

LASTPASS BREACH PASSWORD
Most people in the security world – and many Internet users – have read over the past two weeks about the possible exposure of LastPass's password database. Since LastPass (which I've written about before) is a cloud password management tool, this was a major cause for concern: although the stored password hashes were salted, which makes them harder to crack, many users still choose weak passwords that can be recovered from a salted hash with little effort.

The good news is that LastPass did a lot of things right, starting with their first blog post: "We noticed an issue yesterday and wanted to alert you to it."

They went on to explain why they were worried: "we saw a network traffic anomaly for a few minutes from one of our non-critical machines" and "we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)".

They explained what this might mean: "We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs."

Best of all, they then explained who might be in danger: "If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you – the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. As a precaution, we're also forcing you to change your master password."
LASTPASS BREACH CODE
LastPass suffered a network intrusion on Friday and is advising users to change their master password to avoid being hacked.

"In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed," Joe Siegrist, CEO of LastPass, said in a blog post on Monday. "The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

Salting and hashing turn a user's password into a fixed string that cannot, at least in theory, be reversed to recover the password. In practice, an attacker who holds the salt and the hash can still guess candidate passwords and check each one against the stolen record.

What can hackers do with your LastPass password? Brute-force their way into accounts, or deploy precisely targeted phishing campaigns, such as prompting users with fake "Update your LastPass master password" messages.

Because the company says the encrypted vault data was not taken, the site passwords stored in LastPass vaults should be safe. LastPass is also confident that the attackers cannot open the cryptographically locked user vaults in which those plain-text passwords are kept. "We are confident that our encryption measures are sufficient to protect the vast majority of users," Siegrist wrote.

"LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

PBKDF2-SHA256 is a password-strengthening algorithm that makes each guess in a brute-force attack slow and resource-intensive, so an attacker with the stolen hashes can test far fewer candidate passwords per second. Nonetheless, the company advises users who log in to the service from a new device or IP address to verify their identities via email or two-factor authentication. Two-factor authentication is a security feature that requires users to confirm their identity by entering a code sent to a device after entering their credentials.
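The attack both posts warn about, dictionary-guessing a master password offline from a leaked record of email address, server salt and strengthened authentication hash, as an added Python example covering the 2011 "brute forcing your master password using dictionary words" threat and the 2015 description of 100,000 server-side PBKDF2-SHA256 rounds on top of client-side rounds. This is illustration code written for this page, not LastPass's own implementation: the server-side round count and the random per-user salt follow the 2015 post, while the client-side round count, the use of the lower-cased email as the client-side salt, the sample accounts and the wordlist are assumptions made only so the example runs.

```python
"""Added example (not LastPass code): attacking a leaked (email, salt, auth-hash)
record with a wordlist, and why server-side PBKDF2 rounds slow that attack down."""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# The 2015 post names 100,000 server-side rounds of PBKDF2-SHA256 in addition to
# rounds performed client-side. The client-side count below is an assumption
# chosen for this example; it is not LastPass's real setting.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_hash(email: str, master_password: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side derivation sent to the server in place of the master password.
    Salting with the lower-cased email is an assumption of this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), rounds)


def server_hash(client_key: bytes, server_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side strengthening with a random per-user salt. This output and the
    salt are what sit in the database, i.e. what the 2015 post says leaked."""
    return hashlib.pbkdf2_hmac("sha256", client_key, server_salt, rounds)


def enroll(email: str, master_password: str) -> dict:
    """Build the stored record for a user: email, random server salt, auth hash."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt,
            "hash": server_hash(client_hash(email, master_password), salt)}


def verify(record: dict, master_password: str) -> bool:
    """What the server does at login; constant-time compare of the final hash."""
    candidate = server_hash(client_hash(record["email"], master_password), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def dictionary_attack(record: dict, wordlist: Iterable[str]) -> Optional[str]:
    """An attacker holding the leaked record never has to contact LastPass: each
    guess is derived exactly as the server would derive it, offline, and compared.
    Every guess costs CLIENT_ROUNDS + SERVER_ROUNDS PBKDF2 iterations, which is
    precisely what the server-side strengthening buys."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


def guesses_per_second(rounds: int, samples: int = 3) -> float:
    """Rough offline guess rate on this CPU for a given total PBKDF2 round count."""
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess", b"salt", rounds)
    return samples / (time.perf_counter() - start)


# Constructed sample data (not real accounts): one dictionary-word master
# password, one non-dictionary passphrase, and the wordlist an attacker tries first.
WORDLIST = ["password", "123456", "letmein", "qwerty", "sunshine", "dragon"]
WEAK_RECORD = enroll("alice@example.com", "sunshine")
STRONG_RECORD = enroll("bob@example.com", "correct-horse-battery-staple-17!")

if __name__ == "__main__":
    print("weak  :", dictionary_attack(WEAK_RECORD, WORDLIST))    # sunshine
    print("strong:", dictionary_attack(STRONG_RECORD, WORDLIST))  # None
    print(f"~{guesses_per_second(CLIENT_ROUNDS):.0f} guesses/s if only the client-side "
          f"hash had leaked, ~{guesses_per_second(CLIENT_ROUNDS + SERVER_ROUNDS):.0f} "
          f"guesses/s against the stored, server-strengthened hash")
```

The dictionary password falls after a handful of guesses and the passphrase survives the whole wordlist, which is the 2011 post's "strong, non-dictionary based password" advice in action. The rate comparison shows what the 100,000 server-side rounds add: an attacker's per-guess cost grows by the ratio of total to client-side rounds, and nothing about a salt stops the attack, it only prevents one guess from being checked against every user at once. Note that cracking the hash is the only offline step; the 2011 post's "then going to LastPass with that password" is why forcing a master-password change closes the window even for users whose hashes are crackable.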
