Bitwarden vs lastpass 2020

11/13/2023

What do you mean?

As researcher Wladimir Palant details, LastPass salts-and-hashes master passwords using the PBKDF2 algorithm, with 100,100 iterations.

It sounds like LastPass missed an opportunity to boost its users’ security there…

And what’s more, security researchers have revealed that at least some of the master passwords stored by LastPass for its longer-standing users’ vaults have been encrypted in a way which makes them far too easy to crack.

Since 2018, LastPass says it has recommended and required a “twelve-character minimum for master passwords”.

Aside from the fact that the number of characters alone isn’t a good indicator of password strength, it appears that customers who have been with LastPass since before 2018 have not been required to update their master passwords to meet LastPass’s own recommendations – leaving the encrypted parts of their password vaults much more vulnerable.

It may still be a sensible step to take, of course.

And what’s going to help the hackers is that many many LastPass users are likely to have chosen master passwords that are much weaker than LastPass itself recommends.

Similarly, changing your password now doesn’t undo the data breach. The hackers have already stolen the password vault data, they don’t need to bother logging into anyone’s LastPass account.

Hmm, well… 2FA is irrelevant in this case.

And I have two-factor authentication (2FA) enabled on my LastPass account.

Well, I have a strong, hard-to-guess, unique password.

The hackers need to determine what your LastPass master password is, to access the crown jewels – the usernames and passwords to all your online accounts.
This sounds terrible…

Because the hackers also stole encrypted customer data including:

That’s valuable information for anyone attempting to phish further information from you, as they could easily pose as one of the websites you access and send you a scam email.

Furthermore, simply knowing which websites you access (and store in your password manager) might reveal private information about you that you would rather have remained confidential.

And further still, it’s possible you stored password reset links for these websites in your password manager that might not have expired, or other sensitive information or tokens in your website URLs that you wouldn’t want to fall into the wrong hands.

In other words, cybercriminals now know that you use LastPass, they know how to contact you, and they know which websites you use.
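The PBKDF2 and password-length points above can be put into numbers. The following is an added example, not code from the article or from LastPass: it stretches a master password with PBKDF2 and shows how the iteration count and the password's real entropy, rather than its length, set the average cost of offline guessing against a stolen vault. The SHA-256 hash choice, the 5,000-iteration comparison value, the attacker hash rate and the 30-bit estimate for a patterned password are all assumptions made for illustration.

```python
import hashlib
import math
import os

PAGE_ITERATIONS = 100_100        # PBKDF2 iteration count quoted in the article
LOW_ITERATIONS = 5_000           # constructed lower setting, for comparison only
ASSUMED_HASH_RATE = 1e9          # assumed attacker HMAC rounds per second

def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte key (SHA-256 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def guesses_per_second(hash_rate: float, iterations: int) -> float:
    """Each guess costs `iterations` rounds, so the guess rate drops linearly."""
    return hash_rate / iterations

def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are all chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def expected_years(entropy_bits: float, rate: float) -> float:
    """Average offline search time: half the candidate space at `rate` guesses/s."""
    return (2 ** entropy_bits / 2) / rate / (365.25 * 24 * 3600)

if __name__ == "__main__":
    salt = os.urandom(16)        # per-user salt, constructed here
    key = derive_key("constructed sample passphrase", salt, PAGE_ITERATIONS)
    print("derived key:", key.hex())
    # Both sample passwords are 12 characters long; only their entropy differs.
    samples = {
        "12 random printable chars": random_password_bits(12, 94),
        "12 chars, word + year (assumed ~30 bits)": 30.0,
    }
    for label, bits in samples.items():
        for iters in (LOW_ITERATIONS, PAGE_ITERATIONS):
            rate = guesses_per_second(ASSUMED_HASH_RATE, iters)
            print(f"{label:42s} {iters:>7,} iters: "
                  f"{expected_years(bits, rate):.3g} years on average")
```

Raising the iteration count multiplies the search time by the same factor, but it cannot rescue a low-entropy password: the gap between the two 12-character samples is many orders of magnitude larger than the gap between the two iteration settings.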