
RockYou Is Dead
Every penetration tester’s first move after dumping hashes is the same: run them against RockYou. It’s been the default wordlist since 2009 — 14.3 million passwords extracted from a single breach of a social gaming site. Kali ships it. Every hashcat tutorial references it. It’s the starting point for offline cracking, password spraying, and WiFi handshake attacks. How good is RockYou though? As far as I can tell, nobody has ever empirically measured RockYou’s coverage against modern breach data. I decided to fix that. ...

Four Preventable Failures from the LastPass Breach
TL;DR: Four operational and architectural failures from the LastPass breach, each fixable with patterns that existed in 2022. Engineers with privileged access were permitted to run non-current macOS versions, for which Apple has been shown to deliver patches late, if at all. This is a problem for organizations that stay one macOS version behind and follow a “patch within 30 days of availability” policy. Source code contained cleartext secrets instead of references to secrets fetched at runtime from a secrets manager. The decryption key for customer vault backups was stored in a LastPass vault instead of an HSM, and the rotation cost of that arrangement distorted the incident response in a dangerous direction. AWS credentials in the compromised vault had no IP, MFA, or VPC restrictions, so they worked from anywhere the moment the attacker had them. The detailed arguments and fixes are below. ...