The Verge</tle></svg></a></div></div></div></div>
<div class="duet--page-layout--standard-article _6ytxv90"><ma class="md:px-34 relative px-20"><article id="ntent" class="mx-to my-24 w-full max-w-ntaer-lg md:mt-16 lg:mt-45">
<div class="duet--article--le mx-to mb-28 w-full md:max-w-ntaer-md lg:mb-36 lg:max-w-none">
<h1 class="mb-28 hidn max-w-[900px] font-polysans text-45 font-bold leadg-100 selectn:bg-ankl-20 lg:block">The LastPass disclosure of leaked password vaults is being torn apart by security experts</h1>
<h2 class="le selectn:bg-ankl-20">The company announced last week that users' password vaults had been stolen. Things have gone downhill from there.</h2>
<p class="duet--article--article-byle max-w-[550px] font-polysans text-12 leadg-120"><span>By</span> <span class="font-medium"><a class="hover:shadow-unrle-her" href="/thors/mchell-clark">Mitchell Clark</a></span></p>
<time dateTime="2022-12-29T00:39:47.346Z" class="duet--article--timtamp font-polysans text-12">Updated Dec 29, 2022, 12:39 AM UTC</time>
<figure class="duet--article--le-image w-full"><div class="duet--media--ptn pt-6 font-polysans-mono text-12 font-light leadg-130 trackg-1"> <ce class="duet--article--dangeroly-set-cms-markup le not-alic text-gray-63 dark:text-gray-bd [&>a:hover]:text-gray-63 [&>a:hover]:shadow-unrle-black dark:[&>a:hover]:text-gray-bd dark:[&>a:hover]:shadow-unrle-gray [&>a]:shadow-unrle-gray-63 dark:[&>a]:text-gray-bd dark:[&>a]:shadow-unrle-gray">Photo by Amelia Holowaty Krales / The Verge</ce></div></figure>
</div>
<div class="relative md:mx-to md:flex md:max-w-ntaer-md lg:max-w-none"><div class="duet--article--article-body-ponent-ntaer clearfix sm:ml-to md:ml-100 md:max-w-article-body lg:mx-100"><div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20
dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Last week, just before Christmas, LastPass <a href="/2022/12/22/23523322/lastpass-data-breach-cloud-encrypted-password-vlt-hackers">dropped a bombshell announcement</a>: as the result of a breach in August, which led to another breach in November, hackers had gotten their hands on users’ password vaults. While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing <a href="">its post</a>, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager.</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">LastPass’ December 22nd statement was “full of omissions, half-truths and outright lies,” reads <a href="">a blog post from Wladimir Palant</a>, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it’s being; he accuses the company of trying to portray <a href="/2022/8/26/23323738/lastpass-secury-cint-source-">the August incident</a> where LastPass says “some source code and technical information were stolen” as a separate breach when he says that in reality the company “failed to contain” the breach.</p></div>
<div class="duet--article--article-body-ponent clear-both block md:float-left md:mr-30 md:w-[320px] lg:-ml-100"><div class="duet--article--article-pullquote mb-20"><div class="mb-10 h-[22px] w-[65px] bg-ankl"></div><p class="duet--article--dangeroly-set-cms-markup relative bg-repeatg-l-dark bg-[length:1px_1.2em] pb-8 font-polysans text-28 font-medium leadg-120 trackg-1 selectn:bg-ankl-20 dark:bg-repeatg-l-light dark:text-whe dark:selectn:bg-blurple">“LastPass’s claim of ‘zero knowledge’ is a bald-faced lie.”</p></div></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">He also highlights LastPass’ admission that the leaked data included “the IP addresses from which customers were accessing the LastPass service,” saying that it could let the threat actor “create a complete movement profile” of customers if LastPass was logging every IP address you used with its service.</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Another security researcher, Jeremi Gosney, wrote <a href="">a long post on Mastodon</a> explaining his recommendation to move to another password manager. “LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” he says, alleging that the company has “about as much knowledge as a password manager can possibly get away with.” </p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">LastPass claims its “zero knowledge” architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn’t dispute that particular point, he does say that the phrase is misleading. “I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no — with LastPass, your vault is a plaintext file and only a few select fields are encrypted.”</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Palant also notes that the encryption only does you any good if the hackers can’t crack your master password, which is LastPass’ main defense in its post: if you use its defaults for password length and strengthening and haven’t reused it on another site, “it would take millions of years to guess your master password using generally-available password-cracking technology” wrote Karim Toubba, the company’s CEO.
</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">“This prepares the ground for blaming the customers,” writes Palant, saying that “LastPass should be aware that passwords <em>will</em> be decrypted for at least some of their customers. And they have a convenient explanation already: the customers clearly didn’t follow their best practices.” However, he also points out that LastPass hasn’t necessarily enforced those standards. Despite the fact that it made 12-character passwords the default in 2018, Palant says, “I can log in with my eight-character password without any warnings or prompts to change it.”</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">LastPass’ post has even elicited a response from a competitor, 1Password — on Wednesday, the company’s principal security architect Jeffrey Goldberg <a href="">wrote a post for its site</a> titled “Not in a million years: It can take far less to crack a LastPass password.” In it, Goldberg calls LastPass’ claim of it taking a million years to crack a master password “highly misleading,” saying that the statistic appears to assume a 12 character, randomly generated password. “Passwords created by humans come nowhere near meeting that requirement,” he writes, saying that threat actors would be able to prioritize certain guesses based on how people construct passwords they can actually remember. </p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Of course, a competitor’s word should probably be taken with a grain of salt, though Palant echoes a similar idea in his post — he claims the <a href="">viral XKCD method</a> of creating passwords would take around 3 years to guess with a single GPU, while some 11-character passwords (that many people may consider to be good) would only take around 25 minutes to crack with the same hardware. It goes without saying that a motivated actor trying to crack into a specific target’s vault could probably throw more than one GPU at the problem, potentially cutting that time down by orders of magnitude.</p></div>
<div class="duet--article--article-body-ponent clear-both block md:float-left md:mr-30 md:w-[320px] lg:-ml-100"><div class="duet--article--article-pullquote mb-20"><div class="mb-10 h-[22px] w-[65px] bg-ankl"></div><p class="duet--article--dangeroly-set-cms-markup relative bg-repeatg-l-dark bg-[length:1px_1.2em] pb-8 font-polysans text-28 font-medium leadg-120 trackg-1 selectn:bg-ankl-20 dark:bg-repeatg-l-light dark:text-whe dark:selectn:bg-blurple">“They essentially commit every ‘crypto 101’ sin”</p></div></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Both Gosney and Palant take issue with LastPass’ actual cryptography too, though for different reasons. Gosney accuses the company of basically committing “every ‘crypto 101’ sin” with how its encryption is implemented and how it manages data once it’s been loaded into your device’s memory. </p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Meanwhile, Palant criticizes the company’s post for painting its password-strengthening algorithm, known as PBKDF2, as “stronger-than-typical.” The idea behind the standard is that it makes it harder to brute-force guess your passwords, as you’d have to perform a certain number of calculations on each guess.
“I seriously wonder what LastPass considers typical,” writes Palant, “given that 100,000 PBKDF2 iterations are the lowest number I’ve seen in any current password manager.” </p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Bitwarden, another popular password manager, <a href="">says that its app uses 100,001 iterations</a>, and that it adds another 100,000 iterations when your password is stored on the server for a total of 200,001. <a href="">1Password says</a> it uses 100,000 iterations, but its encryption scheme means that you have to have both a secret key and your master password to unlock your data. That feature “ensures that if anyone does obtain a copy of your vault, they simply cannot access it with the master password alone, making it uncrackable,” according to Gosney.</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Palant also points out that LastPass hasn’t always had that level of security and that older accounts may only have 5,000 iterations or less — something <em>The Verge</em> confirmed last week. That, along with the fact that it still lets you have an eight-character password, makes it hard to take LastPass’ claims about it taking millions of years to crack a master password seriously. Even if that’s true for someone who set up a new account, what about people who have used the software for years? If LastPass hasn’t issued a warning about or forced an upgrade to those better settings (which Palant says hasn’t happened for him), then its “defaults” aren’t necessarily useful as an indicator of how worried its users should be.</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Another sticking point is the fact that LastPass has, <a href="">for years</a>, ignored pleas to encrypt data such as URLs. Palant points out that knowing where people have accounts could help hackers specifically target individuals. “Threat actors would <em>love</em> to know what you have access to. Then they could produce well-targeted phishing emails just for the people who are worth their effort,” he wrote. He also points out that sometimes URLs saved in LastPass could give people more access than intended, using the example of a password reset link that isn’t properly expired.</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">There’s also a privacy angle; you can tell a <em>lot</em> about a person based on what websites they use. What if you used LastPass to store your account for a niche porn site? Could someone figure out what area you live in based on your utility provider accounts?
Would the that you e a gay datg app <a href="/2022/2/9/22925073/grdr-lims-visibily-beijg-olympics-village">put your eedom or life danger</a>?</p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">One thg that several secury experts, cludg Gosney and Palant, seem to agree on is the fact that this breach isn’t proof posive that cloud-based password managers are a bad ia. This seems to be rponse to people who evangelize the benefs of pletely offle password managers (or even jt wrg down randomly-generated passwords a notebook, as I <a href="/2022/12/22/23523322/lastpass-data-breach-cloud-encrypted-password-vlt-hackers?mentID=8f8d23ea-0756-46c2-8bf8-34b745c751">saw one menter suggt</a>). There are, of urse, obv benefs to this approach — a pany that <a href=">stor lns of people’s passwords</a> will get more attentn om hackers than one dividual’s puter will, and gettg at somethg that’s not on the cloud is a lot harr. </p></div><div class="duet--article--article-body-ponent clear-both block md:float-left md:mr-30 md:w-[320px] lg:-ml-100"><div class="duet--media--embed m-h-[270px] mb-20 w-full md:max-w-[460px]"></div></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">But, like crypto’s promis of lettg you be your own bank, nng your own password manager n e wh more challeng than people realize. 
Losing your vault via a hard drive crash or another incident could be catastrophic, but backing it up introduces the risk of making it more vulnerable to theft. (And you did remember to tell your automatic cloud backup software to not upload your passwords, right?) Plus, syncing an offline vault between devices is, to put it mildly, a bit of a pain.</p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">As for what people should do about all this, both Palant and Gosney recommend at least considering switching to another password manager, in part because of how LastPass has handled this breach and the fact that it’s the <a href="">company’s seventh security incident</a> in a little over a decade. “It’s abundantly clear that they do not care about their own security, and much less about your security,” Gosney writes, while Palant questions why LastPass didn’t detect that hackers were copying the vaults from its third-party cloud storage while it was happening. (The company’s post says it’s “added additional logging and alerting capabilities to help detect any further unauthorized activity.”)</p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">LastPass has said that most users won’t have to take any action to secure themselves after this breach.
Palant disagrees, calling the recommendation “gross negligence.” Instead, he says that anyone who had a simple master password, a low number of iterations (<a href="">here’s how you can check</a>), or who’s potentially a “high value target” should consider changing all of their passwords immediately. </p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Is that the most fun thing to do over the holidays? No. But neither is cleaning up after someone accessed your accounts with a stolen password.</p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe"><em><strong>Update December 28th, 7:39PM ET: </strong>Updated to include comments from 1Password, which published its own rebuttal to LastPass’ claims.</em></p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe"><em><strong>Correction December 29th 11:24AM ET: </strong>A previous version of this article misinterpreted Palant’s claims about how easy it is to crack the password construction popularized by XKCD.
We regret the error.</em></p></div></div>
<div class="duet--page-layout--standard-article _6ytxv90"><ma class="md:px-34 relative px-20"><article id="ntent" class="mx-to my-24 w-full max-w-ntaer-lg md:mt-16 lg:mt-45"><div class="duet--article--le mx-to mb-28 w-full md:max-w-ntaer-md lg:mb-36 lg:max-w-none"><h1 class="mb-28 hidn max-w-[900px] font-polysans text-45 font-bold leadg-100 selectn:bg-ankl-20 lg:block">The LastPass disclosure of leaked password vaults is being torn apart by security experts</h1><div class="flex flex-l lg:flex-row-reverse lg:jtify-end"><div class="flex-l lg:flex lg:ml-40"><div class="mb-24 grow"><span class="font-polysans text-22 font-light leadg-110 md:text-30 lg:block"><span class="text-blurple"> / </span><h2 class="le selectn:bg-ankl-20">The company announced last week that users' password vaults had been stolen. Things have gone downhill from there.</h2></span></div><div><div class="mb-2 text-blurple [&>p>span:first-child]:text-gray-13 [&]:text-gray-13"><p class="duet--article--article-byle max-w-[550px] font-polysans text-12 leadg-120"><span>By</span> <span><span class="duet--article-byle-and"></span> <span class="font-medium"><a class="hover:shadow-unrle-her" href="/thors/mchell-clark">Mitchell Clark</a></span></span></p></div><div class="duet--article--date-and-ments mb-12 le-block font-polysans text-12 text-gray-5a"><time dateTime="2022-12-29T00:39:47.346Z" class="duet--article--timtamp font-polysans text-12">Updated<!-- --> <!-- -->Dec 29, 2022, 12:39 AM UTC</time></div></div></div><div class="w-full shrk-0 lg:basis-[600px]"><div class="md:pl-0"><figure class="duet--article--le-image w-full"><div class="duet--media--ptn pt-6 font-polysans-mono text-12 font-light leadg-130 trackg-1"> <ce class="duet--article--dangeroly-set-cms-markup le not-alic text-gray-63 dark:text-gray-bd [&>a:hover]:text-gray-63 [&>a:hover]:shadow-unrle-black dark:[&>a:hover]:text-gray-bd dark:[&>a:hover]:shadow-unrle-gray [&>a]:shadow-unrle-gray-63 dark:[&>a]:text-gray-bd dark:[&>a]:shadow-unrle-gray">Photo by Amelia Holowaty Krales / The Verge</ce></div></figure></div></div></div></div><div class="relative md:mx-to md:flex md:max-w-ntaer-md lg:max-w-none"><div class="duet--article--article-body-ponent-ntaer clearfix sm:ml-to md:ml-100 md:max-w-article-body lg:mx-100"><div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20
dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Last week, just before Christmas, LastPass <a href="/2022/12/22/23523322/lastpass-data-breach-cloud-encrypted-password-vlt-hackers">dropped a bombshell announcement</a>: as the result of a breach in August, which led to another breach in November, hackers had gotten their hands on users’ password vaults. While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing <a href="">its post</a>, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager.</p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">LastPass’ December 22nd statement was “full of omissions, half-truths and outright lies,” reads <a href="">a blog post from Wladimir Palant</a>, a security researcher known for helping originally develop AdBlock Pro, among other things.
Some of his criticisms deal with how the company has framed the incident and how transparent it’s being; he accuses the company of trying to portray <a href="/2022/8/26/23323738/lastpass-secury-cint-source-">the August incident</a> where LastPass says “some source code and technical information were stolen” as a separate breach when he says that in reality the company “failed to contain” the breach.</p></div><div class="duet--article--article-body-ponent clear-both block md:float-left md:mr-30 md:w-[320px] lg:-ml-100"><div class="duet--article--article-pullquote mb-20"><div class="mb-10 h-[22px] w-[65px] bg-ankl"></div><p class="duet--article--dangeroly-set-cms-markup relative bg-repeatg-l-dark bg-[length:1px_1.2em] pb-8 font-polysans text-28 font-medium leadg-120 trackg-1 selectn:bg-ankl-20 dark:bg-repeatg-l-light dark:text-whe dark:selectn:bg-blurple">“LastPass’s claim of ‘zero knowledge’ is a bald-faced lie.”</p></div></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">He also highlights LastPass’ admission that the leaked data included “the IP addresses from which customers were accessing the LastPass service,” saying that could let the threat actor “create a complete movement profile” of customers if LastPass was logging every IP address you used with its service.</p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Another security researcher, Jeremi Gosney, wrote <a href="">a long post on Mastodon</a> explaining his recommendation to
move to another password manager. “LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” he says, alleging that the company has “about as much knowledge as a password manager can possibly get away with.” </p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">LastPass claims its “zero knowledge” architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn’t dispute that particular point, he does say that the phrase is misleading. “I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no — with LastPass, your vault is a plaintext file and only a few select fields are encrypted.”</p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Palant also notes that the encryption only does you any good if the hackers can’t crack your master password, which is LastPass’ main defense in its post: if you use its defaults for password length and strengthening and haven’t reused it on another site, “it would take millions of years to guess your master password using generally-available password-cracking technology” wrote Karim Toubba, the company’s CEO.
</p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">“This prepares the ground for blaming the customers,” writes Palant, saying that “LastPass should be aware that passwords <em>will</em> be decrypted for at least some of their customers. And they have a convenient explanation already: the customers clearly didn’t follow their best practices.” However, he also points out that LastPass hasn’t necessarily enforced those standards. Despite the fact that it made 12-character passwords the default in 2018, Palant says, “I can log in with my eight-character password without any warnings or prompts to change it.”</p></div><div class="duet--article--article-body-ponent clear-both block md:float-left md:mr-30 md:w-[320px] lg:-ml-100"><div class="duet--media--embed m-h-[270px] mb-20 w-full md:max-w-[460px]"></div></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">LastPass’ post has even elicited a response from a competitor, 1Password — on Wednesday, the company’s principal security architect Jeffrey Goldberg <a href="">wrote a post for its site</a> titled “Not in a million years: It can take far less to crack a LastPass password.” In it, Goldberg calls LastPass’ claim of it taking a million years to crack a master password “highly misleading,” saying that the statistic appears to assume a 12 character, randomly generated password.
“Passwords created by humans come nowhere near meeting that requirement,” he writes, saying that threat actors would be able to prioritize certain guesses based on how people construct passwords they can actually remember. </p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Of course, a competitor’s word should probably be taken with a grain of salt, though Palant echoes a similar idea in his post — he claims the <a href="">viral XKCD method</a> of creating passwords would take around 3 years to guess with a single GPU, while some 11-character passwords (that many people may consider to be good) would only take around 25 minutes to crack with the same hardware. It goes without saying that a motivated actor trying to crack into a specific target’s vault could probably throw more than one GPU at the problem, potentially cutting that time down by orders of magnitude.</p></div><div class="duet--article--article-body-ponent clear-both block md:float-left md:mr-30 md:w-[320px] lg:-ml-100"><div class="duet--article--article-pullquote mb-20"><div class="mb-10 h-[22px] w-[65px] bg-ankl"></div><p class="duet--article--dangeroly-set-cms-markup relative bg-repeatg-l-dark bg-[length:1px_1.2em] pb-8 font-polysans text-28 font-medium leadg-120 trackg-1 selectn:bg-ankl-20 dark:bg-repeatg-l-light dark:text-whe dark:selectn:bg-blurple">“They essentially commit every ‘crypto 101’ sin”</p></div></div><div class="duet--article--article-body-ponent clear-both block md:float-left md:mr-30 md:w-[320px] lg:-ml-100"><div class="duet--recirculatn--related-list mb-40"><h3 class="mb-16 font-polysans-mono text-14 font-medium leadg-120 -trackg-1 text-blurple after:pl-8 after:ntent-['/']">Related</h3><ul class="list-disc pl-18 font-polysans text-16 font-medium leadg-110
marker:text-ankl"><li class="mb-16 pl-12"><a class="hover:shadow-unrle-black" href="/22311182/bt-ee-password-manager-bwarn-zoho-vlt-roboform-sticky-password">The best free password manager</a></li><li class="mb-16 pl-12"><a class="hover:shadow-unrle-black" href="/22285499/password-manager-lastpass-ee-bwarn-zoho">Six free alternatives to the LastPass password manager</a></li></ul></div></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Both Gosney and Palant take issue with LastPass’ actual cryptography too, though for different reasons. Gosney accuses the company of basically committing “every ‘crypto 101’ sin” with how its encryption is implemented and how it manages data once it’s been loaded into your device’s memory. </p></div><div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Meanwhile, Palant criticizes the company’s post for painting its password-strengthening algorithm, known as PBKDF2, as “stronger-than-typical.” The idea behind the standard is that it makes it harder to brute-force guess your passwords, as you’d have to perform a certain number of calculations on each guess.
“I seriously wonder what LastPass considers typical,” writes Palant, “given that 100,000 PBKDF2 iterations are the lowest number I’ve seen in any current password manager.” </p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Bitwarden, another popular password manager, <a href=">says that its app uses 100,001 iterations</a>, and that it adds another 100,000 iterations when your password is stored on the server for a total of 200,001. <a href=">1Password says</a> it uses 100,000 iterations, but its encryption scheme means that you have to have both a secret key and your master password to unlock your data. That feature “ensures that if anyone does obtain a copy of your vault, they simply cannot access it with the master password alone, making it uncrackable,” according to Gosney.</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Palant also points out that LastPass hasn’t always had that level of security and that older accounts may only have 5,000 iterations or less — something <em>The Verge</em> confirmed last week. That, along with the fact that it still lets you have an eight-character password, makes it hard to take LastPass’ claims about it taking millions of years to crack a master password seriously. Even if that’s true for someone who set up a new account, what about people who have used the software for years? 
If LastPass hasn’t issued a warning about or forced an upgrade to those better settings (which Palant says hasn’t happened for him), then its “defaults” aren’t necessarily useful as an indicator of how worried its users should be.</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Another sticking point is the fact that LastPass has, <a href=">for years</a>, ignored pleas to encrypt data such as URLs. Palant points out that knowing where people have accounts could help hackers specifically target individuals. “Threat actors would <em>love</em> to know what you have access to. Then they could produce well-targeted phishing emails just for the people who are worth their effort,” he wrote. He also points out that sometimes URLs saved in LastPass could give people more access than intended, using the example of a password reset link that isn’t properly expired.</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">There’s also a privacy angle; you can tell a <em>lot</em> about a person based on what websites they use. What if you used LastPass to store your account info for a niche porn site? Could someone figure out what area you live in based on your utility provider accounts? 
Would the info that you use a gay dating app <a href="/2022/2/9/22925073/grdr-lims-visibily-beijg-olympics-village">put your freedom or life in danger</a>?</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">One thing that several security experts, including Gosney and Palant, seem to agree on is the fact that this breach isn’t proof positive that cloud-based password managers are a bad idea. This seems to be in response to people who evangelize the benefits of completely offline password managers (or even just writing down randomly-generated passwords in a notebook, as I <a href="/2022/12/22/23523322/lastpass-data-breach-cloud-encrypted-password-vlt-hackers?mentID=8f8d23ea-0756-46c2-8bf8-34b745c751">saw one commenter suggest</a>). There are, of course, obvious benefits to this approach — a company that <a href=">stores millions of people’s passwords</a> will get more attention from hackers than one individual’s computer will, and getting at something that’s not on the cloud is a lot harder. </p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">But, like crypto’s promises of letting you be your own bank, running your own password manager can come with more challenges than people realize. 
Losing your vault via a hard drive crash or another incident could be catastrophic, but backing it up introduces the risk of making it more vulnerable to theft. (And you did remember to tell your automatic cloud backup software to not upload your passwords, right?) Plus, syncing an offline vault between devices is, to put it mildly, a bit of a pain.</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">As for what people should do about all this, both Palant and Gosney recommend at least considering switching to another password manager, in part because of how LastPass has handled this breach and the fact that it’s the <a href=">company’s seventh security incident</a> in a little over a decade. “It’s abundantly clear that they do not care about their own security, and much less about your security,” Gosney writes, while Palant questions why LastPass didn’t detect that hackers were copying the vaults from its third-party cloud storage while it was happening. (The company’s post says it’s “added additional logging and alerting capabilities to help detect any further unauthorized activity.”)</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">LastPass has said that most users won’t have to take any action to secure themselves after this breach. 
Palant disagrees, calling the recommendation “gross negligence.” Instead, he says that anyone who had a simple master password, a low number of iterations (<a href=">here’s how you can check</a>), or who’s potentially a “high value target” should consider changing all of their passwords immediately. </p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe">Is that the most fun thing to do over the holidays? No. But neither is cleaning up after someone accessed your accounts with a stolen password.</p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe"><em><strong>Update December 28th, 7:39PM ET: </strong>Updated to include comments from 1Password, which published its own rebuttal to LastPass’ claims.</em></p></div>
<div class="duet--article--article-body-ponent"><p class="duet--article--dangeroly-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leadg-160 -trackg-1 selectn:bg-ankl-20 dark:text-whe dark:selectn:bg-blurple [&_a:hover]:shadow-highlight-ankl dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-unrle-black dark:[&_a]:shadow-unrle-whe"><em><strong>Correction December 29th 11:24AM ET: </strong>A previous version of this article misinterpreted Palant’s claims about how easy it is to crack the password construction popularized by XKCD. 
We regret the error.</em></p></div></div>
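Added example, not part of the original article and not any vendor's code: it derives keys with PBKDF2 at the iteration counts the article quotes, times one guess at each count on the local machine, and rescales the article's single-GPU estimates to the 5,000-iteration legacy setting. It assumes those estimates were made at 100,000 iterations (the article does not say), all function names are hypothetical, and the two-secret function is a simplified illustration of the secret-key idea, not 1Password's scheme.

```python
import hashlib
import hmac
import time

# Iteration counts quoted in the article.
LEGACY = 5_000                          # older LastPass accounts
CURRENT = 100_000                       # LastPass figure Palant quotes
CLIENT_PLUS_SERVER = 100_001 + 100_000  # Bitwarden's stated total

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: each guess costs `iterations` chained HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def derive_key_two_secret(password: str, secret_key: bytes, salt: bytes,
                          iterations: int) -> bytes:
    """Simplified two-secret derivation (illustrative, not 1Password's scheme):
    the password-derived key is XORed with a key derived from a random,
    device-held secret, so the password alone never yields the vault key."""
    from_password = derive_key(password, salt, iterations)
    from_secret = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(from_password, from_secret))

def seconds_per_guess(iterations: int, rounds: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation on this machine."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive_key("constructed-sample", b"constructed-salt", iterations)
        best = min(best, time.perf_counter() - start)
    return best

def rescale(reference_seconds: float, reference_iterations: int,
            actual_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so an offline-guessing
    estimate scales by the ratio of the two counts."""
    return reference_seconds * actual_iterations / reference_iterations

if __name__ == "__main__":
    for n in (LEGACY, CURRENT, CLIENT_PLUS_SERVER):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
    # Article's single-GPU figures. Assumption: they were computed at 100,000
    # iterations; the article does not state the count behind them.
    for label, secs in (("11-character password", 25 * 60),
                        ("XKCD-style passphrase", 3 * 365 * 86_400)):
        print(f"{label}: {secs:,} s at {CURRENT:,} iterations, "
              f"{rescale(secs, CURRENT, LEGACY):,.0f} s at {LEGACY:,}")
```

The timings depend on the CPU that runs the script; only the ratios between iteration counts carry over to other hardware.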