Date: Sun, 11 Nov 2012 21:20:47 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: Fun with LastPass

Hi,

So far, I haven't been able to mount an offline attack against LastPass's locally stored database. However, it is possible to sniff the LastPass authentication packets and mount an offline attack to recover the original password.

Here is a screenshot of Burp Suite in action:
http://dl.dropbox.com/u/1522424/LastPass_sniff.png

✗ ../run/john -fo:lastpass -t # AMD X3 720 CPU (single core)
Benchmarking: LastPass sniffed sessions PBKDF2-HMAC-SHA-256 AES [32/64]... DONE
Raw: 2520 c/s real, 2520 c/s virtual

What prevents LastPass from using the same technique? Maybe they have another, faster way to access user data ;).

I urge LastPass to open up their database format, so that a proper third-party security analysis can be carried out.

--
Cheers,
Dhiru

Download attachment "0001-LastPass-sniffed-session-cracker.patch" of type "application/octet-stream" (8045 bytes)