I might play devil’s advocate and say it’s the opposite — 1Password enforces the secret key to protect their business, to “CYA” so that they are not liable if their servers are breached. More charitably, they want to reduce the “attractiveness” of their servers to attackers (which they have admitted was a motivation for this feature).
Tonight I received a notice from MS Authenticator asking me to approve a login attempt (while I was watching TV). Just now got around to looking it up, as I had previously denied it. Came from IP 23.152.225.5, which is googa.lopumac.de – “networking sharing device or proxy server” out of Rotan, Texas. ISP is listed as Rydell Properties, LLC. No way a .de domain name is from Texas. Unfortunately, logging into live.com doesn’t ask for your password. It usually defaults to sending the MS Authenticator app prompt first. I wish there were a way to change that.
This is very suspicious given the recent LastPass incident. I’m assuming I don’t need to change my password since Microsoft isn’t asking for the password currently and I denied the login attempt.
That is listed as a Tor exit node. The purpose of Tor is anonymous communication; the person making the login request could be anywhere in the world.
I would be very scared.
I know it’s difficult to estimate password entropy, but did you have a weak password or a low iteration count?
No, it’s a lengthy password. That’s not how Microsoft’s accounts work though. The majority of times, it doesn’t ask for a password. You enter your email address and it sends an authentication notification to the app to approve the login.
I believe that’s what happened here. I don’t think they have my password.
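The unsolicited Authenticator prompts described in the posts above (a push sent for a login the account owner never started, then denied or left to time out) are exactly what defenders look for in sign-in logs. The following is an added example, not from this thread and not Microsoft's or Bitwarden's code; it runs over a constructed line-per-JSON log with invented field names (`ts`, `user`, `event`, `ip`), not a real identity-provider schema, and flags accounts whose push prompts were rejected or timed out repeatedly inside a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (NOT a real identity-provider log format).
# "alice" gets three prompts she did not initiate within a few minutes;
# "bob" approves one prompt from his usual address.
SAMPLE_LOG = """
{"ts": "2023-01-20T21:02:11Z", "user": "alice", "event": "push_sent",     "ip": "203.0.113.7"}
{"ts": "2023-01-20T21:02:40Z", "user": "alice", "event": "push_denied",   "ip": "203.0.113.7"}
{"ts": "2023-01-20T21:05:03Z", "user": "alice", "event": "push_sent",     "ip": "203.0.113.7"}
{"ts": "2023-01-20T21:05:31Z", "user": "alice", "event": "push_denied",   "ip": "203.0.113.7"}
{"ts": "2023-01-20T21:09:15Z", "user": "alice", "event": "push_sent",     "ip": "203.0.113.7"}
{"ts": "2023-01-20T21:09:59Z", "user": "alice", "event": "push_timeout",  "ip": "203.0.113.7"}
{"ts": "2023-01-20T08:10:00Z", "user": "bob",   "event": "push_sent",     "ip": "198.51.100.20"}
{"ts": "2023-01-20T08:10:07Z", "user": "bob",   "event": "push_approved", "ip": "198.51.100.20"}
"""

REJECTED = {"push_denied", "push_timeout"}


def parse_events(text):
    """Parse one JSON record per line; timestamps are UTC in ISO 8601 with a Z suffix."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_push_fatigue(events, threshold=2, window=timedelta(minutes=15)):
    """Return {user: count} for users with at least `threshold` rejected or
    timed-out push prompts inside any sliding `window`. Approvals do not
    count: an approval is a separate (and worse) signal to review by hand."""
    rejected = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] in REJECTED:
            rejected[e["user"]].append(e["ts"])

    alerts = {}
    for user, times in rejected.items():
        start, best = 0, 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[user] = best
    return alerts


def prompt_sources(events, user):
    """Set of source IPs that caused prompts for `user`; the analyst then checks
    these against the user's known locations (as the poster above did by hand)."""
    return {e["ip"] for e in events if e["user"] == user and e["event"] == "push_sent"}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, n in find_push_fatigue(evs).items():
        print(f"ALERT {user}: {n} rejected/timed-out prompts, sources {prompt_sources(evs, user)}")
```

The threshold and window are deliberately parameters: a single denied prompt is noise (users mis-tap), while several rejections within minutes from an address the user has never signed in from is the pattern worth paging on, and the account's push-based sign-in should then be reviewed regardless of whether the password is believed to be known.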
What are the odds of enabling a memory-hard function like Argon2 (ahem), as PBKDF2 has shown how much weaker it is?
I have a question about this. Clearly, the icons make things easier. But, is that just as bad as LastPass not encrypting the URI? If there is a Chase icon that is not encrypted, can a hacker easily know that it is a bank login and focus their “attack” on that single login?
I have seen this addressed in the help file. I think it does leak some information, but not from an encrypted vault, so nothing as bad as LP, who don’t even encrypt the website URL.
Also icons can be disabled.
I left LastPass after the Dec 2022 breach revelation. I chose Bitwarden over 1Password. Bitwarden’s open source code gives me more confidence they’re actually doing what they’re selling. Nothing against 1Password, but whenever there’s proprietary code it’s too easy for developers to hide screwups when they happen.
LastPass needs to be shut down. Losing all their customers’ vaults is bad. But not encrypting all the vault data is outrageous malfeasance. I have no doubt this was intentional for monetizing their users. I trust my LP vaults will not be easily hacked, but revealing my email and websites sends shivers down my spine. Can’t wait for the phishing emails to start pouring into my inbox.
I’ve definitely noticed an uptick on those in the past week.
Side-channel attack risk with Argon?
@underdog99 Welcome to the community forums.
Interesting. Aren’t most side-channel attack vectors shared environments? Would the browser be a shared environment in this case, allowing for eavesdropping by malicious JavaScript?
So Argon2i or Argon2id would appear to be resistant to the side-channel attack vectors mentioned. The fallout from LP continues, and we keep learning new things about the weaknesses of PBKDF2. Seems like a great opportunity to shake things up, and BW appears to be responding to all of it, which is something that LP isn’t doing.
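The two posts above (the request for a memory-hard KDF, and the note that PBKDF2's weakness is what makes stolen vaults cheap to attack) come down to one number: how much memory each password guess ties up. The following is an added example, not code from this thread, from Bitwarden or from LastPass. Argon2 is not in the Python standard library, so `hashlib.scrypt` stands in as the memory-hard KDF here (its cost is `128 * r * N` bytes per guess); PBKDF2-HMAC-SHA256 is the compute-only comparison. The PBKDF2 iteration count is the OWASP password-storage guidance for SHA-256; the scrypt parameters are this example's own choice.

```python
import hashlib
import hmac
import os

# Cost parameters. PBKDF2 has only an iteration count, so a guess needs a few
# hundred bytes of state no matter how large the count is. scrypt also has N and
# r, and every guess must hold 128 * r * N bytes: that is what "memory hard" means.
PBKDF2_ITERATIONS = 600_000              # OWASP guidance for PBKDF2-HMAC-SHA256
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # 16 MiB per guess (example choice)


def derive_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Compute-only KDF: cost grows linearly with iterations, memory stays flat."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def derive_scrypt(password: str, salt: bytes, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> bytes:
    """Memory-hard KDF: each guess must keep a 128*r*N byte table live."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)


def scrypt_memory_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """Working memory one scrypt guess needs (128 * r * N bytes)."""
    return 128 * r * n


def parallel_guesses_in(memory_bytes: int, n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """How many scrypt guesses fit side by side in a given amount of RAM.
    PBKDF2 has no such ceiling, which is why GPUs chew through it so quickly."""
    return memory_bytes // scrypt_memory_bytes(n, r)


def make_verifier(password: str, kdf: str = "scrypt") -> dict:
    """Vault-style unlock record: random salt, KDF name, and a hash of the derived
    key (the key itself is never stored; this mirrors a server-side auth hash)."""
    salt = os.urandom(16)
    key = derive_scrypt(password, salt) if kdf == "scrypt" else derive_pbkdf2(password, salt)
    return {"kdf": kdf, "salt": salt, "auth": hashlib.sha256(key).digest()}


def check_password(verifier: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt = verifier["salt"]
    key = derive_scrypt(candidate, salt) if verifier["kdf"] == "scrypt" else derive_pbkdf2(candidate, salt)
    return hmac.compare_digest(hashlib.sha256(key).digest(), verifier["auth"])


if __name__ == "__main__":
    gib = 2 ** 30
    print(f"scrypt N={SCRYPT_N} r={SCRYPT_R}: {scrypt_memory_bytes() // 2**20} MiB per guess, "
          f"{parallel_guesses_in(gib)} guesses fit in 1 GiB")
    v = make_verifier("correct horse battery staple")
    print("unlock ok:", check_password(v, "correct horse battery staple"))
    print("wrong password ok:", check_password(v, "correct horse battery stapl"))
```

The point the thread is circling: raising PBKDF2 iterations raises attacker cost linearly and nothing else, whereas a memory-hard KDF caps how many guesses a device can run concurrently, so the same hardware budget buys far fewer guesses. Argon2id is the modern choice for the same reason; with the `argon2-cffi` package the derivation call would replace `derive_scrypt` and the verifier logic stays the same.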
Isn’t it best to encrypt all fields (e.g. “revisionDate”) and field contents? Also, if a custom field name is created, it will also be visible in the JSON file. For more details refer here.
@giantboxer Of course, more encryption may marginally improve privacy or security. But can you propose a plausible attack scenario in which a conscientious user (i.e., one who uses only unique, randomly generated, strong passwords for the logins stored in their vault, and for their Master Password) would be exposed to risk based on the clear-text storage of revision/creation dates in their vault?
This is not accurate (assuming that you are referring to the data.json file that holds the cached vault contents).