Soldato
Lastpass compromised.
- Thread starter Danthus
- Start date
Soldato
Hashes are reversible. A 'rainbow table' is a list of words that have been hashed that you can compare the hash you have to. Salting them means you can't do this because the hash has been randomised in a way that only the server understands. Kind of.
Sorry to be pedantic (I've not watched the video so not sure if it explains it further) but the entire point of hashes is that they aren't "reversible" in a security context. That's what encryption is for.
http://www.securityinnovationeurope.com/blog/whats-the-difference-between-hashing-and-encrypting
It's for this reason that rainbow tables exist, as people are just noting down the resulting hash from common passwords (with a table for each hashing algorithm) as, at present, there's no other way to work backwards.
So yeah, just be mindful of your language used as a lot of misconceptions, and in turn problems, result from the improper use of specific language around this area.
Does adding vinegar as well as salt make any difference? Or do the hashes just get a bit soggy?
I keep my 16 character passwords in a text file on a luks encrypted USB stick. Then use 2 step authentication were available. Also use individual email addresses for individual accounts. If one email or account should fall, only that email or account falls. If the USB key is lost, you need the key to decrypt it. The decryption key for the USB is the only one I need to remember. Overkill? Absolutely.
Soldato
'Reversible' as in you can find out what they unhashed content is. I think that was clear enough for the layperson but I suppose I could have used other words, perhaps 'crackable'. So yeah you're being pedantic.
They make tasty hashes, as long as you put the vinegar on before the salt.
Caporegime
Hashes are irreversible. It is not possible to determine the original value of a hash from the hash alone.
Soldato
I use last pass but only to log me in to sites that are not terribly important, Paypal/bank and other such importants I just remember the password for each one and each has a unique one
Soldato
Are we just going keep hashing this out?
The point is unsalted hashes can be *insert whatever word you deem to be suitable here* and thus compromised.Talking about security is worse than talking to the network guys!
Caporegime
The most common passwords are simple words, and of those, apparently "monkey", "Arsenal" are the most popular (after "password", of course).
So if we know what those hash to, and we find any hashes that match one of those hashes (and we know they used the same algorithm) we now know what the password is.
People have been collecting common passwords and their relative hashed values for years. They've also been collecting not-so-common passwords as well. Tools that randomise the case of the letters, replace letters with numbers (like "p455w0rd") etc. and keeping these values in a table. This is what a rainbow table is. A collection of likely/common (and even not very common at all)passwords with their hashed-by-popular-algorithms values.
So what does a salt do? Technically speaking, it increases the entropy of the password. What does that mean? It adds some randomised characters to the password. The user still enters their chosen password, but we add extra characters to it, and remember what those extra characters were, so that we make the password less common.
TL;DR/Example:
If we hash "Arsenal" using the popular MD5 algorithm, the result is:
Code:
4fc9baf210346939946d5a49f255588bSo if we ever see that hash value in a database, we know the original password is "Arsenal".
But if we create a salt value (typically a GUID is used to do this) the password actually becomes something like: "c38b8e4a-0082-4a78-949a-c4d5820377c8 Arsenal" that results in:
Code:
eda07cf772f75b895980e356d235fb28which is completely different and will be very difficult for anyone to work out the original value. Even if they get the salt value, they won't know how we applied the salt. We could have appended the salt instead of prepended it, or any other combination.
(N.B. It's worth noting here that I'm using MD5 for example only, as it is recommended you don't use it and opt for a stronger algorithm such as SHA-256)
Last edited:
Caporegime
Are we just going keep hashing this out?
Talking about security is worse than talking to the network guys!
*shrug* you said they are reversible, which they are not. Correcting a mistake is all
I'm a LastPass user and as someone who's researched how it all works (as an IT developer), I am totally comfortable with the level of security it provides, despite this most recent leak. I will continue to use (and pay for) their services.
Soldato
So I use 2FA, should I still change my master password?
Associate
- Joined
- 17 Nov 2005
- Posts
- 931
Saved for posterity
http://arstechnica.co.uk/security/2...et-hackers-steal-keychain-1password-contents/
Didn't have to wait long, not exactly the same I agree as technically an attack on OSX rather than 1password but the net effect is the same. Anyway as long as we are part of the solution a system is never 100% secure, but in this case I am not sweating the breach in the slightest and to be honest the way lastpass manage breaches encourages me more than anything else.
Soldato
Pen, notebook, drawer. If anyone gets at your passwords there, you have larger problems to worry about
I don't even know if I'm using this program correctly. I simply input my password for websites, and it remembers them for me. I take it I'm using it just like Chrome password manager and not in the proper way? 
Edit: Yeah, I think mine needs a bit of work...
I simply input my password for websites, and it remembers them for me. I take it I'm using it just like Chrome password manager and not in the proper way? Edit: Yeah, I think mine needs a bit of work...
Last edited:
In basic terms, yes, it stores your passwords, and you don't need to remember them.
However, because it stores your passwords, you have the ability to generate random, multi-character, unique passwords, and not need to remember them - this is where you gain in security score - you are not using the same password for multiple services.
However, because it stores your passwords, you have the ability to generate random, multi-character, unique passwords, and not need to remember them - this is where you gain in security score - you are not using the same password for multiple services.
Had an email fired around by corporate security yesterday advising to change the master password for this and advising the use of KeyPass instead. Few seniors were having a freak out.
I was planning on using something like this and this thread has given me some good ideas on where to look
I was planning on using something like this and this thread has given me some good ideas on where to look
And if you aren't anywhere remotely close to said notebook...you just forget about accessing whatever it was you needed at that time?
Would it do any harm, especially if it's not been changed in a while?
I have 2FA and changed it anyway, this acted as a reminder of sorts
Lol
Always room for improvement...
Last edited: