• Marxism-Fennekinism · 1 year ago

    TL;DR and ELI5

    1. Hackers have your IP addresses, name/company name, email address and other personal information, and what websites you have passwords for, all in plain text and attached to your password data.

    2. Hackers have your encrypted data containing your passwords and other “sensitive fields.” They are encrypted with your master password; if they have that, or can bruteforce/guess it, they can decrypt everything.

    3. Due to their frontend architecture and how it interacts with their backend, you have no idea if they store your master password or associated encryption keys on their servers or not. They say they don’t, but they totally could and it’s impossible to prove or disprove.

    4. The process by which the master key is derived from the master password is weak, especially on older accounts, which can be grossly weak. They may be susceptible to brute forcing by modern graphics cards, especially when you realize that most people don’t have the strongest of passwords.

    Sufficiently determined attackers will be able to decrypt the data for almost anyone. The question is merely whether it’s worth it for them.

    Yeah… It’s baaaad.
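The four points above describe one attack surface: a stolen vault whose metadata is readable and whose secret fields are protected only by a key derived from the master password. The script below is an added illustration written for this thread, not LastPass code, and it does not reproduce LastPass's actual format or parameters. It assumes PBKDF2-HMAC-SHA256 as the key derivation function, uses a toy HMAC-counter-mode keystream in place of a real cipher so it runs with only the Python standard library, and the iteration counts (1,000 versus 100,000) are illustrative. The wordlist, salt, and vault entries are constructed sample data.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed sample data for the demo (not real breach data).
SALT = b"victim@example.com"  # assumption: salt known to the attacker, like the plaintext email
WORDLIST = ["password", "letmein", "Summer2019!", "correct horse battery staple", "Passw0rd"]


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 master-key derivation (assumed KDF, iteration count is the cost knob)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: HMAC-SHA256 in counter mode. Demo only, not a real AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass
class VaultEntry:
    url: str                  # stored in plaintext (point 1 in the post)
    username: str             # stored in plaintext
    nonce: bytes
    encrypted_password: bytes  # the "sensitive field" (point 2)
    tag: bytes                # HMAC over nonce+ciphertext; also serves as the key check


def seal_entry(master_password: str, iterations: int, url: str, username: str, password: str) -> VaultEntry:
    key = derive_key(master_password, SALT, iterations)
    nonce = os.urandom(12)
    ct = keystream_xor(key, nonce, password.encode())
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return VaultEntry(url, username, nonce, ct, tag)


def plaintext_exposure(vault: list[VaultEntry]) -> list[tuple[str, str]]:
    """What an attacker learns with no master password at all."""
    return [(e.url, e.username) for e in vault]


def try_open(entry: VaultEntry, candidate: str, iterations: int):
    """Derive a key from a guessed master password; return the secret if the tag verifies, else None."""
    key = derive_key(candidate, SALT, iterations)
    expected = hmac.new(key, entry.nonce + entry.encrypted_password, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, entry.tag):
        return None
    return keystream_xor(key, entry.nonce, entry.encrypted_password).decode()


def dictionary_attack(entry: VaultEntry, iterations: int, wordlist: list[str]):
    """Offline guessing against the stolen ciphertext; cost per guess is one PBKDF2 run."""
    for candidate in wordlist:
        secret = try_open(entry, candidate, iterations)
        if secret is not None:
            return candidate, secret
    return None


def guesses_per_second(iterations: int, samples: int = 10) -> float:
    """Single-core CPU rate; a GPU cracker does far better, which is the point of (4) above."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", SALT, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    weak_iters, strong_iters = 1_000, 100_000
    vault = [seal_entry("Summer2019!", weak_iters, "https://bank.example", "victim@example.com", "hunter2")]
    print("readable without any key:", plaintext_exposure(vault))
    print("recovered:", dictionary_attack(vault[0], weak_iters, WORDLIST))
    for iters in (weak_iters, strong_iters):
        rate = guesses_per_second(iters)
        print(f"{iters:>7} iterations: {rate:8.1f} guesses/s on one core")
```

The attacker needs nothing from the server to run `dictionary_attack`: the salt, the ciphertext and the check value are all in the stolen vault. Raising the iteration count only multiplies the per-guess cost; it does not help a master password that sits in a common wordlist, which is why point 4 and "most people don't have the strongest of passwords" compound each other.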

    • @ThreeHopsAhead@lemmy.ml · 1 year ago

      Due to their frontend architecture and how it interacts with their backend, you have no idea if they store your master password or associated encryption keys on their servers or not. They say they don’t, but they totally could and it’s impossible to prove or disprove.

      What? That sounds really really bad. If that is true LastPass was an absolute security nightmare all along.

      • Marxism-Fennekinism · 1 year ago

        Unless they (or someone compromising their servers) decide to store it. Because they absolutely could, and you wouldn’t even notice. E.g. when you enter your master password into the login form on their web page.

        But it’s not just that. Even if you use their browser extension consistently, it will fall back to their website for a number of actions. And when it does so, it will give the website your encryption key. For you, it’s impossible to tell whether this encryption key is subsequently stored somewhere.

        None of this is news to LastPass. It’s a risk they repeatedly chose to ignore. And that they keep negating in their official communication.

        Yeah…

    • @pingveno@lemmy.ml · 1 year ago

      Eh… keepassxc doesn’t do everything that LastPass can do. Things like sharing a secret or secure file with someone securely and easily. If all you’re doing is storing passwords, great. But many people have different requirements than that.