billsonbobq2q
billsonbobq2q t1_j1gz7xc wrote
Reply to comment by Fit-Anything8352 in The Lastpass hack was worse than the company first reported by glawgii
Encryption is meaningless without a strong master password in this case. And LastPass was permitting some shockingly short master passes in their protocols.
Attackers can now take the file and run infinite offline brute force attacks on each vault until they unlock everything via the cracked encryption key.
Additionally because the files exposed URLs of each PW entry attackers can gain quite a bit of knowledge about the user of each vault, making it easier to guess and crack potential passwords.
So yeah, for most users there's not a ton of risk, but for anyone with PWs of less than 11ish characters and/or a low degree of entropy, everything they stored is at risk.
billsonbobq2q t1_j1jbze9 wrote
Reply to comment by sometimesome in The Lastpass hack was worse than the company first reported by glawgii
>will not stop them from from accessing my old offline vault with the old password with the now deleted entries as well?
Correct. They have a backup from months ago. While changing your master pw is a good idea, it doesn't remove what's already been taken.
>Within a password file i would keep important private notes, not a secure note, but the field within a password entry,
Everything I've read says the notes fields were encrypted. The URL field was exposed, as well as your name and email attached to your specific vault file.