Showing posts with label Password Manager. Show all posts
Showing posts with label Password Manager. Show all posts

Tuesday, December 27, 2022

My New Criteria for a Password Manager

December 27, 2022

by Steve Endow


On December 22, 2022, LastPass disclosed that they had discovered that an attacker had copied a backup of customer "vault data" following a cyberattack and data breach that occurred in August 2022.

Aside from the obvious bad news, I initially learned of two interesting things about LastPass that I never would have thought to consider when evaluating password managers.

1. While web site username and password values are encrypted, the URL for the web site entry is not encrypted by LastPass.  I believe this poses a security risk for LastPass users.

2. Prior to 2018, LastPass used 5,000 iterations in the key derivation process. In 2018, they increased that to 100,100 iterations.  Even if you don't know what key derivation iterations are, just make note of that significant change.  From what I've read, older vaults were not automatically upgraded to the more secure configuration.  In theory, this means that vaults created prior to the 2018 upgrade are potentially more vulnerable to brute force password cracking.

How many digits can a Business Central Amount field actually support?

 by Steve Endow (If anyone has a technical explanation for the discrepancy between the Docs and the BC behavior, let me know!) On Sunday nig...