In December 2022, it came to light that attackers had captured the encrypted vaults of LastPass. The only thing that stands between the attackers and the encrypted passwords is the master password of the respective users. Configured 2-factor methods are completely useless in this scenario, but why is this actually the case?
In the talk I will provide an overview of the end-to-end encryption of password managers that are considered the industry standard, such as LastPass, 1Password, Dashlane, and Bitwarden. I will especially focus on 2FA and key stretching and explain how they protect against brute force attacks. Finally, I will show a new way of building an architecture that works without a master password.
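To make the abstract's point concrete, here is an added example (not code from the talk or from any of the named products) modelling a simplified vault: the vault key is stretched from the master password with PBKDF2, the server's 2FA check only gates delivery of the encrypted blob, and an offline unlock of a captured blob needs nothing but the master password. The HMAC-based keystream cipher is an assumption chosen for illustration, not any vendor's actual format.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed, simplified vault model (assumption: follows the general design the
# talk describes, not any vendor's exact scheme). The vault key depends only on the
# master password, salt and iteration count; the 2FA secret never enters it.

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    # Key stretching: every password guess costs `iterations` HMAC computations.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256 (illustration only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def seal_vault(master_password: str, plaintext: bytes, iterations: int) -> dict:
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_vault_key(master_password, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt, "iterations": iterations, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault_offline(blob: dict, master_password: str) -> Optional[bytes]:
    # Everything needed is inside the captured blob; no second factor is involved.
    key = derive_vault_key(master_password, blob["salt"], blob["iterations"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(blob["tag"], expected):
        return None  # wrong master password (or tampered blob)
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))

def login_online(blob: dict, master_password: str, totp_ok: bool) -> Optional[bytes]:
    # The 2FA check is a server-side access gate in front of the blob. Once the blob
    # has already been captured, this gate is simply not on the attacker's path.
    if not totp_ok:
        return None
    return open_vault_offline(blob, master_password)

def seconds_per_guess(iterations: int) -> float:
    # Shows what key stretching buys: cost of checking one master-password candidate.
    start = time.perf_counter()
    derive_vault_key("candidate", b"\x00" * 16, iterations)
    return time.perf_counter() - start
```

Raising the iteration count makes `seconds_per_guess` grow linearly, which is the only lever that slows an offline attacker once the blob is out; the 2FA gate in `login_online` does not.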
Speaker: Dominik Schürmann
Dr. Dominik Schürmann holds a PhD in IT security and published over 15 scientific papers during his time in academia. Besides research, he developed apps for email encryption and supervised Google Summer of Code for 3 years in a row. In 2018, he founded heylogin GmbH and launched the first password manager without a master password.
1 CPE point