What have we done to secure LastPass
Beyond the actions we have already taken, as described in the detailed incident sections, we are prioritizing areas of further investment in security, privacy, and operational best practices. Further, we are hiring to expand our security expertise across all dimensions. Many of these items were already underway prior to the incidents.
Note: To read the complete update on the security incident from our CEO, Karim Toubba, visit the LastPass blog.
- Platform, infrastructure, and endpoint security enhancements designed to strengthen our environment and operational security, such as:
  - Continued tuning of our production environment's detective and preventative controls, including the deployment of additional analytics and observability capabilities, platform hardening, and enhanced logging in our data center environments.
  - Continued hardening, enhanced logging/alerting, and validation of the security of our cloud storage environment, with additional continuous monitoring and enforced additional security controls.
  - Deployed a Cloud Security Posture Management (CSPM) platform across all Cloud estates.
  - Enhanced endpoint security controls for developer and engineering workstations, including the deployment of a new managed Endpoint Detection and Response (EDR) service, SASE deployment, additional detection tuning, and initial deployment of hardware security keys to developers and engineers.
- Acceleration of product enhancements designed to improve the security, privacy, and user experience of our products and platforms, such as:
  - Increasing default PBKDF2-SHA256 iterations to a minimum of 600,000, both for net-new users (already complete) and retroactively for existing users, in alignment with OWASP's January 2023 update regarding the recommended minimum iteration count: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html. Work is underway to enable Business customers to automate this process from the Admin Console rather than requiring manual, end-user, client-generated updates.
  - Working to encrypt URL and URL-related fields in the vault BLOBs.
  - Initiating efforts to streamline MFA re-enrollment for rotation of multi-factor shared secrets for Business customers who use Microsoft Authenticator, Google Authenticator, LastPass Authenticator, or Grid.
  - Improving the master password recovery options with respect to One-Time Passwords (OTP) and Account Recovery One-Time Passwords (rOTP) by adding an additional validation for these flows (no action required from the user) which relies upon the encrypted private component of the sharing keys stored within the user's vault.
  - Initiating efforts to retire Password Apps (Push Sites/Apps) functionality and guide customers to secure (Zero Knowledge) sharing practices via groups.
  - Preparing to release a new SIEM/Splunk integration in the first half of 2023 to store the access tokens in encrypted form.
  - Accelerating roadmap items related to numerous security improvements across client and backend platform components.
  - Implementing additional automated reporting for Business customers to give them a better understanding of their LastPass deployments and enable better risk triage and assessment.
  - Preparing to force-improve hygiene for master password selection, including validation and enforcement of password best practices during registration, change, and recovery activities.
- Mid-term strategic investments focused on product and platform evolution that were already part of our planned work, including:
  - Expanding encryption of customer data and metadata in databases within our application and backup infrastructure.
  - Accelerating and enhancing cryptographic primitives, including the addition of the Argon2 key derivation function, migration to a standardized implementation of AES-GCM-256 encryption using peer-reviewed and standardized cryptographic methods and APIs, and retirement of all remaining legacy cryptographic block cipher modes (ECB).
  - Ensuring a standardized set of modernized, standards-based cryptographic APIs is in use across all client platforms where encryption is used.
  - Wholesale transformation of our software factory/development environment as part of our separation. This includes deployment of our modernized cloud-based CI/CD pipelines, a unified observability platform, and code safety initiatives including Software Bill of Materials (SBOM) and Supply Chain Levels for Software Artifacts (SLSA) Level 3+/NIST SP 800-218 compliance.
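The PBKDF2 item above describes two things: a new default of 600,000 PBKDF2-HMAC-SHA256 iterations and a retroactive upgrade of existing users. The following is an added example, not LastPass code, showing how a client-side iteration-count check and upgrade can be structured. It assumes a simplified, constructed vault record that stores only a salt, the iteration count and a key verifier (an HMAC under the derived key); the real vault format is not described on the page. The upgrade re-derives only after the old derivation confirms the master password, so a wrong password can never silently replace a record.

```python
"""PBKDF2-HMAC-SHA256 iteration-count check and client-side upgrade.

Added illustration, not LastPass code. The record layout (salt, iterations,
verifier) is a constructed, hypothetical one.
"""
import hashlib
import hmac
import os
from typing import Optional

# OWASP minimum for PBKDF2-HMAC-SHA256 from the January 2023 cheat sheet cited on the page.
OWASP_MIN_PBKDF2_SHA256_ITERATIONS = 600_000
KEY_LEN = 32  # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault key from the master password with PBKDF2-HMAC-SHA256."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def key_verifier(vault_key: bytes) -> bytes:
    """Value stored alongside the record so a re-derived key can be checked
    without storing the key itself (hypothetical construction)."""
    return hmac.new(vault_key, b"vault-key-verifier", hashlib.sha256).digest()


def make_record(master_password: str, iterations: int,
                salt: Optional[bytes] = None) -> dict:
    """Create a constructed vault record at the given iteration count."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": key_verifier(key)}


def verify_master_password(record: dict, master_password: str) -> bool:
    """Re-derive under the record's own parameters and compare in constant time."""
    key = derive_vault_key(master_password, record["salt"], record["iterations"])
    return hmac.compare_digest(key_verifier(key), record["verifier"])


def needs_upgrade(record: dict) -> bool:
    """True when the stored iteration count is below the OWASP minimum."""
    return record["iterations"] < OWASP_MIN_PBKDF2_SHA256_ITERATIONS


def upgrade_record(record: dict, master_password: str,
                   target: int = OWASP_MIN_PBKDF2_SHA256_ITERATIONS) -> dict:
    """Re-derive at the target count with a fresh salt, but only after the
    existing derivation confirms the supplied master password."""
    if not verify_master_password(record, master_password):
        raise ValueError("master password does not match the existing record")
    if record["iterations"] >= target:
        return record  # already at or above target; nothing to do
    return make_record(master_password, target)


if __name__ == "__main__":
    # Constructed sample: a legacy record at a low iteration count.
    password = "correct horse battery staple"
    legacy = make_record(password, 5_000)
    print("legacy iterations:", legacy["iterations"], "needs upgrade:", needs_upgrade(legacy))
    upgraded = upgrade_record(legacy, password)
    print("upgraded iterations:", upgraded["iterations"], "needs upgrade:", needs_upgrade(upgraded))
```

`needs_upgrade` is the check an Admin Console automation would run over each record to find users still below the minimum; the 600,000-iteration derivation itself costs a few hundred milliseconds of CPU per login, which is the point of the higher count.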