LastPass: all lies, security experts report

Last week, LastPass said that hackers managed to steal customer data after breaching the cloud it used, with information stolen during a security incident in August 2022.

“While the company insists that your login details are still secure, some cybersecurity experts are strongly criticizing its post, saying it makes people feel safer than they actually are,” according to The Verge.

The December 22 statement from LastPass was "full of omissions, half-truths and outright lies," says Wladimir Palant, a security researcher who helped develop AdBlock Pro, among others.

Some of his criticisms concern the way the company has framed the incident and how transparent it is. He accuses the company of trying to present the August incident, in which “some source code and technical information were stolen,” as separate, when he states that the company actually “failed to contain” the breach.

He also highlights LastPass's admission that the leaked data included "the IP addresses from which customers accessed the LastPass service," saying that this could allow hackers to "build a complete traffic profile" of LastPass customers.

Another security researcher, Jeremi Gosney, wrote a great post on Mastodon explaining why he decided to use another password manager.

"LastPass' claim of 'zero knowledge' is a lie," he says, arguing that the company has "as much knowledge as a password manager can have."

LastPass claims its 'zero knowledge' architecture keeps users safe because the company never has access to your master password, which hackers would need to unlock stolen data. Although Gosney does not dispute this particular point, he states that the phrase 'zero knowledge' is misleading.

"I think most people envision that their data is protected by some kind of encrypted database that protects all files, but no — LastPass stores it in a plain text file and only a few select fields are encrypted."

Of course, at this stage the encryption only does you any good if hackers can't crack your master password, which is LastPass's main defense, as it states in its post:

If you use the defaults for password length and strength and have never used the password anywhere else, "it would take millions of years for someone to guess the master password using generally available password cracking," wrote Karim Toubba, the company's CEO.

"This prepares the ground for them to blame the customers," says Wladimir Palant, adding that “LastPass already knows that passwords will be decrypted for at least some of its customers. And they already have a convenient explanation: these customers clearly did not follow best practices.”

However, he also points out that LastPass has not enforced the standards it recommends. Although the company has made 12-character passwords the default since 2018, Palant reports: "I can log in with my eight-character password without warnings or prompts to change it."

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
