1/18/2024

Lastpass security issues

If you are sticking with LastPass, the good news is that it's also pretty easy to disable the trackers in question. Moving your password vault from one app to another is generally easy enough, although getting used to a different user interface can take a bit of time. Anything that introduces a potential attack surface, which is what some security researchers are calling such third-party tracker content, in a password vault product certainly gives pause for thought. However, I'm not saying that this is absolutely enough reason for happy users to ditch LastPass, not least as research last year found vulnerabilities in multiple password manager apps, but that option is there if you want it.

Do you need to switch to another password manager now? The critical difference here is that a password manager has to be fully trusted by the user, and anything that might erode that trust isn't a great thing. Of course, as iPhone users discovered when Apple started getting more aggressive with its iOS privacy labelling, many apps come complete with such trackers. Exodus research suggests that of the big names, neither 1Password nor KeePass includes any trackers, but Bitwarden has two and Dashlane four. It should also be noted that LastPass is far from being alone when it comes to password managers embedding such trackers.

For me as a security geek, the most important thing to note here is that LastPass has also made it clear that "No sensitive personally identifiable user data or vault activity could be passed through these trackers." This means that credentials such as username and password data are not being collected or logged by these trackers.

While company CEO Joe Siegrist wrote that there was no evidence that encrypted user vault data was taken, investigations have shown that the digital break-in.

Just before Christmas, LastPass issued an update on its security breach including the news that customer vaults were obtained by the hacker. After digging through all the technical claims, one security researcher says the situation is much worse than the company claims and believes the statement is "full of omissions, half-truths and outright lies." Then in November of 2022, LastPass stated that its third-party cloud storage service, which it shared with its partner GoTo, was also breached using the same.

Writing on his security blog, Almost Secure (via TechMeme), Wladimir Palant has picked apart 14 different statements in the LastPass update on its security breach. Covering everything from the company's claim of transparency to its own security practices and more, Palant believes LastPass has downplayed the risks and is guilty of "gross negligence." One of the claims at issue is LastPass telling customers "If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology." Palant says that's probably closer to two months than "millions of years" for the average person:

I'll translate: "If you've done everything right, nothing can happen to you." This again prepares the ground for blaming the customers. As I've calculated, even guessing a truly random password meeting their complexity criteria would take less than a million years on average using a single graphics card. But human-chosen passwords are far from being random. Most people have trouble even remembering a truly random twelve-character password. An older survey found the average password to have 40 bits of entropy. Such passwords could be guessed in slightly more than two months on the same graphics card. Even an unusually strong password with 50 bits of entropy would take 200 years on average – not unrealistic for a high value target that somebody would throw more hardware on. One would assume that people who "test the latest password cracking technologies" would know better than that.

If you've used LastPass and haven't done so already, the safest move is to change all of your passwords. Check out all the issues brought up with the LastPass security breach in Palant's full blog post.

LastPass had their security challenge and vault tour, while NordPass brings OCR scanning and a huge list of browser extensions to the table. To counter this issue, LastPass has implemented biometric security, ensuring that only the thumbprint registered with the phone is able to unlock the app and access its data.