That means the chances of the attackers decrypting one of the many encrypted vaults they obtained would be very small in the event the master password was strong, meaning long, randomly generated, and of high entropy. However, not everyone uses such master passwords. In the event the master password was included in word lists exchanged by password crackers, the chances of success would be higher, though still unlikely.
Broadly speaking, the incident is similar to the 2022 LastPass breach, which also allowed attackers to obtain encrypted user vaults. Ultimately, the attackers managed to obtain decrypted data from some of them. The success was the result of two things.
First, certain fields, such as website URLs, remained unencrypted in vaults. That meant attackers could read them even without the master password. Second, some of the stolen vaults used outdated algorithms that didn't adequately strengthen the process of converting the plaintext password into a hash. Dashlane has said that no user fields in vaults are unencrypted. Further, when algorithms are periodically strengthened to account for advances in cracking capabilities, the process happens automatically, with no user interaction required. The algorithm update process for LastPass vaults at the time came with more user friction.
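As an added illustration of the two factors described above (example code, not Dashlane's or LastPass's actual implementation or parameters): a PBKDF2 password stretch, and a back-of-the-envelope estimate of how master-password entropy and the key-derivation iteration count jointly set an offline attacker's cost. The word-list size, iteration counts and attacker throughput are constructed assumptions.

```python
import hashlib
import math


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    # Stretch the master password into a 256-bit vault key. Every extra
    # iteration costs an attacker the same extra work for each guess.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def wordlist_entropy_bits(wordlist_size: int) -> float:
    # A password taken from a cracker's word list is only as strong as the
    # list is long: the attacker needs at most len(list) guesses.
    return math.log2(wordlist_size)


def random_password_entropy_bits(length: int, alphabet_size: int) -> float:
    # Uniformly random characters contribute log2(alphabet) bits each.
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           attacker_hashes_per_second: float) -> float:
    # On average half of the guess space is searched, and each guess costs
    # `iterations` hash computations. Throughput is an assumed attacker figure.
    guesses = 2.0 ** entropy_bits / 2
    return guesses * iterations / attacker_hashes_per_second


def compare_scenarios(attacker_hashes_per_second: float = 1e10) -> dict:
    # Constructed scenarios: a password present in a 10-million-entry word
    # list versus a 16-character random one, each under a weak (outdated)
    # and a strengthened iteration count. Both counts are illustrative.
    weak_kdf, strong_kdf = 5_000, 600_000
    scenarios = {}
    for name, bits in (("wordlist", wordlist_entropy_bits(10_000_000)),
                       ("random16", random_password_entropy_bits(16, 94))):
        for kdf_name, iters in (("weak_kdf", weak_kdf), ("strong_kdf", strong_kdf)):
            scenarios[f"{name}/{kdf_name}"] = expected_crack_seconds(
                bits, iters, attacker_hashes_per_second)
    return scenarios


if __name__ == "__main__":
    for scenario, seconds in compare_scenarios().items():
        print(f"{scenario:22s} ~{seconds / 86400:.3g} days")
```

The output shows why the article's advice differs by password type: a stronger KDF buys a word-list password only a constant factor, while a high-entropy master password is out of reach under either iteration count.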
Dashlane's initial notification omitted key details of the attack and led to considerable confusion about the ongoing risk users faced.
Out of an abundance of caution, both master passwords and the contents of any of the recovered Dashlane vaults should be changed immediately to reduce the chance, however unlikely, that the attackers succeed in breaking the master password. Unaffected Dashlane users don't need to take any such action.