I always feared this would happen some day; this is why I chose to use KeePass with YubiKey challenge-response and a decent master password, but this is no fun either because typing the password takes too long…
Does somebody have a good suggestion for a hardware-based 2FA/3FA solution which doesn't require much typing…
Something like a pluggable USB sender / NFC receiver that needs authentication from a YubiKey NFC challenge-response key to send its own (second) challenge-response to a password manager protected by a small PIN and a file…?
Maybe it’s better to learn faster typing…
but something better/more portable to smartphones etc. than described above…
If you actually read the news you’ll see that it’s no big deal.
It’d take a very long time to do anything with stolen data and in the meantime anyone who’s concerned about this can change their master password (although LastPass users who enabled 2FA integration don’t even need to do that).
I just finished reading the article, and there's not much to fear. All the attacker(s) stole were the hashed master passwords and account emails. The master passwords are hashed with 100,000 rounds of PBKDF2 and, according to the article, one Nvidia GTX Titan X can perform 10,000 guesses per second on a password.
"Oh no! They can certainly perform a brute force attack!", you say. Just look at the numbers though: if I used an 8-character password (using upper/lowercase, numbers, and special characters) and the attacker had 10,000 GTX graphics cards, that's 95 characters (just look at your keyboard) ^ 8 characters / (10,000 guesses per second * 10,000 graphics cards) / (60 seconds * 60 minutes * 24 hours) = about 2 years per password.
By that time, users will have changed their master password. Keep in mind this is a 10 million dollar cost. Even if a nation was trying to crack the stolen password (assume 1 million graphics cards, which would cost 1 billion dollars), this would still take: about 8 days, and this isn’t even that great of a password!
If you decided to use a 10 character password, it would take a nation with a 1 billion dollar budget 190 years!!! And if you decided to use a 14 character password, the said nation might as well start looking for a new solar system because the sun will have died 11 billion years before they cracked it! **
** Not accounting for Moore's law.
Feel free to check my math at the links below:
- 8 Character password
- 10 Character password, advanced attacker
- 14 Character password, minus sun dying in 4.5 billion years
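As an added example (not code from the post, the forum or LastPass), the arithmetic above written out as a small Python script, generalized to any password length and attacker size. The 95-character set, the 10,000 guesses per second per GTX Titan X and the 100,000 PBKDF2 rounds are the post's figures, assumed here rather than measured; the only thing the script measures itself is how many PBKDF2 guesses one CPU core manages, to show why the round count matters.

```python
"""Brute-force cost estimate for PBKDF2-hashed master passwords.

Added example for this thread; not code from the post, the forum or
LastPass. Assumed from the post above: 95 printable characters,
10,000 guesses/s per GTX Titan X, 100,000 PBKDF2 rounds.
"""
import hashlib
import os
import time

PRINTABLE_CHARSET = 95        # upper/lower/digits/symbols on a US keyboard (post's figure)
GUESSES_PER_GPU = 10_000      # per-GPU rate quoted in the post, not measured here
PBKDF2_ROUNDS = 100_000       # round count quoted in the post
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(length: int, charset_size: int = PRINTABLE_CHARSET) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(length: int, gpus: int,
                       charset_size: int = PRINTABLE_CHARSET,
                       guesses_per_gpu: int = GUESSES_PER_GPU) -> float:
    """Worst case: every candidate is tried (what the post computes).
    The expected time to hit one specific password is half of this."""
    return keyspace(length, charset_size) / (gpus * guesses_per_gpu)


def human_duration(seconds: float) -> str:
    """Render a duration in days or years, the way the post does."""
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    years = seconds / SECONDS_PER_YEAR
    if years >= 1e9:
        return f"{years / 1e9:.1f} billion years"
    return f"{years:,.0f} years" if years >= 100 else f"{years:.1f} years"


def cost_table(lengths=(8, 10, 12, 14),
               attackers=((10_000, "10k GPUs (~$10M)"), (1_000_000, "1M GPUs (~$1B)"))):
    """Worst-case crack time for each password length against each attacker."""
    rows = []
    for length in lengths:
        row = {"length": length}
        for gpus, label in attackers:
            row[label] = human_duration(seconds_to_exhaust(length, gpus))
        rows.append(row)
    return rows


def measure_pbkdf2_rate(rounds: int = PBKDF2_ROUNDS, samples: int = 3) -> float:
    """Guesses per second for one CPU core using OpenSSL's PBKDF2-HMAC-SHA256.
    A GPU cracker is far faster, but its rate also falls linearly with `rounds`,
    which is the whole point of a high iteration count."""
    salt = os.urandom(16)                     # constructed salt; real hashes carry their own
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"candidate%d" % i, salt, rounds, dklen=32)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    for row in cost_table():
        print(row)
    print(f"this CPU core at {PBKDF2_ROUNDS:,} rounds: "
          f"{measure_pbkdf2_rate():.1f} guesses/s")
    print(f"this CPU core at 1,000 rounds: "
          f"{measure_pbkdf2_rate(rounds=1_000, samples=100):.0f} guesses/s")
```

Running it reproduces the post's three figures (about 2 years, 190 years, and roughly 15 billion years before subtracting the sun's remaining lifetime) and shows the CPU rate dropping by about a hundredfold between 1,000 and 100,000 rounds; divide any row by two for the expected rather than worst-case time.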
That’s a little bit of an understatement!
I just want to point out that I use LastPass, and my password is 20+ characters long; also, I've already changed my password.
I just reacted because I wanted a better solution than mine. I didn't read the article fully and saw it was no major issue, but some years ago I decided not to use it because I wanted to store the DB locally on a USB stick without some other party involved… I just didn't trust it in those days.
That’s assuming that the forensic report is not premature. Once you are owned, you are owned and the penetration could be deeper than what you thought.
This news is just one more exhibit to the need of MaidSafe’s SafeNet in our lives.
Any security solution that is not based on SafeNet will be prone to penetration.
@pilusio, I definitely would not rule out "prone to penetration"; let's say people could still try to find vulnerabilities, though success is unlikely…
I agree with you on this
Fair enough, but the DB is encrypted locally the same way it’s encrypted on LastPass servers (it’s encrypted locally first and then uploaded to LastPass), so the risk is the same (as we can see from the above calculation, very low).
I also use it, but I didn’t change the master password. Maybe I will one day if I get bored.
Maybe MaidSafe will eventually have its own family of vulnerabilities, but at least it will up the ante for crackers. None of the existing bag of tricks will work, any zero day repository or framework will be obsolete.
MaidSafe at least will level the field, and thanks to its design everything is compartmentalized so any successful attack will only affect a specific user.
Some interesting studies suggest that Rust is 90% more secure against vulnerabilities than c++; I think they will be published soon.
It looks like my approach (didn't change my LastPass master password) is OK. Here's what a password expert said about it:
So no, I’m definitely not sweating this breach. I don’t even feel compelled to change my master password.