LastPass statement is "all lies", say security experts

Last week, LastPass said that attackers managed to steal its customers' data after breaching the cloud storage the company was using, with the help of information stolen during a security incident in August 2022.

"While the company insists that your login details are still safe, some cybersecurity experts have strongly criticized its post, saying it makes people feel more secure than they really are," according to The Verge.

The December 22 statement from LastPass was "full of omissions, half-truths and outright lies," says Wladimir Palant, a security researcher who helped develop the Pro, among others.

Some of his criticisms concern how the company has framed the incident and how transparent it has been. He accuses the company of trying to present the August incident, in which "certain source code and technical information was stolen", as a separate breach, when in fact, he says, the company "failed to contain" that breach.

He also highlights LastPass's admission that the leaked data included "the IP addresses from which customers accessed the LastPass service," noting that this could allow hackers to "build a complete traffic profile" of LastPass customers.

Another security researcher, Jeremi Gosney, wrote a lengthy post on Mastodon explaining why he decided to switch to another password manager.

"LastPass' claim of 'zero knowledge' is a lie," he says, arguing that the company has "as much knowledge as a password manager can have."

LastPass claims that its 'zero knowledge' architecture keeps users safe because the company never has access to your master password, which hackers would need in order to unlock the stolen data. Although Gosney does not dispute this particular point, he argues that the phrase 'zero knowledge' is misleading.

"I think most people envision that their data is protected by some kind of encrypted database that protects all files, but no — LastPass stores it in a plain text file and only a few select fields are encrypted."

Of course, encryption at this point only helps if hackers cannot crack your master password, which is the main defense LastPass puts forward in its post:

If you use the defaults for password length and strength and have not reused the password anywhere else, "it would take millions of years for someone to guess the master password using generally available password cracking technology," wrote Karim Toubba, the company's CEO.

"This prepares the ground for them to blame the customers," says Wladimir Palant, adding that "LastPass already knows that passwords will be decrypted for at least some of its customers. And they already have a convenient explanation: these customers clearly did not follow best practices."

However, he also points out that LastPass has not enforced the standards it recommends. Despite making 12-character passwords the default since 2018, Palant reports: "I can log in with my eight-character password without any warnings or prompts to change it."
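To put the CEO's "millions of years" figure next to Palant's eight-character password, the following added Python estimate (not code from the article, LastPass or the researchers) computes exhaustive-search time as a function of master-password length; the KDF iteration count, character-class sizes and attacker hash rate it uses are labelled assumptions, not values stated in the article.

```python
# Constructed assumptions, not figures from the article or LastPass:
# character-class sizes, an attacker's raw PBKDF2-HMAC-SHA256 throughput,
# and the vault KDF iteration count that every guess has to pay for.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_KDF_ITERATIONS = 100_100        # assumption
ASSUMED_RAW_HASHES_PER_SECOND = 1e10    # assumption: raw SHA-256 rate of a GPU rig


def keyspace(length, classes=ALL_CLASSES):
    """Number of distinct passwords of exactly `length` drawn from `classes`."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def effective_guesses_per_second(raw_hashes_per_second, kdf_iterations):
    """Each master-password guess costs one full KDF run, so the iteration
    count divides the attacker's raw hash rate."""
    return raw_hashes_per_second / kdf_iterations


def years_to_exhaust(length, classes=ALL_CLASSES,
                     kdf_iterations=ASSUMED_KDF_ITERATIONS,
                     raw_hashes_per_second=ASSUMED_RAW_HASHES_PER_SECOND):
    """Worst case for the attacker: try every password in the keyspace."""
    rate = effective_guesses_per_second(raw_hashes_per_second, kdf_iterations)
    return keyspace(length, classes) / rate / SECONDS_PER_YEAR


def compare_policies(**kwargs):
    """The cases the article contrasts: the 12-character default versus an
    eight-character password the service still accepted; the lowercase-only
    row shows what a non-random eight-character choice is worth."""
    return {
        "12 chars, all classes": years_to_exhaust(12, **kwargs),
        "8 chars, all classes": years_to_exhaust(8, **kwargs),
        "8 chars, lowercase only": years_to_exhaust(8, ("lower",), **kwargs),
    }


if __name__ == "__main__":
    for label, years in compare_policies().items():
        print(f"{label:>24}: {years:.3g} years")
```

The 12-character row lands in the "millions of years" range only for a random password over the full alphabet; the lowercase-only eight-character row falls in weeks under the same assumptions, which is why an unenforced default matters.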

Written by giorgos
