Yubico Forum
https://forum.yubico.com/

LastPass hack on June 12, 2015
https://forum.yubico.com/viewtopic.php?f=26&t=1920
Page 1 of 1

Author:  madpw [ Tue Jun 16, 2015 10:06 am ]
Post subject:  LastPass hack on June 12, 2015

Hello

:geek: I have 3 NEOs, each registered with LastPass for 2FA.

:shock: https://blog.lastpass.com/2015/06/lastpass-security-notice.html/

:!: On LastPass, I have changed my logon and security email accounts and master password.

:?: Is there any way that the hackers could compromise the security provided by my 3 NEOs in regard to LastPass?

Please advise and thank you.
Mark

Author:  brendanhoar [ Tue Jun 16, 2015 11:16 pm ]
Post subject:  Re: LastPass hack on June 12, 2015

madpw wrote:
Hello

:geek: I have 3 NEOs, each registered with LastPass for 2FA.

:shock: https://blog.lastpass.com/2015/06/lastpass-security-notice.html/

:!: On LastPass, I have changed my logon and security email accounts and master password.

:?: Is there any way that the hackers could compromise the security provided by my 3 NEOs in regard to LastPass?

Please advise and thank you.
Mark


Reading up on what was lost and how the rest of the information is protected, I am not as worried as I was when I first read the news. If you have a unique and strong master password, you're probably ok.

Why?

See the UPDATE sections on this post: http://arstechnica.com/security/2015/06 ... passwords/ as well as the comment by epixoip which states...

Code:
rounds = user_rounds || 5000 // the iteration count is user-defined. default is 5k
encryption_key = PBKDF2(HMAC-SHA256, password, salt, rounds) // this is what unlocks your vault
auth_key = sha256(encryption_key) // this is what is sent to the server for authentication
server_hash = PBKDF2(HMAC-SHA256, auth_key, salt, 100000) // this is what is stored in the auth db

So the full algorithm for the password stored in the database, which is what the attackers obtained, is:

PBKDF2(HMAC-SHA256, sha256(PBKDF2(HMAC-SHA256, password, salt, rounds)), salt, 100000)


Code:
Ain't nobody got time for that.
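
The derivation chain quoted above, written out as runnable Python so the cost to an attacker holding the auth database is concrete. This is an added example, not code from the forum post, from epixoip's comment or from LastPass; it implements exactly the four lines quoted (PBKDF2-HMAC-SHA256 with a user-chosen count, one SHA-256, then a second PBKDF2 with 100000 rounds). The salt value, the 32-byte output length and the use of one salt for both PBKDF2 calls are assumptions made for the example.

```python
import hashlib
import hmac

SERVER_ROUNDS = 100_000        # server-side PBKDF2 count from the quoted comment
DEFAULT_USER_ROUNDS = 5_000    # client-side default ("default is 5k") from the quoted comment
KEY_LEN = 32                   # assumption: 32-byte (256-bit) outputs throughout


def derive_encryption_key(password: str, salt: bytes, rounds: int = DEFAULT_USER_ROUNDS) -> bytes:
    """Client side: PBKDF2(HMAC-SHA256, password, salt, rounds).
    This is the key that unlocks the vault; it never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=KEY_LEN)


def derive_auth_key(encryption_key: bytes) -> bytes:
    """Client side: auth_key = sha256(encryption_key).
    This, not the password, is what the client sends to the server."""
    return hashlib.sha256(encryption_key).digest()


def derive_server_hash(auth_key: bytes, salt: bytes) -> bytes:
    """Server side: PBKDF2(HMAC-SHA256, auth_key, salt, 100000).
    This is the value stored in the auth database, i.e. what the attackers obtained."""
    return hashlib.pbkdf2_hmac("sha256", auth_key, salt, SERVER_ROUNDS, dklen=KEY_LEN)


def server_hash_from_password(password: str, salt: bytes, rounds: int = DEFAULT_USER_ROUNDS) -> bytes:
    """The full chain an offline guesser must run for every candidate password:
    PBKDF2(sha256(PBKDF2(password, salt, rounds)), salt, 100000)."""
    return derive_server_hash(derive_auth_key(derive_encryption_key(password, salt, rounds)), salt)


def verify_login(stored_hash: bytes, submitted_auth_key: bytes, salt: bytes) -> bool:
    """Server side check at login: recompute the stored hash from the submitted auth key.
    Constant-time comparison so the check itself leaks nothing via timing."""
    return hmac.compare_digest(stored_hash, derive_server_hash(submitted_auth_key, salt))


def iterations_per_guess(rounds: int = DEFAULT_USER_ROUNDS) -> int:
    """HMAC-SHA256 PBKDF2 iterations an attacker pays per candidate password (the single
    SHA-256 in the middle is negligible next to these)."""
    return rounds + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample values; the salt is not LastPass's real salting scheme.
    salt = b"user@example.com"
    password = "correct horse battery staple"

    stored = server_hash_from_password(password, salt)
    print("stored server hash:", stored.hex())

    # What a legitimate client sends, and what the server does with it.
    auth_key = derive_auth_key(derive_encryption_key(password, salt))
    print("login accepted:", verify_login(stored, auth_key, salt))
    print("wrong password accepted:", verify_login(stored, derive_auth_key(derive_encryption_key("hunter2", salt)), salt))

    # Raising the user-side iteration count raises the per-guess cost linearly.
    for r in (DEFAULT_USER_ROUNDS, 50_000, 500_000):
        print(f"user rounds {r:>7}: {iterations_per_guess(r):>7} PBKDF2 iterations per guess")
```

Two things the code makes visible that the one-line formula hides: the encryption key is never sent or stored, so the leaked value is two key-stretching layers away from it, and the second factor (the NEO) is not an input anywhere in this chain, so the stolen hashes carry nothing derived from it. Running the loop at the bottom also shows why madpw's later step of raising the iteration count matters: it adds directly to what every offline guess costs.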

Author:  madpw [ Wed Jun 17, 2015 2:13 pm ]
Post subject:  Re: LastPass hack on June 12, 2015

@ brendanhoar

Nod. Yeah, I think I feel secure that the actual encrypted vault wasn't stolen, as LastPass says it wasn't. Plus I had a good strong master password and have the vault secured with 2FA via the NEOs. On top of that, I immediately changed my master password to an even longer one, changed the associated email accounts and upped the password iterations significantly.

I guess my concern over the NEO security portion of the overall equation somehow being compromised is unfounded, simply a non-factor, and can be satisfyingly dismissed.

Peace!

All times are UTC + 1 hour