Overrode securities using fake LP

Postby 3dc6500 » Sat Mar 18, 2017 1:28 pm

I would like to know: if an attacker has stolen a user's LP username and master password and built a modified LP, will the attacker then be able to override:
a) login prevention from a new IP and/or device without verifying the email address, 1) with an online requirement, 2) without an online requirement
b) the 2FA
3dc6500
 
Posts: 10
Joined: Sat Dec 20, 2014 2:47 am

Re: Overrode securities using fake LP

Postby jonat » Sun Mar 19, 2017 4:57 pm

No. The LastPass server is the one that decides if two-factor authentication passed.
jonat
 
Posts: 2198
Joined: Thu Dec 09, 2010 8:42 pm

Re: Overrode securities using fake LP

Postby 3dc6500 » Sun Mar 19, 2017 6:11 pm

Are you from LP?
Have you read my Q?
For Grid: the user can permit offline access...

If the attacker has a copy of the encrypted vault, can the attacker then open the vault without access to the 2FA item by building a fake LP that just bypasses the 2FA validation process?
3dc6500
 
Posts: 10
Joined: Sat Dec 20, 2014 2:47 am

Re: Overrode securities using fake LP

Postby jonat » Sun Mar 19, 2017 7:14 pm

I am not from LastPass. Yes, I read your question.

Unless the attacker ALSO has a device on which you previously logged in to LastPass, they don't get your vault until the 2FA challenge is met, or you have authorized the new IP from your email. As I said, the 2FA validation does not take place on your local device - it happens on LastPass' server. The server will not send the encrypted vault, and offline access is irrelevant if it's not one of your devices.

The best practice is:

1) Choose a strong master password and never share it
2) Enable 2FA
3) Set the "security email" to be an address you don't normally use and that you don't need LastPass to log in to. (What I do is use webmail on a domain I have registered but isn't one I use for email. A free account on any of a number of email services would also work.)
4) Don't have LastPass "remember" your password, and lock your device when you are away from it.
jonat
 
Posts: 2198
Joined: Thu Dec 09, 2010 8:42 pm

Re: Overrode securities using fake LP

Postby 3dc6500 » Sun Mar 19, 2017 8:54 pm

Why is offline access irrelevant if it's not one of your devices, if the attacker has a copy of the encrypted vault, the user's LP username and master password, and has made a modified LP where he bypasses the 2FA check, or the email check if the owner doesn't use 2FA? What prevents the attacker from decrypting the vault?
3dc6500
 
Posts: 10
Joined: Sat Dec 20, 2014 2:47 am

Re: Overrode securities using fake LP

Postby jpenny84 » Mon Mar 20, 2017 12:03 am

If the attacker has a copy of the encrypted vault, and login information, two factor auth won't help you. They can simply unplug the computer from the internet and decrypt the vault offline. Two factor auth only protects data from being downloaded from LastPass' servers.
jpenny84
 
Posts: 8679
Joined: Tue Mar 06, 2012 9:10 pm

Re: Overrode securities using fake LP

Postby jonat » Mon Mar 20, 2017 8:47 pm

3dc6500 wrote: Why is offline access irrelevant if it's not one of your devices, if the attacker has a copy of the encrypted vault, the user's LP username and master password, and has made a modified LP where he bypasses the 2FA check, or the email check if the owner doesn't use 2FA? What prevents the attacker from decrypting the vault?

If it's not one of your devices, the attacker DOESN'T have a copy of the encrypted vault and can't get it unless they pass the 2FA/email challenge. That was the point I tried to get across. A "fake LP" will be of no use to them.
jonat
 
Posts: 2198
Joined: Thu Dec 09, 2010 8:42 pm
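The two points made above (the server, not the client, enforces 2FA before releasing the vault blob; once an attacker holds the blob plus the master password, 2FA no longer matters) can be made concrete with a small model. The following is an added example, not LastPass code: the key-derivation shape (PBKDF2 over the master password salted with the username, one extra round to produce the login hash the server stores) follows the general design the thread describes, but the iteration count, the HMAC-based stream cipher standing in for AES, the toy TOTP, and every name, username, password and vault value are assumptions constructed for illustration.

```python
"""Toy model: server-gated download, client-side decryption (constructed example)."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_100  # assumption; real products use their own tuned value

# Constructed sample data, not real credentials.
SAMPLE_USERNAME = "alice@example.com"
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"
SAMPLE_VAULT = b'{"example.com": "hunter2"}'
TOTP_SECRET = b"toy-seed-not-a-real-secret"


def derive_keys(username: str, master_password: str) -> tuple[bytes, bytes]:
    """Vault key never leaves the client; only login_hash is sent to the server."""
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(), ITERATIONS)
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, login_hash


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for AES so the example runs on stdlib only.
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(vault_key, nonce, len(ct))))


def totp(secret: bytes, now: int, step: int = 30) -> int:
    """Minimal HOTP-over-time; 6 digits. Toy, not an RFC 6238 implementation."""
    digest = hmac.new(secret, (now // step).to_bytes(8, "big"), hashlib.sha1).digest()
    return int.from_bytes(digest[-4:], "big") % 10**6


class Server:
    """Holds only login_hash, the encrypted blob, and the 2FA seed; never the vault key."""

    def __init__(self, username, login_hash, encrypted_vault, totp_secret):
        self.username, self.login_hash = username, login_hash
        self.encrypted_vault, self.totp_secret = encrypted_vault, totp_secret

    def login(self, username, login_hash, totp_code, now):
        if username != self.username or not hmac.compare_digest(login_hash, self.login_hash):
            return None
        # The 2FA decision is made here. A patched client that skips its own prompt
        # simply arrives with no valid code and gets nothing back.
        if totp_code is None or totp_code != totp(self.totp_secret, now):
            return None
        return self.encrypted_vault


def build_server() -> Server:
    vault_key, login_hash = derive_keys(SAMPLE_USERNAME, SAMPLE_MASTER_PASSWORD)
    return Server(SAMPLE_USERNAME, login_hash, encrypt_vault(vault_key, SAMPLE_VAULT), TOTP_SECRET)


def legitimate_login(server: Server, now: int) -> bytes:
    """Real user: correct password and the current code from their authenticator."""
    vault_key, login_hash = derive_keys(SAMPLE_USERNAME, SAMPLE_MASTER_PASSWORD)
    blob = server.login(SAMPLE_USERNAME, login_hash, totp(TOTP_SECRET, now), now)
    return decrypt_vault(vault_key, blob)


def attacker_online_without_second_factor(server: Server, now: int):
    """Stolen username + master password, 'fake LP' that skips the 2FA prompt."""
    _, login_hash = derive_keys(SAMPLE_USERNAME, SAMPLE_MASTER_PASSWORD)
    return server.login(SAMPLE_USERNAME, login_hash, None, now)  # server says no


def attacker_offline_with_blob(blob: bytes, master_password: str) -> bytes:
    """Blob already copied from a logged-in device: the server is never consulted."""
    vault_key, _ = derive_keys(SAMPLE_USERNAME, master_password)
    return decrypt_vault(vault_key, blob)
```

Running the three scenarios shows the asymmetry the thread arrives at: the online attacker with a patched client gets `None` because the server holds the decision, while an attacker who already has the blob (for instance from a device where offline access was permitted) decrypts it with the master password alone, and only a wrong master password stops them.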

Re: Overrode securities using fake LP

Postby 3dc6500 » Tue Mar 21, 2017 5:47 am

Thank you for all A..
3dc6500
 
Posts: 10
Joined: Sat Dec 20, 2014 2:47 am
