Specifically, if a user tries to log into their LastPass vault from a new location (an IP address from which they never logged in before), then we would deny them access. "We secured against this threat by locking down all user accounts. But even if they managed to do this they still don't have access to your actual encrypted data (sites, usernames, passwords, formfills, etc.). Sameer Kochhar, director at LastPass, says, "We only had the salted hash in our database, so they'd have to guess password, compute the salted hash, and then compare it to the value stored in the database. "That would be enough to set up a potential attacker so they could start going through and looking for people with weak master passwords without having to hit our servers," said LastPass CEO Joe Seigrist, who explained the "network traffic anomaly" in a PC World interview. The potentially compromised data from LastPass' servers included the salted hash and user names. This makes it even harder for a stolen password to be used. LastPass stores the result of the salt and uses that, not your master password, to authenticate you. Software running on your local computer encrypts your master password, applies a salted hash to it and sends the data to. LastPass doesn't know your master password. Your hosted data is encrypted, but access to your data is only as secure as your master password and the other security protections LastPass offers to help you protect it. LastPass has some very sophisticated methods for protecting your data, but it can't protect users from themselves. I could store all of my data locally, but LastPass allows me to store a local copy of my password data on each device and maintain a master copy in the cloud that keeps all of those local copies up to date. I use LastPass to synchronize my password database between the different devices I use - home PC, Mac Mini, MacBook, iPad, etc.
0 Comments
Leave a Reply. |