![]() So I prompted them again in an email on March 15th and got the reply that the migration should take until end of May. When they reported fixing the issue I asked them about existing accounts. ![]() LastPass was notified through their bug bounty program on Bugcrowd. When 12 years ago, PBKDF2 had a recommended minimum iteration count of 1000.»” «I think it is irresponsible to tell your users the recommended iteration count is 500. To quote Sc00bz: “I shamed the CEO into increasing this. Except for the last one: it happened in February 2018 as a result of my research.Įdit (): I now know more, thanks to The switch to 500 iterations happened in June 2012, the one to 5,000 iterations in February 2013. I don’t know exactly when and how these changes happened. And the final change adjusted this value to 100,100 iterations. At some point this was changed to 500 iterations, later to 5,000. The default for LastPass accounts wasn’t always 100,100 iterations. How did the low iteration numbers come about? According to this older study, the average password has merely 40 bits of entropy. I’ll be using the cost estimate by Jeffrey Goldberg who works at 1Password.Īnd that’s a rather strong password. Let’s look at how time estimates and cost change depending on the number of iterations. But that’s the calculation for 100,100 iterations. Not unrealistic (someone could get more graphics cards) but usually not worth the effort. You’d need a rather long password to get 50 bits, and you’d need to avoid obvious patterns like dictionary words.Įither way, if this is your password and someone got your LastPass vault, guessing your master password on a single graphics card would take on average 200 years. Humans are inherently bad at choosing strong passwords. You took a word list for four dices (1296 words) and you randomly selected five words for your master password.Ĭhoosing a password with 50 bits entropy without it being randomized? No idea how one would do it. Or maybe you went for a diceware password. Yes, such password is already rather hard to remember but you want your passwords to be secure. ![]() For example, it could be an eight character random password, with uppercase and lowercase letters, digits and even some special characters. What’s the impact if you have an even lower iterations number configured? Let’s say you have a fairly strong master password, 50 bits of entropy. So the LastPass default is already factor three below the recommendation. The current OWASP recommendation is 310,000 iterations. The more iterations you have configured, the slower this guessing will be. In order to decrypt them, the perpetrators need to guess your master password. This setting is actually central to protecting your passwords if LastPass loses control of your data (like they did now). How did the low iteration numbers come about?. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |