LastPass breach: The significance of these password iterations (opens in new tab)

(palant.info)

47 pointshjuutilainen3y ago15 comments

15 comments

As I feared, I changed the iterations myself at some point, and they never "migrated" it to the new value. So it's above the old default, but well below the recommended number of iterations.

I don't suppose it being a non-obvious value makes it any more secure? Is an attacker brute forcing the thing likely to try obvious default values first and then give up if they don't work? Or will they simply +1 the iteration count until they hit paydirt?

palant3y ago

Disclaimer: I’m the author of this article.

No, the iteration count is no secret. It’s even exposed via a public API, anyone can query it if they know the email address.

AdmiralAsshat3y ago

Well, balls. Thanks for confirming.

robin_reala3y ago

…why would you even do that?

1 more reply

BuildTheRobots3y ago

[1] makes it seem like the number of rounds is included unencrypted at least on the client side binary databases. As it's sent over the wire when downloading the vault, lastpass would _have_ to have that in clear text somewhere.

[1] https://github.com/cfbao/lastpass-vault-parser

postpawl3y ago

For anyone else having trouble finding the “show advanced settings” button: It’s at the bottom of the account settings pop up where ok/cancel buttons usually are.

foreverCarlos3y ago

Interesting. This is starting to look like gross negligence that might bite LogMeIn really hard.

stubish3y ago

Can attackers can easily tell the 1 and 500 iteration databases and focus their resources in breaching those ones?

palant3y ago

Disclaimer: I’m the author of this article.

Yes. The number of iterations is presumably stored in the same customers database that they stole. Even if not: the number of iterations can be queried via a public API, anyone can do it if they know the email address.

Havoc3y ago

>GTX 1080 Ti graphics card (cost factor: less than $1000) can be used to test 346,000 guesses per second.

>GeForce RTX 4090 graphics card could test more than 88,000 guesses per second!

Guessing we're missing a zero there?

palant3y ago

Disclaimer: I’m the author of this article.

I don’t think so. 346,000 guesses four years ago was for the old default: 5,000 iterations. 88,000 guesses is on more powerful hardware but with the new default: 100,100 iterations.

Havoc3y ago

Ah gotcha.

smoothgrammer3y ago

The article is missing key data. The password iterations that are set low are client side. The server side is different.

The writer of the article needs to retract.

https://support.lastpass.com/help/about-password-iterations-...

palant3y ago

Disclaimer: I’m the author of this article.

I’m not missing anything. It’s LastPass who finally need to retract this article. I proved back in 2018 that server-side iterations are misimplemented and have no security effect. That’s why they increased the client-side value in the first place. See https://palant.info/2018/07/09/is-your-lastpass-data-really-...

j / k navigate · click thread line to collapse

15 comments

AdmiralAsshat3y ago

As I feared, I changed the iterations myself at some point, and they never "migrated" it to the new value. So it's above the old default, but well below the recommended number of iterations.

palant3y ago

Disclaimer: I’m the author of this article.

No, the iteration count is no secret. It’s even exposed via a public API, anyone can query it if they know the email address.

AdmiralAsshat3y ago

Well, balls. Thanks for confirming.

robin_reala3y ago

…why would you even do that?

1 more reply

BuildTheRobots3y ago

[1] https://github.com/cfbao/lastpass-vault-parser

postpawl3y ago

For anyone else having trouble finding the “show advanced settings” button: It’s at the bottom of the account settings pop up where ok/cancel buttons usually are.

foreverCarlos3y ago

Interesting. This is starting to look like gross negligence that might bite LogMeIn really hard.

stubish3y ago

Can attackers can easily tell the 1 and 500 iteration databases and focus their resources in breaching those ones?

palant3y ago

Disclaimer: I’m the author of this article.

Havoc3y ago

>GTX 1080 Ti graphics card (cost factor: less than $1000) can be used to test 346,000 guesses per second.

>GeForce RTX 4090 graphics card could test more than 88,000 guesses per second!

Guessing we're missing a zero there?

palant3y ago

Disclaimer: I’m the author of this article.

I don’t think so. 346,000 guesses four years ago was for the old default: 5,000 iterations. 88,000 guesses is on more powerful hardware but with the new default: 100,100 iterations.

Havoc3y ago

Ah gotcha.

smoothgrammer3y ago

The article is missing key data. The password iterations that are set low are client side. The server side is different.

The writer of the article needs to retract.

https://support.lastpass.com/help/about-password-iterations-...

palant3y ago

Disclaimer: I’m the author of this article.

j / k navigate · click thread line to collapse