That means the chances of the attackers decrypting any one of the encrypted vaults they obtained would be very small if the master password was strong, meaning long, randomly generated, and high in entropy. However, not everyone uses such master passwords. If the master password was included in word lists exchanged by password crackers, the chances of success can be higher, although still unlikely.
Broadly speaking, the incident is similar to the 2022 LastPass breach, which also allowed attackers to obtain encrypted user vaults. Eventually, the attackers managed to obtain decrypted information from some of them. The success was the result of two things.
First, certain fields, such as website URLs, remained unencrypted in vaults. That meant attackers could read them even without the master password. Second, some of the stolen vaults used outdated algorithms that didn’t adequately strengthen the process for converting the plain-text password into a hash. Dashlane has said that no user fields in vaults are unencrypted. Further, when algorithms are periodically strengthened to account for advances in cracking abilities, the process occurs routinely, with no interaction required. The algorithm update process for LastPass vaults at the time came with more user friction.
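As an added illustration (not Dashlane's or LastPass's code, and not part of the original article), the following example shows one way a vault can raise its key-derivation work factor at unlock time with no extra step for the user. PBKDF2, the iteration counts and the record layout are assumptions chosen for the example, and the XOR wrap is a simplified stand-in for an authenticated cipher.

```python
import hashlib
import hmac
import os

POLICY_ITERATIONS = 600_000  # assumed current work factor, not a figure from the article

def _subkeys(password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """Stretch the master password once, then split it into wrap and auth keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (hmac.new(master, b"wrap", hashlib.sha256).digest(),
            hmac.new(master, b"auth", hashlib.sha256).digest())

def _tag(auth_key: bytes, salt: bytes, iterations: int, wrapped: bytes) -> bytes:
    # The tag covers the iteration count so a stored record cannot be downgraded.
    msg = salt + iterations.to_bytes(4, "big") + wrapped
    return hmac.new(auth_key, msg, hashlib.sha256).digest()

def wrap(password: str, vault_key: bytes, iterations: int) -> dict:
    """Protect a random 32-byte vault key under the master password."""
    if len(vault_key) != 32:
        raise ValueError("vault key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt, so each wrap key is used exactly once
    wrap_key, auth_key = _subkeys(password, salt, iterations)
    # XOR with a single-use key: simplified stand-in for an AEAD key wrap.
    wrapped = bytes(a ^ b for a, b in zip(vault_key, wrap_key))
    return {"salt": salt, "iterations": iterations, "wrapped": wrapped,
            "tag": _tag(auth_key, salt, iterations, wrapped)}

def unlock(password: str, record: dict, policy: int = POLICY_ITERATIONS):
    """Return (vault_key, record); the record is re-wrapped if below policy."""
    wrap_key, auth_key = _subkeys(password, record["salt"], record["iterations"])
    expected = _tag(auth_key, record["salt"], record["iterations"], record["wrapped"])
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong master password or modified record")
    vault_key = bytes(a ^ b for a, b in zip(record["wrapped"], wrap_key))
    if record["iterations"] < policy:
        # The password is in memory only during unlock, so upgrade here.
        record = wrap(password, vault_key, policy)
    return vault_key, record
```

A vault whose owner never unlocks it keeps its old work factor under this scheme, so the server side still needs a way to find and flag stale records.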
Dashlane’s initial notification omitted key details of the attack and led to considerable confusion about the ongoing risk users faced.
Out of an abundance of caution, both master passwords and the contents of any of the recovered Dashlane vaults should be changed immediately to reduce the chance, however unlikely, that the attackers succeed in breaking the master password. Unaffected Dashlane users don’t need to take any such action.

