Keepassxc safari 5/29/2023

Last week, LastPass announced that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. "While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager," reports The Verge. Here's an excerpt from the report:

LastPass' December 22nd statement was "full of omissions, half-truths and outright lies," reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it's being; he accuses the company of trying to portray the August incident where LastPass says "some source code and technical information were stolen" as a separate breach when he says that in reality the company "failed to contain" the breach. He also highlights LastPass' admission that the leaked data included "the IP addresses from which customers were accessing the LastPass service," saying that could let the threat actor "create a complete movement profile" of customers if LastPass was logging every IP address you used with its service.

Palant also notes that the encryption only does you any good if the hackers can't crack your master password, which is LastPass' main defense in its post: if you use its defaults for password length and strengthening and haven't reused it on another site, "it would take millions of years to guess your master password using generally-available password-cracking technology," wrote Karim Toubba, the company's CEO. However, he also points out that LastPass hasn't necessarily enforced those standards. Despite the fact that it made 12-character passwords the default in 2018, Palant says, "I can log in with my eight-character password without any warnings or prompts to change it." "This prepares the ground for blaming the customers," writes Palant, saying that "LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn't follow their best practices."

Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager. "LastPass's claim of 'zero knowledge' is a bald-faced lie," he says, alleging that the company has "about as much knowledge as a password manager can possibly get away with." LastPass claims its "zero knowledge" architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn't dispute that particular point, he does say that the phrase is misleading. "I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no - with LastPass, your vault is a plaintext file and only a few select fields are encrypted."

There is a huge difference between online and offline attacks. This is offline, the easier attack for bad guys. If the bad guys have your password store they can try, assuming they rent the computing power, tens to hundreds of billions of passwords a second. Worse, with some simple planning they can essentially try the same password against every password store at the same time. A stolen bank ATM card only allows a few tries before locking the attacker out, and they can only attack the one card. So for this attack a 4 digit PIN might be sufficient. For a small company with a login rate limited to 1 login from any person per second, 8 random digits is sufficient. A company with 5000 employees with a limit of 100 logins per second needs 10 digits. A bank with millions of customers should have the equivalent of 12 digits (40 bits of entropy). Offline attacks though require 25 digits or more (70 bits of entropy). Most LastPass users did not expect an offline attack on their passwords. My gut feeling is the median master password would be cracked with a dictionary* attack in under 35 bits (12 digits) of entropy.

* a dictionary for this type contains all the common words people use along with all the common letter/symbol substitutions, common capitalizations and common suffixes (symbol, number, number sequence).

So I've switched to Vivaldi a while back and it's quite ok (doesn't handle multiple tabs as well as Firefox, but well), but there is one annoying thing - passwords manager:
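The comment above about online versus offline attacks reasons from guess rate and lifetime to a required password entropy. As an added example (it is not from the page, from the commenter, or from LastPass), the following Python makes that reasoning explicit: it computes entropy for an all-digit secret, the average time to exhaust a keyspace at a given guess rate, the entropy needed to survive a chosen lifetime, and the effect of a slow key-derivation function on an offline attacker. The guess rates, the one-year horizon and the `kdf_iterations` parameter are assumptions chosen for illustration; with those assumptions the model reproduces the comment's 8-digit and 10-digit figures for the two rate-limited online cases.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed scenarios modelled on the comment: guesses per second an attacker
# can make. These rates are illustrative assumptions, not measured figures.
SCENARIOS = {
    # online, rate limited to one attempt per second against one account
    "online_small_company": 1.0,
    # online, 100 login attempts per second across the whole user base
    "online_5000_employees": 100.0,
    # offline, rented hardware against a stolen vault: ~1e11 guesses/s (assumed)
    "offline_stolen_vault": 1e11,
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random string of `length` symbols drawn
    from an alphabet of `alphabet_size` symbols (10 for digits)."""
    return length * math.log2(alphabet_size)


def average_seconds_to_crack(bits: float, guesses_per_second: float,
                             kdf_iterations: int = 1) -> float:
    """Expected time for exhaustive search: on average half the keyspace is
    tried. A slow key-derivation function (kdf_iterations > 1) divides the
    attacker's effective rate; the iteration count is a free parameter here,
    not any vendor's real setting."""
    effective_rate = guesses_per_second / kdf_iterations
    return (2 ** bits / 2) / effective_rate


def required_bits(guesses_per_second: float, lifetime_seconds: float,
                  kdf_iterations: int = 1) -> int:
    """Smallest whole number of bits for which the average crack time at the
    given rate is at least `lifetime_seconds`."""
    effective_rate = guesses_per_second / kdf_iterations
    return math.ceil(math.log2(2 * effective_rate * lifetime_seconds))


def digits_for_bits(bits: float) -> int:
    """Length of an all-digit secret carrying at least `bits` of entropy."""
    return math.ceil(bits / math.log2(10))


def lockout_success_probability(alphabet_size: int, length: int,
                                attempts_allowed: int) -> float:
    """Chance of guessing a uniformly random secret when a lockout permits only
    `attempts_allowed` tries (the ATM-card case in the comment)."""
    return attempts_allowed / (alphabet_size ** length)


def report(lifetime_years: float = 1.0, kdf_iterations: int = 1) -> dict:
    """Per scenario: bits and digit length needed to outlast the lifetime."""
    lifetime = lifetime_years * SECONDS_PER_YEAR
    out = {}
    for name, rate in SCENARIOS.items():
        bits = required_bits(rate, lifetime, kdf_iterations)
        out[name] = {"bits": bits, "digits": digits_for_bits(bits)}
    return out


if __name__ == "__main__":
    twelve_digits = entropy_bits(10, 12)
    for name, rate in SCENARIOS.items():
        years = average_seconds_to_crack(twelve_digits, rate) / SECONDS_PER_YEAR
        print(f"{name:24s} 12 digits ({twelve_digits:.1f} bits): "
              f"{years:.3g} years on average")
    print("required for a 1-year horizon:", report())
    print("4-digit PIN, 3 tries before lockout:",
          lockout_success_probability(10, 4, 3))
```

The offline row is the one to watch: at an assumed 1e11 guesses per second a 12-digit secret (about 40 bits) falls in seconds, and only raising the KDF cost or the entropy moves that number, which is the point the comment and Palant's criticism both turn on.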