holdingser.blogg.se

Lastpass web vault

Password management service LastPass was hacked in August 2022, and the attacker stole users’ encrypted passwords, according to a Dec.

This means that the attacker may be able to crack some website passwords of LastPass users through brute force guessing.

Notice of Recent Security Incident - The LastPass Blog #lastpasshack #hack #lastpass #infosec - Thomas Zickell December 23, 2022

LastPass first disclosed the breach in August 2022 but at that time, it appeared that the attacker had only obtained source code and technical information, not any customer data. However, the company has investigated and discovered that the attacker used this technical information to attack another employee’s device, which was then used to obtain keys to customer data stored in a cloud storage system.

As a result, unencrypted customer metadata has been revealed to the attacker, including “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” In addition, some customers’ encrypted vaults were stolen. These vaults contain the website passwords that each user stores with the LastPass service. Luckily, the vaults are encrypted with a Master Password, which should prevent the attacker from being able to read them.

The statement from LastPass emphasizes that the service uses state-of-the-art encryption to make it very difficult for an attacker to read vault files without knowing the Master Password, stating: “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Even so, LastPass admits that if a customer has used a weak Master Password, the attacker may be able to use brute force to guess this password, allowing them to decrypt the vault and gain all of the customers’ website passwords, as LastPass explains: “it is important to note that if your master password does not make use of the, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”

Can password manager hacks be eliminated with Web3?

The LastPass exploit illustrates a claim that Web3 developers have been making for years: that the traditional username and password login system needs to be scrapped in favor of blockchain wallet logins. According to advocates for crypto wallet login, traditional password logins are fundamentally insecure because they require hashes of passwords to be kept on cloud servers. If these hashes are stolen, they can be cracked.