Just before Christmas, LastPass issued an update on its security breach, including the news that customer vaults were obtained by the hacker. After digging through all the technical claims, one security researcher says the situation is much worse than the company claims and believes the statement is “full of omissions, half-truths and outright lies.”
Writing on his security blog, Almost Secure (via TechMeme), Wladimir Palant has picked apart 14 different statements in the LastPass update on its security breach.
Covering everything from the company’s claim of transparency to its own security practices and more, Palant believes LastPass has downplayed the risks and is guilty of “gross negligence.”
One of the claims at issue is LastPass telling customers “If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology.”
Palant says that’s probably closer to two months than “millions of years” for the average person:
I’ll translate: “If you’ve done everything right, nothing can happen to you.” This again prepares the ground for blaming the customers. One would assume that people who “test the latest password cracking technologies” would know better than that. As I’ve calculated, even guessing a truly random password meeting their complexity criteria would take less than a million years on average using a single graphics card.
But human-chosen passwords are far from being random. Most people have trouble even remembering a truly random twelve-character password. An older survey found the average password to have 40 bits of entropy. Such passwords could be guessed in slightly more than two months on the same graphics card. Even an unusually strong password with 50 bits of entropy would take 200 years on average – not unrealistic for a high value target that somebody would throw more hardware on.
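To make the entropy-to-cracking-time reasoning in the quoted passage concrete, here is an added worked example (not from Palant's post or LastPass). It assumes the attacker needs on average half of the 2^bits candidates, and it backs the implied guess rate out of the post's own "40 bits, slightly more than two months" figure (taken here as 65 days, an assumption), then checks the 50-bit figure against it.

```python
"""Average password-cracking time as a function of password entropy."""
from math import log2

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def average_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Average (not worst-case) time: half of the 2**entropy_bits candidates."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def implied_guess_rate(entropy_bits: float, average_seconds: float) -> float:
    """Guess rate an attacker would need to reach a given average crack time."""
    return 2 ** (entropy_bits - 1) / average_seconds


def random_password_entropy(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password; human-chosen ones are far lower."""
    return length * log2(alphabet_size)


# Constructed calibration (assumption): the post says a 40-bit password falls in
# "slightly more than two months" on one graphics card; we take that as 65 days
# and derive the guess rate that figure implies. The post does not print a rate.
CALIBRATION_BITS = 40
CALIBRATION_DAYS = 65
GUESS_RATE = implied_guess_rate(CALIBRATION_BITS, CALIBRATION_DAYS * SECONDS_PER_DAY)


def crack_years(entropy_bits: float, guesses_per_second: float = GUESS_RATE) -> float:
    """Average years to crack at the given rate (defaults to the implied rate)."""
    return average_crack_seconds(entropy_bits, guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"implied rate: {GUESS_RATE:,.0f} guesses/s")
    for bits in (40, 50, 60):  # each extra 10 bits multiplies the time by 1024
        print(f"{bits} bits: {crack_years(bits):,.1f} years on average")
```

With the implied rate, 50 bits comes out near 180 years, consistent with the post's "200 years"; the point of the example is that the figure scales by 2 per bit, not that any specific GPU was modelled.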
If you’ve used LastPass and haven’t done so already, the safest move is to change all of your passwords.
Check out all the issues brought up with the LastPass security breach in Palant’s full blog post.
We’ve also got a walkthrough on getting set up with storing your passwords with AutoFill/iCloud Keychain on your Apple devices.