Martin's write-up explains what LastPass' statement had to say about the recent security incident. The situation could actually be a lot worse. Many security researchers have blasted the company for misleading its users about the stolen password vaults. Wladimir Palant, the creator of AdBlock Plus, was among those who slammed the statement. He says in an article on his blog that by releasing the update right before the holiday season, LastPass wanted to make sure the news flew under the radar. Palant called the statement "full of omissions, half-truths and outright lies", and said that the company had tried to present the two hacks as separate incidents, to cover up the fact that they are related to each other. As a matter of fact, LastPass has not revealed when the second attack took place, and Palant says that this could have happened in September itself. He also points out that the hackers could have collected all IPs associated with a user, and the website URLs, which were unencrypted, to profile their activity. Here's the primary issue: LastPass claims that its Zero Knowledge architecture and 256-bit encryption will protect user data from being accessed by hackers, because "it would take millions of years to guess your master password using generally-available password-cracking technology."
This claim has been criticized by Palant and by Jeffrey Goldberg at 1Password. They say that it would take a long time for hackers to guess the master password only if LastPass had enforced its 12-character minimum password requirement. While the rule came into effect in 2018, it was only mandatory for new users (as the default setting); existing users were never asked to change their password. So, thousands of users could actually have been using a weaker password. This is really important, because most people would not be using a master password generated by a password generator, and this greatly increases the risk of their vault being breached. The fact that LastPass only hashes passwords with 100,000 iterations of PBKDF2 was also criticized by the researchers. The company had been using 5,000 iterations as the default value, which is incredibly low. Goldberg says it may cost just $100 for a hacker to run ten billion guesses against passwords hashed with PBKDF2 at 100,000 iterations. Jeremi Gosney, a Senior Engineer at Yahoo, wrote that "LastPass's claim of 'zero knowledge' is a bald-faced lie." He also says that users assume their vault is stored in a protected, encrypted database, but this is not the case: LastPass stores your vault as a plaintext file in which only some of the fields are encrypted. When I wrote about the hack, I speculated that the only customer information stolen would be the things you'd find on an invoice, because that's how LastPass had described the incident. I was quite shocked by the disclosure from the company when they admitted the threat actors gained access to users' password vaults and other data. I know people who were using it on a daily basis, and I've spoken to them about migrating away from the service. The Verge observes that this is in fact the seventh time that LastPass has been breached.
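To make the iteration-count and password-length arguments concrete, here is an added example (not code from the article, from LastPass or from the researchers quoted) that takes the page's "$100 for ten billion guesses at 100,000 PBKDF2 iterations" figure, scales it to the old 5,000-iteration default, and compares a short master password with the 12-character minimum; it also times a real PBKDF2-HMAC-SHA256 derivation at both settings. The salt choice (the lowercased account email) and the sample password are assumptions for illustration only.

```python
import hashlib
import time

# Figure quoted on the page (attributed to Jeffrey Goldberg at 1Password):
# roughly $100 buys ten billion PBKDF2 guesses at 100,000 iterations.
PAGE_COST_USD = 100.0
PAGE_GUESSES = 10_000_000_000
PAGE_ITERATIONS = 100_000


def guess_cost_usd(guesses: float, iterations: int) -> float:
    """Attacker cost for `guesses` attempts, scaling the page's figure
    linearly with the PBKDF2 iteration count (PBKDF2 work is linear in it)."""
    per_guess = (PAGE_COST_USD / PAGE_GUESSES) * (iterations / PAGE_ITERATIONS)
    return guesses * per_guess


def expected_brute_force_cost_usd(length: int, alphabet: int, iterations: int) -> float:
    """Expected cost to find a uniformly random password of the given length:
    on average an exhaustive search succeeds after half the key space."""
    return guess_cost_usd(alphabet ** length / 2, iterations)


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output. Assumption for this example:
    the salt is the lowercased account email; the page does not describe
    LastPass's actual salt handling."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def time_derivation(iterations: int) -> float:
    """Wall-clock seconds for one derivation (one guess) at the given iteration count."""
    start = time.perf_counter()
    derive_vault_key("correct horse battery staple", "user@example.com", iterations)  # constructed sample
    return time.perf_counter() - start


if __name__ == "__main__":
    for iters in (5_000, 100_000):
        print(f"{iters:>7} iterations: one guess takes {time_derivation(iters):.4f}s on this machine")
        # 8 chars from [a-z0-9] versus the 12-character minimum over 95 printable ASCII symbols
        print(f"  expected cost, 8 chars, 36 symbols:  ${expected_brute_force_cost_usd(8, 36, iters):,.0f}")
        print(f"  expected cost, 12 chars, 95 symbols: ${expected_brute_force_cost_usd(12, 95, iters):,.3g}")
```

The two knobs interact as the researchers describe: dropping from 100,000 to 5,000 iterations makes every guess twenty times cheaper, while going from a short password to the 12-character minimum multiplies the number of guesses needed by many orders of magnitude.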