LastPass, a company that offers users a way to centrally manage all of their passwords online with a single master password, disclosed Monday that intruders had broken into its databases and made off with user email addresses and password reminders, among other data.

In an alert posted to its blog, LastPass said the company has found no evidence that its encrypted user vault data was taken, nor that LastPass user accounts were accessed.

“The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised,” the company said. “We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”

Parsing LastPass’s statement requires a basic understanding of the way that passwords are generally stored. Passwords are “hashed” by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse. The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash. To make matters worse, there are plenty of tools capable of very rapidly mapping these hashes to common dictionary words, names and phrases, which essentially negates the effectiveness of hashing. These days, computer hardware has gotten so cheap that attackers can easily and very cheaply build machines capable of computing tens of millions of possible password hashes per second for each corresponding username or email address.

But by adding a unique element, or “salt,” to each user password, database administrators can massively complicate things for attackers who may have stolen the user database and rely upon automated tools to crack user passwords.

“What a salt does it makes it hard to go after a lot of passwords at once as opposed to one users’ password, because every user requires a separate guess and that separate guess is going to take a considerable amount of time,” said Steve Bellovin, a professor in computer science at Columbia University. “With a salt, even if a bunch of users have the same password, like ‘123456,’ everyone would have a different hash.”

More concerning in this particular breach, Bellovin said, is that users’ password reminders also were stolen. “I suspect that for a significant number of people, the password reminder - in addition to the user’s email address - is going to be useful for an attacker,” he said. “But password reminders are useful for targeted attacks, not massive attacks.”

That means that if your password reminder or hint is not particularly revealing to someone who doesn’t know you, it probably doesn’t matter much. Except in the case of targeted phishing attacks, which might try to leverage data known about a specific target (such as a password hint) to trick the user into giving up the answer to their password reminder.

So what’s the takeaway here? If you entrust all of your passwords to LastPass, now would be a terrific time to change your master password.

This entry was posted on Tuesday 16th of June 2015 12:16 AM

The bad thing here, Brian, is not the stolen master passwords but the fact that we cannot know for sure if they stole the encrypted data. I don’t know if we can trust any for-profit company to reveal all the truth right away. There were too many examples in the past when the true details of the breach that were revealed later were much worse than what was originally announced. They obviously will try to mitigate it, to soften the blow to their “business model.” It took LastPass people 3 days to announce this breach. (Remember they claim it happened last Friday and we learned about it on Monday.) So the question is, what else did they not tell us?

So going back to the “bad thing.” If the encrypted data blob with customers’ data was compromised this means that it has a tremendous payoff for the hackers to crack at. In that case they potentially have unlimited time at their disposal. Maybe not today, maybe not tomorrow, but some time in the future. So why would they want to do it? For starters, because they know that people store a lot of sensitive data in there - driver’s licenses, passports, SSNs, and other private info besides passwords.

What I will be doing today (without waiting for someone to tell me to do it) is resetting all my email and bank account passwords to start with.
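The hashing, salting and server-side PBKDF2 strengthening that the article explains, as an added example (not code from the original post or from LastPass): it contrasts a plain hash, where two users with the same password share one digest that a precomputed table resolves at once, with a per-user server salt plus 100,000 rounds of PBKDF2-SHA256 layered on top of a client-side derivation. The client-side round count and the use of the email address as the client salt are assumptions for illustration; the server-side rounds are the figure quoted in the statement.

```python
import hashlib
import hmac
import os
import time

CLIENT_ROUNDS = 5_000      # assumed client-side work factor (not stated on the page)
SERVER_ROUNDS = 100_000    # server-side rounds quoted in the LastPass statement


def unsalted_sha256(password: str) -> str:
    """Static hash: equal passwords give equal digests, so one table serves every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_hits(user_hashes: dict, dictionary: list) -> dict:
    """Cost model for unsalted storage: one hash per dictionary word, reused across all users."""
    table = {unsalted_sha256(word): word for word in dictionary}   # built once
    return {user: table[h] for user, h in user_hashes.items() if h in table}


def client_auth_hash(master_password: str, email: str) -> bytes:
    """Client-side derivation; assumption: the lower-cased email acts as the client salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def server_strengthen(auth_hash: bytes, server_salt: bytes) -> bytes:
    """Server-side strengthening: second PBKDF2 pass keyed by a random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, SERVER_ROUNDS)


def enroll(master_password: str, email: str, server_salt: bytes = None) -> tuple:
    """Return the (salt, digest) record the server would store for this user."""
    salt = server_salt if server_salt is not None else os.urandom(16)
    return salt, server_strengthen(client_auth_hash(master_password, email), salt)


def verify(master_password: str, email: str, record: tuple) -> bool:
    """Constant-time check of a login attempt against the stored record."""
    salt, stored = record
    candidate = server_strengthen(client_auth_hash(master_password, email), salt)
    return hmac.compare_digest(candidate, stored)


def seconds_per_guess(email: str = "alice@example.com") -> float:
    """Wall-clock cost of one full salted derivation, i.e. one guess against one user."""
    start = time.perf_counter()
    enroll("123456", email, b"\x00" * 16)
    return time.perf_counter() - start


if __name__ == "__main__":
    plain = {u: unsalted_sha256("123456") for u in ("alice", "bob")}   # constructed users
    print("unsalted table hits:", precomputed_hits(plain, ["password", "123456"]))
    a, b = enroll("123456", "alice@example.com"), enroll("123456", "bob@example.com")
    print("same password, distinct stored digests:", a[1] != b[1])
    print("seconds per salted PBKDF2 guess: %.3f" % seconds_per_guess())
```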