LastPass users with weak master passwords may need to change the website passwords stored in their vaults.
According to a statement dated December 23, password management service LastPass was breached and attackers stole encrypted user vaults. This means that an attacker who guessed some of LastPass users’ website passwords could .
LastPass first detected the breach in August 2022. At the time it believed the attacker had obtained only source code and technical information, not customer data. Its investigation later found that this technical information was used in a second attack, in the fall, on another employee’s computer.
As a result, unencrypted customer metadata was exposed to the attacker, including “company names, end user names, billing addresses, email addresses, phone numbers and IP addresses from which users have logged into LastPass”.
In addition, some customers had their encrypted vaults stolen. A vault holds the website passwords a user stores with the LastPass service. The vault is encrypted using the master password, so the attacker cannot read it directly.
The LastPass statement stressed that the service uses strong encryption, which makes it hard for an attacker to read vault files without knowing the master password:
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our zero-knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”
However, LastPass acknowledges that if a customer uses a weak master password, an attacker could guess it by brute force, decrypt the vault and gain access to every website password stored in it. As LastPass explains:
“It’s important to note that if your master password doesn’t use [company-recommended best practices], the effort needed to guess it would be significantly reduced. In this case, as an added security measure, you should consider changing the passwords of the websites you have stored to mitigate the risk.”
Can Web3 eliminate password manager hacks?
The LastPass breach illustrates a point that Web3 developers have been making for years: traditional username-and-password login should be replaced by login with a blockchain wallet.
According to proponents of the cryptocurrency wallet approach, passwords are inherently insecure because a password hash must be stored on a server, where it can be cracked if stolen. And if a user reuses the same password on several sites, one stolen password compromises all of them. Yet most users cannot remember a different password for every website.
Password management services like LastPass were invented to solve this problem. However, they too rely on cloud storage to hold users’ encrypted sets of passwords. If an attacker obtains these stored vaults and manages to decrypt them, every password inside is exposed.
Web3 applications solve the problem differently. They use browser extension wallets such as MetaMask or Trust Wallet to log users in with cryptographic signatures, so no password needs to be stored in the cloud.
An example of a cryptocurrency wallet login page. Source: Blockscan Chat
However, so far this approach has only been standardized for decentralized applications. Traditional applications that rely on a central server have no agreed-upon standard for wallet-based login.
A current Ethereum Improvement Proposal (EIP) aims to address this situation. The proposal, EIP-4361, seeks to provide a universal web sign-in standard that works for both centralized and decentralized applications.
If the Web3 industry agrees on this standard and implements it, its proponents hope that the entire World Wide Web will eventually move away from password-based login and eliminate the risk posed by breaches of password managers such as LastPass.