Date: Sun, 11 Nov 2012 21:20:47 +0530
From: Dhiru Kholia <>
Subject: Fun with LastPass


So far, I haven't been able to mount an offline attack against
LastPass's locally stored database. However, it is possible to sniff the
LastPass authentication packets and mount an offline attack to recover
the original password.

Here is a screenshot of Burp Suite in action,

✗ ../run/john -fo:lastpass -t  # AMD X3 720 CPU (single core)
Benchmarking: LastPass sniffed sessions PBKDF2-HMAC-SHA-256 AES [32/64]... DONE
Raw:	2520 c/s real, 2520 c/s virtual

What prevents LastPass from using the same technique? Maybe they have
another faster way to access user data ;).

I urge LastPass to open up their database format, so that a proper
third-party security analysis can be carried out.


Download attachment "0001-LastPass-sniffed-session-cracker.patch" of type "application/octet-stream" (8045 bytes)
