This allowed them to steal the customers' encrypted vaults and now they can work on decrypting them. In a blog article LastPass sheds light on the exact circumstances of how the attackers were able to gain access, this article from Ars Technica summarizes the blog in somewhat simpler terms.įor us, the outcome of the story is enough: the attackers gained access to the cloud infrastructure, bypassing or exploiting protective mechanisms of LastPass employees. Offline brute force attacks of the attacker
The attackers have taken advantage of this. And this is exactly where the problem lies: 2FA is not part of the end-to-end encryption, which depends solely on the security of the master password. The Role of 2-Factor Authentication (2FA)Ģ-factor authentication is an optional setting that is available for all users that provides additional protection when accessing the LastPass cloud infrastructure. The number of iterations tells how many times the encryption function is applied to the result to further encrypt it. LastPass uses the PBKDF2 key-stretching function with 100,100 iterations. In encryption, key stretching is used to derive a key from the master password that is used for end-to-end encryption of the vault. This brings us to the concept of key stretching, which is slightly more technical. So it is never perfectly random, but contains patterns due to the human way of thinking.
It is important to remember that the master password is chosen by the users. This is the one factor in LastPass security that is really used for end-to-end encryption. In short, everything revolves around the master password. Highly simplified representation of the LastPass architecture
0 kommentar(er)
