LastPass attacker stole password vault data, showing Web2's limitations


Password management service LastPass was hacked in August 2022, and the attacker stole users’ encrypted password vaults, according to a Dec. 23 statement from the company. This means that the attacker may be able to crack some LastPass users’ website passwords by brute-force guessing of weak master passwords.

Notice of Recent Security Incident - The LastPass Blog #lastpasshack #hack #lastpass #infosec https://t.co/sQALfnpOTy

— Thomas Zickell (@thomaszickell) December 23, 2022

LastPass first disclosed the breach in August 2022, but at that time it appeared that the attacker had only obtained source code and technical information, not any customer data. However, the company has since investigated and discovered that the attacker used this technical information to attack another employee’s device, which was then used to obtain keys to customer data stored in a cloud storage system.

As a result, unencrypted customer metadata has been exposed to the attacker, including “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

In addition, some customers’ encrypted vaults were stolen. These vaults contain the website passwords that each user stores with the LastPass service. Luckily, the vaults are encrypted with a key derived from each user’s Master Password, which should prevent the attacker from being able to read them.

The statement from LastPass emphasizes that the service uses state-of-the-art encryption to make it very difficult for an attacker to read vault files without knowing the Master Password, stating:

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Even so, LastPass admits that if a customer has used a weak Master Password, the attacker may be able to use brute force to guess this password, allowing them to decrypt the vault and obtain all of the customer’s website passwords, as LastPass explains:

“it is important to note that if your master password does not make use of the [best practices the company recommends], then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”
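To make the two quoted points concrete (a vault key derived client-side from the master password, and a weak master password cutting the guesses an offline attacker needs), here is an added model in Python. It is not LastPass code: the choice of PBKDF2-HMAC-SHA256, the iteration count, the character-set sizes and the attacker hash rate are all assumptions for illustration.

```python
# Added example, not LastPass code. Models the vault protection described in
# the statement and gives a defender's estimate of how much a weak master
# password shortens an offline guessing attack on a stolen vault.
import hashlib

KDF_ITERATIONS = 100_000  # assumed; the article gives no iteration count


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Client-side derivation of the 256-bit AES vault key.

    Only the salt and the AES ciphertext need to reach the service; neither
    the master password nor this key does, which is the "zero knowledge"
    property the statement refers to. KDF choice is an assumption.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def expected_attack_seconds(charset_size: int, length: int,
                            iterations: int = KDF_ITERATIONS,
                            hmac_calls_per_second: float = 1e9) -> float:
    """Expected wall-clock time for an offline attack on a stolen vault.

    Each guess costs one full KDF run (`iterations` HMAC calls), and on
    average the attacker tries half of the keyspace before succeeding.
    The hash rate is an assumed attacker budget, not a measured figure.
    """
    guesses = charset_size ** length
    total_hmac_calls = guesses * iterations // 2
    return total_hmac_calls / hmac_calls_per_second


def compare_master_passwords() -> dict:
    """An 8-digit PIN versus a 12-character mixed password (assumed 72-symbol
    alphabet) under the same KDF cost: the slow KDF alone does not rescue a
    weak master password, which is why the statement urges strong ones."""
    return {
        "pin_8_digits": expected_attack_seconds(10, 8),
        "mixed_12_chars": expected_attack_seconds(72, 12),
    }


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; real salts are random per user
    print(derive_vault_key("correct horse battery staple", salt).hex())
    for name, seconds in compare_master_passwords().items():
        print(f"{name}: ~{seconds / 86400 / 365:.3g} years")
```

Changing the iteration count or the assumed hash rate scales every estimate linearly, while adding characters to the master password scales it exponentially, which is the asymmetry defenders should lean on.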

Can password manager hacks be eliminated with Web3?

The LastPass breach illustrates a claim that Web3 developers have been making for years: that the traditional username and password login system needs to be scrapped in favor of blockchain wallet logins.

According to advocates of crypto wallet login, traditional password logins are fundamentally insecure because they require hashes of passwords to be kept on cloud servers. If these hashes are stolen, they can be cracked. In addition, if a user relies on the same password for multiple websites, one stolen password can lead to a breach of all the others. On the other hand, most users can’t remember multiple passwords for different websites.

To solve this problem, password management services like LastPass were invented. But these also rely on cloud services to store encrypted password vaults. If an attacker manages to obtain a password vault from the password manager service, they may be able to crack the vault and obtain all of the user’s passwords.

Web3 applications solve the problem in a different way. They use browser extension wallets like MetaMask or Trust Wallet to sign in with a cryptographic signature, eliminating the need for a password to be stored in the cloud.

An illustration of a crypto wallet login page. Source: Blockscan Chat

But so far, this method has only been standardized for decentralized applications. Traditional apps that require a central server don’t currently have an agreed-upon standard for how to use crypto wallets for logins.

Related: Facebook is fined 265M euros for leaking customer data

However, a new Ethereum Improvement Proposal (EIP) aims to remedy this situation. Called “EIP-4361,” the proposal attempts to provide a universal standard for web logins that works for both centralized and decentralized applications.

If this standard is agreed upon and implemented by the Web3 industry, its proponents hope that the entire world wide web will eventually get rid of password logins altogether, eliminating the risk of password manager breaches like the one that has happened at LastPass.
