![]() ![]() Since having the authentication hash does not equal your master password itself, a hash could not be derived or created from the authentication hash to create the key to decrypt the password database. The key required to decrypt the vault would require a hash with only an input of your master password and username. If an attacker gets ahold your authentication hash they could attempt to authenticate as you, however remember what I said about hashing - it's a one way operation which cannot be reversed.LastPass does not know or store your master password and therefore can't disclose or leak it.The decryption key itself is just your username and master password hashed via PBKDF2-SHA256. To summarize this, we can see that the PBKDF2-SHA256 hash used to authenticate you to LastPass is indeed comprised of your username, password, and your decryption key. Return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), username.encode('utf-8'), key_iteration_count, 32) Return hashlib.sha256(username.encode('utf-8') + password.encode('utf-8')).digest() Make_key(username, password, key_iteration_count),ĭef make_key(username, password, key_iteration_count) Return bytearray(hashlib.sha256(hexlify(make_key(username, password, 1)) + password.encode('utf-8')).hexdigest(), 'ascii') I know Python so lets look at a python implementation of the cli that someone wrote which uses the same API endpoints - the source I'm referencing below can found here.ĭef make_hash(username, password, key_iteration_count) endpoints-login.c - used to authenticateīut.There are functions within the following source code which you can look more closely at in this repository (the official cli for LastPass): Obviously there is more infrastructure and software at play here to make the user experience (and security) a bit better, but there are several other "self-hosted" password management solutions out there that basically rely on that premise where instead you'd supply a place for the encrypted database and make it available. In theory, it could even be public and nobody but you could decrypt (or read) it because they don't have the key. It's a place that's up 24/7 (hopefully) where you can access and sync changes to your hundreds if not thousands of passwords. At the end of the day it's really just like DropBox or Google Drive. The best way I decided to describe this bit is to first understand that all LastPass really does is "host" your encrypted password database. There are other ways to attack or pre-compute hashes but for the sake of this explanation they key take away: in no way is your master password ever sent to LastPass. The hashing is done client side and the hash is then sent to LastPass. One simply can't "un-hash" or reverse a hash back to it's original value unless there is a fundamental flaw with the hashing algorithm. It should be noted that by design, a hash is a one way function - it's not encryption. This hash is used to authenticate you when you log into their website and/or services. LastPass explains how it doesn't store your master password - it stores a salted hash of your master password. They can't "leak" it.īut how do you know? Sure - they state this in several places on their website, as well as in that whitepaper I referenced above, but you shouldn't believe such critical process without validation! LastPass does not store or know your master password. There are two great resources: a high level here, and a whitepaper here, which I utilized to understand how they specifically implement their zero knowledge model. That being said, it isn't an excuse for most of the theories and reasoning behind this recent situation.Īlthough I thought had a good understanding of how it worked, I spent some time trying to figure out how to explain on a less technical level to the members of our programming community how their security model works. I totally get the sentiment regarding LastPass - I too jumped ship, after the March 2021 debacle where LastPass became a lot less useful to it's free-tier users. This was frustrating for me because HN is supposed to be a place where folks who think alike can discuss these sort of things. I reviewed all the comments on the Hacker News thread to get a better idea of what the general consensus was, and surprisingly I found no explanation of how LastPass protects it's users sensitive data. I didn't get time to respond until the evening, but throughout the day I saw many people making comments which didn't add up on a technical level. ![]() The topic came up yesterday in a programming community I help moderate. Several media outlets reported that LastPass might have "leaked" your master password, each citing a few posts on Hacker News as the source.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |