There is lots of confusion about how someone got their hands on lots of master passwords, and the official LastPass statement is certainly not helping. I analyzed the possible scenarios to find out what most likely happened here.

@WPalant #bitwarden has been my chosen password manager, fully open source and white papers to back its security

@WPalant wasn't Lastpass supposed to not even have your master password?

@AgreeableLandscape That’s what the article says. But since you sometimes enter it into their website, there is no way to prove that it isn’t sometimes logging it after all.

The more likely explanation is still that the attackers got only the master password hash, not the password itself (pass the hash).

@WPalant even then, they must have used a real shitty hashing algorithm (and/or didn't salt it) for the attacker to be able to get the actual password from it.

I was under the impression that they worked like Protonmail and actually used the password as a key to encrypt your data, not just a regular user account authentication thing.

@AgreeableLandscape The hashing algorithm is PBKDF-HMAC-SHA1 with 100,000 iterations. Bruteforcing the master password from it isn’t trivial but it’s also not impossible if the password isn’t too strong. And they can choose which targets are worth the efforts, with the websites visible in the LastPass data.
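To put numbers on that brute-force claim, here is an added example (not part of the thread) that derives a PBKDF2-HMAC-SHA1 verifier at 100,000 iterations, measures the per-guess cost on one core, and estimates how long exhausting different master-password keyspaces would take. The salt, sample passwords and the 1000x attacker-hardware multiplier are assumptions chosen for illustration.

```python
import hashlib
import time

# Parameters as stated in the thread: PBKDF2-HMAC-SHA1, 100,000 iterations.
# Salt and passwords below are constructed sample values, not breach data.
ITERATIONS = 100_000
SALT = b"user@example.com"  # constructed; deployments use a per-user salt


def derive_hash(master_password: str, salt: bytes = SALT,
                iterations: int = ITERATIONS, dklen: int = 32) -> bytes:
    """Derive the verifier an offline attacker would have to match."""
    return hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"),
                               salt, iterations, dklen=dklen)


def guess_rate(iterations: int = ITERATIONS, samples: int = 5) -> float:
    """Measure single-core candidate checks per second at this iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_hash(f"probe-{i}", SALT, iterations)
    return samples / (time.perf_counter() - start)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a password of fixed length over an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` checks per second."""
    return candidates / rate


if __name__ == "__main__":
    rate = guess_rate()
    print(f"~{rate:.1f} checks/s on one core at {ITERATIONS:,} iterations")
    # Assumption: attacker hardware is ~1000x a single CPU core.
    attacker_rate = rate * 1_000
    for label, space in (("8 lowercase letters", keyspace(26, 8)),
                         ("12 mixed-case + digits", keyspace(62, 12))):
        years = seconds_to_exhaust(space, attacker_rate) / (365 * 86_400)
        print(f"{label}: {years:.2e} years to exhaust")
```

The iteration count only multiplies the attacker's cost linearly; the password length and alphabet size grow it exponentially, which is why the short keyspace falls in hours while the long one does not.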

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.