A malicious user breaches development accounts with a long-term purpose: the intention is to get back doors built in for the future, with the benefits taking months to come to fruition.

Even in a dire circumstance where a private key store was theoretically breached, or the key generation process mined somehow, there is still the pragmatic reality of matching any discovered private keys to customers, of which LastPass has millions at the consumer level. LastPass notes that it does not even store its consumers' private keys; a legitimately lost customer master vault key must be restored by the consumer regenerating it themselves through secure techniques.

The algorithms used do not help one decipher anything at all without the private keys. You need the private key(s) to "crack" anything. Private key encryption is based on mathematical cryptography, so possession of the cryptographic algorithms alone does not matter. Why is that important? We know how crypto-algorithms work; they are not a secret set of algorithms to be obtained by targeting a developer account. LastPass uses the same cryptographically sound algorithms the rest of the best-in-class world uses.

That carries a great deal of weight in how one should evaluate their claims and their responsiveness. Consequently, I don't find myself doubting a word they say. That is the sign of a company that is ethically grounded, clear-eyed and has mature incident response. They could have buried it or waited until customers were found to be exposed to risk; they didn't.

Even with this knowledge, LastPass deserves its due credit, as they came very clean, very quickly.

The reality is that development accounts get hacked with some alarming frequency.

Our assessment of the response of LastPass and risk
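The two points the post makes about key material, that knowing the algorithms is worthless without the key and that the vendor never holds the vault key, can be shown concretely. The Go program below is an added example written for this page, not LastPass's code and not a description of LastPass's actual scheme or parameters: it assumes a generic zero-knowledge design in which the client derives the vault key from the master password with PBKDF2, seals the vault with AES-256-GCM, and sends the server only a separate one-way authentication hash. All function names, the iteration counts and the sample vault entry are constructed for illustration. A wrong key, or the only key-sized value the server stores, fails GCM authentication rather than yielding anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative work factors (assumed for this example, not LastPass's own).
const clientRounds, serverRounds = 100000, 100000

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) over HMAC-SHA256 using only the standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		binary.Write(mac, binary.BigEndian, block) // U1 = PRF(P, S || INT(i))
		u := mac.Sum(nil)
		t := u // T starts as U1; u is rebound to a fresh slice each round, so t is never aliased afterwards
		for i := 1; i < iterations; i++ { // Uj = PRF(P, Uj-1); T = U1 xor ... xor Uc
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveVaultKey runs on the client; the key and the master password never leave the device.
func deriveVaultKey(masterPassword, username string) []byte {
	return pbkdf2SHA256([]byte(masterPassword), []byte(username), clientRounds, 32)
}

// deriveAuthHash is the one-way login value sent to the server in place of the key.
func deriveAuthHash(vaultKey []byte, masterPassword string) []byte {
	return pbkdf2SHA256(vaultKey, []byte(masterPassword), 1, 32)
}

// vaultAEAD builds AES-256-GCM under the given 32-byte key.
func vaultAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// openVault returns an authentication error for any key other than the right one.
func openVault(key, sealed []byte) ([]byte, error) {
	gcm, err := vaultAEAD(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or malformed sealed vault")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// ServerRecord is all the service holds for a user: the sealed vault plus a salted, stretched hash of the auth hash.
type ServerRecord struct {
	SealedVault, StoredAuth, ServerSalt []byte
}

// enroll is the client-side setup: seal the vault locally, then hand the server only what it needs to log the user in.
func enroll(username, masterPassword string, vault []byte) (ServerRecord, error) {
	key := deriveVaultKey(masterPassword, username)
	gcm, err := vaultAEAD(key)
	if err != nil {
		return ServerRecord{}, err
	}
	random := make([]byte, 16+gcm.NonceSize()) // server salt followed by the GCM nonce
	if _, err := rand.Read(random); err != nil {
		return ServerRecord{}, err
	}
	salt, nonce := random[:16], random[16:]
	stored := pbkdf2SHA256(deriveAuthHash(key, masterPassword), salt, serverRounds, 32)
	return ServerRecord{gcm.Seal(nonce, nonce, vault, nil), stored, salt}, nil
}

// login checks the client's auth hash in constant time without ever learning the vault key.
func login(rec ServerRecord, authHash []byte) bool {
	return hmac.Equal(rec.StoredAuth, pbkdf2SHA256(authHash, rec.ServerSalt, serverRounds, 32))
}

// decryptWithServerDataOnly models the post's point: full knowledge of the algorithms plus everything the server stores still yields no vault key.
func decryptWithServerDataOnly(rec ServerRecord) error {
	_, err := openVault(rec.StoredAuth, rec.SealedVault)
	return err
}

func main() {
	rec, err := enroll("alice@example.test", "correct horse battery staple", []byte("constructed vault entry"))
	fmt.Println(err, "/ decrypt with server-side data only:", decryptWithServerDataOnly(rec))
}
```

The design point is the split between two derived values: the vault key is used only on the client, while the auth hash is the only thing the server ever sees, and it is stretched again with a server-side salt before storage. Anyone who obtains the server record and knows every algorithm in use has a ciphertext and a one-way hash, which is why the post's claim that the algorithms themselves are not the secret holds.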