
If you stored SSNs, credit cards, addresses, driver's licenses, debit PINs, and those pesky security questions (what's your father's middle name), they are going to eventually be accessible to hackers and scammers. Maybe tomorrow, maybe a year from now, or maybe 10. Whatever data you had on LastPass WILL get revealed.

I am, and am making the migration to another.

First of all, encrypted data should have the format !<base64 string>|<base64 string>. The first base64 string is the initialization vector, the second one the actual encrypted data. If you see encrypted data that is merely a base64 string: that’s AES-ECB encryption which absolutely shouldn’t be used today. But LastPass only replaced it around five years ago, and I’m not sure whether they managed to migrate all existing passwords.

As you can see here, the encrypted fields are name, username (duplicated as u), p (password) and extra (password notes). Everything else is not encrypted. The url attributes in particular are merely hex encoded; any hex-to-text web page can decode that easily.

Metadata like modification times and account settings is plain text. There are more unencrypted settings here, for example:

What’s the deal with the encrypted_username field? Does it mean that LastPass doesn’t know the decrypted account name (email address)? That’s of course not the case, LastPass knows the email address of each user. They wouldn’t be able to send out breach notifications to everyone otherwise. LastPass merely uses this field to verify that it got the correct encryption key. If decrypting this value yields the user’s email address then the encryption key is working correctly. And: yes, this is AES-ECB, a long deprecated encryption scheme.

Why is unencrypted metadata an issue? As I’ve already established in the previous article, decrypting LastPass data is possible but expensive. Nobody will do that for all the millions of LastPass accounts. But the unencrypted metadata allows prioritizing. Someone with access to ? And this account has also been updated recently? Clearly someone who is worth the effort. And it’s not only that. Merely knowing who has the account where exposes users to phishing attacks for example. The attackers now know exactly who has an account with a particular bank, so they can send them phishing emails for that exact bank.
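As an added example (not code from the original post or from LastPass), the Python helper below turns the rules stated above into an audit of a single account record: the !<iv>|<data> layout is reported as AES-CBC, a bare base64 value as the legacy AES-ECB layout, the url field is hex-decoded, and every other field is reported as plaintext. The account record, the field names outside those the post names (last_modified) and the URL value are constructed for the example; nothing here decrypts anything, it only tells you which fields of an exported vault are actually protected and how.

```python
import base64
import binascii
import re

# Fields the post identifies as encrypted: name, username (duplicated as u),
# p (password) and extra (password notes).
ENCRYPTED_FIELDS = {"name", "username", "u", "p", "extra"}

# "!<base64 iv>|<base64 ciphertext>" is the CBC layout; a bare base64 value
# is the older ECB layout (no IV).
CBC_RE = re.compile(r"^!([A-Za-z0-9+/=]+)\|([A-Za-z0-9+/=]+)$")
AES_BLOCK = 16


def classify_encrypted_value(value):
    """Return 'empty', 'aes-cbc', 'aes-ecb-legacy' or 'malformed'."""
    if value == "":
        return "empty"
    match = CBC_RE.match(value)
    if match:
        try:
            iv = base64.b64decode(match.group(1), validate=True)
            data = base64.b64decode(match.group(2), validate=True)
        except binascii.Error:
            return "malformed"
        # AES-CBC needs a one-block IV and whole ciphertext blocks.
        if len(iv) != AES_BLOCK or not data or len(data) % AES_BLOCK:
            return "malformed"
        return "aes-cbc"
    try:
        data = base64.b64decode(value, validate=True)
    except binascii.Error:
        return "malformed"
    if not data or len(data) % AES_BLOCK:
        return "malformed"
    return "aes-ecb-legacy"


def decode_hex_field(value):
    """Hex-decode a url attribute; None if it is not valid hex/UTF-8."""
    try:
        return bytes.fromhex(value).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def audit_account(account):
    """Map every field of one account record to how it is stored."""
    report = {}
    for key, value in account.items():
        if key in ENCRYPTED_FIELDS:
            report[key] = classify_encrypted_value(value)
        elif key == "url":
            decoded = decode_hex_field(value)
            report[key] = "plaintext-hex:" + (decoded if decoded is not None else "<undecodable>")
        else:
            report[key] = "plaintext"
    return report


# Constructed sample record (values are made up, not real vault data).
SAMPLE_ACCOUNT = {
    "name": "!" + base64.b64encode(b"\x00" * 16).decode()
            + "|" + base64.b64encode(b"\x11" * 32).decode(),  # CBC layout
    "username": base64.b64encode(b"\x22" * 16).decode(),     # bare base64: ECB layout
    "p": "!" + base64.b64encode(b"\x33" * 16).decode()
         + "|" + base64.b64encode(b"\x44" * 16).decode(),
    "extra": "",
    "url": "68747470733a2f2f62616e6b2e6578616d706c65",        # hex of https://bank.example
    "last_modified": "1671926400",                            # hypothetical field name
}

if __name__ == "__main__":
    for field, how in audit_account(SAMPLE_ACCOUNT).items():
        print(f"{field:14} {how}")
```

Run it on a record from your own export and anything reported as plaintext or plaintext-hex is what a thief of the vault file can read without any key, while aes-ecb-legacy flags entries that were never migrated off the deprecated mode.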
