Thursday, 18 June 2015

LastPass: Password Vault Content Not In Danger

Users of the recently hacked online password manager LastPass who chose a weak master password, or who entered a revealing password hint, run a greater risk that the attackers who broke into the company can figure out their master password. The contents of the password vault, however, are not in danger.

So says LastPass in an updated statement about the attack. During the attack on the online password safe, email addresses, password reminders, per-user server salts and authentication hashes were captured. The attackers did not obtain the master password itself, only a hash of it. On the user's side, the master password for the password vault is hashed over 5,000 iterations of the PBKDF2-SHA256 hashing algorithm.

This produces a key that is hashed once more to form the authentication hash for the master password. That authentication hash is what is sent to the LastPass server when a user tries to log in to the online password safe. "We then take that value and use a salt, a random string per user, and do another 100,000 hashing rounds and compare it with what is stored in our database. In simple terms: cracking our algorithms is very difficult, even for the strongest computers," said LastPass.
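The two-stage scheme described above, as an added illustration that is not LastPass's own code: 5,000 client-side PBKDF2-SHA256 rounds, one further hash to form the authentication hash, then 100,000 server-side rounds over a random per-user salt. The client-side salt (the lower-cased account email) and the exact form of the "hashed again" step are assumptions; the article only gives the iteration counts.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Iteration counts as given in LastPass's statement quoted in the article.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into the vault key.
    Assumption: the lower-cased account email serves as the client-side salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def auth_hash(master_password: str, email: str) -> bytes:
    """The vault key is hashed once more to form the authentication hash that
    travels to the server; the vault key itself never leaves the client.
    Assumption: that extra step is one PBKDF2-SHA256 round salted with the
    master password (the article only says the key is 'hashed again')."""
    key = client_key(master_password, email)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def server_enroll(auth: bytes) -> tuple[bytes, bytes]:
    """Server side at sign-up: choose a random per-user salt and apply another
    100,000 rounds before storing.  The (salt, stored) pair is what the article
    says was captured in the breach; recovering a master password from it
    means repeating all 105,001 rounds for every candidate password."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth: bytes, salt: bytes, stored: bytes) -> bool:
    """Server side at login: re-derive and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def login(master_password: str, email: str, salt: bytes, stored: bytes) -> bool:
    """Full round trip: client computes the auth hash, server checks it."""
    return server_verify(auth_hash(master_password, email), salt, stored)


if __name__ == "__main__":
    email = "user@example.com"  # constructed sample account
    salt, stored = server_enroll(auth_hash("correct horse battery", email))
    print(login("correct horse battery", email, salt, stored))  # True
    print(login("Password1", email, salt, stored))              # False
```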


However, an attacker can guess a master password and then use the per-user salt and authentication hash to check whether the guess was correct. Because of the large number of hashing rounds, both locally and on the server, LastPass expects this to be a slow process for an attacker. If the user's master password is weak, though, or if the user entered a password hint that makes it easy to guess, an attacker needs far less effort to recover the master password.

Even so, the contents of the password vault remain safe, says LastPass: when an attacker tries to log in with a recovered master password, he must first verify the account's email address. This measure applies to all login attempts from a new IP address or device.


Security expert Robert Graham investigated whether an attacker can crack the hashes. On his computer he could test more than 2,500 passwords per second. "This may seem like a lot, but it's not, as cracking passwords is exponentially difficult," said the expert. A five-character password, with all possible characters in use and 64 possibilities for each character, amounts to 1 billion combinations.

A fast computer cracks such a password quickly. Each additional character with 64 possible values makes guessing the password by brute force 64 times harder. The cracking time can be shortened considerably, however, if a dictionary is used, says Graham. He advises LastPass users with a weak master password to change it in any case.
