
That means the chances of the attackers decrypting any one of the many encrypted vaults they obtained would be very small if the master password was strong, meaning long, randomly generated, and high in entropy. Not everyone uses such master passwords, however. If the master password appears in the word lists that password crackers trade among themselves, the chances of success would be higher, though still unlikely.
Broadly speaking, the incident is similar to the 2022 LastPass breach, which also allowed attackers to obtain encrypted user vaults. Eventually, the attackers managed to obtain decrypted data from some of them. That success was the result of two things.
First, certain fields, such as website URLs, remained unencrypted in the vaults. That meant attackers could read them even without the master password. Second, some of the stolen vaults used outdated key-derivation settings that did not sufficiently slow the process of converting the plaintext master password into the hash that protects the vault, so attackers could test candidate passwords cheaply. Dashlane has said that no user fields in its vaults are unencrypted. Further, when its algorithms are periodically strengthened to account for advances in cracking capabilities, the update happens automatically, with no user interaction required. The algorithm update process for LastPass vaults at the time involved more user friction.
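The two points above, that a master password found in a cracker's word list falls regardless of how strong the vault is, and that the key-derivation work factor is the only thing making each guess expensive, are easier to see in a toy model of the offline attack. The following is an added example written for this page, not code from the article, Dashlane or LastPass. It constructs a vault as a salt, a PBKDF2 iteration count and a verifier tag, runs a dictionary attack against it the way an attacker holding a stolen vault would, and estimates how long a random high-entropy master password would survive. The vault layout, the iteration counts, the word list and the assumed guess rate are all assumptions, not figures from the page.

```python
"""Added example, not code from the article, Dashlane or LastPass: a toy model
of the offline attack an attacker can mount on a stolen, encrypted vault.
The attacker holds the salt, the KDF parameters and a verifier derived from the
master password, so every guess can be checked locally with no rate limiting;
only the password's entropy and the KDF's work factor slow the attacker down.
The vault layout, iteration counts, word list and guess rate are assumptions."""
import hashlib
import hmac
import math
import os
import time

CHECK_MSG = b"vault-check"  # assumed: fixed message the vault keys an HMAC over


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. Cost per guess grows linearly with iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def make_vault(master_password: str, iterations: int) -> dict:
    """Constructed vault: salt, work factor and a verifier tag. A real vault
    carries AEAD-encrypted items instead; checking a guess by attempting a
    decryption costs the attacker the same as checking this tag."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    tag = hmac.new(key, CHECK_MSG, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "tag": tag}


def crack(vault: dict, wordlist: list[str]):
    """Offline dictionary attack. Returns (password, guesses) or (None, guesses)."""
    for n, candidate in enumerate(wordlist, 1):
        key = derive_key(candidate, vault["salt"], vault["iterations"])
        tag = hmac.new(key, CHECK_MSG, "sha256").digest()
        if hmac.compare_digest(tag, vault["tag"]):
            return candidate, n
    return None, len(wordlist)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a random password at the given guess rate:
    on average half the keyspace must be searched."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """The defender's lever: how long one guess costs at this work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


# Constructed word list standing in for the lists password crackers trade.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "iloveyou", "dragon", "monkey", "football"]

WEAK_ITERATIONS = 1_000      # assumed "outdated" work factor
STRONG_ITERATIONS = 100_000  # assumed strengthened work factor


def demo() -> dict:
    """Weak list-word master password vs. a random 20-character one, same vault format."""
    weak_vault = make_vault("letmein", WEAK_ITERATIONS)
    # 20 random characters from a 62-symbol alphabet: about 119 bits of entropy
    strong_vault = make_vault("qL8vZ2mPw0xT4rK9bN6c", WEAK_ITERATIONS)
    found_weak, tries_weak = crack(weak_vault, WORDLIST)
    found_strong, _ = crack(strong_vault, WORDLIST)
    bits = password_entropy_bits(20, 62)
    return {
        "weak_cracked": found_weak,
        "weak_guesses": tries_weak,
        "strong_cracked": found_strong,
        "strong_entropy_bits": bits,
        # assumed 1e12 guesses/s: a generous rate even for a large GPU farm
        "strong_expected_years": expected_crack_seconds(bits, 1e12) / 3.154e7,
    }


if __name__ == "__main__":
    print(demo())
    weak_t = seconds_per_guess(WEAK_ITERATIONS)
    strong_t = seconds_per_guess(STRONG_ITERATIONS)
    print(f"per-guess cost: {weak_t * 1e3:.2f} ms at {WEAK_ITERATIONS} iterations, "
          f"{strong_t * 1e3:.2f} ms at {STRONG_ITERATIONS} (x{strong_t / weak_t:.0f})")
```

Run stand-alone, the script shows the list-word password falling on the fourth guess while the random password is never found, and prints the roughly hundredfold increase in per-guess cost from raising the iteration count. The two defenses compose: a higher work factor multiplies the attacker's cost per guess, while entropy multiplies the number of guesses, and only the latter helps a user whose password is already in the attacker's list.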
Dashlane's initial notification omitted key details of the attack and led to considerable confusion about the ongoing risk users faced.
Out of an abundance of caution, both the master passwords and the contents of any of the recovered Dashlane vaults should be changed immediately to reduce the chance, however unlikely, that the attackers succeed in breaking the master password. Unaffected Dashlane users do not need to take any such action.