Security experts say LastPass misled customers in August data breach updates

Security experts are calling LastPass out on its “misleading” December security breach update.

The breach originates from an incident in August that led to a subsequent breach in November, where cyber criminals gained access to user password vaults. LastPass posted two updates since August, with the latter one coming earlier this month. The company said there was no cause for concern as passwords remain encrypted. While hackers could use brute force to access master passwords, LastPass said it “would take millions of years to guess” if the company’s best practices for passwords were followed.

Jeffrey Goldberg, the Principal Security Architect at 1Password, said the “claim is highly misleading.” The statement assumes users randomly generated their own master passwords, which Goldberg said people aren’t very good at doing.

“Unless your password was created by a good password generator, it is crackable,” Goldberg wrote in a blog post. The best practices LastPass mentions say nothing about using a password generator, which Goldberg implies is the only reliable way to create an uncrackable master password.

It also isn’t expensive to guess passwords, Goldberg wrote, with 10 billion guesses equaling $100 USD (roughly $135 Canadian).

“Given that the attacker is starting with the most likely human-created passwords first, that $100 worth of effort is likely to get results unless the password was machine generated.”
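To make the cost argument concrete, here is a small added example (not code from the article, 1Password, or LastPass) that generates a master password with the operating system's CSPRNG and estimates the expected cracking cost from the article's quoted price of $100 per 10 billion guesses. The alphabet, password length and the size of the "likely human-chosen passwords" list are constructed assumptions; the price figure is the only number taken from the article.

```python
import math
import secrets
import string

# Price quoted in the article: about $100 USD buys 10 billion guesses.
GUESSES_PER_100_USD = 10_000_000_000
USD_PER_GUESS = 100 / GUESSES_PER_100_USD

# Constructed assumption: a generator drawing from the 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password from the OS CSPRNG; this is what 'a good password generator' means."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_cost_usd(candidate_space: float) -> float:
    """Expected cost when the attacker must, on average, try half of the candidate space."""
    return (candidate_space / 2) * USD_PER_GUESS


def generated_password_cost_usd(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Expected cost of guessing a machine-generated password: the whole key space is in play."""
    return expected_crack_cost_usd(float(alphabet_size) ** length)


def human_password_cost_usd(candidate_list_size: int) -> float:
    """Expected cost when the password comes from a list of likely human-chosen candidates.

    Constructed assumption: the attacker tries the most probable human passwords first,
    so the effective search space is the candidate list, not the full alphabet space.
    """
    return expected_crack_cost_usd(candidate_list_size)


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw!r} ({entropy_bits(len(pw)):.1f} bits)")
    print(f"expected cost, generated 20-char password: ${generated_password_cost_usd(20):.3g}")
    # Constructed assumption: a 10-billion-entry list of common human passwords.
    print(f"expected cost, human password from 1e10 list: ${human_password_cost_usd(10**10):.2f}")
```

The contrast is the point Goldberg makes: a password that sits somewhere in a list the attacker can afford to exhaust costs tens of dollars to recover, while a 20-character generated password from the same price list costs far more than any attacker could spend.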

LastPass’ transparency claims have also been challenged. Security researcher Wladimir Palant questioned the company’s “commitment to transparency.” LastPass stated its updates were meant to keep customers informed. However, Palant wrote in a blog post that LastPass is already required to disclose data breaches promptly under U.S. law.

He further accused the company of portraying the August breach and November incident as two separate events. In reality, LastPass could not contain the August breach. “Because of that failure, people’s data is now gone,” Palant wrote.

Source: 1Password, Wladimir Palant Via: The Verge 
