
guatemaleco t1_j84dahy wrote

0

spsteve t1_j85qm3y wrote

I have heard both options from reputable sources. Normally I would trust the company statements, but given their handling of this I trust NOTHING that touched them.

2

schussboomer t1_j86n943 wrote

Username, password, and password notes are encrypted. The website URL is only hex encoded, so it might as well have been in plain text. In other words, hackers know which websites you have passwords for (so beware of phishing attacks), but if you have a strong enough master password, they are still probably trying to crack your vault. You can see for yourself what is encrypted by downloading your encrypted vault - this was a good article which helped me figure that out: https://palant.info/2022/12/24/what-data-does-lastpass-encrypt/

At any rate, going forward, 1Password seems to be a better choice because of the additional secret key required to unlock the vault.

In the end, there is no substitute for a good, strong master password.

3

ISLITASHEET t1_j86o22x wrote

The same vault that is stored server side should be what is available locally. Older vaults may be different, so your mileage may vary.

I know that I examined my local vault and fields that were associated with a credential were encrypted, but names and URLs were not. Some URLs were stored with a token in them. Regardless of that fact, I cycled all of my credentials as I migrated to another provider.

1

spsteve t1_j875o99 wrote

As I understand it a lot depends on when you started using the service, including the number of rounds used on the master password.

1

guatemaleco t1_j89nwz6 wrote

I wasn't basing that on statements from LastPass. I just presented on this at work and, as part of preparing the presentation, we analyzed LastPass, Bitwarden and 1Password vaults as they are synced to their respective services. Palant's blog was certainly one of the sources we used in putting together the analysis.

Some interesting takeaways are that Shared Folders and Federated authentication offered some additional security. 2FA is completely meaningless in this situation as nothing from 2FA is used as part of the encryption key derivation.

As you also mentioned, the age of the account made some differences (though not in whether the username is encrypted or not). Default iterations were a big one, and AES-CBC vs AES-ECB, which would certainly make usernames more easily determined.

1
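Two points raised in this thread (the URL field being merely hex encoded, and AES-ECB leaking which entries share a username) can be demonstrated with a small constructed vault. The Go program below is an added example and is not LastPass's, Bitwarden's or 1Password's code, nor their real vault layout; the key, the usernames and the hex-encoded URL are all constructed here. It decodes the URL with no key at all, then encrypts the same list of usernames under ECB and under CBC with a random IV and counts how many ciphertexts repeat: under ECB every repeated username produces an identical ciphertext, which is exactly the equality leak the comment above describes, while under CBC no two ciphertexts match.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// Constructed sample URL field, hex encoded the way the thread describes
// (assumption: not the actual LastPass vault format). Decodes to
// "https://example.com/login".
const sampleHexURL = "68747470733a2f2f6578616d706c652e636f6d2f6c6f67696e"

// decodeHexURL shows that hex "encoding" is reversible without any secret.
func decodeHexURL(h string) (string, error) {
	b, err := hex.DecodeString(h)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// pkcs7Pad pads the plaintext to a whole number of AES blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB encrypts each block independently, so equal plaintexts always
// give equal ciphertexts under the same key.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	p := pkcs7Pad(plaintext)
	out := make([]byte, len(p))
	for i := 0; i < len(p); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], p[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptCBC prefixes a fresh random IV, so equal plaintexts diverge.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	p := pkcs7Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(p))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], p)
	return out, nil
}

// duplicateCiphertexts encrypts every username under the chosen mode and
// returns how many ciphertexts are identical to an earlier one. A non-zero
// result means an attacker holding only the encrypted vault can tell which
// entries share a username without knowing the key.
func duplicateCiphertexts(key []byte, usernames []string, ecb bool) (int, error) {
	seen := map[string]bool{}
	dups := 0
	for _, u := range usernames {
		var ct []byte
		var err error
		if ecb {
			ct, err = encryptECB(key, []byte(u))
		} else {
			ct, err = encryptCBC(key, []byte(u))
		}
		if err != nil {
			return 0, err
		}
		if seen[string(ct)] {
			dups++
		}
		seen[string(ct)] = true
	}
	return dups, nil
}

func main() {
	// Constructed key and vault entries; three entries reuse one username.
	key := []byte("0123456789abcdef0123456789abcdef")
	names := []string{"alice@example.com", "bob@example.com", "alice@example.com", "alice@example.com"}
	url, _ := decodeHexURL(sampleHexURL)
	ecb, _ := duplicateCiphertexts(key, names, true)
	cbc, _ := duplicateCiphertexts(key, names, false)
	fmt.Printf("decoded URL: %s\nECB duplicates: %d\nCBC duplicates: %d\n", url, ecb, cbc)
}
```

With the four constructed entries the program reports two ECB duplicates and zero CBC duplicates; the same comparison can be run over any list of field values to see whether a given mode leaks equality between entries.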