This week on Home Gadget Geeks Jim and Christian catch up on the Last Pass Data Breach. We talk about why the security industry had a field day and introduce foundational concepts to password managers along the way. We also walk through some other password managers with similar bumps in the road over the years and what are some of the characteristics that stand out for password managers that can earn consumer trust. We then explore Christian’s migration to Bitwarden and what makes it a stand-out option amongst some of the preferred options for password management. It’s 2023 and we are still talking about password managers…. If that’s not insanity what is?! Thanks for listening!
Full show notes, transcriptions (available on request), audio and video at
http://theAverageGuy.tv/hgg559
Join Jim Collison /
@jcollison for show #559 of Home Gadget Geeks brought to you by the Average Guy Network.
WANT TO SUBSCRIBE?
http://theAverageGuy.tv/subscribe
Join us for the show live each Thursday at 8pmC/9E/1UTC at
http://theAverageGuy.tv/live
Podcast, Home Gadget Geeks
Find Us!
Join us in the Facebook group at
https://www.facebook.com/groups/theaverageguy/
On Discord at
https://theaverageguy.tv/discord
Save $40 on your first Box of HelloFresh
Last Pass Breach
https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/
* “Lots of buzzwords here. 256-bit AES encryption, unique encryption key, Zero Knowledge architecture, all that sounds very reassuring. It masks over a simple fact: the only thing preventing the threat actors from decrypting your data is your master password. If they are able to guess it, the game is over.”
Zero Knowledge Encryption Principles:
* Password is NEVER stored.
* All data is encrypted locally on the client, never on the server.
* Servers only ever store encrypted bits.
* Encryption key on the client is always generated and derived from the master password.
Some of the main issues discussed in the Last Pass breach (or as some would say, lack of containment):
* Default for 12 character minimum password wasn’t enforced until 2018. Previous customers weren’t asked to move over to that standard.
* PBKDF2 is a critical feature of reducing brute force attack likelihoods. Minimum expected is 100K iterations in most modern password managers.
* Many Last Pass accounts were still configured with only 5000 iterations. Some accounts later on found were as low as 500. OWASP recommends 310K
What’s PBKDF2 (Password-Based Key Derivation Function)?
* Put simply, it’s a modern cryptographic hashing function that computes iterative HMACs to make passwords resistant to dictionary attacks and rainbow attacks:
https://cryptobook.nakov.com/mac-and-key-derivation/pbkdf2
What is driving the need for higher KDF iterations?
* Advent of GPUs coming along and becoming very efficient and cheap hash calculators.