://fdsd.me/newsletter 
    • Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
      • Table of Contents

      Use these timestamps to jump to a particular section of the show.

      • 0:00:47: Ep300 giveaway updates
      • 0:03:15: interview setup
      • 0:08:17: What do we know about the LastPass breaches?
      • 0:13:25: Were all LastPass users affected?
      • 0:15:03: How is my LastPass data secured, exactly?
      • 0:19:53: What is PBKDF2 and why are iterations important?
      • 0:23:10: Did LastPass increase the iterations for all users over time?
      • 0:26:46: Is any information in my password vault not encrypted?
      • 0:29:35: How do I know if my vault password is strong enough?
      • 0:36:13: What if I didn’t have a strong vault password? What should I do?
      • 0:41:47: Do we have any evidence that people’s vaults have been cracked?
      • 0:45:34: Did LastPass handle this properly?
      • 0:50:50: What can the government do to help here?
      • 0:53:30: Should LastPass users switch to a different service?
      • 0:57:11: Will passwordless authentication solve this problem?
      • 1:01:03: What are the key take-aways here?
      • 1:02:37: My take on the breach and what you should do about it
        • ...more
        View all episodesView all episodes
        Download on the App Store
        Firewalls Don't Stop Dragons PodcastBy Carey Parker
        • 4.9
        • 4.9
        • 4.9
        • 4.9
        • 4.9

        4.9

        64 ratings

        More shows like Firewalls Don't Stop Dragons Podcast

        View all
        Hidden Brain by Hidden Brain, Shankar Vedantam

        Hidden Brain

        43,622 Listeners

        Global News Podcast by BBC World Service

        Global News Podcast

        7,711 Listeners

        Hacked by Hacked

        Hacked

        191 Listeners

        This Week in Tech (Audio) by TWiT

        This Week in Tech (Audio)

        3,063 Listeners

        Security Now (Audio) by TWiT

        Security Now (Audio)

        2,009 Listeners

        The Daily by The New York Times

        The Daily

        112,225 Listeners

        Darknet Diaries by Jack Rhysider

        Darknet Diaries

        8,059 Listeners

        FT News Briefing by Financial Times

        FT News Briefing

        646 Listeners

        Surveillance Report: Weekly News For Digital Freedom by Techlore

        Surveillance Report: Weekly News For Digital Freedom

        109 Listeners

        Hard Fork by The New York Times

        Hard Fork

        5,560 Listeners

        The Ezra Klein Show by New York Times Opinion

        The Ezra Klein Show

        16,339 Listeners

        Closed Network Privacy Podcast by Simon Walsh

        Closed Network Privacy Podcast

        20 Listeners

        Watchman Privacy by Gabriel Custodiet

        Watchman Privacy

        75 Listeners

        The Weekly Show with Jon Stewart by Comedy Central

        The Weekly Show with Jon Stewart

        10,853 Listeners

        The 404 Media Podcast by 404 Media

        The 404 Media Podcast

        392 Listeners