About two years ago, I anonymously reported a bug that the LastPass server can ask for a double SHA256 of a password during login. Along with a few minor bugs about checks being done only on the client side (these got fixed). I reported the double SHA256 bug again a year and a half ago and again a year ago. Then a half year ago in the middle of my speech on password hashing fails I had a PSA on not using LastPass (wow I forgot how bad I am at speeches).

They originally thought that SHA256 is a good way to turn a password into an encryption key. They put out videos that say eight character random passwords of upper, lower, and digits are secure. The problem with this is a single HD7970 GPU should be able to get over 350 MH/s. I guess I don't need to say more, but here you go.

You should note that LastPass is a US company. I try to think highly of my government but then shit like this happens. Sometime before May 2nd, I wanted to tweet "If I were the #FBI I'd ask for double SHA256s (possible during login) of users that have credentials for certain domains.", but I didn't want to look crazy. Hmm not too crazy after all (just like all the other nuts :)).

The user can get this error during login:

Then the client will calculate and send sha256(sha256_hex(email + password) + password). Then the server just sends the correct number of iterations:

Then the client will calculate and send the correct value, and all of that happens without the user knowing anything out of the ordinary happened. Well, besides that it took twice as long to log in.

Here's the important form data sent when adding a new site. Note that their encrypted data looks like this: "!IV|DATA".

```
Name:     !zTV1xfF8uKjuJH1sUwDctA=|gQ+TBtD1JZS9X28fL9VQog=
Grouping: !Sjz4qFbyBxZEDITi6bvjxw=|fLvH圎C6x3KDX7W8rX1wOA=
Username: !E3jSnQLNrvhgUyNKMO1IXA=|bYrKihIbgw9zgN+BEF6Drg=
Password: !s2VUiEvz45xyWZZoqpQv0Q=|NCR52+NBUfJ8EVE/CRqHwA=
Extra:    !RMYdIMV0vy9XxmxyF2qz7g=|ZlUu2LfyWJ5ta/YdwSuAQg=
```

Also URLs are unencrypted for use with bookmarklets.

Default number of PBKDF2 rounds is now 5000. 5000 is 10 times better than it was, and 64000 rounds probably takes a long time for slow clients. If you log into LastPass through their web site (which is a dumb idea since they can then steal your plaintext password) it sends the old method (double SHA256) first, then gets an error.

PBKDF2-SHA256 with 5000 rounds should see speeds just over 100000 H/s/GPU (GPU = 7970). This number is still low since it should be doubled every two years (so 64000 should see speeds of 8400 H/s/GPU (GPU = 7970)). So it is "good enough" if you have a really strong password.

If you want to implement this into a password cracker here's an example hash:

You can generate others by going to the sign in page at, opening a console (Chrome: Ctrl+Shift+J, FireFox: Ctrl+Shift+K), and entering "password", 1), "password", 1)

Email to security at lastpass dot com (09-19-2012 02:45 PM)

Update: LastPass told me that they have never been asked by the government to silently downgrade a hash. So update the LastPass plug-in to at least version 2.5.4 (sorry FireFox and IE, you're still stuck on 2.5.0 as of ). Also I'm pretty sure that all the smart phone apps have been updated.

Update (): LastPass just alerted me to the fact that 3.0 is out for all browsers.
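The login downgrade and the "!IV|DATA" container described above, as an added Python example that is not code from the post or from LastPass: it derives both login-hash forms, shows a client-side guard that refuses the legacy double SHA256 form or any round count below a floor, and parses an "!IV|DATA" field. The method strings, salt = email, the 32-byte key length and the 5000-round floor are assumptions of this example.

```python
import base64
import hashlib

# Floor this example enforces; the post reports 5000 as the current default (assumption).
MIN_ROUNDS = 5000


def legacy_login_hash(email: str, password: str) -> str:
    """Old login hash as the post states it: sha256(sha256_hex(email + password) + password)."""
    inner = hashlib.sha256((email + password).encode()).hexdigest()
    return hashlib.sha256((inner + password).encode()).hexdigest()


def pbkdf2_login_hash(email: str, password: str, rounds: int) -> str:
    """PBKDF2-SHA256 form; salt = email and a 32-byte output are assumptions of this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.encode(), rounds, 32).hex()


class DowngradeRefused(Exception):
    """Raised when the server asks for a weaker login hash than the client will compute."""


def answer_login_challenge(email: str, password: str, method: str, rounds: int = 0) -> str:
    """Client-side guard: a client that never computes the legacy form and never goes
    below its floor cannot be silently downgraded by a server-chosen method (assumed
    method names: 'double-sha256' and 'pbkdf2-sha256')."""
    if method == "double-sha256":
        raise DowngradeRefused("server asked for the legacy double SHA256 login hash")
    if method != "pbkdf2-sha256" or rounds < MIN_ROUNDS:
        raise DowngradeRefused(f"refusing {method} with {rounds} rounds")
    return pbkdf2_login_hash(email, password, rounds)


def parse_iv_data(field: str) -> tuple[bytes, bytes]:
    """Split an '!IV|DATA' field into raw IV and ciphertext bytes.
    The post's sample values are missing one '=' of base64 padding (assumed to be
    scrape damage, not part of the format), so padding is restored before decoding."""
    if not field.startswith("!") or "|" not in field:
        raise ValueError("not an !IV|DATA field")
    iv_b64, data_b64 = field[1:].split("|", 1)

    def repad(s: str) -> bytes:
        return base64.b64decode(s + "=" * (-len(s) % 4))

    iv, data = repad(iv_b64), repad(data_b64)
    if len(iv) != 16:  # 128-bit block cipher IV expected
        raise ValueError(f"IV is {len(iv)} bytes, expected 16")
    return iv, data
```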