AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Lastpass security settings9/4/2023 ![]() ![]() And if you finally took the plunge with a free and mainstream option, particularly during the 2010s, it was probably LastPass. This means that attackers will have to guess master passwords in order to decrypt stored passwords.You've heard it again and again: You need to use a password manager to generate strong, unique passwords and keep track of them for you. Ok, let’s assume that indeed no master passwords have been captured (more on that below). LastPass does not have any access to the master passwords of our customers’ vaults – without the master password, it is not possible for anyone other than the owner of a vault to decrypt vault data Whenever LastPass has a security incident they are stressing their Zero Knowledge security model. Publishing the breach date would make it obvious, so LastPass doesn’t to save their face. I suspect that this conclusion was premature and what has been exposed now is merely the next step of the first breach which was already ongoing in September. After investigating that incident, in September 2022 LastPass concluded:Īlthough the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults. I can only see one explanation: it happened immediately after their August 2022 breach. When did this breach happen? Given that LastPass now seems to know which employee was targeted to gain access, they should also know when it happened. Whether the encryption will hold is a different question, one that I’ll discuss below.īut first: one important detail is still missing. The threat actor was also able to copy a backup of customer vault data Does it mean that all passwords are compromised?Īccording to the LastPass announcement, “an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.” What data? All the data actually: “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” And of course:.How long does decrypting passwords take?.So if your master password is shorter than twelve characters you should be more concerned about your passwords being decrypted. If it’s the former for you, your account has a considerably higher risk of being targeted.Īlso, when LastPass introduced their new password complexity requirements in 2018 they failed to enforce them for existing accounts. LastPass failed to upgrade some accounts from 5,000 to 100,100 iterations. You should especially check your password iterations setting. Happy holidays, everyone!Įdit (): As it turned out, even for a “nobody” there are certain risk factors. If their web application has been compromised nobody will be safe. Unless LastPass underestimated the scope of the breach that is. Should you hold the keys to your company’s assets however (network infrastructure, HR systems, hot legal information), it should be a good idea to replace these keys now. If you are a regular “nobody”: access to your accounts is probably not worth the effort. You should also consider whether you still want them uploaded to LastPass servers. If you are someone who might be targeted by state-level actors: danger is imminent and you should change all your passwords ASAP. But the executive summary is: it very much depends on who you are. I’ll delve into the technical details below. Fact is however: decrypting passwords is expensive but it is well within reach. It also prepares the ground for blaming you, should the passwords be decrypted after all: you clearly didn’t follow the recommendations. This makes it sound like decrypting the passwords you stored with LastPass is impossible. ![]() If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. The following statement from the blog post is a straight-out lie: In particular, they are rather misleading concerning a very important question: should you change all your passwords now? ![]() While this email and the corresponding blog post try to appear transparent, they don’t give you a full picture. If you have a LastPass account you should have received an email updating you on the state of affairs concerning a recent LastPass breach. ![]()
0 Comments
Read More
Leave a Reply. |