With any decent password hashing scheme, the only way to “crack” it is to try a password, hash it, and see if the result is the same. Once you see salting involved, you can rule out rainbow tables as an attack. This entry was posted on Tuesday 16th of June 2015 12:16 AM So what’s the takeaway here? If you entrust all of your passwords to LastPass, now would be a terrific time to change your master password. Except in the case of targeted phishing attacks,” which might try to leverage data known about a specific target (such as a password hint) to trick the user into giving up the answer to their password reminder. That means that if your password reminder or hint is not particularly revealing to someone who doesn’t know you, it probably doesn’t matter much. “But password reminders are useful for targeted attacks, not massive attacks. “I suspect that for a significant number of people, the password reminder - in addition to the user’s email address - is going to be useful for an attacker,” he said. More concerning in this particular breach, Bellovin said, is that users’ password reminders also were stolen. “With a salt, even if a bunch of users have the same password, like ‘123456,’ everyone would have a different hash.” “What a salt does it makes it hard to go after a lot of passwords at once as opposed to one users’ password, because every user requires a separate guess and that separate guess is going to take a considerable amount of time,” said Steve Bellovin, a professor in computer science at Columbia University. These days, computer hardware has gotten so cheap that attackers can easily and very cheaply build machines capable of computing tens of millions of possible password hashes per second for each corresponding username or email address.īut by adding a unique element, or “salt,” to each user password, database administrators can massively complicate things for attackers who may have stolen the user database and rely upon automated tools to crack user passwords. To make matters worse, there are plenty of tools capable of very rapidly mapping these hashes to common dictionary words, names and phrases, which essentially negates the effectiveness of hashing. The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash. Passwords are “hashed” by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse. Parsing LastPass’s statement requires a basic understanding of the way that passwords are generally stored. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.” LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. “We are confident that our encryption measures are sufficient to protect the vast majority of users. “The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised,” the company said. In an alert posted to its blog, LastPass said the company has found no evidence that its encrypted user vault data was taken, nor that LastPass user accounts were accessed. LastPass, a company that offers users a way to centrally manage all of their passwords online with a single master password, disclosed Monday that intruders had broken into its databases and made off with user email addresses and password reminders, among other data.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |