Viewing a single comment thread. View all comments

billsonbobq2q t1_j1gz7xc wrote

Reply to comment by Fit-Anything8352 in The Lastpass hack was worse than the company first reported by glawgii

Encryption is meaningless without a strong master password in this case. And LastPass was permitting some shockingly short master passes in their protocols.

Attackers can now take the file and run infinite offline brute force attacks on each vault until they unlock everything via the cracked encryption key.

Additionally because the files exposed URLs of each PW entry attackers can gain quite a bit of knowledge about the user of each vault, making it easier to guess and crack potential passwords.

So yeah, for most users there's not a ton of risk, but for anyone with PWs of less than 11ish characters and/or a low degree of entropy, everything they stored is at risk.

9

sometimesome t1_j1h8nyu wrote

Oh man i feel so stupid right now. I have so many questions. I had a few reset emails come at me while reading about this. Already moved to a different cloud based one that doesn’t get hacked every year. At first i thought ok they got hacked a few years back now they will double down on security- so they will be safer than the ones that didnt get hacked. 🙃

Alright my 2 questions to help me take better action. Hope someone can help, this may help others going through this right now too

  1. Silly obvious question but i need to ask it to be super sure: when you say they have the vault offline does this mean my new masterpassword online and some important ones that i have now deleted from my online vault, will not stop them from from accessing my old offline vault with the old password with the now deleted entries as well?

  2. Within a password file i would keep important private notes, not a secure note, but the field within a password entry, i cant find if this field was encrypted or was it fully visible too in the hack?

4

HanaBothWays t1_j1hkhwk wrote

> Already moved to a different cloud based one that doesn’t get hacked every year.

Respectfully, you don’t know how often they get hacked, they probably just Don’t disclose it the same way. But any password vault provider is gonna be an attractive target for hackers.

5

sometimesome t1_j1hlyhf wrote

Yes youre absolutely right, just know a few people that use 1password service with apple watch 2fa, and dont have time today of all days to figure out which self service to choose, how to setup and keep secure etc. but long term definitely need to do so

1

Gaspar099 t1_j1i6td7 wrote

>Within a password file i would keep important private notes, not a secure note, but the field within a password entry, i cant find if this field was encrypted or was it fully visible too in the hack?

On Last pass website, they are telling:
"LastPass Secure Notes is your personal Fort Knox notes app. Just like your Password Vault, Secure Notes is encrypted at the device-level, meaning personal data – Wi-Fi passcode, credit card info, password hints, and more – is protected from anyone who isn't you."

Meaning they are encrypted as well.

2

billsonbobq2q t1_j1jbze9 wrote

>will not stop them from from accessing my old offline vault with the old password with the now deleted entries as well?

Correct. They have a backup from months ago. While changing your master pw is a good idea, it doesn't remove what's already been taken.

>Within a password file i would keep important private notes, not a secure note, but the field within a password entry,

Everything I've read says the notes fields were encrypted. The URL field was exposed, as well as your name and email attached to your specific vault file.

2

Fit-Anything8352 t1_j1hq4pp wrote

> So yeah, for most users there's not a ton of risk, but for anyone with PWs of less than 11ish characters and/or a low degree of entropy, everything they stored is at risk.

They were always at risk though, it was always incredibly stupid to use short master passwords, it's not like we didn't know that. People who ignored the warnings and did it anyway knew exactly what they were signing up for in the event or a breach.

2