The stolen copies of user password vaults contain both unencrypted fields, including website URLs and site names, and encrypted fields, including usernames and passwords.

LastPass derives each user's vault encryption key from the master password with the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm, using 100,100 iterations, a higher count than is typical. Each iteration adds to the cost of every guess at the master password. Encryption and decryption of vault data are performed only on the local LastPass client; the master password is never sent to, stored, or maintained by LastPass. The stolen encrypted fields are protected with 256-bit AES and can only be decrypted with the unique key derived from each user's master password, which is what LastPass means by its Zero Knowledge architecture.

Decrypting a vault protected by a strong, unique master password is a difficult task with current technology, though not an impossible one given the advances expected in next-generation computing. The iteration count only multiplies the cost of each guess, so a short, common, or reused master password can still be recovered quickly. The threat actor will most likely run offline brute-force and dictionary attacks against the stolen vaults: guessing master passwords, deriving the key from each guess, and testing it against the encrypted data, with no LastPass server in the loop to rate-limit or lock out the attempts.

The latest disclosure from LastPass lists the remediations taken to strengthen security, including decommissioning the hacked development system and rebuilding it from scratch, retaining a managed endpoint detection and response service, and rotating all relevant credentials and certificates that may have been affected.

While LastPass has been transparent with its disclosures to date, the theft of user password vaults is bad news for any password-manager solution. LastPass's password best practices can be found here.

Because the site URLs and names are in the clear, the threat actor knows which online accounts each vault holds and may target customers with phishing and vishing attacks, credential stuffing, or other brute-force attacks against those accounts. LastPass customers should ensure they have changed their master password and all passwords stored in their vault.
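To make concrete what the iteration count and the zero-knowledge design buy the user, and what the attacker is left doing with a stolen copy, here is an added example written for this post (it is not LastPass code). It models the scenario in Go: PBKDF2-HMAC-SHA256 with 100,100 iterations derives a 256-bit key from a master password on the client, AES-256 protects the username/password field while the URL stays in plaintext, and an attacker holding only the stolen copy tries master-password guesses offline. It assumes, for illustration only, the account email as the salt and AES-256-GCM with the plaintext URL bound as associated data; the real LastPass vault format is not reproduced here, and the sample entry, wordlist, and credentials are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Iterations is the PBKDF2 count cited in the LastPass disclosure.
const Iterations = 100100

// PBKDF2SHA256 implements RFC 8018 PBKDF2 with HMAC-SHA-256 for a single output
// block (dkLen <= 32 bytes), which is all a 256-bit AES key needs. Every
// iteration is one HMAC, and the attacker must pay all of them for each guess.
func PBKDF2SHA256(password, salt []byte, iterations, dkLen int) []byte {
	if dkLen > sha256.Size || iterations < 1 {
		panic("PBKDF2SHA256: dkLen must be <= 32 and iterations >= 1")
	}
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := prf.Sum(nil)             // U_1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...) // T = U_1
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
		for j := range t {
			t[j] ^= u[j] // T ^= U_i
		}
	}
	return t[:dkLen]
}

// Vault models one entry of the stolen backup (constructed format, not LastPass's):
// the URL is stored in the clear, the credential field is sealed under the derived key.
type Vault struct {
	Email      string // assumed PBKDF2 salt
	URL        string // unencrypted, as in the disclosure
	Nonce      []byte
	Ciphertext []byte // username and password, AES-256-GCM with URL as associated data
}

// DeriveKey turns the master password into the 256-bit vault key on the client.
func DeriveKey(master, email string) []byte {
	return PBKDF2SHA256([]byte(master), []byte(email), Iterations, 32)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault is the legitimate client encrypting an entry before it is synced.
func SealVault(master, email, url, secret string) (Vault, error) {
	gcm, err := newGCM(DeriveKey(master, email))
	if err != nil {
		return Vault{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Vault{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(secret), []byte(url))
	return Vault{Email: email, URL: url, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenVault tries one master password; GCM's authentication tag rejects a wrong key.
func OpenVault(v Vault, master string) (string, bool) {
	gcm, err := newGCM(DeriveKey(master, v.Email))
	if err != nil {
		return "", false
	}
	pt, err := gcm.Open(nil, v.Nonce, v.Ciphertext, []byte(v.URL))
	if err != nil {
		return "", false
	}
	return string(pt), true
}

// CrackOffline is the attacker with only the stolen copy: no server, no lockout,
// one key derivation plus one AES-GCM open per guess. Returns the recovered master
// password and the number of guesses made ("" and len(wordlist) on failure).
func CrackOffline(v Vault, wordlist []string) (string, int) {
	for i, guess := range wordlist {
		if _, ok := OpenVault(v, guess); ok {
			return guess, i + 1
		}
	}
	return "", len(wordlist)
}

func main() {
	// Constructed sample: a dictionary-style master password protecting one entry.
	v, err := SealVault("Summer2022!", "alice@example.com", "https://bank.example/login", "alice@example.com:hunter2")
	if err != nil {
		panic(err)
	}
	fmt.Printf("URL readable without any key: %s\n", v.URL)
	// Constructed wordlist standing in for a real cracking dictionary.
	wordlist := []string{"password", "123456", "letmein", "Summer2022!", "correct horse battery staple"}
	start := time.Now()
	found, tried := CrackOffline(v, wordlist)
	elapsed := time.Since(start)
	fmt.Printf("recovered %q after %d guesses in %s (%.1f guesses/s, one core)\n",
		found, tried, elapsed.Round(time.Millisecond), float64(tried)/elapsed.Seconds())
	if secret, ok := OpenVault(v, found); ok {
		fmt.Printf("decrypted field: %s\n", secret)
	}
}
```

The guess loop is the cost model the disclosure is relying on: every wrong guess still costs a full 100,100-iteration derivation, which is what the iteration count buys, but nothing rate-limits the attacker, and a master password that appears in a wordlist falls after a handful of guesses. Running the same loop with a longer wordlist, or timing it against a smaller Iterations value, shows how the per-guess cost scales and why the strength of the master password, not the iteration count alone, decides whether a stolen vault stays closed.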