![]() ![]() We don't even need them as 2FA because they work fine as a first factor in most cases, though 2FA would be much better of course.Īnd to be honest, whoever manages normal people's IT is probably partially to blame for the hate most people have for passwords. This is why I'm looking forward to a future where physical keys and passkeys are supported essentially everywhere. Password security is like herding toddlers. When these people eventually get hacked, they will blame their computers, their antivirus, their browsers, the websites they use, and most likely also the most recent person who touched the computer. You can explain to them why passwords are important, how people from the outside can do all kinds of nasty things if you pick weak ones, but people will ignore all that because they never need to deal with the fallout. You want irate non-technical people? Tell them they need to come up with something better than Password123. Were I not a developer, I might not have had this factor at all. The decisive factor for why I did it anyway was that I realized that I might have some passwords/keys in my vault that I use professionally so, out of professional prudence, I switched. I did go through the hassle as I thought I would but articles like this make me glad I did. In the end, I did switch to Bitwarden though. I didn't believe they could make the same self-assessment that I did. I did reach out to family members whom I might've recommended LastPass to in the past though, and advised them to switch out. I think there was also a confluence of other factors why I didn't want this hassle on my plate at the time (e.g., I remember this was end of last year and I'd rather focus on my holiday arrangements). I know I'm playing the world's smallest violin with this grievance but that's really how it was. The alternative would be the hassle of evaluating a new password manager, exporting data from LastPass, setting up the new password manager on my devices, importing my pre-existing vault, tweaking the new password manager so it behaves as I expected, etc. Hence, on a personal basis, I didn't see much reason to switch out. But on a personal level, I didn't really care that much. (And yeah, I understand that the security issue isn't purely on technical merit but also a social question of LastPass' reputation as a company. Also, the three most important accounts forming the basis of my online identity were never on LastPass and had unique passwords. First, my LastPass settings were such that I shouldn't be too affected by their breach among other things in their self-assessment report, I had the "new" healthy default of 600K iterations. Simply put, after all the reports of last year's breach, I assessed how vulnerable I am. ![]() I'm a developer by profession and I almost didn't switch from LastPass after their breach last year. > Multifactor Authentication (MFA) seeds - MFA seeds assigned to the user when they first registered their multifactor authenticator of choice to authenticate to the LastPass vault. This summary links to a page with more information, but actually on this page they give less information, saying only: This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident. > Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). They were stolen but weren't very clear about it.įrom their summary of their latest security incident it says attackers stole: So they must suspect the MFA seeds were also stolen, but aren't saying it, right? The MFA reset shouldn't be related to the increase in hash rounds, those are unrelated. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |