Also concerning is the fact that user vaults are now in the hands of the threat actor. While cracking the password hashes would require massive amounts of resources, it’s not out of the question, particularly given how methodical and resourceful the threat actor was.
Dan Goodin and Ars Technica should be embarrassed about their reporting on this story. Yes, someone MAY have your LastPass vault. I use 2-factor authentication, so this means nothing. If you don’t use 2-factor, it means if the bad guys aim a supercomputer at YOUR vault only, in about 50,000 years, that computer will probably crack it and get your passwords. It will have cost millions in compute power, but they MAY get your YouTube password! OMG!
I have one question. In 100 years, will you, or anyone you know, care? Why would they pick YOUR vault? If you are the head of the NSA or a spy in the Kremlin, your data might be valuable, but not mine, and probably not yours.
If a hacker can access this site using my password, stored in LastPass, in a hundred years, I will be long dead, and so will this domain, my bank account, and my Twitter account.
PLEASE, Ars Technica, focus on the real security issues: phishing, browser and operating system vulnerabilities, and social engineering. Or perhaps crypto scams. Even The Donald’s NFT card scam. Not a theoretical risk from LastPass.
More from this clickbait on Ars:
LastPass customers should ensure they have changed their master password and all passwords stored in their vault. They should also make sure they’re using settings that exceed the LastPass default. Those settings hash stored passwords using 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a hashing scheme that can make it infeasible to crack master passwords that are long, unique, and randomly generated. The 100,100 iterations is woefully short of the 310,000-iteration threshold that OWASP recommends for PBKDF2 in combination with the SHA256 hashing algorithm used by LastPass. LastPass customers can check the current number of PBKDF2 iterations for their accounts here.
Whether they’re a LastPass user or not, everyone should also create an account on Have I Been Pwned? to ensure they learn of any breaches affecting them as soon as possible.
Say no more. – Phil Stephens
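The PBKDF2 iteration setting quoted from the Ars article above, as an added example that is not from the post, from Ars Technica or from LastPass: it derives a key with PBKDF2-HMAC-SHA256 at the LastPass default of 100,100 iterations and at the 310,000 OWASP recommends, reports how much more work each guess costs at the higher setting, and checks an account's iteration count against the OWASP floor. The 32-byte key length, the salt and the sample master password are assumptions made for this example.

```python
import hashlib
import os
import time

# Figures quoted on the page: the LastPass default iteration count and the
# OWASP recommendation for PBKDF2 with SHA-256.
LASTPASS_DEFAULT_ITERATIONS = 100_100
OWASP_PBKDF2_SHA256_MIN = 310_000
KEY_LEN = 32  # bytes; a 256-bit vault key (assumption for this example)


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a key from the master password with PBKDF2-HMAC-SHA256.

    Every candidate password an attacker tests costs exactly this much work,
    so the iteration count is the knob that makes offline guessing expensive.
    """
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def meets_owasp_minimum(iterations: int) -> bool:
    """True when an account's iteration count is at or above the OWASP floor."""
    return iterations >= OWASP_PBKDF2_SHA256_MIN


def relative_guess_cost(iterations: int, baseline: int = LASTPASS_DEFAULT_ITERATIONS) -> float:
    """How many times more work per guess `iterations` imposes versus `baseline`."""
    return iterations / baseline


def time_one_guess(iterations: int, salt: bytes) -> float:
    """Wall-clock seconds for one derivation on this machine.

    A GPU rig is far faster than a single CPU core, but the ratio between the
    two settings is the same, which is what the iteration count buys you.
    """
    start = time.perf_counter()
    derive_vault_key("correct horse battery staple", salt, iterations)  # sample password
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed; a real vault uses a per-user salt
    for label, iters in (("LastPass default", LASTPASS_DEFAULT_ITERATIONS),
                         ("OWASP minimum", OWASP_PBKDF2_SHA256_MIN)):
        secs = time_one_guess(iters, salt)
        print(f"{label:>16}: {iters:>7} iterations, {secs * 1000:7.1f} ms per guess, "
              f"meets OWASP: {meets_owasp_minimum(iters)}, "
              f"cost vs default: {relative_guess_cost(iters):.2f}x")
```

Raising the count from 100,100 to 310,000 makes each guess about 3.1 times as expensive; the length and randomness of the master password still dominate, since the iteration count only multiplies the cost of each guess, while a longer random password multiplies the number of guesses needed.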