One comment on this post even mentions using a key file. Even if you don't treat it as secret, it chips away at the essential appeal of the concept.
#KYPASS CHANGE MASTER PASSWORD PASSWORD#
You end up adding counters and password rules, so you have state to maintain/sync. The problem, even if you ignore the straw men that usually get pummeled on threads like this, is that as you address the practical and security limitations of a naive scheme, you tend to lose the simplicity of the initial idea. If you generate random passwords for every single account, this is not for you, but it's probably better than storing weak passwords in a vault. The point is to improve on password reuse, or trivial transformations on a core password.
#KYPASS CHANGE MASTER PASSWORD GENERATOR#
To be clear, I was never under the illusion that a password generator is as secure as a vault full of random passwords. It's not too hard to find PBKDF2 in a Python or JavaScript library, or reimplement it yourself using even more commonly available primitives. I like the idea of a scheme that I can use with a preferred utility, but which I could assemble from commonly available tools if necessary. If I don't have the vault and a tool to use it, I can't access my accounts. Find one you trust.As someone who looked seriously at a scheme like this before reluctantly using a password manager instead, part of the appeal comes from vault anxiety. So “to be safe” means doing that, and also making sure at the same time you choose a sufficiently lengthy/complex password when you do it.īut, like I said, if you don’t feel convinced, then absolutely switch to another password manager. This completely invalidates the hash value the hackers have in their hands. But since the theory exists, it is easily thwarted by changing your master password.
This is still extremely unlikely, given the hashing algorithm that LastPass uses. With one exception: if your master password was WEAK – as in, say, one of the top 1,000,000 most common passwords in general, then **in theory** the hackers could mount some kind of a brute force attempt to determine your passwords. Having the hash does not allow the hackers to gain access to your LastPass account. ( ) That is NOT NOT NOT the same as actually having the password – which were NOT stolen because LastPass doesn’t store your password – only the hashed value of the password. The hashes of user’s master passwords were stolen. As a result, people – people that visit Ask Leo! – panic and make ill-conceieved decisions based on inaccurate information. My frustration is that the general technology press likes to make end-of-world headlines and thus overstate the impact (or at least imply that the impact is far greater than it actually is). By that I mean that you and I are not at any significantly additional risk than we were before the hack. My comments stem from the fact that I believe that, while this is of course serious – any breach is – there’s actually little impact on users of LastPass. I have no vested interest in LastPass, and if you choose to move to a different system I certainly won’t object. Not sure what you’re looking for from me. This is a security measure that would alert you to a password change that you did not initiate.ĭepending on your settings, and how many other locations in which you have Lastpass in use, you may need to re-login to Lastpass using your new master password. Shortly after making the change, you should receive an email that notifies you that a change was made. The phrase doesn’t need to make sense in fact, it’s probably better if it doesn’t, as long as it’s easy for you to remember. Multi-word, because that’s easier to remember. Pass phrase, because it’s longer which is more secure. I recommend using a multi-word passphrase. Click on Change Master Password.Įnter your old password, to confirm that you have the authority to make the change, and then enter your new master password twice. It should come up with the “General” tab selected. Log in with your current LastPass password.Īfter your vault is displayed, click on Account Settings. Go to on the web and click on the log-in link. However, to err on the side of caution, they are recommending that we all change our master passwords. It’s important to note that no user accounts have been hacked, and no unencrypted user account information has been compromised.
As I write this, the folks at LastPass recently announced that they saw unexplained traffic on their network and could potentially have seen some of their internal data compromised.
0 kommentar(er)
