

I could just be reading too much into it and I'm definitely not making an accusation. Considering it looks like site URLs were also leaked, and it's best practice to have unique and strong passwords anyways. But I also can't help being a little suspicious of how well they handled the encryption considering this all started because a devops engineer had his master password stolen from his home PC.

Some of their response to the breach has me kind of suspicious of their implementation as well. The fact that they specifically ask, as one of the "What should I do" questions, if your stored passwords are strong and unique makes me wonder if they're misusing the encryption. Perhaps, since they're using AES, not setting a unique IV for each item. If you don't set a unique IV for each encrypted password, then any duplicate passwords would appear the same in the binary data. The point of a unique IV is to make even totally identical content encrypted with the same key appear different in the resulting encrypted binary. So it really shouldn't matter if your passwords are strong and unique; from that perspective, all of the blob data should be unique.
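The IV point above as an added Go example (not code from this post or from the vendor's product): AES-CBC with one fixed IV beside AES-CBC with a fresh IV per item, and the check a vault owner could run over an exported set of blobs. The key, the password and the iv||ciphertext blob layout are constructed assumptions for illustration; the vendor's real scheme is not known here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// encryptCBC: PKCS#7-pad plaintext, AES-CBC encrypt under key/iv, return iv||ciphertext.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...), nil
}

// EncryptFixedIV models the misuse: every item reuses one (all-zero) IV, so equal passwords give equal blobs.
func EncryptFixedIV(key, plaintext []byte) ([]byte, error) {
	return encryptCBC(key, make([]byte, aes.BlockSize), plaintext)
}

// EncryptRandomIV draws a fresh IV per item, so equal passwords give unrelated blobs.
func EncryptRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return encryptCBC(key, iv, plaintext)
}

// CountDuplicateBlobs is the owner-side check: byte-identical blobs in an export mean duplicate plaintexts leaked.
func CountDuplicateBlobs(blobs [][]byte) int {
	seen, dups := map[string]bool{}, 0
	for _, b := range blobs {
		if seen[string(b)] {
			dups++
		}
		seen[string(b)] = true
	}
	return dups
}
```

Encrypting the same constructed password twice with EncryptFixedIV yields two identical blobs, which CountDuplicateBlobs reports as one duplicate; the same two calls through EncryptRandomIV yield distinct blobs and no duplicates.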
