Password service manager, LastPass, was hacked. On a Monday, the company acknowledged in a post that they had been the target of a recent security breach in which attackers accessed user email addresses, master passwords, and password reminder phrases. The LastPass team had discovered and blocked suspicious network activity and assured users that no information was taken from their user vault. “We are confident that our encryption measures are sufficient to protect the vast majority of users,” LastPass assures. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256… This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.” Steps were taken to ensure the security of the data, such as requiring account verification via email when a user logs in from a new device/IP address. They advise users to update their master password, especially when LastPass sends the email prompt.

We asked Andrea Tarquini, software analyst/developer, for his thoughts about security in password service managers.

Do you trust/use password service managers?

Personally I use client side only (and open-source) password managers like KeePass because as a geek and IT Security Researcher I’m a bit paranoid. I trust the common algorithms used by password managers, but the weakness about them is the complexity of the master password you choose.

After hearing about this data breach, are you still going to use password service managers?

Yes, I will continue to use client side password managers. Personally I don’t use LastPass but as reported by them, they use strong cryptographic algorithms and client side strategies (such as encryption/decryption) to protect their user data. We use similar algorithms and strategies to implement client side encryption on IzzieDocs, our service to create and share secure documents on the Google Drive platform. The issue with LastPass is more on the users who use weak master passwords. To fix this, you need to update it (and use a strong passphrase) and don’t use weak password reminder hints that may suggest a way to discover the master password to an attacker. As suggested by the LastPass team, you should also enable multifactor authentication.

What advice would you give to companies on how to keep passwords secure?

Always, the best thing to do is to train employees about basic security concepts. A password manager cannot protect from weak master passwords; services like LastPass can audit and monitor suspicious activities and offer policies to avoid data breaches, but they cannot protect at all from password guessing.

Andrea Tarquini is an IT Security researcher and software analyst/developer at eLearnSecurity. He is the main developer of JustCryptIt and IzzieCloud. He is also the author of the ‘Ruby for Penetration testing and Metasploit’ section of Penetration Testing Course Professional.

LastPass’s trackers include four from Google which handle analytics and crash reporting, as well as one from a company called Segment, which reportedly gathers data for marketing teams. Kuketz analyzed the data being transmitted and found it included information about the smartphone’s make and model, as well as whether a user has biometric security enabled. Even if the data transmitted isn’t personally identifiable, just integrating this third-party code in the first place introduces the potential for security vulnerabilities, according to Kuketz. “If you actually use LastPass, I recommend changing the password manager,” wrote Kuketz (via machine translation). “There are solutions that do not permanently send data to third parties and record user behavior.” Users can opt out in the advanced settings menu.
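The breach statement and the interview above turn on two points: the server strengthens what the client sends with a random salt and 100,000 rounds of PBKDF2-SHA256, and no amount of server-side strengthening rescues a weak master password, because the attacker's work only scales with the size of the guess space. The Python model below is an added example written for this page; it is not LastPass's, eLearnSecurity's or the interviewee's code. The server-side round count is the figure quoted above; the client-side stage (deriving an authentication value from the master password with the username as salt, and the 5,000-round figure) is an assumed simplification, not LastPass's actual scheme. The cost estimate at the end measures a single CPU core on the machine it runs on; dedicated hardware is far faster, so treat the numbers as an upper bound on the defender's margin.

```python
import hashlib
import hmac
import os
import time

# Server-side rounds: the figure quoted in the LastPass statement.
SERVER_ROUNDS = 100_000
# Client-side rounds: an ASSUMED value for this model, not LastPass's setting.
CLIENT_ROUNDS = 5_000


def client_auth_hash(master_password: str, username: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side (simplified model): derive an authentication value from the
    master password so the password itself never leaves the device. The username
    acts as a per-user salt, so two users with the same password send different values."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), username.encode(), rounds)


def server_store(auth_hash: bytes, rounds: int = SERVER_ROUNDS, salt: bytes = b"") -> dict:
    """Server side: strengthen the value the client sent with a fresh random salt and
    PBKDF2-SHA256. Only salt, round count and result are stored; the input is not."""
    salt = salt or os.urandom(16)
    return {
        "salt": salt,
        "rounds": rounds,
        "hash": hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds),
    }


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Re-derive with the stored salt and rounds and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def seconds_per_derivation(rounds: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for one PBKDF2-SHA256 evaluation on this machine."""
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"probe", b"probe-salt", rounds)
        best = min(best, time.perf_counter() - t0)
    return best


def time_to_exhaust(candidates: int, seconds_each: float) -> float:
    """Seconds for someone holding one stolen record to test `candidates` guesses
    against it. Every guess costs the full client+server derivation, and because the
    server salt is random per record the work cannot be shared across users. The
    round count multiplies the cost per guess; only the master password decides
    how many guesses there are, which is the interviewee's point."""
    return candidates * seconds_each


if __name__ == "__main__":
    user = "alice@example.com"  # constructed sample user
    rec = server_store(client_auth_hash("correct horse battery staple", user))
    print(server_verify(rec, client_auth_hash("correct horse battery staple", user)))  # True
    print(server_verify(rec, client_auth_hash("Password1", user)))                     # False

    per_guess = seconds_per_derivation(CLIENT_ROUNDS + SERVER_ROUNDS)
    guess_spaces = [
        ("top-10,000 password list", 10_000),
        ("8 random alphanumerics (62**8)", 62 ** 8),
        ("6 Diceware words (7776**6)", 7776 ** 6),
    ]
    for label, n in guess_spaces:
        years = time_to_exhaust(n, per_guess) / (3600 * 24 * 365)
        print(f"{label}: {years:,.2e} core-years to exhaust")
```

Running it shows the asymmetry directly: the 10,000-entry list falls in minutes on one core regardless of the 100,000 server rounds, while the six-word passphrase is out of reach. That is the reason the advice in the interview is to fix the master password and the reminder hint rather than rely on the server's hashing.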