Lastpass data breach reddit
11/10/2023

I think the Cornell IT staff are a bit naive, to say the least.

> “zero knowledge architecture” essentially means that there were no passwords to be stolen and the encryption algorithms LastPass used would take significant compute power to crack the vaults provided they are protected with a strong master password.

People should know that "zero knowledge architecture" doesn't mean what you might think it does. They literally only encrypt your passwords, secure notes, and saved form data (using your master password). Your email addresses, phone numbers, usernames, website URLs, and billing addresses are stored in cleartext, which means that the hackers already have access to them without needing to decrypt them. So you're already vulnerable to phishing attempts by nature of your email addresses and phone numbers being leaked, and adversaries can tell a lot about you from the websites you visit.

Also, LastPass has failed to follow responsible security practices. The master password is protected using PBKDF2, a hashing function that converts a password into an encryption key. Multiple iterations or "rounds" of PBKDF2 can be applied to a password to make it more secure. Unfortunately, while they upgraded the default number of iterations on the master password from 5,000 to 100,100 iterations in 2018, they apparently have not forced or notified all users to update their passwords to the new setting. I started using LastPass in 2018, and luckily, my master password is encrypted with 100k rounds of PBKDF2, but some user accounts created before mine may still have passwords with 5k rounds. (For what it's worth, OWASP now recommends that 310,000 rounds of PBKDF2 be used.)

> What continues to give the IT Security Office confidence is LastPass’s ongoing transparency – there are lots of eyes on LastPass at the moment and barring significant code compromise we expect their security will only continue to improve.

LastPass has been pretty dishonest in their public statements about the breach. For starters, they tried to portray the December breach as an event isolated from the one that occurred in August. In fact, the attackers used information they obtained in the August breach to execute the December breach, which means that LastPass failed to contain the original breach.