LastPass user data was compromised


LastPass is a free password manager that stores encrypted passwords in the cloud, created by the company Marvasol, Inc.

The developers of the LastPass password manager, which is used by more than 33 million people and more than 100,000 companies, notified users about an incident in which attackers gained access to backup storage containing user data from the service.

The data included information such as user names, addresses, emails, phone numbers, and the IP addresses from which the service was accessed, as well as the unencrypted names of the websites stored in the password manager, and the logins, passwords, form data, and private notes stored for those sites.

To protect the logins and passwords for the sites, AES encryption was used with a 256-bit key generated by the PBKDF2 function from a master password known only to the user, with a minimum length of 12 characters. Encryption and decryption of logins and passwords in LastPass are performed only on the user's side, and guessing the master password is considered infeasible on modern hardware, given the length of the master password and the number of PBKDF2 iterations applied.

To carry out the attack, the attackers used data they had obtained during the previous attack, which took place in August and was carried out by compromising the account of one of the service's developers.

The August attack gave the attackers access to the development environment, application code, and technical information. It later emerged that the attackers used data from the development environment to attack another developer, and in this way obtained the cloud storage access keys and the keys for decrypting data from the containers stored there. The compromised cloud servers hosted full backups of the production service's data.

The disclosure represents a dramatic update to the breach that LastPass disclosed in August. The publisher acknowledged that the hackers "took portions of source code and some technical information from LastPass." The company said at the time that customers' master passwords, encrypted passwords, personal information, and other data stored in customer accounts were not affected.

"256-bit AES and can only be decrypted with a unique key derived from each user's master password using our Zero Knowledge architecture," said LastPass CEO Karim Toubba, referring to the Advanced Encryption Scheme. Zero knowledge refers to storage systems that are impossible for the service provider to crack. The CEO continued:

He also listed several measures LastPass has taken to strengthen security after the breach. The steps include decommissioning the hacked development environment and rebuilding it from scratch, maintaining a managed endpoint detection and response service, and rotating all credentials and certificates that may have been compromised.

Given the sensitivity of the data LastPass stores, it is alarming that such a broad range of personal data was obtained. While cracking the password hashes would take considerable resources, it is not out of the question, particularly given the method and ingenuity of the attackers.

LastPass customers should make sure they have changed their master password and all the passwords stored in their vault. They should also make sure they are using settings that exceed the LastPass default settings.

Those settings hash passwords using 100100 iterations of the Password Based Key Derivation Function (PBKDF2), a hashing scheme that can make it infeasible to crack master passwords that are long, unique, and randomly generated. The 100100 figure falls well short of the OWASP recommendation of 310,000 iterations for PBKDF2 in combination with the SHA2 hash algorithm that LastPass uses.
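The following is an added example, not code from LastPass or from the original article, showing how the iteration count feeds into the cost of each master-password guess and how an account's settings compare with the figures quoted above. It assumes PBKDF2-HMAC-SHA256 with a 32-byte output; the function names, the sample password, the entropy levels and the HMAC rate are constructed for illustration.

```python
import hashlib
import os
import time

OWASP_MIN_ITERATIONS = 310_000         # OWASP figure quoted in the article
LASTPASS_DEFAULT_ITERATIONS = 100_100  # LastPass figure quoted in the article
MIN_MASTER_PASSWORD_LENGTH = 12        # minimum length quoted in the article
SECONDS_PER_YEAR = 365 * 24 * 3600

def derive_vault_key(master_password, salt, iterations):
    """Derive a 256-bit AES key with PBKDF2-HMAC-SHA256 (SHA-256 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def seconds_per_derivation(iterations, trials=3):
    """Best-of-N wall-clock cost of one derivation on this machine."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_vault_key("constructed sample password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def expected_search_years(entropy_bits, iterations, hmac_per_second):
    """Expected years to find a password drawn uniformly from 2**entropy_bits
    candidates. One guess costs `iterations` HMAC calls for a 32-byte key;
    hmac_per_second is an assumed hardware rate, not a measured one."""
    guesses_per_second = hmac_per_second / iterations
    return (2 ** (entropy_bits - 1)) / guesses_per_second / SECONDS_PER_YEAR

def audit_settings(iterations, master_password_length):
    """Return findings for an account's key-derivation settings."""
    findings = []
    if iterations < OWASP_MIN_ITERATIONS:
        findings.append(f"iterations {iterations} below OWASP minimum {OWASP_MIN_ITERATIONS}")
    if master_password_length < MIN_MASTER_PASSWORD_LENGTH:
        findings.append(f"master password shorter than {MIN_MASTER_PASSWORD_LENGTH} characters")
    return findings

if __name__ == "__main__":
    for n in (LASTPASS_DEFAULT_ITERATIONS, OWASP_MIN_ITERATIONS):
        print(n, f"{seconds_per_derivation(n):.3f}s per derivation", audit_settings(n, 12))
    for bits in (30, 50, 70):  # constructed entropy levels; 1e10 HMAC/s is an assumed rate
        years = expected_search_years(bits, LASTPASS_DEFAULT_ITERATIONS, 1e10)
        print(f"{bits} bits of entropy: {years:.3g} years expected")
```

The search time scales linearly with the iteration count but exponentially with password entropy, which is why a long, randomly generated master password matters more than the iteration setting alone.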

LastPass customers should also be especially vigilant about emails and phone calls purporting to come from LastPass or other services that ask for sensitive data, and about other scams that take advantage of their personal data. The company also has specific guidance for business customers who have implemented the LastPass federated login service.

Finally, if you are interested in learning more about it, you can consult the details at the following link.

