How did the low iteration numbers come about?

The default for LastPass accounts wasn’t always 100,100 iterations. At some point this was changed to 500 iterations, later to 5,000. And the final change adjusted this value to 100,100 iterations. I don’t know exactly when and how these changes happened. Except for the last one: it happened in February 2018 as a result of my research.

Edit (): I now know more, thanks to
The switch to 500 iterations happened in June 2012, the one to 5,000 iterations in February 2013. To quote Sc00bz: “I shamed the CEO into increasing this. «I think it is irresponsible to tell your users the recommended iteration count is 500. When 12 years ago, PBKDF2 had a recommended minimum iteration count of 1000.»”

LastPass was notified through their bug bounty program on Bugcrowd. When they reported fixing the issue I asked them about existing accounts. So I prompted them again in an email on March 15th and got the reply that the migration should take until the end of May. I asked again about the state of the migration on May 23rd. This time the reply was that the migration is starting right now and is expected to complete by mid-June. On June 25th I was once again contacted by LastPass, asking me to delay disclosure until they finish migrating existing accounts. I replied asking whether the migration actually started now and got the response: yes, it did last week. My disclosure of the LastPass issues was finally published on July 9th, 2018. After all the delays requested by LastPass, their simultaneously published statement said:

We are in the process of automatically migrating all existing LastPass users to the new default.

We can now safely assume that the migration wasn’t actually underway even at this point. One user reported receiving an email about their account being upgraded to a higher password iterations count, and that was mid-2019. Worse yet, for reasons that are beyond me, LastPass didn’t complete this migration.
This setting is actually central to protecting your passwords if LastPass loses control of your data (like they did now). In order to decrypt them, the perpetrators need to guess your master password. The more iterations you have configured, the slower this guessing will be. The current OWASP recommendation is 310,000 iterations. So the LastPass default is already a factor of three below the recommendation.

What’s the impact if you have an even lower iterations number configured?

Let’s say you have a fairly strong master password, 50 bits of entropy. For example, it could be an eight-character random password, with uppercase and lowercase letters, digits and even some special characters. Yes, such a password is already rather hard to remember, but you want your passwords to be secure.

Or maybe you went for a diceware password. You took a word list for four dice (1296 words) and you randomly selected five words for your master password.

Choosing a password with 50 bits of entropy without it being randomized? No idea how one would do it. Humans are inherently bad at choosing strong passwords. You’d need a rather long password to get 50 bits, and you’d need to avoid obvious patterns like dictionary words.

Either way, if this is your password and someone got your LastPass vault, guessing your master password on a single graphics card would take on average 200 years. Not unrealistic (someone could get more graphics cards) but usually not worth the effort.

But that’s the calculation for 100,100 iterations. Let’s look at how time estimates and cost change depending on the number of iterations. I’ll be using the cost estimate by Jeffrey Goldberg who works at 1Password.

And that’s a rather strong password. According to this older study, the average password has merely 40 bits of entropy.
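The scaling described above, as an added example that is not from the original post and is not Jeffrey Goldberg's cost model: a small Python model calibrated to the post's own anchor figures (50-bit password, 100,100 iterations, 200 years on average on one graphics card) that shows how the average cracking time moves with the iteration count and the password entropy. The linear scaling in iterations and in number of cards, and all function names, are my assumptions.

```python
# Added example: cracking-time model for a PBKDF2-protected vault.
# Calibrated to the post's anchor (50-bit password, 100,100 iterations,
# 200 years on average on a single graphics card). Assumption: per-guess
# cost is proportional to the iteration count and throughput scales
# linearly with the number of cards.
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ANCHOR_ITERATIONS = 100_100
ANCHOR_ENTROPY_BITS = 50
ANCHOR_YEARS = 200.0
OWASP_MIN_ITERATIONS = 310_000  # recommendation cited in the post


def expected_guesses(entropy_bits: int) -> float:
    """On average an attacker tries half the keyspace before hitting the password."""
    return 2.0 ** (entropy_bits - 1)


def guesses_per_second(iterations: int, cards: int = 1) -> float:
    """Guess rate implied by the anchor; fewer PBKDF2 iterations means
    proportionally more guesses per second on the same hardware."""
    anchor_rate = expected_guesses(ANCHOR_ENTROPY_BITS) / (ANCHOR_YEARS * SECONDS_PER_YEAR)
    return anchor_rate * (ANCHOR_ITERATIONS / iterations) * cards


def average_crack_years(iterations: int, entropy_bits: int, cards: int = 1) -> float:
    """Average years to recover a master password of the given entropy."""
    return expected_guesses(entropy_bits) / guesses_per_second(iterations, cards) / SECONDS_PER_YEAR


def meets_owasp(iterations: int) -> bool:
    """Defender check: does the configured count reach the OWASP recommendation?"""
    return iterations >= OWASP_MIN_ITERATIONS


def scaling_table(iteration_counts=(OWASP_MIN_ITERATIONS, 100_100, 5_000, 500), entropies=(50, 40)):
    """Map (iterations, entropy_bits) -> average years on one card."""
    return {(it, bits): average_crack_years(it, bits) for it in iteration_counts for bits in entropies}


if __name__ == "__main__":
    for (it, bits), years in scaling_table().items():
        flag = "" if meets_owasp(it) else "  (below OWASP 310,000)"
        print(f"{it:>8} iterations, {bits}-bit password: {years:10.4f} years "
              f"({years * 365.25:10.1f} days){flag}")
```

The model reproduces the post's 200-year figure for 100,100 iterations and then shows the same 50-bit password falling to about 10 years at 5,000 iterations and about one year at 500, with a 40-bit password at 500 iterations down to hours.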