Thanks to everyone for all the feedback. After logging out of LP on all but one mac, I changed the iterations successfully to 100100; this only took about a minute, and did populate to my other macs/phone when I logged back in on them. I’ll report back tomorrow if the change doesn’t stick (as happened to Adam earlier). Many thanks to all.
2 Likes
The Washington Post help desk column was actually quite good. So often the big media papers get these somewhat wrong. (This should not be behind the paywall.)
While the general drift of that article is excellent, I’m not sure I’d take much security advice from a columnist who stores their password manager password on a piece of paper in their wallet! Yikes.
1 Like
But what is the marginal value of increasing the number of iterations beyond a thousand?
My understanding is that there are only two benefits of PBKDF2:
- The salting and hashing of the Master Password make the resulting key more random (and possibly longer depending on the implementation); and
- Each guess takes longer.
For online attacks, wouldn’t LastPass notice even just 100 consecutive failed attempts to access a Vault and then prevent additional guesses. Does making each guess take longer make any difference for good passwords if LastPass limits the number of guesses?
For offline attacks of Vaults with good passwords, I don’t understand why PBKDF2 has any value at all. If the password is good enough to force a brute force attack in a huge search space, why is there any need to salt and hash each guess of the Master Password? Why wouldn’t the attacker just guess the the key itself as opposed to guessing the Password and then iteratively salting and hashing it?
Perhaps someone can explain why a large number of PBKDF2 iterations is anything other than a distraction from what really matters, namely, creating a Password that is vulnerable to nothing other than a very lucky guess among a vast number of possibilities.
UPDATE January 11, 2023 12:53 PM
See @ddmiller‘s response. I stand corrected regarding off-line attacks.
Lastpass uses SHA-256 bit hashing, so it would take on average 2 to the 255th guesses to get the resulting key (half of 2 to the 256th number of possible keys). That’s a lot more bits of entropy than what is likely a memorable master password, and even with key stretching iterations to slow down guesses with something like PBKDF2, brute force guessing of the password will be faster. (It should also be noted that there could be a hash collision between different passwords so it’s possible to guess the wrong password and still be right, but it’s a very remote chance.)
Funny you should ask. This was a discussion in the Firefox Bugzilla: 1320222 - Review FxA client-side key stretching parameters
A quick summary is that there’s a request to review the number of iterations (currently 1000), and considers increasing it to hundreds of thousands of iterations.
The argument is that 1000 was originally chosen in order to run reasonably fast on the hardware of the time and now we have much faster hardware that can handle more iterations without imposing a significant delay on the user.
The counter-argument is that it won’t really help. An attacker who can get by the TLS encryption (of the HTTPS connection) shouldn’t be able to extract the plaintext password from what he sees. For this purpose one iteration of PBKDF2 will be sufficient - more iterations may add a slight delay, but won’t have any significant impact on the attacker.
For other purposes (beyond intercepting the TLS stream), it all comes down to thwarting the brute-force attack. More iterations means each try takes longer. If you require so many iterations that it requires 1/2 second to generate a key from a password, then even a short password (e.g. 6 same-case characters) will take a long time to crack (about 5 years for 6 characters at 2 per second).
But chasing that goal is ultimately going to be futile. As the attacker’s computer gets more powerful (and leasing time on cloud services is no big deal these days - so he potentially has a lot of available power), the number of iterations is going to need to constantly be increasing in order to keep pace. And every time it does, the data needs to be re-encrypted (not trivial overhead if it happens a lot, and very inconvenient for users).
But if the master password used to generate the various other keys and tokens is already secure (long and complex), then it no longer matters that much. As one commenter wrote:
So just keep your passwords long and complex and don’t worry much about how much hashing and re-hashing is being performed against it. Even a small amount of hashing should be sufficient if it is, and extreme amounts won’t help very much if it isn’t.
1 Like
Here’s one more reason to ditch LastPass: It seems to be a product of LogMeIn, which has a D- rating in the BBB. They have a history of making it very difficult to unsubscribe from their services and continuing to charge people for discontinued accounts. This has been my experience, too, not with LastPass, but with GoToMeeting.