Lastpass-vault-parser Alternatives
Similar projects and alternatives to lastpass-vault-parser
-
keepassxc
KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
-
SecLists
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
-
KeePassDX
Lightweight vault and password manager for Android. KeePassDX allows editing encrypted data stored in a single file in KeePass format and filling in forms in a secure way.
lastpass-vault-parser reviews and mentions
-
Millions of passwords stolen from LastPass earlier than company disclosed: Report
I know that I examined my local vault and fields that were associated with a credential were encrypted, but names and URLs were not. Some URLs were stored with a token in them. Regardless of that fact, I cycled all of my credentials as I migrated to another provider.
-
The Password Isn’t Dead Yet. You Need a Hardware Key
The biggest problem is that LastPass, in their infinite wisdom, made a vault format that is only partially encrypted. That means that would-be attackers will know what websites you have accounts on and can determine if your account is worth cracking without brute forcing a single password. We use LastPass at work and this puts a huge target on our backs and is the reason why we're rolling all passwords and switching password managers.
-
LastPass breach: The significance of these password iterations
[1] makes it seem like the number of rounds is included unencrypted at least on the client side binary databases. As it's sent over the wire when downloading the vault, lastpass would _have_ to have that in clear text somewhere.
https://github.com/cfbao/lastpass-vault-parser
-
A really interesting look at what LastPass got wrong, and, perhaps, why Bitwarden is doing things a bit better
FWIW, here's the LastPass vault format, and you can see only a few fields are marked as encrypted. /u/rouv3n summarized this better.
-
I'm sure LastPass setting the delete account to display: none was coincidental
https://github.com/cfbao/lastpass-vault-parser/blob/master/l...
This says notes (encrypted). Do you have a different source?
-
Lastpass Security Incident - December 22 update
According to some reverse engineering of the LastPass vault structure, notes are encrypted.
-
See what is unencrypted in your LastPass vault
The wiki (https://github.com/cfbao/lastpass-vault-parser/blob/master/l...) contains a list of all unencrypted fields in an `acct` data block. It is trivial to decode the custom format of LastPass (e.g. using exactly this tool, but figuring out the format manually doesn't seem much harder).
If anyone is interested, although this is originally from 2018, all of these fields still exist and still only the same 6 fields are encrypted. I checked this by creating a LastPass account with a temporary e-mail and looking at the `getaccts.php` network request made upon login to the website.
There also seem to be 3 new fields unknown to the tool (in the resulting csv these are just "?", "??", and "???"). "??" appears to be a timestamp related to settings or password change for a specific account.
Of particular interest are probably the following fields
-
LastPass users: Your info and vault data is now in hackers’ hands
It looks like the only relevant data that was unencrypted are the URLs [0]. I'm guessing that was some sort of design decision they made for the browser extension to be able to see if you had a password for that site.
If anything, apart from leaking the domain, which could still be a privacy issue, they should have at least sanitized the URLs to remove usernames or tokens if they were going to automatically save those URLs to the vault. I can guess that not doing so allowed their auto-login function to work on some websites by saving the login URL endpoint, but all I'd really want is the vault to keep the sanitized domain.
[0]: https://github.com/cfbao/lastpass-vault-parser/wiki/LastPass...
-
LastPass: Notice of Recent Security Incident
This repo claims to document the vault format.
https://github.com/cfbao/lastpass-vault-parser/wiki/LastPass...
-
Stats
cfbao/lastpass-vault-parser is an open source project licensed under GNU General Public License v3.0 only, which is an OSI-approved license.
The primary programming language of lastpass-vault-parser is Python.