

LastPass teaches Sony how to handle a data breach - maskofsanity
http://www.securecomputing.net.au/News/256558,lastpass-warns-of-possible-data-breach.aspx
When LastPass, the popular and respected online password vault, saw an anomaly in its network traffic, it jumped. When it couldn't ascertain why there was slightly more output than input, it issued an alert for users to change their master passwords. It also installed better security measures like PBKDF2 and SHA-256.
The notification happened in less than a day and it's fast-tracking the crypto roll-outs.
So Sony (and Epsilon), what's your defence now?
======
CodeMage
Please don't editorialize in your submission title. What LastPass did is in no
way related to Sony. The article's last paragraph only mentions Sony and
Epsilon as examples of lax disclosure efforts.

------
lvh
Wait. Why are they repeating SHA-256 10^N times? What's the point? (I know
about key derivation and why you want it to be slow. I'm wondering why they're
doing that, when the article already mentions PBKDF2. Why it's PBKDF2 and not
scrypt or bcrypt is probably about buzzword compliance.)

~~~
derobert
Repeating a SHA-256 (or other hash) many times is essentially what PBKDF2 is.

Though since 100 million SHA-256/sec is apparently doable on GPUs, even with
100,000 rounds, you currently need at least an 8-character random password to
be secure from someone attacking without much budget.

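A worked version of derobert's point, added here and not part of the thread: PBKDF2-HMAC-SHA256 written out per RFC 2898 next to the naive "repeat SHA-256 N times" loop lvh asks about, plus the arithmetic behind the 100 million hashes/sec, 100,000 rounds, 8-character figure. The 62-symbol alphabet (a-z, A-Z, 0-9) is my assumption.

```python
import hashlib
import hmac
import math
import struct


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-SHA256 as the PRF.

    Each output block T_i = U_1 ^ U_2 ^ ... ^ U_c with U_1 = PRF(P, S || INT(i))
    and U_j = PRF(P, U_{j-1}). The password is the HMAC key and the salt seeds
    the chain; that is what separates it from plain repeated SHA-256.
    """
    hlen = 32
    out = b""
    for i in range(1, math.ceil(dklen / hlen) + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha256).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            for k in range(hlen):
                t[k] ^= u[k]
        out += bytes(t)
    return out[:dklen]


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check the hand-written PBKDF2 against hashlib's implementation."""
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == hashlib.pbkdf2_hmac(
        "sha256", password, salt, iterations, dklen
    )


def iterated_sha256(password: bytes, rounds: int) -> bytes:
    """The naive construction: hash the previous digest again, no salt, no key."""
    h = password
    for _ in range(rounds):
        h = hashlib.sha256(h).digest()
    return h


def years_to_exhaust(alphabet: int, length: int, hashes_per_sec: float, rounds: int) -> float:
    """Time to try every password of `length` symbols when each guess costs
    `rounds` hash calls on hardware doing `hashes_per_sec` hashes."""
    guesses_per_sec = hashes_per_sec / rounds
    return alphabet ** length / guesses_per_sec / (365 * 24 * 3600)
```

With 100 million SHA-256/sec and 100,000 rounds, an attacker tests about 1,000 guesses/sec, so exhausting 62^8 random 8-character passwords takes roughly 6,900 years; drop the rounds to 1 and the same search finishes in under a month.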
~~~
lvh
Yes, I know -- the question stands: why would you have both of these
concurrently in the same system? Either you want a KDF, or you don't want a
KDF -- pick one, and don't start reinventing your own (potentially poorly),
please :-(

