Submitted by glawgii t3_ztx9k5 in technology
wren337 t1_j1gekzz wrote
Reply to comment by Fit-Anything8352 in The Lastpass hack was worse than the company first reported by glawgii
Assuming they didn't do anything incorrectly. Like secretly having a second password for customer support, or for law enforcement requests. These guys have screwed the pooch at every turn. I find no comfort in them saying they had the right high level design.
Fit-Anything8352 t1_j1gers3 wrote
I mean they physically can't implement the cipher in a way that allows for a backdoor, it wouldn't work (unless they are simply lying about how they encrypt the data I guess, but some quick reverse engineering of their app should figure out pretty easily if they aren't actually using AES-256).
That's why it's a good idea to use open source security tools though. You can read the source code to make sure there's no funny business going on.
Gaspar099 t1_j1i5zxy wrote
The thing that makes me question it is: how can they reset your Master Password if your data is encrypted? I lost my master password in the past and I was able to change it. Meaning they probably have a backdoor in their cryptographic system or a way to get the information on their side.
raunchyfartbomb t1_j1io28h wrote
Yea, this is a point to think on. The only thing I can think of is that it exists locally with much less security. But that doesn’t make sense, so they must have some way to decrypt it in order to apply the new password to the blob.
Gaspar099 t1_j1iob6i wrote
Maybe a copy of the vault with another key they have.
hypnoticlife t1_j1i6ptn wrote
Both of the other replies here make me think that the master password isn’t the key. That it merely unlocks the key. This gives the ability to have a password reset and trivial support/law enforcement access. The only evidence is the ability for password resets. That’s a huge red flag.
wren337 t1_j1ke1j2 wrote
Agreed, that's how you do multiple passwords. There is a random encryption key for the actual data, and then multiple copies of that key are encrypted with your password and one or more of their passwords. So the question is, did their passwords get lost? If support can recover your vault, everything they've said is a lie.
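The key-wrapping design described in the two comments above (a random data key, with copies of it wrapped under the user's password and possibly other secrets) as an added, self-contained Python example; it is not code from the thread or from LastPass. It assumes a toy authenticated stream cipher built from HMAC-SHA256 as a stand-in for AES (the stdlib has no AES), PBKDF2 as the password-to-key step, the labels `"user"` and `"recovery"`, and a constructed sample vault. It shows why a password change needs the old password, and why a reset without it only works if a second wrapped copy of the data key already exists, which is the point the comment raises.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample vault contents; not real credentials.
SAMPLE_VAULT = b'{"example.com": {"user": "alice", "pass": "hunter2"}}'


def derive_kek(secret: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Password or recovery secret -> 32-byte key-encryption key (PBKDF2-HMAC-SHA256).
    The iteration count is illustrative, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; stands in for a real cipher (e.g. AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key fails here and never yields plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _wrap(vault: dict, label: str, secret: bytes, dek: bytes) -> None:
    """Store one more copy of the data key, encrypted under a key derived from `secret`."""
    salt = os.urandom(16)
    vault["wrapped_keys"][label] = {"salt": salt, "blob": seal(derive_kek(secret, salt), dek)}


def _unwrap(vault: dict, label: str, secret: bytes) -> bytes:
    entry = vault["wrapped_keys"][label]
    return unseal(derive_kek(secret, entry["salt"]), entry["blob"])


def create_vault(master_password: bytes, contents: bytes) -> dict:
    """Encrypt the contents under a random data key (DEK); wrap the DEK under the user's password.
    Only the ciphertext and the wrapped copies are stored; the DEK itself is discarded."""
    dek = secrets.token_bytes(32)
    vault = {"ciphertext": seal(dek, contents), "wrapped_keys": {}}
    _wrap(vault, "user", master_password, dek)
    return vault


def unlock(vault: dict, label: str, secret: bytes) -> bytes:
    """Unwrap the DEK with the given secret, then decrypt the vault contents."""
    return unseal(_unwrap(vault, label, secret), vault["ciphertext"])


def unlock_or_none(vault: dict, label: str, secret: bytes):
    """Same as unlock(), but returns None on a wrong secret instead of raising."""
    try:
        return unlock(vault, label, secret)
    except ValueError:
        return None


def change_password(vault: dict, old_password: bytes, new_password: bytes) -> None:
    """A password change re-wraps the DEK; the data is not re-encrypted.
    It needs the old password: without it the DEK cannot be recovered from the 'user' copy."""
    dek = _unwrap(vault, "user", old_password)
    _wrap(vault, "user", new_password, dek)


def add_wrapped_copy(vault: dict, unlocking_label: str, unlocking_secret: bytes,
                     new_label: str, new_secret: bytes) -> None:
    """Any holder of a valid secret can add another copy (a recovery key, or a provider-held key).
    This is the only way a later 'reset' can work without the user's current password."""
    dek = _unwrap(vault, unlocking_label, unlocking_secret)
    _wrap(vault, new_label, new_secret, dek)


def non_user_copies(vault: dict) -> list:
    """Labels of wrapped copies other than the user's: whoever holds those secrets can unlock the vault."""
    return [label for label in vault["wrapped_keys"] if label != "user"]


if __name__ == "__main__":
    v = create_vault(b"correct horse battery staple", SAMPLE_VAULT)
    print("non-user copies at creation:", non_user_copies(v))
    change_password(v, b"correct horse battery staple", b"new master password")
    add_wrapped_copy(v, "user", b"new master password", "recovery", b"RECOVERY-SECRET-example")
    print("non-user copies after adding recovery key:", non_user_copies(v))
    print(unlock(v, "recovery", b"RECOVERY-SECRET-example"))
```

The check a practitioner would run against a vault format is the last function: if the stored vault carries a wrapped copy of the data key under a secret the user does not hold, a reset without the master password is possible for whoever holds that secret; if the only copy is the user's, a forgotten master password means the data is unrecoverable.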
nicuramar t1_j1irrv4 wrote
> Assuming they didn’t do anything incorrectly. Like secretly having a second password for customer support, or for law enforcement requests.
But if that’s secret and not leaked, an attacker wouldn’t be better off.