If you are technologically able, I would suggest moving away from centrally cloud-stored password solutions like lastpass or 1password, as you are painting a giant target on your secrets. The only solution if you are concerned is to walk through every single account in your vault and manually change each password on each website, to invalidate the backup they stole. If your master password becomes crackable in the future due to technology changes, you are utterly fucked. If you have a crackable master password you are now utterly fucked.
So anyway, this is basically the second worst hack that could occur, and it astonishes me how small of a deal lastpass are making about it. Changing your master password would mean if they crack your old one they can't re-use it on your current vault, but it's not going to change the security of the data they now have access to. They almost certainly are encrypting the note fields, given that they also encrypt secure notes which while a separate thing also has a notes field, and that there is existing code that interacts with vaults to extract the data and that code mentions the note field as being encrypted, there is also no user experience reason not to encrypt the notes field, unlike the URL field which while I do not agree with their decision to leave it unencrypted, there is a genuine use case for leaving it unencrypted, since it allows them to warn the user in case of a data breach relating to a specific URL without the user having to login.įrankly their extension and mobile application were always subpar in comparison to something like 1password, IMO their primary advantage used to be in allowing fairly unrestricted free accounts, which made it great to share passwords with people that might not care enough to go for a paid service, but that has kind of ended a while ago given they now only allow you to use lastpass free in either mobile or browser (from what I recall).Ĭlick to shrink.No, they already have your data.
They never said they don't encrypt it, they just didn't specifically specify if they do or don't, so there is ambiguity there.
0 kommentar(er)
