Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 9:11 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Tue Jun 16, 2015 10:06 am 
Offline

Joined: Tue Jun 16, 2015 9:30 am
Posts: 2
Hello

:geek: I have 3 NEO's, each registered with LastPass for 2FA.

:shock: https://blog.lastpass.com/2015/06/lastpass-security-notice.html/

:!: On LastPass, I have changed my logon and security email accounts and master password.

:?: Is there any way that the hackers could compromise the security provided by my 3 NEO's in regards to LastPass?

Please advise and thank you.
Mark


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Jun 16, 2015 11:16 pm 
Offline

Joined: Thu Oct 16, 2014 11:51 pm
Posts: 82
madpw wrote:
Hello

:geek: I have 3 NEO's, each registered with LastPass for 2FA.

:shock: https://blog.lastpass.com/2015/06/lastpass-security-notice.html/

:!: On LastPass, I have changed my logon and security email accounts and master password.

:?: Is there any way that the hackers could compromise the security provided by my 3 NEO's in regards to LastPass?

Please advise and thank you.
Mark


Reading up on what was lost and how the rest of the information is protected, I am not as worried as I was when I first read the news. If you have a unique and strong master password, you're probably ok.

Why?

See the UPDATE sections on this post: http://arstechnica.com/security/2015/06 ... passwords/ as well as the comment by epixoip which states...

Code:
rounds = user_rounds || 5000 // the iteration count is user-defined. default is 5k
encryption_key = PBKDF2(HMAC-SHA256, password, salt, rounds) // this is what unlocks your vault
auth_key = sha256(encryption_key) // this is what is sent to the server for authentication
server_hash = PBKDF2(HMAC-SHA256, auth_key, salt, 100000) // this is what is stored in the auth db

So the full algorithm for the password stored in the database, which is what the attackers obtained, is:

PBKDF2(HMAC-SHA256, sha256(PBKDF2(HMAC-SHA256, password, salt, rounds)), salt, 100000)


Code:
Ain't nobody got time for that.


Top
 Profile  
Reply with quote  
PostPosted: Wed Jun 17, 2015 2:13 pm 
Offline

Joined: Tue Jun 16, 2015 9:30 am
Posts: 2
@ brendanhoar

Nod. Yeah, I think I feel secure that the actual encrypted vault wasn't stolen as LastPass says it wasn't. Plus I had a good strong master password and have the vault secured with 2FA via the NEO's. On top of that, I immediately changed my master password to an even longer one, changed the associated email accounts and upped the password iterations significantly.

I guess my concern over somehow the NEO security portion of the overall equation being possibly compromised, is unfounded and simply is a non-factor and can be satisfyingly dismissed.

Peace!


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 7 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group