That means the chances of the attackers decrypting one of the encrypted vaults they obtained are very small in the event the master password was strong, meaning long, randomly generated, and of high entropy. However, not everyone uses such master passwords. In the event the master password was included in word lists exchanged by password crackers, the chances of success would be higher, though still unlikely.
Broadly speaking, the incident is similar to the 2022 LastPass breach, which also allowed attackers to obtain encrypted user vaults. Eventually, the attackers managed to obtain decrypted data from some of them. The success was the result of two things.
First, certain fields, such as website URLs, remained unencrypted in vaults. That meant attackers could read them even without the master password. Second, some of the stolen vaults used outdated algorithms that didn't adequately intensify the process for converting the plaintext password into a hash. Dashlane has said that no user fields in vaults are unencrypted. Further, when algorithms are periodically strengthened to account for advances in cracking abilities, the process happens automatically, with no interaction required. The algorithm update process for LastPass vaults at the time came with more user friction.
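The two points above, master-password entropy and automatic strengthening of the password-stretching algorithm, are easier to see in code. The following is an added illustration written for this article, not Dashlane's or LastPass's implementation: the vault header format, the `POLICY_ITERATIONS` value and the attacker hash rate used by `offline_guess_years` are all constructed assumptions. `unlock_vault` shows how a vault can be migrated to a stronger work factor at the moment the user unlocks it, with no extra interaction.

```python
import hashlib
import hmac
import os

# Policy target for new and upgraded vaults (assumed value, not Dashlane's real parameter).
POLICY_ITERATIONS = 600_000
VERIFIER_TAG = b"vault-key-verifier"

def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)

def key_verifier(key: bytes) -> bytes:
    """Tag stored beside the vault so the password can be checked without touching vault data."""
    return hmac.new(key, VERIFIER_TAG, "sha256").digest()

def new_vault(master_password: str, iterations: int = POLICY_ITERATIONS) -> dict:
    """Create a vault header (constructed format) that records the KDF parameters in use."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {"kdf": "pbkdf2-sha256", "iterations": iterations, "salt": salt, "verifier": key_verifier(key)}

def unlock_vault(vault: dict, master_password: str, policy_iterations: int = POLICY_ITERATIONS):
    """Check the password; if the stored work factor is below policy, re-stretch on the spot.

    Returns (key, upgraded). The user has just supplied the password, so the upgrade
    needs no further interaction: this is the property the article credits Dashlane with.
    """
    key = derive_key(master_password, vault["salt"], vault["iterations"])
    if not hmac.compare_digest(key_verifier(key), vault["verifier"]):
        return None, False
    if vault["iterations"] >= policy_iterations:
        return key, False
    salt = os.urandom(16)  # fresh salt for the re-stretched key
    key = derive_key(master_password, salt, policy_iterations)
    vault.update(iterations=policy_iterations, salt=salt, verifier=key_verifier(key))
    return key, True

def offline_guess_years(entropy_bits: float, iterations: int, hashes_per_second: float) -> float:
    """Expected years to search half the password space offline at a given raw hash rate.

    Both the entropy of the master password and the KDF iteration count multiply the
    attacker's cost, which is why a wordlist password is the weak point the article notes.
    """
    guesses = 2 ** entropy_bits / 2
    return guesses * iterations / hashes_per_second / (365 * 24 * 3600)
```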
Dashlane's initial notification left out key details of the attack and led to considerable confusion about the ongoing risk users faced.
Out of an abundance of caution, both master passwords and the contents of any of the recovered Dashlane vaults should be changed immediately to reduce the chance, however unlikely, that the attackers succeed in breaking the master password. Unaffected Dashlane users don't need to take any such action.