A week ago, LastPass confirmed that in last August’s attack hackers had accessed user password vaults, which nonetheless remained encrypted and inaccessible. In recent days, however, several security experts have criticized the company’s statement, which seems to give the impression that everything is under control, whereas, according to cybersecurity analysts, the safety issues and concerns remain.
LastPass Password Vaults, Experts Criticize Company
LastPass’s Dec. 22 post explained how the hackers gained access to users’ vaults. The August attack only yielded some technical information, which the attackers then used to target a LastPass employee and obtain privileges on the platform, stealing user information as well as the users’ password vaults. The vaults, however, remain encrypted and can be unlocked only with the Master Password, which, if it has at least 12 characters, LastPass says would take millions of years to crack by brute force.
An immediate admission of the attack, which partly reassured users: the hackers have the safes, but they have no way of opening them. Some experts, however, think these statements minimize the risk to users.
The doubts of the experts
Wladimir Palant, the security researcher who developed software such as Adblock Plus, recently criticized LastPass’s words in a blog post. According to him, the announcement is “full of omissions, half-truths and blatant lies.”
His first criticism is that the company appears to treat the August attack and the later attack on its employee to obtain administrator privileges as two separate events, when in fact the second was built on the first, a common tactic among attackers. He also points out that the password vaults are not the only problem: LastPass admits the hackers gained access to the “IP addresses from which customers access LastPass services”, which would make it possible to “create a complete profile of the movements” of a user, if the platform logs every IP address from which they log in.
Another researcher, Jeremi Gosney, criticizes the company’s advertised “zero knowledge” policy, calling it “a blatant lie”: in his view it tricks users into thinking LastPass password vaults are fully encrypted, whereas a vault is a text file in which only some fields are encrypted.
The importance of the Master Password
Palant also disputes another part of the statement by LastPass CEO Karim Toubba. The official post reads that “it would take millions of years to guess the Master Password using generally available cracking technology”, unless users “have used the Master Password for other sites”, which LastPass advises against.
According to Palant, this sets the stage for LastPass to shift the blame onto users should any vaults be cracked: it would be the fault of users who did not follow the recommended best practices.
Jeffrey Goldberg, who is in charge of security at rival 1Password, also criticized the claim that it takes “millions of years” to unlock a twelve-character password. He explains that those times would probably hold for a randomly generated 12-character password, while human-created passwords are not nearly as strong.
Palant agrees, explaining that passwords created with the XKCD method, which are easy for humans to remember but hard for machines to guess, could be cracked in 25 minutes by the right software on a powerful GPU, and that one composed by random draw would take 3 years. Since the attackers also collected user data along with the password vaults, Palant thinks it would take hackers much less time to break into LastPass accounts.
Criticisms of encryption of LastPass password vaults
Gosney also accuses LastPass of committing every “crypto rookie mistake” in protecting the safes. Palant argues that LastPass’s key-derivation settings are weaker than those of its rivals: the number of PBKDF2 iterations that turns the Master Password into the vault key, and that an attacker must repeat for every guess, is lower than at competing services, so each guess costs the attacker less.
LastPass’s default PBKDF2 setting is 100,100 iterations. Bitwarden, an open-source rival, uses 100,001 iterations on the client when deriving the key, then adds another 100,000 when it stores the password hash in the cloud, arriving at 200,001. 1Password uses 100,000 iterations but also requires a Secret Key together with the Master Password, increasing account security.
Palant also points out that users who registered before 2018 were left at only 5,000 iterations. At the time LastPass also required Master Passwords of only 8 characters at minimum. This reduces the security of those accounts, all the more so because, Palant explains, LastPass never prompted users with a notification to update these settings.
The researchers further explain that although the passwords are encrypted, the URLs of the saved sites are not. This would allow hackers to profile users, which, besides being a privacy concern, would make it easier to single out the passwords worth going after.
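To make the iteration-count comparison and the “millions of years” claim concrete, here is an added worked example (not code from LastPass, Bitwarden, 1Password or any of the researchers quoted) that derives a vault key with PBKDF2-HMAC-SHA256 at the iteration counts quoted above and models how long a brute-force search would take at each setting for the password styles discussed. It assumes, for illustration only, that the salt is the lowercased account email and that an attacker with one GPU tests about 1,000 guesses per second when each guess costs 100,100 iterations; the word-list sizes used for the XKCD-style and dice-based passphrases are also assumptions, not figures from the article.

```python
import hashlib
import math

# PBKDF2-HMAC-SHA256 iteration counts quoted in the article.
ITERATIONS = {
    "LastPass (accounts before 2018)": 5_000,
    "LastPass (current default)": 100_100,
    "1Password (plus Secret Key)": 100_000,
    "Bitwarden (client + server)": 200_001,
}

# Assumed attacker throughput: one GPU makes about 1,000 guesses per second
# when each guess costs 100,100 PBKDF2 iterations. Cost per guess scales
# linearly with the iteration count, so the guess rate scales inversely.
REF_ITERATIONS = 100_100
REF_GUESSES_PER_SECOND = 1_000.0

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the master password.

    Assumption for illustration: the salt is the lowercased account email.
    Whoever holds a stolen vault also knows the email, so the master password
    is the only secret and the iteration count is the only thing slowing
    down each guess.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password made of `length` uniformly random picks from an
    alphabet (characters or words) of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, iterations: int, gpus: int = 1) -> float:
    """Expected time to find the password: half the search space on average,
    at a guess rate that drops in proportion to the iteration count."""
    guesses_per_second = gpus * REF_GUESSES_PER_SECOND * REF_ITERATIONS / iterations
    expected_guesses = 2.0 ** (bits - 1)
    return expected_guesses / guesses_per_second


def crack_time_table(gpus: int = 1) -> dict:
    """Expected crack time in years for several password styles at each setting.
    Word-list sizes are assumptions: 2,048 words for an XKCD-style list,
    7,776 words for a dice-based (Diceware) list."""
    styles = {
        "8 random printable chars": entropy_bits(94, 8),
        "12 random printable chars": entropy_bits(94, 12),
        "4 words, 2,048-word list": entropy_bits(2_048, 4),
        "4 words, 7,776-word list": entropy_bits(7_776, 4),
    }
    return {
        style: {name: expected_crack_seconds(bits, it, gpus) / SECONDS_PER_YEAR
                for name, it in ITERATIONS.items()}
        for style, bits in styles.items()
    }


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    pw, email = "correct horse battery staple", "User@Example.com"
    for name, it in ITERATIONS.items():
        key = derive_vault_key(pw, email, it)
        print(f"{name:32s} {it:>8d} iterations  key={key.hex()[:16]}...")
    print()
    for style, row in crack_time_table().items():
        print(style)
        for name, yrs in row.items():
            print(f"    {name:32s} {yrs:16.2f} years")
```

Under these assumptions a truly random 12-character password is far beyond “millions of years” at any of the settings, which is the case LastPass’s statement describes. A four-word passphrase drawn from a 2,048-word list, however, drops from a few hundred years at 100,100 iterations to about 14 years at the pre-2018 5,000 iterations with a single GPU, and every extra GPU divides that figure further; a human-chosen password has far less entropy than any row in the table, which is precisely the point Goldberg and Palant make.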
Stolen LastPass Password Vaults: What to do?
Security experts emphasize the importance of changing the password used to access the vault, as well as the passwords of the most important sites, such as banking ones, to avoid problems should hackers manage to break into your digital vault.
But they explain that this breach should not lead to a loss of trust in cloud-based password managers. Not only are they more convenient than offline archives or notebooks full of passwords, they are also more secure when managed properly.