Lastpass leaks

LastPass’ disclosed the information they collected on their controversial security breach from last August. The company announced that the security breach resulted in malicious actors obtaining its users’ password vaults.

LastPass announced the details of the attack in a blog post, saying that its users’ passwords are still safe as it’s,

Extremely difficult to attempt to brute force guess master passwords.

Cybersecurity experts are criticizing the post, saying that people could feel safer than they are and that this was just the latest in a series of incidents surrounding LastPass.

Wladimir Palant, a security researcher, said LastPass’ December 22nd statement was “full of omissions, half-truths, and outright lies.”

The Competition and Security Experts Bash LastPass

Jeremi Gosney, a security researcher, recommends moving to another password manager. In his post on Mastodon, Jeremi said,

LastPass’s claim of ‘zero knowledge’ is a bald-faced lie. They have about as much knowledge as a password manager can possibly get away with

LastPass’ “zero knowledge” architecture is said to keep its users safe because the company doesn’t have access to their master password, which is what the hackers would need to unlock the stolen vaults.

Gosney didn’t dispute this claim but said the phrase is misleading as the encryption is far worse than the users would imagine. According to the CEO of LastPass, Karim Toubba, if you use the default settings for password length and strength and haven’t used it on another website, then:

It would take millions of years to guess your master password using generally-available password-cracking technology.

Another security researcher, Wladimir Palant, thinks “this prepares the ground for blaming the customers.” In a blog post, Palant notes that the encryption keeps the users safe only if the hackers can’t crack their master password.

Criticizing their standards, the researcher added the company didn’t enforce them well either. Despite the company making 12-character passwords the default in 2018, Palant says,

I can log in with my eight-character password without any warnings or prompts to change it.

LastPass’s statement has garnered a response from a rival company, 1Password. On Wednesday, 1Password’s principal security architect, Jeffrey Goldberg, published a post on the company’s website titled “Not in a million years: It can take far less to crack a LastPass password.”

In the post, Goldberg refutes LastPass’s claim that it would take a million years to crack a master password, stating that this assumption is based on the use of a 12-character randomly generated password.

Goldberg argues that passwords created by humans often don’t meet this requirement and that threat actors can prioritize certain guesses based on how people tend to construct passwords that they can remember.

How Secure is LastPass’ Protection?

Palant further criticized LastPass for their password-strengthening algorithm, known as PBKDF2, as “stronger-than-typical.”

The researcher seriously wonders what LastPass considers typical, saying their 100,000 PBKDF2 iterations are “the lowest number I’ve seen in any current password manager.”

The researcher also points out that LastPass hasn’t always had that level of security and that older accounts may have 5,000 iterations or fewer.

By comparison, Bitwarden, a well-known password manager, reports that its app uses 100,001 iterations and an additional 100,000 iterations when the password is stored on the server, resulting in a total of 200,001 iterations.

1Password said it uses 100,000 iterations, but its encryption scheme means the user needs a master password and a secret key to unlock their data.

According to Gosney, anyone who obtained a copy of a password vault protected by this feature wouldn’t manage to access it by only using the master password, making it uncrackable.

Several security experts, including Palant and Gosney, agree that this breach isn’t proof positive that cloud-based password managers are bad.

While offline password managers may offer some benefits, they can also come with challenges like the risk of data loss and difficulty with syncing between devices. One obvious benefit, however, is that a password that’s not on the cloud can’t be hacked and stolen.

Palant recommends that LastPass users, particularly those with simple master passwords, low numbers of iterations, or who may be high-value targets, take immediate action to change all of their passwords.

Overall, individuals should carefully consider their password management strategy to ensure the security of their accounts and personal information.

Read More Software News:

Twitter Blue for Business Introduces Company Affiliation Marks

Musk Pushes Employees for Year-End Deliveries & Not Worry About Market ‘Craziness’

Apple Claims iMessage Can Alert You of State-Sponsored Surveillance