Author Topic: LastPass  (Read 1104 times)

Offline Shuffler

  • Radioactive Member
  • *******
  • Posts: 26763
Re: LastPass
« Reply #15 on: December 24, 2022, 02:53:56 PM »
 :rofl :rofl :rofl :rofl :rofl :rofl :rofl :rofl :rofl :rofl
80th FS "Headhunters"

S.A.P.P.- Secret Association Of P-38 Pilots (Lightning In A Bottle)

Offline AKIron

  • Plutonium Member
  • *******
  • Posts: 11801
Re: LastPass
« Reply #16 on: December 24, 2022, 03:22:03 PM »
256 bit encryption will be hard to break. I'm guessing the hackers will have to break each users account individually. I use MFA for all my important accounts. Glad for that.

Of course the hackers don't have to break the encryption, just crack the Master Password.
« Last Edit: December 24, 2022, 03:23:57 PM by AKIron »
Here we put salt on Margaritas, not sidewalks.

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9830
Re: LastPass
« Reply #17 on: December 25, 2022, 12:22:14 AM »
You assume they didn't steal the private key for the encryption at the same time they stole the data. The thing is to use the data you need to have the key accessible, so it will all depend on their key management. If you lose the key, doesn't matter what encryption level you have.

Offline AKIron

  • Plutonium Member
  • *******
  • Posts: 11801
Re: LastPass
« Reply #18 on: December 25, 2022, 10:06:20 AM »
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here. 

There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment." 
Here we put salt on Margaritas, not sidewalks.

Offline AKIron

  • Plutonium Member
  • *******
  • Posts: 11801
Re: LastPass
« Reply #19 on: December 25, 2022, 10:33:07 AM »
There's a chance the hackers may learn something that will enable them to defeat LastPass' security in the future. Unlikely but possible. If you want to void that risk I suggest exporting your passwords to a csv. Them delete them all in LastPass. Then change your LastPass Master Password to something almost impossible to crack. Then, using that csv, change the passwords in all the accounts there. Updating the csv with the new passwords as you go. Probably oughta keep the old passwords in it too. Print it out and delete the csv or keep it on a secure flash drive.

Of course you don't want the recently changed passwords back in LastPass so uninstall it. Cancel the Last Pass account once it's empty if you're paying for it. No real need to if it's a free account provided it's empty.
« Last Edit: December 25, 2022, 10:43:41 AM by AKIron »
Here we put salt on Margaritas, not sidewalks.

Offline Bizman

  • Plutonium Member
  • *******
  • Posts: 9508
Re: LastPass
« Reply #20 on: December 25, 2022, 11:02:22 AM »
Guess you could encrypt the .csv and store it on your computer. 7zip can do that with 256-bit AES and it's free.
Quote from: BaldEagl, applies to myself, too
I've got an older system by today's standards that still runs the game well by my standards.

Kotisivuni

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9830
Re: LastPass
« Reply #21 on: December 25, 2022, 01:51:26 PM »
"and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.

Sweet, pretty robust system then.