

Yet some experts say those master passwords, which LastPass stores as the aforementioned "authentication hashes," were so well protected that LastPass customers need not worry too much.

"I'm definitely not sweating this breach," Ars Technica Resident Password Expert Jeremi Gosney told the news site. "I don't even feel compelled to change my master password."

Like other password managers, LastPass saves and fills in users' passwords on multiple online accounts. Users need to remember only a single master password, which the service salts and hashes instead of writing it down as plaintext.

"Salting a hash," for those who do not know, involves adding a few random characters - the salt - to each password, which is then run through a mathematical algorithm to create a "hash" that looks like gibberish and cannot easily be reversed. Without salts, many password hashes could be guessed by comparing them to precalculated hashes of the 10,000 or 100,000 most common passwords. With salts, two hashes for "password1" won't match.

LastPass adds a third factor: Its password-hashing system re-hashes user passwords 100,000 times before storing them, making "cracking" a hash through brute-force decryption nearly impossible.

"What I could've in an hour now takes a decade," wrote Rob Graham, CEO of Atlanta-based Errata Security, in a blog posting about the LastPass hack. "Even with 100,000 computers, the NSA won't be able to brute-force a 12-letter password" run through LastPass's system.

"Even weak passwords are fairly secure with that level of protection (unless you're using an absurdly weak password)," wrote Gosney, who uses software to jumble his own LastPass master password before it leaves his computer. Absurdly weak passwords include the examples LastPass provided in its breach notification: "robert1", "mustang", "123456799", "password1!".

Not everyone agrees with Gosney that the LastPass master passwords are safe.
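An added illustration of the distinction drawn above (example code, not from the article and not LastPass's own implementation): a precomputed table of common-password hashes recovers an unsalted hash instantly, while a salted, 100,000-round digest of the same password matches nothing in that table and differs between two users. PBKDF2-HMAC-SHA256 is an assumed stand-in for whatever LastPass actually used, and the password list is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample of "most common passwords"; several are the examples
# LastPass gave of absurdly weak master passwords.
COMMON_PASSWORDS = ["123456", "password", "robert1", "mustang",
                    "123456799", "password1!", "password1"]

ITERATIONS = 100_000  # round count the article attributes to LastPass


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same input always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(candidates) -> dict:
    """Hash -> password map, computed once and reusable against any unsalted store."""
    return {unsalted_hash(p): p for p in candidates}


def salted_stretched_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salt plus iterated hashing; PBKDF2-HMAC-SHA256 is an assumed, illustrative choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> tuple:
    """What a service stores: a fresh random salt, the round count, and the digest."""
    salt = os.urandom(16)
    return (salt, ITERATIONS, salted_stretched_hash(password, salt))


def verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and rounds; constant-time comparison."""
    salt, iterations, digest = record
    return hmac.compare_digest(salted_stretched_hash(password, salt, iterations), digest)


def demo() -> tuple:
    table = precomputed_table(COMMON_PASSWORDS)
    # Unsalted: one dictionary lookup recovers the password, no hashing needed.
    found_unsalted = table.get(unsalted_hash("password1"))
    # Salted: two users with the identical password get different digests,
    # and neither digest appears in the precomputed table.
    rec_a, rec_b = make_record("password1"), make_record("password1")
    same_digest = rec_a[2] == rec_b[2]
    found_salted = table.get(rec_a[2].hex())
    return found_unsalted, same_digest, found_salted, verify("password1", rec_a)


if __name__ == "__main__":
    print(demo())  # ('password1', False, None, True)
```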
