Hello
I have 3 NEO's, each registered with LastPass for 2FA.
https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
On LastPass, I have changed my logon and security email accounts and master password.
Is there any way that the hackers could compromise the security provided by my 3 NEO's in regards to LastPass?Please advise and thank you.
Mark
Reading up on what was lost and how the rest of the information is protected, I am not as worried as I was when I first read the news. If you have a unique and strong master password, you're probably ok.
Why?
See the UPDATE sections on this post: http://arstechnica.com/security/2015/06 ... passwords/ as well as the comment by epixoip which states...
Code:
rounds = user_rounds || 5000 // the iteration count is user-defined. default is 5k
encryption_key = PBKDF2(HMAC-SHA256, password, salt, rounds) // this is what unlocks your vault
auth_key = sha256(encryption_key) // this is what is sent to the server for authentication
server_hash = PBKDF2(HMAC-SHA256, auth_key, salt, 100000) // this is what is stored in the auth db
So the full algorithm for the password stored in the database, which is what the attackers obtained, is:
PBKDF2(HMAC-SHA256, sha256(PBKDF2(HMAC-SHA256, password, salt, rounds)), salt, 100000)
encryption_key = PBKDF2(HMAC-SHA256, password, salt, rounds) // this is what unlocks your vault
auth_key = sha256(encryption_key) // this is what is sent to the server for authentication
server_hash = PBKDF2(HMAC-SHA256, auth_key, salt, 100000) // this is what is stored in the auth db
So the full algorithm for the password stored in the database, which is what the attackers obtained, is:
PBKDF2(HMAC-SHA256, sha256(PBKDF2(HMAC-SHA256, password, salt, rounds)), salt, 100000)
Code:
Ain't nobody got time for that.
Statistics: Posted by brendanhoar — Tue Jun 16, 2015 11:16 pm
]]>