There are known and proven protocols for password manager companies to handle your data and verify your master password without ever getting access to your data. But do they follow those protocols? We trust they do, because any failure would eventually be exposed, causing major damage to the company’s reputation. After all, using a password manager is all about trust.

But due to a recent breach, poor handling of communication about it, and questionable policies, LastPass is on the verge of losing that trust.

Why Doesn’t LastPass Encrypt the Sites I Visit?

A policy causing alarm in the online security community is the discovery that LastPass stores unencrypted website links in credential vaults along with your encrypted credentials. One report points out that these URLs could include password reset tokens or username/password pairs. But there was no need to capture and analyze data streams, as LastPass freely admits that it transmits this information without encryption. In a December 22 blog post about the “security incident,” LastPass representatives noted that the person behind the breach obtained “unencrypted data, such as website URLs.” Leaving the URLs without encryption wasn’t an accident; it was a policy decision. LastPass hasn’t yet responded to our requests for comment.

As I’ve explained in detail, LastPass uses an encryption key derived from your master password to prove that you’re authorized to download your vault data. It then uses a completely different encryption key, also derived from your master password, to decrypt vault data on your local device. LastPass has zero access to the master password itself. However, by stealing the vaults directly, the LastPass attacker has completely bypassed the whole authentication stage, including any multi-factor authentication you may have enabled.
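The two-key scheme described above, worked through as an added illustration that is not code from the article or from LastPass: the derivation functions and iteration count are modelled on LastPass’s published design but are assumptions here, the cipher is a stand-in, and all sample values are constructed. It also shows why a vault copied straight out of server storage never reaches the server’s check, which is the path multi-factor authentication protects.

```python
import hashlib
import hmac

# Constructed example; PBKDF2 parameters are assumptions, not figures from the article.
ITERATIONS = 600_000  # client-side PBKDF2 rounds; the only brake on offline guessing of a stolen vault

def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Vault key: PBKDF2-HMAC-SHA256(master password, salt = account e-mail). Never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)

def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Authentication hash: one further PBKDF2 round over the vault key. The client presents this,
    not the master password, to prove it may download the vault; PBKDF2 is one-way, so the
    server cannot recover the vault key from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def server_verify(stored: bytes, presented: bytes) -> bool:
    """The only check the server performs; multi-factor authentication sits on this path too."""
    return hmac.compare_digest(stored, presented)

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 keystream XOR, standing in for the real vault cipher. Illustration only."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_entry(vault_key: bytes, url: str, username: str, password: str) -> dict:
    """Vault record as the article describes it: URL in the clear, credentials encrypted."""
    return {"url": url, "creds": toy_cipher(vault_key, f"{username}:{password}".encode())}

def demo(iterations: int = 10_000) -> dict:
    email, master = "user@example.com", "correct horse battery staple"  # constructed values
    vault_key = derive_vault_key(master, email, iterations)
    server = {"auth_hash": derive_auth_hash(vault_key, master),
              "vault": make_entry(vault_key, "https://bank.example/reset?token=abc", "alice", "hunter2")}
    # Normal path: client re-derives the hash, server checks it, then releases the vault.
    presented = derive_auth_hash(derive_vault_key(master, email, iterations), master)
    login_ok = server_verify(server["auth_hash"], presented)
    # Breach path: the vault is copied straight out of the server store. server_verify is never
    # called, so MFA never runs; the URL is readable at once, the credentials only with the vault key.
    stolen = server["vault"]
    wrong_key = derive_vault_key("not the master password", email, iterations)
    return {"login_ok": login_ok,
            "auth_hash_is_not_vault_key": server["auth_hash"] != vault_key,
            "url_in_clear": stolen["url"],
            "creds_with_key": toy_cipher(vault_key, stolen["creds"]),
            "creds_with_wrong_key": toy_cipher(wrong_key, stolen["creds"])}
```

Raising `iterations` slows every guess against a stolen vault by the same factor, which is why the client-side round count, not the server’s login check, is what protects vault contents after a theft like this one.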