LastPass all lies report security experts

Last week, LastPass he said that hackers managed to steal customer data after breaching the cloud they used, with information stolen during a security incident in August 2022.

"While the company insists that your login details are still safe, some cybersecurity experts have strongly criticized its post, saying it makes people feel more secure than they really are." according with The Verge:lastpass password manager

Η December 22 statement from LastPass it was "full of omissions, half-truths and outright lies," says Wladimir Palant, a security researcher who helped develop AdBlock Pro, among others.

Some of his criticisms are about how the company has framed the incident and how transparent it is. It accuses the company of trying to present the August incident where "certain source code and technical information was stolen" as a separate breach, when in fact it says the company "failed to contain" the breach.

It also highlights LastPass's admission that the leaked data included "the IP addresses from which customers had to the LastPass service,” saying that this could allow hackers to “build a complete traffic profile” of LastPass customers.

Another security researcher, Jeremi Gosney, wrote one great post on Mastodon explaining why he decided to use another password manager.

"LastPass' claim of 'zero knowledge' is a lie," he says, arguing that the company has "as much knowledge as a ".

LastPass claims its 'zero knowledge' architecture keeps users safe because the company never has access to your master password, which hackers would need to unlock stolen data. Although Gosney does not dispute this particular point, he states that the phrase 'zero knowledge' is misleading.

“I think most people envision their data being protected by some kind of encrypted base that protects all files, but not — LastPass, stores them in a plain text file and only a few selected fields are encrypted.”

Of course encryption at this stage only does you any good if hackers can't crack your master password, which is LastPass's main defense as it states in its post:

If you use the defaults for password length and strength and haven't used it anywhere else "It would take millions of years for someone to guess the master password using generally available password cracking technology," wrote Karim Toubba, CEO the company's.

"This prepares the ground for them to blame the customers", says o Vladimir Palant, saying that “LastPass already knows that passwords will be decrypted for at least some of its customers. And they already have a convenient explanation: these customers clearly did not follow best practices.”

However, he also points out that LastPass has not enforced the standards it recommends. Despite the fact that they did 12-character password as the default since 2018, Palant reports: "I can log in with my eight-character password without warnings or prompts to change it."

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.081 registrants.
LastPass

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).