
The_Countess t1_j1gbu5t wrote

Despite the headline, the hackers still can't access any passwords. LastPass doesn't have any users' master passwords to leak, so even if they made off with your encrypted password data, it is still encrypted with 256-bit AES encryption, with a key unique to and known only by each user. (And it is designed this way for exactly this eventuality.)

The hackers would need to brute force each user individually to get at any passwords, and 256-bit AES would take until the heat death of the universe to crack that way. For one user.

Unless you are very interesting and have a master password that's vulnerable to rainbow table attacks, you probably still have very little if anything to worry about.

And as all cloud-based password managers work roughly the same way, switching password manager might not gain you much either.

48

ColtonProvias t1_j1gpfkc wrote

The large issue with the LastPass leak is that URLs were stored unencrypted. An attacker can use that with other related data (such as email addresses and contact information) to conduct spear phishing attacks.

You don't need to brute force a vault password to get a password; you just have to get enough information to claim to be the user or the service.

23

quettil t1_j1hxus7 wrote

> The hackers would need to brute force each user individually to get at any passwords, and 256-bit AES would take until the heat death of the universe to crack that way. For one user.

https://pbs.twimg.com/media/FksX2y8XoAIRr7b?format=jpg&name=small

Depends on how good the password is.

3

The_Countess t1_j1kahph wrote

They have a 12 character minimum length for the master password, and I already mentioned a password being vulnerable to rainbow table attacks.

1

marumari t1_j1hh673 wrote

That’s only true if the keys are chosen randomly from all the possible key space, but they aren’t. A modern GPU can iterate through millions of passphrases with 100k rounds of PBKDF2-SHA256 per minute.

1
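Added example (not written by any commenter in this thread) putting numbers on the disagreement in the last two comments: the vault key is 256 bits, but it is derived from the master password with PBKDF2-SHA256, so the work to guess it is bounded by the password space and the PBKDF2 cost, not by 2^256. The salt string and the per-GPU guess rate are assumptions; the rate is read off the "millions of passphrases per minute" figure above.

```python
import hashlib
import math

# Iteration count quoted in the thread ("100k rounds of PBKDF2-SHA256").
PBKDF2_ROUNDS = 100_000
# "Millions of passphrases per minute" on one GPU is on the order of 1e5
# guesses per second. Constructed figure used only for the estimate.
GPU_GUESSES_PER_SECOND = 5_000_000 / 60

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: str, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Stretch a master password into a 256-bit AES key with PBKDF2-HMAC-SHA256.

    The salt is public (assumed here to be something like the account e-mail,
    a constructed choice for this example). It defeats precomputed tables but
    adds no secrecy: the only secret going in is the master password.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), rounds, dklen=32)


def password_space_bits(charset_size: int, length: int) -> float:
    """Search space of a uniformly random password, in bits.
    This, not the 256-bit AES key length, bounds the attacker's work."""
    return length * math.log2(charset_size)


def expected_years_to_crack(space_bits: float, guesses_per_second: float) -> float:
    """Expected time to recover the key by guessing: on average half the space
    is searched, one PBKDF2 derivation per guess."""
    return (2.0 ** space_bits) / 2 / guesses_per_second / SECONDS_PER_YEAR


def crack_estimates(guesses_per_second: float = GPU_GUESSES_PER_SECOND) -> dict:
    """Compare a truly random AES-256 key against realistic master-password spaces."""
    return {
        "random 256-bit key": expected_years_to_crack(256, guesses_per_second),
        "12 random lowercase letters": expected_years_to_crack(password_space_bits(26, 12), guesses_per_second),
        "12 random printable ASCII": expected_years_to_crack(password_space_bits(95, 12), guesses_per_second),
        "4-word passphrase, 7776-word list": expected_years_to_crack(password_space_bits(7776, 4), guesses_per_second),
    }


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", "user@example.com")
    print("derived vault key:", key.hex())
    for label, years in crack_estimates().items():
        print(f"{label:36s} {years:.3g} years on one GPU")
```

The 256-bit row is the "heat death of the universe" figure; the other rows show that once the key comes from a password, the 12-character minimum and the PBKDF2 iteration count are what actually set the cost.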