Password Manager LastPass Security Breach

 “LastPass, a company that offers users a way to centrally manage all of their passwords online with a single master password, disclosed Monday that intruders had broken into its databases and made off with user email addresses and password reminders, among other data.”

But, you probably shouldn’t worry too much. LastPass utilizes AES 256-bit encryption on your device with the lastest PBKDF2 algorithms. I’ll go more in-depth of these shortly, but what you really need to know is that since the data is encrypted on your device, by the time it arrives on the LastPass servers in what they call a vault, they don’t even know what your passwords are. They’ll need to know your salt encryption key to even begin exposing your password. Before this, however, anyone looking at your passwords will need to know your master password, which is also encrypted. If you have two-way authentication, you’ll have to approve their access to your vault. 

Can you explain these terms?

I first started talking about AES 256-bit encryption. AES stands for Advanced Encryption Standard and 256-bit is the block size (length of data). Block sizes can come in a variety of numbers like 128 or 192, as long as it’s a 32-bit number (multiple of 32). As with most things, the higher the number the better. Since LastPass uses 256-bit, it takes advantage of 14 cycle repetitions where it replaces one key with another key. So imagine the letter “a” being changed to another letter like “b” and “c”, only 14 times. So what determines what letter it gets replaced with? Your master password, which only you (should) know. The video below shows an example of this in detail.

What’s PBKDF2 and what does it have to do with salt?

PBKDF2 stands for Password-Based Key Derivation Function 2. It is a pseudorandom number that takes the input of your salt and the password to create a derived key. Salt, then, is a completely random number that alters your password through a system we call hashing (more terms, I know). Salts make using a using a dictionary of pre-determined encrypted passwords, called a rainbow table, more difficult. The primary purpose behind a hash function is to mix up your password to make it look like it isn’t a valid word. So a hash function will mix a randomly generated number (salt) and merge it with your master password, thus making your password rather difficult to read if the person looking at it doesn’t have both the salt and password. However, it’s not impossible. A person with the right rainbow table (basically translation dictionary of your hash) can still figure out your password. With enough processing power it may only take a few years. This is where PBKDF2 becomes useful. It requires both the salt and password, plus additional iterations to be created. Here’s an example of one:

DK = PBKDF2(PRF, Password, Salt, c, dkLen)

DK is generated derived key, PRF is a pseurandom function of two parameters, c is the number of iterations, and dkLen is the output length. 

The Wireless network in your home is probably setup with WPA2, which looks a lot like this:

DK = PBKDF2(HMAC−SHA1, your password, your ssid, 4096, 256)

It makes finding the password much more difficult, but not impossible. This brings me to my next point: You probably should change your master password. I wouldn’t worry too much about your password vault getting looked at by the wrong people, but I’d rather play it safe than be sorry by changing your master password. It will make your current PBKDF2 unreadable by non-privy eyes.

Article Source

Comments are closed.