this post was submitted on 05 Jul 2023
1211 points (99.8% liked)

Android

28002 readers
210 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules


1. All posts must be relevant to Android devices/operating system.


2. Posts cannot be illegal or NSFW material.


3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.


4. Non-whitelisted bots will be banned.


5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.


6. Memes are not allowed to be posts, but are allowed in the comments.


7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.


8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.


Community Resources:


We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.


Our Partner Communities:

!android@lemmy.ml


founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] aalvare2@lemmy.world 1 points 1 year ago (1 children)

I’m no cryptography expert, but is it that big of a deal if hackers made away with the encrypted password data? LastPass says they encrypt with AES-256 so I figure that’s not getting cracked anytime this century. I’m more concerned about the unencrypted data, e.g. the Website URLs

[–] ChiefestOfCalamities@partizle.com 1 points 1 year ago (1 children)

The problem was that they were grandfathering existing users without notification every time they increased their PBKDF2 iterations. I think the current recommendation is 100,100 iterations, and LastPass was implementing that for new users. But it wasn't updating that for existing users, resulting in some having as few as 5000 iterations, making that user's encrypted data much easier to crack. You could change the iterations in the settings, but that required knowing that you needed to do this, and LastPass should have either changed it automatically or notified users that they needed to change it.

I was paying LastPass to be the security expert so I didn't have to learn all the ins and outs of data encryption, and they failed at that task.

[–] aalvare2@lemmy.world 1 points 1 year ago

After looking into this more, I’m definitely planning on switching from lastpass, but I did wanna clarify a couple things first.

Between this blog post, and this forum thread linking to this other blog post, I’m under the impression that LP’s number of PBKDF2 iterations used isn’t a big deal as long as your master password is secure, and I feel like that’s always gonna need to be the case no matter how much we want the password manager to take over.

That said if the crux of your point is that they didn’t do ANYTHING to address customers’ eventual concerns to low PBKDF2 iterations, whether that be via notification or forced config update, then that seems fair.