Lastpass breach
Here at Naked Security, we have a variety of views about password managers.

Generally speaking, we're in favour, because password managers are tools that generate and store a list of different, hard-to-guess passwords for all your websites and online accounts.

That means that if you're the kind of person who has hundreds of passwords, or who struggles to memorise even a few wackily long and mixed-up passwords, or both, password managers can be a huge help.

With a password manager, you don't end up with repetitious and guessable passwords like mikenyt, mikeicloud and mikegmail for your New York Times, Apple and Google accounts respectively.

Instead, the password manager makes up phrases like OLr9Ia7iJZgt, mz8mE Vbnf4DVtm0 and JDYUG=mzGrSW.8j.

Better yet, it enters those passwords for you into the right web pages, so there's no extra hassle caused by typing in weird-and-wacky text.

And a password manager can stop you putting real login data into a fake web page, because it simply doesn't have a password to match a bogus site such as phishygmail.example.

There's one non-trivial downside that you need to keep in mind: the password manager's vault, whether it's stored online or offline, is typically protected by a password of its own.

That master password can't be kept inside the vault, because you'd need to know it anyway to get into the vault and retrieve it.

So the master password needs to be remembered and stored in more traditional ways.

And if a crook gets hold of your master password, that's like getting the crown jewels, because now the crook has access to all your accounts at once.

It was therefore with some trepidation that we read a just-published security notice from popular password manager LastPass, saying that the company had found crooks inside its network.

LastPass lets you store your password vault online, so it needs some way of validating, over the network, that you know your master password.

That means it has some sort of authentication database for all its users.

And the LastPass authentication database is, apparently, one of the things that the crooks got into.

That means, amongst other things, that the crooks very likely have your email address, your password hint, and a representation of your password.

It doesn't look as though the crooks got anything of importance beyond the authentication data (e.g. no encrypted user data was accessed).

And LastPass does a good job of storing its password representations: your passwords are salted, hashed and stretched, and only ever stored in that scrambled, irreversible form.

→ Salting is where you add some random nonsense to the actual password text, so that even if two users pick the same password, their password representations end up different.
→ Hashing is where you scramble the salted password cryptographically and store only the one-way scrambled version.
→ Stretching is where you deliberately re-run the hashing step over and over again before storing the representation, to slow an attacker down.

In November 2013, we proposed the following for storing your customers' passwords safely:

  • A process called PBKDF2 to mangle your real password into a storable representation.
  • A hash called HMAC-SHA-256 as the hashing function inside PBKDF2.
  • At least 10,000 iterations of the hash function for "stretching" (time-consumption) purposes.

It turns out that LastPass does just what we recommended!

Actually, it exceeds our minimum suggestion, because it uses HMAC-SHA-256 for 100,000 iterations, not just 10,000.

Bear in mind, though, that stretching only slows an attacker down; it doesn't stop them. With the salt and the stored representation in hand, the crooks can run offline guesses against each account at their leisure, and a short or guessable master password (especially one that the leaked hint all but gives away) will fall quickly. So change your master password, make the new one long, and make sure the hint is useless to anyone but you.
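To make the salt, hash and stretch recipe above concrete, here is an added example of storing and checking passwords the way the November 2013 advice describes: PBKDF2 with HMAC-SHA-256 inside it, a random per-user salt, and a configurable iteration count. It is example code written for this page, not LastPass's code and not a description of LastPass's actual storage format; the `pbkdf2_sha256$iterations$salt$hash` layout, the function names and the "upgrade on login" helper are this example's own assumptions, and the default of 100,000 iterations simply follows the figure quoted above. It uses only Python's standard library.

```python
import base64
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"      # HMAC-SHA-256 is the PRF inside PBKDF2
SALT_BYTES = 16           # 128-bit random salt per stored password
DKLEN = 32                # length of the derived key we store
ITERATIONS = 100_000      # stretching count; 10,000 was the 2013 minimum
SCHEME = "pbkdf2_sha256"  # assumed, self-describing tag for the stored string


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a storable representation of `password`.

    The salt is fresh random data unless one is supplied (only useful for
    tests); two users with the same password therefore get different strings.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             salt, iterations, dklen=DKLEN)
    # Store the scheme and iteration count alongside the salt and hash, so the
    # parameters can be raised later without breaking existing records.
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def parse_stored(stored):
    """Split a stored representation into (iterations, salt, derived_key)."""
    scheme, iters, salt_b64, dk_b64 = stored.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown password scheme: %r" % scheme)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password, stored):
    """Recompute PBKDF2 with the stored salt and count, compare in constant time."""
    iterations, salt, expected = parse_stored(stored)
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, minimum_iterations=ITERATIONS):
    """True if the record was stretched less than current policy requires."""
    iterations, _, _ = parse_stored(stored)
    return iterations < minimum_iterations


def verify_and_upgrade(password, stored, minimum_iterations=ITERATIONS):
    """Check a login and, if it succeeds against an under-stretched record,
    return a replacement record at the current iteration count.

    Returns (ok, new_stored_or_None). The plaintext is only available at
    login time, which is the only moment a stored hash can be re-stretched.
    """
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, minimum_iterations):
        return True, hash_password(password, minimum_iterations)
    return True, None


def time_one_guess(iterations):
    """Seconds an attacker pays per guess at this iteration count (rough)."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH_NAME, b"guess", b"\x00" * SALT_BYTES, iterations, dklen=DKLEN)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed demo: two users who chose the same (bad) master password.
    alice = hash_password("letmein")
    bob = hash_password("letmein")
    print("alice:", alice)
    print("bob:  ", bob)
    print("same password, same stored string?", alice == bob)      # False: salts differ
    print("alice logs in correctly?", verify_password("letmein", alice))
    print("alice logs in with a typo?", verify_password("letmeIn", alice))
    print("cost per guess at 10,000 iterations: %.4fs" % time_one_guess(10_000))
    print("cost per guess at 100,000 iterations: %.4fs" % time_one_guess(100_000))
```

Note what the stored string does and does not protect: an attacker who steals it still gets to make offline guesses, each one costing roughly the `time_one_guess` figure, so the iteration count buys time against a weak password rather than making it safe. Storing the count in the record is what lets you raise it later via `verify_and_upgrade` as hardware gets faster.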