Newest developments regarding the LastPass hack

Options
danito
danito
Community Member
edited September 2023 in Lounge

I don't think this has been covered by the press yet, but I urge everyone to read this Twitter thread:

tldr: It seems like the LastPass incident is worse than previously known, which led to security-literate people - who thought they were doing everything correctly - losing millions.

I really hope that this could never happen with 1Password.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Dave_1P
    Dave_1P
    edited August 2023
    Options

    Hello @danito! 👋

    Thanks for sharing, I can't comment on the claims and findings in that thread but I would like to speak to something that you said:

    I really hope that this could never happen with 1Password.

    1Password's unique Secret Key architecture sets it apart from others in the password manager space. An attacker would need both your account password and your Secret Key to decrypt and access your account. Without both your account password and Secret Key, even if an attacker was to breach our other defences, they would only see encrypted gibberish.

    In other words: even if we are breached, our design ensures that your data is protected, encrypted, and unreadable to an attacker.

    We also encrypt metadata. Things like vault names and website URLs are all secured using the same end-to-end encryption that protects your passwords. If anyone were to obtain your encrypted vault they would have no idea about what you're storing inside of that vault.

    We have some great blog posts on the subjects:

    I hope that helps!

    -Dave

  • afokoue
    afokoue
    Community Member
    Options

    Hi @Dave_1P, @danito,

    As I described here, in case of a breach, the attacker does not need to guess the Security Key and master password to decrypt the information in the stolen vaults. The attacker can succeed by breaking the user's 2048-bit RSA public key, which according to NIST, provides only a 112-bit security protection (i.e., far less than the 208-bit security protection provided by combining a 80-bit strong master password and a 128-bit Secret Key).

    Best regards

  • danito
    danito
    Community Member
    Options

    Interesting. As someone who is unfortunately too cryptography illiterate to understand I'd be curious to here an official response to this.

  • Dave_1P
    Dave_1P
    edited September 2023
    Options

    @afokoue

    I've responded to you in the other thread: https://1password.community/discussion/comment/694874/#Comment_694874

    Let's continue the conversation there to prevent having parallel discussions about the same topic in multiple threads. Since the original post here has been answered, I'm closing this thread.

    -Dave

This discussion has been closed.