For all of LastPass' screw-ups here, AFAIK the hackers still ultimately have a copy of your *encrypted* vault and not the decrypted one. LastPass themselves don't have the decrypted vaults or the ability to access those vaults themselves - that is, they don't have a skeleton key or store your master password anywhere. Having the full copy of the encrypted data does mean vaults with weak master passwords (along with low encryption cycles) can be cracked pretty quickly, since they're just running iterations on it locally rather than trying to break in through the LastPass sign-in.

Bitwarden has a JS-based check for determining crackability (you can just put in something the same length and with the same number of special/numeric characters if you don't want to actually type in your real master password):

While I'm pissed at LastPass for this breach, I'm actually not that worried about my own vault - I've regularly changed passwords anyway and will eventually get them all changed (or close accounts), I don't keep my email password in LastPass, and my password strength is labelled as taking 'centuries' to crack (and is not dictionary-able). I did change my master password and make it a hair longer, but that's about it. I've always used LastPass operating under the guideline that my encrypted vault *would* be fully stolen at some point and I needed to be sure that I was not at risk of someone being able to crack it on their local machine. I may move away from LastPass as a result of this, but I'm not in a panic.

Would say that if you are someone with potentially hundreds of thousands or millions in crypto, knew that they got their LastPass vault stolen, and didn't do anything to protect your crypto wallet, that automatically makes you someone who isn't a "security-minded individual".

Dumb statements from the article aside, it is certainly possible that this was how people got access to some of these accounts. The fact LastPass didn't encrypt URLs and other fields makes people who held crypto keys in their vault particularly vulnerable to attack, since it allowed people with access to the vaults to determine which individuals are more worthy of dedicating resources to cracking those vaults, instead of having been forced to more or less try and crack all the vaults.

Most likely these individuals did not, in fact, have a strong master password, since there are certainly plenty of people that will have had weak master passwords (short length, or previously leaked, or prone to dictionary attacks). Strong master passwords, even with the old very low password iteration count, should still be reasonably safe, although obviously all important passwords on those accounts should still be changed, that information should be migrated to another service, and the LastPass vault should be deleted, because LastPass as a security company has proven to be quite incompetent.

Have no doubts, 2FA will do nothing to help at all. 2FA was there to help against people getting access to the vault in the first place; we are long past that now, since the hackers already have the vault. 2FA will help on other non-LastPass accounts.

Anyway, brave choice to still trust LastPass, not because of the vaults getting leaked, that frankly could happen to other companies, but because the leak showed they aren't good at their jobs, and even when exposed to their failings they have done nothing to improve upon them. The vaults have fields that weren't even encrypted, and despite that being highlighted several times before the breach as a security issue, and it obviously being an issue after the breach, they still aren't encrypting that information, which is just some absolutely wild levels of incompetence, since it not only makes users more vulnerable to being targets of decryption attempts on their vaults, but it also opens a whole host of other vectors of attack for the stolen data, like blackmail, phishing, social engineering and so on.
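The two points made in this thread, that a stolen *encrypted* vault is only as safe as its master password and KDF iteration count once the attacker can run guesses locally with no sign-in, rate limit or 2FA in the way, and that cleartext URL fields let an attacker pick the crypto-holding vaults to spend that effort on, are easier to see in code. The following is an added example written for this page, not code from any commenter and not LastPass's real vault format. It assumes a simplified model: the vault key is PBKDF2-HMAC-SHA256 over the master password salted with the account email, an HMAC tag over the encrypted blob is what a cracker uses to verify a candidate password, and a toy HMAC-counter stream cipher stands in for AES so it runs on the standard library alone. The accounts, URLs, passwords, wordlist and iteration counts are all constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlparse


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault key as PBKDF2-HMAC-SHA256 over the master password, salted with the
    account email (an assumed, simplified model of a password-manager KDF)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) so the example runs on the
    standard library alone; a stand-in for AES, not something to deploy."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def make_vault(email: str, master_password: str, iterations: int, entries) -> dict:
    """entries: (url, username, password). URLs stay in cleartext, as the thread
    complains; only username/password go into the encrypted blob. The HMAC tag
    is what lets an attacker verify a guess offline (assumed verification model)."""
    key = derive_key(master_password, email, iterations)
    plaintext = "\n".join(f"{u}\t{p}" for _, u, p in entries).encode()
    blob = keystream_xor(key, plaintext)
    return {
        "email": email,
        "iterations": iterations,
        "urls": [url for url, _, _ in entries],
        "blob": blob,
        "tag": hmac.new(key, blob, hashlib.sha256).digest(),
    }


def triage(vaults, high_value_domains):
    """Rank stolen vaults by how many cleartext URLs hit high-value services,
    so cracking effort goes to the vaults worth the most. Returns [(email, score)]."""
    def score(vault):
        hosts = [urlparse(u).hostname or "" for u in vault["urls"]]
        return sum(
            any(h == d or h.endswith("." + d) for d in high_value_domains) for h in hosts
        )
    ranked = sorted(vaults, key=score, reverse=True)
    return [(v["email"], score(v)) for v in ranked]


def crack(vault, candidates):
    """Offline dictionary attack: one PBKDF2 run per guess, with no rate limit,
    lockout or 2FA in the way. Returns (password, guesses_tried, plaintext)."""
    for n, guess in enumerate(candidates, 1):
        key = derive_key(guess, vault["email"], vault["iterations"])
        tag = hmac.new(key, vault["blob"], hashlib.sha256).digest()
        if hmac.compare_digest(tag, vault["tag"]):
            return guess, n, keystream_xor(key, vault["blob"]).decode()
    return None, len(candidates), None


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Rough single-core guess rate for a given iteration count on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"bench-{i}", "bench@example.com", iterations)
    return samples / (time.perf_counter() - start)


# Constructed sample data (not real accounts, URLs or passwords); iteration
# counts are illustrative, check what your own account actually uses.
HIGH_VALUE_DOMAINS = ["kraken.com", "coinbase.com", "binance.com"]
WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey1",
            "hunter2", "summer2019!", "P@ssw0rd", "correcthorsebattery"]
SAMPLE_VAULTS = [
    make_vault("alice@example.com", "summer2019!", 5_000, [
        ("https://www.kraken.com/login", "alice", "kr-Xy7!pass"),
        ("https://accounts.binance.com/", "alice", "bn-Q2#pass"),
        ("https://github.com/login", "alice", "gh-pass"),
    ]),
    make_vault("bob@example.com", "gr7-Quilt-Lantern-Vortex-93", 100_100, [
        ("https://www.coinbase.com/signin", "bob", "cb-pass"),
    ]),
    make_vault("carol@example.com", "P@ssw0rd", 5_000, [
        ("https://github.com/login", "carol", "gh-pass"),
        ("https://news.ycombinator.com/login", "carol", "hn-pass"),
    ]),
]

if __name__ == "__main__":
    print("triage order:", triage(SAMPLE_VAULTS, HIGH_VALUE_DOMAINS))
    for vault in SAMPLE_VAULTS:
        pw, tries, _ = crack(vault, WORDLIST)
        print(f"{vault['email']}: {'cracked ' + pw if pw else 'survived'} after {tries} guesses")
    for iters in (5_000, 100_100, 600_000):
        print(f"{iters:>7} iterations: ~{guesses_per_second(iters):.0f} guesses/s per core")
```

The triage step is the part the thread is angriest about: without the cleartext URLs the attacker has to spread the same PBKDF2 budget across every vault, with them the crypto-exchange users go to the front of the queue. The crack step shows why a long, non-dictionary master password matters more than anything LastPass can change after the fact: the iteration count only multiplies the cost per guess, and a real attacker runs this on GPUs rather than a single Python core.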