
PMs_You_Stuff t1_j82uslf wrote

So, my 16+ digit alpha numeric password is safe?

15

jmpalermo t1_j82v4yx wrote

If that is your master password, yes. If that was a stored password and your master password was “Password1!” like mine was, then you need to rotate all the stored passwords.

21

steven4297 t1_j85u4zv wrote

I use a simple phrase and convert it using base64encode.org

So say I type "I love pizza!"

It returns "SSBsb3ZlIHBpenphIQ=="

Best way I've found to make passwords

5

jmpalermo t1_j85w796 wrote

https://xkcd.com/936/

Just a phrase itself is a really good password

6

thirdender t1_j85zxsq wrote

Is it bad that I know exactly which xkcd that is without checking?

9

csallert t1_j88kc3u wrote

That one and “little Bobby tables” have well defined use cases

2

cryptosupercar t1_j839wmc wrote

Do a quick check. Every year produces faster processors and GPUs.

2

FreeWildbahn t1_j83qro8 wrote

Did you calculate the number of combinations? 62^16 is 4.7 * 10^28 combinations. This will hold for a veeeery long time.

4

Dominicus1165 t1_j83t9mx wrote

As long as the password is not vulnerable to a rainbow table attack

3

FreeWildbahn t1_j84wf1x wrote

For a rainbow table attack you need a hash like the passwd file on linux systems. But we are talking about cracking a password safe.

4

jmpalermo t1_j85whp1 wrote

Any responsible site will salt the password before hashing it which makes rainbow table attacks worthless. Not every site is responsible though…

4

sopwath t1_j87biaq wrote

That’s not what a rainbow table is. Also, rainbow tables are defeated by salting.

2

Dominicus1165 t1_j87obtb wrote

Yeah, I know. I meant a dictionary attack… with the dictionary provided by the user and only the correct websites to be found.

1

Toasty27 t1_j881vl9 wrote

Rainbow tables are easily thwarted by salting passwords before hashing. Most systems do this nowadays. Pretty sure LP also does this.

1

guatemaleco t1_j84e7xv wrote

16 characters seems low unless it’s a randomly generated password. PBKDF2 iterations would also matter a lot here. The most determining factor is probably how likely of a target are you? Are you likely worth the compute time?

1
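A worked check of the numbers and claims raised across this thread (the 62^16 keyspace, PBKDF2 iterations as a cost multiplier, base64 being reversible, and salting defeating precomputed tables), added here as an example; it is not any commenter's code. The guess rate and iteration counts are assumed illustrative values, not measurements of any product.

```python
import base64
import hashlib
import math
import os

ALNUM_SIZE = 62   # a-z, A-Z, 0-9, as in the "62^16" comment above
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must cover for a uniformly random password."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent strength in bits: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(candidates: int, guesses_per_second: float, kdf_iterations: int) -> float:
    """Time to try every candidate when each guess costs kdf_iterations hash calls.
    Raising the KDF iteration count scales the attacker's cost linearly."""
    return candidates * kdf_iterations / guesses_per_second / SECONDS_PER_YEAR


def decode_base64_password(encoded: str) -> str:
    """Base64 is an encoding, not encryption: anyone can recover the phrase
    without a key, so it adds no secrecy beyond the phrase itself."""
    return base64.b64decode(encoded).decode()


def unsalted_hash(password: str) -> bytes:
    """Plain hash: identical passwords give identical digests, so one
    precomputed (rainbow) table serves every account."""
    return hashlib.sha256(password.encode()).digest()


def salted_hash(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    """PBKDF2 with a per-user salt; the salt is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def salting_breaks_table_reuse(password: str) -> bool:
    """Two users with the same password get different stored values when
    their salts differ, so a table built for one is useless for the other."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)   # constructed salts
    return (unsalted_hash(password) == unsalted_hash(password)
            and salted_hash(password, salt_a) != salted_hash(password, salt_b))
```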

[deleted] t1_j84lawy wrote

[deleted]

0

belteshazzar_der t1_j85klag wrote

This is incorrect. They stole the password vaults themselves, so if they crack your master password they'll get access to all of your passwords. Doesn't matter if you have 2FA on. This is one of the main reasons why this breach was so bad.

10

guatemaleco t1_j8gt399 wrote

Yea, 2FA is not used in encryption at all. It's only part of authentication to retrieve the encrypted vault. Since the vaults were already stolen, 2FA is meaningless here.

1