I always feared this would happen some day; this is why I chose to use KeePass with YubiKey challenge-response and a decent master password, but this is no fun either because typing the password takes too long…
Does somebody have a good suggestion for a hardware-based 2FA/3FA solution which doesn't require much typing…
Something like a pluggable USB sender / NFC receiver that needs authentication from a YubiKey NFC challenge-response key before it sends its own (second) challenge-response to the password manager, which is protected by a small PIN and a key file…?
Maybe it's better to learn to type faster…
but something better/more portable to smartphones etc. than what is described above…
If you actually read the news you'll see that it's no big deal.
It'd take a very long time to do anything with stolen data, and in the meantime anyone who's concerned about this can change their master password (although LastPass users who enabled 2FA integration don't even need to do that).
I just finished reading the article, and there's not much to fear. All the attacker(s) stole were the hashed master passwords and account emails. The master passwords are hashed with 100,000 rounds of PBKDF2 and, according to the article, one Nvidia GTX Titan X can perform 10,000 guesses per second on a password.
"Oh no! They can certainly perform a brute force attack!", you say. Just look at the numbers though: if I used an 8 digit password (using upper/lowercase, numbers, and special characters) and the attacker had 10,000 GTX graphics cards, that's 95 characters (just look at your keyboard) ^ 8 characters / (10,000 guesses per second * 10,000 graphics cards) / (60 seconds * 60 minutes * 24 hours) = about 2 years per password
By that time, users will have changed their master password. Keep in mind this is a 10 million dollar cost. Even if a nation was trying to crack the stolen password (assume 1 million graphics cards, which would cost 1 billion dollars), this would still take about 8 days, and this isn't even that great of a password!
If you decided to use a 10 character password, it would take a nation with a 1 billion dollar budget 190 years!!! And if you decided to use a 14 character password, the said nation might as well start looking for a new solar system because the sun will have died 11 billion years before they cracked it! **
** Not accounting for Moore's law.
Feel free to check my math at the links below:
- 8 Character password
- 10 Character password, advanced attacker
- 14 Character password, minus sun dying in 4.5 billion years
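The crack-time arithmetic in the post above, as an added worked example that is not part of the thread or of any LastPass code: the 95-character keyboard set, 10,000 guesses/s per GPU and 100,000 PBKDF2 rounds are the figures quoted in the post; the `scaled_rate` helper, the constructed demo "vault" (tiny charset, 100 rounds, made-up salt) and all function names are assumptions added here. The same PBKDF2 derivation is what a later post means when it says the DB is encrypted locally with the master password before upload.

```python
"""Added example (not part of the thread): the post's PBKDF2 crack-time
arithmetic as reusable functions, plus a tiny concrete brute force
against a constructed PBKDF2-HMAC-SHA256 hash.  The 95-char keyboard
set, 10,000 guesses/s per GPU and 100,000 rounds are the thread's
figures; everything else (salt, demo password, rates at other round
counts) is a labelled assumption."""
import hashlib
import itertools

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
KEYBOARD_CHARSET = 95            # printable ASCII, as the post counts it
THREAD_ROUNDS = 100_000          # PBKDF2 rounds quoted in the post
THREAD_RATE_PER_GPU = 10_000     # guesses/s per GPU at THREAD_ROUNDS


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return charset_size ** length


def worst_case_seconds(length: int, gpus: int,
                       charset_size: int = KEYBOARD_CHARSET,
                       rate_per_gpu: float = THREAD_RATE_PER_GPU) -> float:
    """Seconds to exhaust the whole keyspace (the figure the post uses).
    The *expected* time to hit a uniformly random password is half this."""
    return keyspace(charset_size, length) / (rate_per_gpu * gpus)


def scaled_rate(rounds: int, reference_rounds: int = THREAD_ROUNDS,
                reference_rate: float = THREAD_RATE_PER_GPU) -> float:
    """PBKDF2 cost is linear in the iteration count, so the attacker's
    guess rate scales inversely with it.  Assumption: fixed per-guess
    GPU overhead is ignored, so this is a slight overestimate."""
    return reference_rate * reference_rounds / rounds


def crack_table(gpus: int, lengths=(8, 10, 14)) -> dict:
    """Worst-case crack time in years per length, as the post tabulates."""
    return {n: worst_case_seconds(n, gpus) / SECONDS_PER_YEAR for n in lengths}


def pbkdf2(password: str, salt: bytes, rounds: int) -> bytes:
    """Standard-library PBKDF2-HMAC-SHA256 (constructed demo vault)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def brute_force(target: bytes, salt: bytes, rounds: int,
                charset: str, max_len: int):
    """Exhaustive search in length order.  Every guess costs `rounds`
    HMAC iterations, which is exactly why the arithmetic above holds.
    Returns (password, guesses) on success or (None, guesses)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if pbkdf2(candidate, salt, rounds) == target:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    for gpus, label in ((10_000, "10M dollar attacker"),
                        (1_000_000, "1B dollar nation")):
        years = crack_table(gpus)
        print(f"{label:20s}", {n: f"{y:.3g} years" for n, y in years.items()})
    print("rate/GPU at 5,000 rounds:", scaled_rate(5_000))
    # Constructed demo vault: tiny charset and 100 rounds so it runs instantly.
    salt = b"constructed-salt"
    vault_hash = pbkdf2("cab", salt, 100)
    print(brute_force(vault_hash, salt, 100, "abc", 3))   # ('cab', 32)
```

Running it reproduces the post's figures (about 768 days for 8 characters on 10,000 GPUs, about 7.7 days and 190 years on a million GPUs for 8 and 10 characters, about 15 billion years for 14), and the demo brute force finds the 3-character password after 32 guesses. The `scaled_rate` call is the check a practitioner wants: at a lower round count the same hardware guesses proportionally faster, so the iteration count, not just the password length, is what the estimate rests on.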
That's a little bit of an understatement!
I just want to point out that I use LastPass, and my password is 20+ characters long; also, I've already changed my password.
I just reacted because I wanted a better solution than mine. I didn't read the article fully and saw it was no major issue, but some years ago I decided not to use it because I wanted to store the DB locally on a USB stick without some other party involved… I just didn't trust it in those days.
Thatās assuming that the forensic report is not premature. Once you are owned, you are owned and the penetration could be deeper than what you thought.
This news is just one more exhibit of the need for MaidSafe's SafeNet in our lives.
Any security solution that is not based on SafeNet will be prone to penetration.
@pilusio, I definitely would not rule out "prone to penetration"; let's say people could still try to find vulnerabilities, though success is unlikely…
I agree with you on this
Fair enough, but the DB is encrypted locally the same way it's encrypted on LastPass servers (it's encrypted locally first and then uploaded to LastPass), so the risk is the same (as we can see from the above calculation, very low).
I also use it, but I didn't change the master password. Maybe I will one day if I get bored.
Maybe MaidSafe will eventually have its own family of vulnerabilities, but at least it will up the ante for crackers. None of the existing bag of tricks will work; any zero-day repository or framework will be obsolete.
MaidSafe at least will level the field, and thanks to its design everything is compartmentalized so any successful attack will only affect a specific user.
Some interesting studies suggest that Rust is 90% more secure against vulnerabilities than C++; I think they will be published soon.
It looks like my approach (I didn't change my LastPass master password) is OK. Here's what a password expert said about it:
So no, I'm definitely not sweating this breach. I don't even feel compelled to change my master password.