Newest developments regarding the LastPass hack
I don't think this has been covered by the press yet, but I urge everyone to read this Twitter thread:
tldr: It seems like the LastPass incident is worse than previously known, which led to security-literate people - who thought they were doing everything correctly - losing millions.
I really hope that this could never happen with 1Password.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
Hello @danito! 👋
Thanks for sharing, I can't comment on the claims and findings in that thread but I would like to speak to something that you said:
I really hope that this could never happen with 1Password.
1Password's unique Secret Key architecture sets it apart from others in the password manager space. An attacker would need both your account password and your Secret Key to decrypt and access your account. Without both your account password and Secret Key, even if an attacker was to breach our other defences, they would only see encrypted gibberish.
In other words: even if we are breached, our design ensures that your data is protected, encrypted, and unreadable to an attacker.
We also encrypt metadata. Things like vault names and website URLs are all secured using the same end-to-end encryption that protects your passwords. If anyone were to obtain your encrypted vault they would have no idea about what you're storing inside of that vault.
We have some great blog posts on the subjects:
- Not in a Million Years: It can take far less to crack a LastPass password
- How 1Password Keeps Your Data Safe, Even In the Event of a Breach
I hope that helps!
-Dave
1
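As an added illustration of the two-secret idea Dave describes (this is a simplified model written for this thread, not 1Password's own code; the HKDF/PBKDF2 layout, iteration count and all sample values are constructed assumptions), the block below derives a vault key from both the account password and a 128-bit Secret Key, then shows that an attacker holding the stolen salt and key-check value cannot confirm even the correct password without the Secret Key:

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) on HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_vault_key(password: str, secret_key: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Two-secret derivation (simplified model): XOR a slow password-derived key
    with a key expanded from the 128-bit Secret Key. Missing either input yields
    a completely different 256-bit result."""
    k_pwd = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    k_sk = hkdf_sha256(secret_key, salt, b"vault-key", 32)
    return bytes(a ^ b for a, b in zip(k_pwd, k_sk))

def key_check(vault_key: bytes) -> bytes:
    """Key-confirmation tag stored next to the vault; it stands in for an
    authenticated-decryption attempt in this simplified model."""
    return hmac.new(vault_key, b"key-check", hashlib.sha256).digest()

def offline_guess(check: bytes, salt: bytes, candidates, secret_key: bytes, iterations: int = 100_000):
    """Model an attacker who holds the stolen salt and check value and tries
    candidate passwords with whatever Secret Key guess they have."""
    for pw in candidates:
        tag = key_check(derive_vault_key(pw, secret_key, salt, iterations))
        if hmac.compare_digest(tag, check):
            return pw
    return None

# Constructed sample enrolment (not real user data).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET_KEY = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # 128-bit, held on the user's device
PASSWORD = "correct horse battery staple"
CHECK = key_check(derive_vault_key(PASSWORD, SECRET_KEY, SALT))

if __name__ == "__main__":
    wordlist = ["password123", "letmein", PASSWORD]
    print("attacker with Secret Key   :", offline_guess(CHECK, SALT, wordlist, SECRET_KEY))
    print("attacker without Secret Key:", offline_guess(CHECK, SALT, wordlist, bytes(16)))
```

With only the stolen vault material, the correct password in the wordlist is never confirmed, which is the property being contrasted with a password-only derivation.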
As I described here, in case of a breach, the attacker does not need to guess the Security Key and master password to decrypt the information in the stolen vaults. The attacker can succeed by breaking the user's 2048-bit RSA public key, which according to NIST, provides only a 112-bit security protection (i.e., far less than the 208-bit security protection provided by combining an 80-bit strong master password and a 128-bit Secret Key).
Best regards
1
Interesting. As someone who is unfortunately too cryptography-illiterate to understand, I'd be curious to hear an official response to this.
0
I've responded to you in the other thread: https://1password.community/discussion/comment/694874/#Comment_694874
Let's continue the conversation there to prevent having parallel discussions about the same topic in multiple threads. Since the original post here has been answered, I'm closing this thread.
-Dave
0