[rosnd]

Only the encrypted randomized passwords were leaked. Unless you knowingly used a bad password for your cloud-based password manager, you're fine.

If you did use a bad password for the cloud based password manager, you're the walnut. The whole sales pitch is that lastpass can't fuck you as long as you have a reasonable password protecting your vault.

[rolenthedeep]

Your encrypted data is compromised, it is in the hands of an attacker who really wants to decrypt it. You're pinning all of your digital security on encryption holding against an active attacker. What if there is an undiscovered or undisclosed vulnerability in the encryption? What if last pass isn't using encryption as secure as they claimed? What if the attacker just gets really lucky and your password is in the first thousand bruteforce attempts?

Same rationale applies when a random website gets hacked and leaks their password database. Yes, your password is salted and hashed, and hypothetically unrecoverable. But you change your password anyway.

You have the option to guarantee your accounts are secure, or do nothing and hope it will be fine.

There's a lot of situations where your vault might be decrypted. Sure, they're all pretty unlikely, but the risk is not zero. Changing your passwords does make that risk zero.

You're already fucked. LastPass lied in their sales pitch, and they released a bunch of your data unencrypted. Having absolute trust in their encryption as your sole layer of security at this point is incredibly reckless and stupid. You don't know that your master password isn't uncompromisable, you're trusting the company's sales pitch, and they've already lied to you. There is no reason at all to assume your vault will be secure forever.

[paulpauper]

n? What if last pass isn't using encryption as secure as they claimed? What if the attacker just gets really lucky and your password is in the first thousand bruteforce attempts?

This is why you always do your own encryption on offline computer using trusted tools like VeraCrypt . Relying on cloud storage to encrypt is doomed to fail eventually.

[rosnd]

> Your encrypted data is compromised, it is in the hands of an attacker who really wants to decrypt it. You're pinning all of your digital security on encryption holding against an active attacker.

Well, yeah. Just like you leak your encrypted password to the internet every single time you log into a website.

>What if there is an undiscovered or undisclosed vulnerability in the encryption?

lmao, if aes-256-cbc is broken then LastPass is probably the least of anyone's concerns. This happens to also be one of the more difficult AES modes to screw up.

>What if last pass isn't using encryption as secure as they claimed?

Shit, if that was a real concern you would have to be a complete idiot to use LastPass in the first place.

[rolenthedeep]

What proof do you have that last pass uses that encryption scheme? Is there any evidence to suggest that it meets rigorous standards?

Remember that last pass has just been caught lying about their security, and you can't trust what they say.

Calling other people idiots just makes you look like an uninformed asshole, so stop that. You're wrong, and you're trying to justify yourself rather than just back down.

Changing passwords in the face of a breach like this is standard practice and is the only logical step forward. You cannot trust last pass security from this point forward. Whether or not you should have trusted them in the first place is irrelevant in the extreme.

Last pass users should change their passwords, period. Telling those users that they're idiots who shouldn't have trusted them to begin with makes you look foolish and toxic.

Do better.

[rosnd]

>Remember that last pass has just been caught lying about their security, and you can't trust what they say.

I'm curious, what were they caught lying about?

>What proof do you have that last pass uses that encryption scheme? Is there any evidence to suggest that it meets rigorous standards?

LastPass has been extensively reverse engineered. There are, for example, public Defcon talks about it.

>Changing passwords in the face of a breach like this is standard practice and is the only logical step forward.

This is not logical at all.

>You cannot trust last pass security from this point forward.

Why not? Because they disclosed a breach?

[paulpauper]

AES CBC not broken, but it's likely LastPass implementation of AES was bad , such as bad RNG or other possible problems.

[rosnd]

Why do you think it is likely? That's a very strong claim.

> such as bad RNG

How could that be a problem? The attacker doesn't control your passwords. How would you exploit a known IV as an attacker in this context?

[paulpauper]

there are many ways the encryption could have been implemented badly. a weak RNG is one

[bbbbb5]

Do you actually know anything about this subject, or are you just speculating?

[Bud]

>Shit, if that was a real concern you would have to be a complete idiot to use LastPass in the first place.

What are you even talking about? Of course it's a real concern. That exact kind of thing happens constantly. And of course, the nature of the concern here involves us not knowing that LastPass was fucking up. LastPass might not even know. It's not like companies regularly announce in public, "hey, customers! We're actually massive fuckups, we know it, we haven't fixed it, and we just thought you'd like to know!"

[rosnd]

If you don't trust LastPass to encrypt your passwords properly, why would you use it at all?

>That exact kind of thing happens constantly

Like when?

>And of course, the nature of the concern here involves us not knowing that LastPass was fucking up.

What do you mean? The cryptography used by LastPass is very well understood.

[paulpauper]

well understood and badly implemented, which is the same as no encryption

[rosnd]

How is the LastPass encryption badly implemented?

In your other comment you claimed it was "likely" to be badly implemented, but here you state it as a fact. What's up with that?