Date: Sun, 11 Nov 2012 21:20:47 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: Fun with LastPass

Hi,

So far, I haven't been able to mount an offline attack against
LastPass's locally stored database. However, it is possible to sniff the
LastPass authentication packets and mount an offline attack to recover
the original password.

Here is a screenshot of Burp Suite in action:
http://dl.dropbox.com/u/1522424/LastPass_sniff.png

✗ ../run/john -fo:lastpass -t  # AMD X3 720 CPU (single core)
Benchmarking: LastPass sniffed sessions PBKDF2-HMAC-SHA-256 AES [32/64]... DONE
Raw:	2520 c/s real, 2520 c/s virtual

What prevents LastPass from using the same technique? Maybe they have
another faster way to access user data ;).

I urge LastPass to open up their database format, so that a proper
third-party security analysis can be carried out.

-- 
Cheers,
Dhiru
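An added example, not code from Dhiru's mail or from john's lastpass format: a hand-written PBKDF2-HMAC-SHA-256 (the KDF named in the benchmark line), cross-checked against Python's hashlib, plus a rough rate measurement showing how the iteration count sets the per-guess cost that an offline attack on a sniffed session has to pay. The mail gives no LastPass iteration count, salt, or detail of what the AES step protects, so every input below is constructed.

```python
import hashlib
import hmac
import time


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2 (RFC 8018) with HMAC-SHA-256, written out so the cost loop is visible."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")

    def prf(data: bytes) -> bytes:
        return hmac.new(password, data, hashlib.sha256).digest()

    out = b""
    block = 1
    while len(out) < dklen:
        # U1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U1 xor ... xor U_c
        u = prf(salt + block.to_bytes(4, "big"))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(32, "big")
        block += 1
    return out[:dklen]


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bool:
    """Cross-check the hand-written loop against hashlib's C implementation."""
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == hashlib.pbkdf2_hmac(
        "sha256", password, salt, iterations, dklen)


def derivations_per_second(iterations: int, rounds: int = 10) -> float:
    """Rough single-core rate of hashlib.pbkdf2_hmac at the given iteration count.
    Every candidate password an offline attack tries costs one such derivation,
    so raising the iteration count lowers the attacker's c/s proportionally.
    """
    salt = b"constructed-salt"  # constructed sample input, not a LastPass value
    start = time.perf_counter()
    for i in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"candidate-%d" % i, salt, iterations, 32)
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    assert matches_stdlib(b"correct horse battery", b"constructed-salt", 500)
    for n in (500, 5000, 100000):  # assumed counts; the mail gives no LastPass value
        print(f"{n:>7} iterations: ~{derivations_per_second(n):,.0f} derivations/s")
```

Comparing the printed rates with the 2520 c/s in the benchmark above gives a feel for how many iterations the sniffed-session KDF would need before a single core stops being a practical guessing engine.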
