Submitted by BasedSweet t3_10z1kx5 in technology
guatemaleco t1_j89nwz6 wrote
Reply to comment by spsteve in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
I wasn't basing that on statements from LastPass. I just presented on this at work and as part of preparing the presentation, we analyzed LastPass, Bitwarden and 1Password vaults as they are synced to their respective services. Palent's blog was certainly one of the sources we used in putting together the analysis.
Some interesting takeaways are that Shared Folders and Federated authentication offered some additional security. 2FA is completely meaningless in this situation as nothing from 2FA is used as part of the encryption key derivation.
As you also mentioned, age of the account made some differences (though not in username encrypted or not). Default iterations being a big one, and AES-CBC vs AES-ECB, which would certainly make usernames more easily determined.
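An added illustration of the two points in the comment above (this is example code, not anything from the thread or from the vendors named): the vault key comes from the master password and salt alone, so no 2FA material enters the derivation and the PBKDF2 iteration count is what prices an offline guess; and a field encrypted under ECB repeats its ciphertext whenever the plaintext repeats, while CBC with a fresh IV does not. The 16-byte block cipher is a toy Feistel network built from HMAC-SHA256 so the script runs with only the standard library; it stands in for AES and is not secure. The passwords, salts, usernames and iteration counts are constructed values, not any product's defaults.

```python
"""Toy demonstration: KDF input (no 2FA) and ECB vs CBC leakage on vault fields.
The block cipher here is a stand-in for AES, NOT a real cipher."""
import hashlib
import hmac
import os
import time

BLOCK = 16  # byte length of one block, as for AES


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password and salt only.  Nothing from a
    second factor appears here, so whoever holds a copy of the vault can test
    guesses offline whether or not 2FA was enabled on the account."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, 32)


def kdf_seconds(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one derivation; raising the iteration count raises the
    per-guess cost of an offline attack by the same factor (constructed salt)."""
    salt = b"constructed-salt"
    t0 = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("correct horse battery staple", salt, iterations)
    return (time.perf_counter() - t0) / samples


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the toy cipher: keyed hash of (round index, right half).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation.  Like any block cipher it is deterministic per
    (key, block), which is exactly what makes ECB leak equal plaintext blocks."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round_fn(key, i, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round_fn(key, i, l)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block encrypted independently, so identical fields give
    identical ciphertexts across the whole vault."""
    data = pkcs7_pad(data)
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, data: bytes, iv: bytes = b"") -> bytes:
    """CBC with a random IV (prepended): the same field encrypted twice differs."""
    data = pkcs7_pad(data)
    prev = iv if iv else os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(prev, data[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def distinct_ciphertexts(encrypt, key: bytes, fields: list) -> int:
    """Number of distinct ciphertexts a vault holding these field values shows.
    Under ECB it equals the number of distinct plaintexts, so reused usernames
    are visible without the key; under CBC with fresh IVs every entry differs."""
    return len({encrypt(key, f) for f in fields})


if __name__ == "__main__":
    key = derive_vault_key("hunter2-but-longer", b"constructed-salt", 100_000)
    usernames = [b"alice@example.com"] * 3 + [b"bob@example.com"]  # constructed
    print("ECB distinct ciphertexts:", distinct_ciphertexts(ecb_encrypt, key, usernames))
    print("CBC distinct ciphertexts:", distinct_ciphertexts(cbc_encrypt, key, usernames))
    for n in (1_000, 100_000):  # constructed counts, not any product's default
        print(f"PBKDF2 {n:>7} iterations: {kdf_seconds(n) * 1000:.1f} ms per guess")
```

Run it as a script: the ECB count comes out as 2 for four entries because the three identical usernames collapse to one ciphertext, the CBC count as 4, and the timing loop shows the per-guess cost scaling linearly with the iteration count. The point about 2FA is visible in the signature of `derive_vault_key`: there is nowhere for a one-time code to go.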