Message-ID: <CANO7a6yjXac+-4F0M8Oe-T6eWLzvNWHohBStwKa8WSwY_pSr_w@mail.gmail.com>
Date: Sun, 11 Nov 2012 21:20:47 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: Fun with LastPass
Hi,
So far, I haven't been able to mount an offline attack against
LastPass's locally stored database. However, it is possible to sniff the
LastPass authentication packets and mount an offline attack to recover
the original password.
Here is a screenshot of Burp Suite in action:
http://dl.dropbox.com/u/1522424/LastPass_sniff.png
✗ ../run/john -fo:lastpass -t # AMD X3 720 CPU (single core)
Benchmarking: LastPass sniffed sessions PBKDF2-HMAC-SHA-256 AES [32/64]... DONE
Raw: 2520 c/s real, 2520 c/s virtual
What prevents LastPass from using the same technique? Maybe they have
another faster way to access user data ;).
I urge LastPass to open up their database format, so that a proper
third-party security analysis can be carried out.
--
Cheers,
Dhiru
Download attachment "0001-LastPass-sniffed-session-cracker.patch" of type "application/octet-stream" (8045 bytes)
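The figure quoted above (2520 c/s, single core) is the number of candidate passwords per second the cracker can push through PBKDF2-HMAC-SHA-256, and that number is governed almost entirely by the iteration count the service chose. The block below is an added illustration written for this archived message; it is not part of the post, of the attached patch, or of John the Ripper. It writes PBKDF2-HMAC-SHA-256 out block by block so the cost model is visible, cross-checks it against hashlib, measures guesses per second on the local host at a caller-chosen iteration count, and turns that into the iteration count a defender would need to hold an attacker to a target rate. The iteration count LastPass actually used is not stated in the post and is not assumed here; the salt and the password guesses are constructed sample values.

```python
import hashlib
import hmac
import struct
import time


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Textbook PBKDF2 (RFC 8018) with HMAC-SHA-256 as the PRF.

    Written out so the cost model is visible: every output block costs
    `iterations` HMAC calls, and each U_i depends on U_{i-1}, so the work
    for one guess is inherently sequential.
    """
    hlen = hashlib.sha256().digest_size
    nblocks = -(-dklen // hlen)  # ceiling division
    out = b""
    for block_index in range(1, nblocks + 1):
        # U1 = PRF(P, S || INT(i)); INT(i) is a 4-byte big-endian block counter
        u = hmac.new(password, salt + struct.pack(">I", block_index), hashlib.sha256).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            # U_i = PRF(P, U_{i-1}); T = U1 xor U2 xor ... xor U_c
            u = hmac.new(password, u, hashlib.sha256).digest()
            for j in range(hlen):
                t[j] ^= u[j]
        out += bytes(t)
    return out[:dklen]


def derive_key(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """The same computation via the standard library, used as a cross-check
    and for the timing loop (it is far faster than the pure-Python version)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def guesses_per_second(iterations: int, trials: int = 20) -> float:
    """Measure how many candidate passwords per second this host can stretch
    at the given iteration count (single core, hashlib).  This is the same
    quantity the post reports as 'c/s'; the real iteration count used by
    the service is not known here and must be supplied by the caller."""
    salt = b"constructed-salt"  # constructed sample value, not a real salt
    start = time.perf_counter()
    for i in range(trials):
        derive_key(b"guess-%d" % i, salt, iterations)  # constructed guesses
    elapsed = time.perf_counter() - start
    return trials / elapsed


def iterations_for_target_rate(measured_rate: float, measured_iterations: int,
                               target_rate: float) -> int:
    """PBKDF2 cost is linear in the iteration count: hardware that manages
    `measured_rate` guesses/s at `measured_iterations` will be held to about
    `target_rate` guesses/s at the returned iteration count.  This is the
    knob a service operator turns; the hash construction itself is fixed."""
    return int(measured_iterations * measured_rate / target_rate)


if __name__ == "__main__":
    for iters in (1000, 5000, 20000):
        print(f"{iters:6d} iterations: {guesses_per_second(iters):10.1f} guesses/s")
    # e.g. if a box does 2520 c/s at a hypothetical 500 iterations, holding it
    # to 100 guesses/s would need 12600 iterations (hypothetical numbers)
    print(iterations_for_target_rate(2520.0, 500, 100.0))
```

The manual implementation is only there to show the structure; use `hashlib.pbkdf2_hmac` (or a memory-hard KDF) in anything real. The point for a defender is the linear scaling: doubling the iteration count halves the attacker's guess rate on every platform, so the cost of an offline attack on a sniffed or stolen blob is a policy decision made when the iteration count is chosen.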