
That means the chances of the attackers decrypting one of the encrypted vaults they obtained may be very small in the event the master password was strong, meaning long, randomly generated, and high in entropy. However, not everyone uses such master passwords. In the event the master password was included in word lists exchanged by password crackers, the chances of success would be higher, though still unlikely.
Broadly speaking, the incident is similar to the 2022 LastPass breach, which also allowed attackers to obtain encrypted user vaults. Eventually, the attackers managed to obtain decrypted information from some of them. The success was the result of two things.
First, certain fields, such as website URLs, remained unencrypted in vaults. That meant attackers could read them even without the master password. Second, some of the stolen vaults used outdated algorithms that didn't adequately strengthen the process for converting the plain-text password into a hash. Dashlane has said that no user fields in vaults are unencrypted. Further, when algorithms are periodically strengthened to account for advances in cracking abilities, the process occurs automatically, with no interaction required. The algorithm update process for LastPass vaults at the time came with more user friction.
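The automatic strengthening described above can be sketched as a re-derivation on unlock. This is an added example, not Dashlane's or LastPass's code; PBKDF2, the iteration counts, the header layout and the function names are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

CURRENT_ITERATIONS = 600_000  # assumed current policy value for this sketch
LEGACY_ITERATIONS = 5_000     # assumed outdated setting (constructed)

def derive(password, salt, iterations):
    """Stretch the master password into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verifier(key):
    """Check value stored beside the vault; it is derived from the key, not the key."""
    return hmac.new(key, b"vault-unlock-check", hashlib.sha256).digest()

def create_header(password, iterations):
    """Build the hypothetical vault header: KDF parameters plus the check value."""
    salt = os.urandom(16)
    return {"iterations": iterations, "salt": salt,
            "check": verifier(derive(password, salt, iterations))}

def unlock(header, password):
    """Return (unlocked, upgraded); strengthens the header in place when needed."""
    key = derive(password, header["salt"], header["iterations"])
    if not hmac.compare_digest(verifier(key), header["check"]):
        return False, False
    if header["iterations"] >= CURRENT_ITERATIONS:
        return True, False
    # The master password is only available at unlock time, so this is the one
    # moment the service can raise the work factor without asking the user.
    # A real vault would also re-encrypt or re-wrap its data key here.
    header.update(create_header(password, CURRENT_ITERATIONS))
    return True, True

if __name__ == "__main__":
    header = create_header("correct horse battery staple", LEGACY_ITERATIONS)
    print(unlock(header, "wrong guess"), header["iterations"])
    print(unlock(header, "correct horse battery staple"), header["iterations"])
    print(unlock(header, "correct horse battery staple"), header["iterations"])
```

An upgrade of this kind only protects copies of the vault taken afterwards; a copy exfiltrated earlier keeps the work factor it had when it was stolen.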
Dashlane’s initial notification left out key details of the attack and led to considerable confusion about the ongoing risk users faced.
Out of an abundance of caution, both master passwords and the contents of any of the recovered Dashlane vaults should be changed immediately to reduce the chance, however unlikely, that the attackers succeed in breaking the master password. Unaffected Dashlane users don’t need to take any such action.




