by rosnd 1271 days ago
> Your encrypted data is compromised, it is in the hands of an attacker who really wants to decrypt it. You're pinning all of your digital security on encryption holding against an active attacker.

Well, yeah. Just like you leak your encrypted password to the internet every single time you log into a website.

> What if there is an undiscovered or undisclosed vulnerability in the encryption?

lmao, if aes-256-cbc is broken then LastPass is probably the least of anyone's concerns. This happens to also be one of the more difficult AES modes to screw up.

> What if last pass isn't using encryption as secure as they claimed?

Shit, if that was a real concern you would have to be a complete idiot to use LastPass in the first place.


What proof do you have that last pass uses that encryption scheme? Is there any evidence to suggest that it meets rigorous standards?

Remember that last pass has just been caught lying about their security, and you can't trust what they say.

Calling other people idiots just makes you look like an uninformed asshole, so stop that. You're wrong, and you're trying to justify yourself rather than just back down.

Changing passwords in the face of a breach like this is standard practice and is the only logical step forward. You cannot trust last pass security from this point forward. Whether or not you should have trusted them in the first place is irrelevant in the extreme.

Last pass users should change their passwords, period. Telling those users that they're idiots who shouldn't have trusted them to begin with makes you look foolish and toxic.

Do better.

> Remember that last pass has just been caught lying about their security, and you can't trust what they say.

I'm curious, what were they caught lying about?

> What proof do you have that last pass uses that encryption scheme? Is there any evidence to suggest that it meets rigorous standards?

LastPass has been extensively reverse engineered. There are, for example, public Defcon talks about it.

> Changing passwords in the face of a breach like this is standard practice and is the only logical step forward.

This is not logical at all.

> You cannot trust last pass security from this point forward.

Why not? Because they disclosed a breach?

AES CBC is not broken, but it's likely LastPass's implementation of AES was bad, such as bad RNG or other possible problems.

Why do you think it is likely? That's a very strong claim.

> such as bad RNG

How could that be a problem? The attacker doesn't control your passwords. How would you exploit a known IV as an attacker in this context?

There are many ways the encryption could have been implemented badly. A weak RNG is one.

Do you actually know anything about this subject, or are you just speculating?

Faulty implementation of crypto is not unheard of. It happens a lot.

Yes, but how exactly is the LastPass implementation faulty? In your other comment you claim to know that it is.
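
An added illustration, not part of this thread, of what a bad RNG for CBC IVs gives away: if the same IV is reused under one key, two encrypted records that share a prefix produce identical leading ciphertext blocks, so anyone holding only the ciphertexts learns where records agree without decrypting anything, while a fresh random IV per encryption removes that signal. The key, the record format and the plaintexts are constructed for the example and are not LastPass's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

var demoKey = bytes.Repeat([]byte{0x42}, 32) // constructed AES-256 key, not a real vault key

// pkcs7Pad returns a padded copy of data whose length is a multiple of the AES block size.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBC returns iv || AES-CBC(key, iv, pkcs7(plaintext)).
func encryptCBC(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := pkcs7Pad(plaintext)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct) // encrypt in place
	return append(append([]byte{}, iv...), ct...)
}

// encryptFixedIV models a broken RNG: every record is encrypted under the same IV.
func encryptFixedIV(key, plaintext []byte) []byte {
	return encryptCBC(key, make([]byte, aes.BlockSize), plaintext)
}

// encryptRandomIV is the correct form: a fresh unpredictable IV for every encryption.
func encryptRandomIV(key, plaintext []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // crypto/rand fills the slice fully; it does not return an error in current Go
	return encryptCBC(key, iv, plaintext)
}

// sharedPrefixBlocks counts the leading ciphertext blocks (after the IV) two ciphertexts share.
func sharedPrefixBlocks(c1, c2 []byte) int {
	n := 0
	for i := aes.BlockSize; i+aes.BlockSize <= len(c1) && i+aes.BlockSize <= len(c2); i += aes.BlockSize {
		if !bytes.Equal(c1[i:i+aes.BlockSize], c2[i:i+aes.BlockSize]) {
			return n
		}
		n++
	}
	return n
}
```

Two records that agree on their first 45 bytes share two full 16-byte ciphertext blocks under the fixed IV and none under random IVs; identical records under the fixed IV produce identical ciphertexts.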
> Shit, if that was a real concern you would have to be a complete idiot to use LastPass in the first place.

What are you even talking about? Of course it's a real concern. That exact kind of thing happens constantly. And of course, the nature of the concern here involves us not knowing that LastPass was fucking up. LastPass might not even know. It's not like companies regularly announce in public, "hey, customers! We're actually massive fuckups, we know it, we haven't fixed it, and we just thought you'd like to know!"

If you don't trust LastPass to encrypt your passwords properly, why would you use it at all?

> That exact kind of thing happens constantly

Like when?

> And of course, the nature of the concern here involves us not knowing that LastPass was fucking up.

What do you mean? The cryptography used by LastPass is very well understood.

Well understood and badly implemented, which is the same as no encryption.

How is the LastPass encryption badly implemented?

In your other comment you claimed it was "likely" to be badly implemented, but here you state it as a fact. What's up with that?