11/10/2023 0 Comments Lastpass recover master password![]() One thing about this whole episode did give me pause: As LastPass has grown, it - and my data - have become a bigger target than if I had simply hosted my encrypted password database in my own cloud-based shared storage service. The product also supports two other multifactor authentication schemes: the software-based Sesame, which runs from a thumb drive, and Yubikey, a USB-based hardware key, for additional security. It randomly asks for the numbers from different positions on that grid every time I log in. LastPass's Grid feature generated a random grid of numbers which I printed out and carry in my wallet. That means any hacker not only would need to crack my user name and master password but also enter a string of data that only I know. So I had to wait - something that would have been nerve wracking had I used a weak password.īut I had another reason to chill: I use LastPass's Grid two-factor authentication feature, which is required from any computer except one in my home office. Unfortunately, LastPass' servers were overwhelmed when the news hit, and I was unable to log in. While you can log into your local copy of LastPass and access your data locally, you need to log into to change your master password. ![]() So I did try to change my master password - and that's where I ran into trouble. My hint was a little too cute, allowing me to glean the groups of values that make up my master password. But what worried me was that my password hint, which also might have been compromised, might possibly be used to figure out my master password. It also prompted users to change their master passwords upon login.įortunately, I didn't have a weak password, although I did run LastPass' security check feature just to double check. In other words, to protect users who might have had a weak master password, LastPass prevented everyone from getting access to the online password vault from an unrecognized IP address until they responded to an e-mailed verification. To gain access, they have to prove to us that they are who they say they are by clicking on an link that we send them by email." Specifically, if a user tries to log into their LastPass vault from a new location (an IP address from which they never logged in before), then we would deny them access. "We secured against this threat by locking down all user accounts. But even if they managed to do this they still don't have access to your actual encrypted data (sites, usernames, passwords, formfills, etc.). Sameer Kochhar, director at LastPass, says, "We only had the salted hash in our database, so they'd have to guess password, compute the salted hash, and then compare it to the value stored in the database. "That would be enough to set up a potential attacker so they could start going through and looking for people with weak master passwords without having to hit our servers," said LastPass CEO Joe Seigrist, who explained the "network traffic anomaly" in a PC World interview. The potentially compromised data from LastPass' servers included the salted hash and user names.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |