+1

They have shown a level of honesty and commitment to fix the breach in a very 
professional way.

Dave


-----Original Message-----
From: ProFox [mailto:[email protected]] On Behalf Of Ed Leafe
Sent: 22 June 2015 22:10
To: ProFox Mailing List
Subject: Re: [NF] LAST PASS Hacked

On Jun 19, 2015, at 6:45 PM, Ken Dibble <[email protected]> wrote:

> Anything that's in the "cloud" can be hacked. My advice: unless there is an 
> essential, functional reason that is much more serious than personal 
> convenience to put something there, don't. You're only asking for trouble.

So they got in and perhaps might have been able to access the master passwords, 
but only if they were able to do some heavy decryption. From the press release:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Was my master password exposed?
No, LastPass never has access to your master password. We use encryption and 
hashing algorithms of the highest standard to protect user data. We hash both 
the username and master password on the user’s computer with 5,000 rounds of 
PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which 
we perform another round of hashing, to generate the master password 
authentication hash. That is sent to the LastPass server so that we can perform 
an authentication check as the user is logging in. We then take that value, and 
use a salt (a random string per user) and do another 100,000 rounds of hashing, 
and compare that to what is in our database. In layman’s terms: Cracking our 
algorithms is extremely difficult, even for the strongest of computers.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

So let's assume that the hackers *did* get your master password (unlikely, but 
just for the sake of argument). Now they could try to access your secure 
information by signing in as you, but unless they are on one of the devices you 
have registered with LastPass, they need to use multi-factor auth to even sign 
in, so that won't help them at all. If they *do* have access to one of your 
devices, well, then you're already screwed, no matter how you store your 
passwords.

As Ted always says, security is a process, and I think this event shows that 
the process adopted by LastPass and its users is a strong one. I am a more 
loyal customer than ever after this.


-- Ed Leafe
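The press release quoted above describes a two-stage design: the client stretches the master password with PBKDF2-SHA256 before anything leaves the device, and the server salts and stretches the received value again before comparing. The following is an added illustration of that flow in Python; it is not code from the mailing list or from LastPass. The press release does not say what salt the client uses or exactly how the extra "round of hashing" is done, so using the username as the client-side salt and a single extra PBKDF2 iteration for the authentication hash are assumptions made here for the sake of the example.

```python
import hashlib
import hmac
import os

# Constructed illustration of the scheme described in the quoted press release.
# Assumptions (not stated on the page, not LastPass's code): the username serves
# as the salt for the client-side PBKDF2 run, and the extra "round of hashing"
# that yields the authentication hash is one more PBKDF2-SHA256 iteration.
CLIENT_ROUNDS = 5_000     # client-side stretching, per the press release
SERVER_ROUNDS = 100_000   # server-side stretching, per the press release
KEY_LEN = 32              # SHA-256 output size in bytes


def client_vault_key(username: str, master_password: str) -> bytes:
    """Client side: stretch the master password into the vault key.

    This key stays on the user's device; it is never sent to the server."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.encode("utf-8"), CLIENT_ROUNDS, KEY_LEN)


def client_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one further PBKDF2 iteration over the vault key produces the
    authentication hash, the only password-derived value that goes to the server."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, KEY_LEN)


def server_enrol(auth_hash: bytes):
    """Server side at sign-up: draw a random per-user salt, stretch the received
    authentication hash a further 100,000 rounds, and store only salt + result."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS, KEY_LEN)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Server side at login: recompute with the stored salt and compare in
    constant time so the comparison itself leaks no timing information."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS, KEY_LEN)
    return hmac.compare_digest(candidate, stored)


def enrol(username: str, master_password: str):
    """Full sign-up exchange: client derives, server stores (salt, stored)."""
    key = client_vault_key(username, master_password)
    return server_enrol(client_auth_hash(key, master_password))


def login(username: str, master_password: str, salt: bytes, stored: bytes) -> bool:
    """Full login exchange: client derives, server checks."""
    key = client_vault_key(username, master_password)
    return server_verify(client_auth_hash(key, master_password), salt, stored)


def iterations_per_guess() -> int:
    """PBKDF2 iterations someone holding only the server database must spend
    per candidate master password: the whole client chain plus server stretching."""
    return CLIENT_ROUNDS + 1 + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample user; the username and password are placeholders.
    user, pw = "alice@example.com", "correct horse battery staple"
    salt, stored = enrol(user, pw)
    print("login with right password:", login(user, pw, salt, stored))
    print("login with wrong password:", login(user, "wrong", salt, stored))
    print("PBKDF2 iterations per offline guess:", iterations_per_guess())
```

The point the example makes concrete is which values exist where: the vault key is computed and used only on the client, the server receives the derived authentication hash, and the database holds only the per-user salt and the further-stretched result. Someone who obtains that database still has to run the full client and server chain (here 105,001 PBKDF2 iterations) for every candidate master password, which is what the press release means by cracking being expensive. One caveat worth keeping in mind when reading the 2015 numbers: 5,000 client-side rounds was modest even then, and current password-hashing guidance recommends far higher PBKDF2 iteration counts or a memory-hard function instead, so the strength of the user's master password still does most of the work.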


_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.