If you were a LastPass user prior to last year’s breach, hopefully by now you’ve changed your passwords.
Since hacking 256-bit encryption would take years for almost all people, an opposing theory is that they simply used a dictionary attack to break those with simple passwords.
As much as the whole LastPass thing is a serious debacle, I agree with Al that it seems most likely that the people who are being impacted are those with weak passwords. That’s not to discourage anyone from changing passwords that might be at risk, but just to be realistic about how much effort that would be for some people.
I think it would be smart to change important passwords, certainly anything that leads to money.
That’s not really an opposing theory. The article implies that’s what likely happened. The article moreover notes, in the fourth paragraph, that the reason the story is noteworthy is because the victims were “reasonably secure,” and it suggests LastPass’s failures played a significant role in leaving these people’s vaults vulnerable to being compromised.
It is certainly possible that the cracked vaults reflect nothing more than poor passwords and a low number of iterations.
However, recall that the vaults were not completely encrypted; the URL was left in plaintext and as a result, it’s probably trivial to identify potentially high-value vaults.
I personally suspect that extraordinary cracking efforts were made against only high-value vaults.
Weaver said a password or passphrase with average complexity — such as “Correct Horse Battery Staple” is only secure against online attacks, and that its roughly 40 bits of randomness or “entropy” means a graphics card can blow through it in no time.
“An Nvidia 3090 can do roughly 4 million [password guesses] per second with 1000 iterations, but that would go down to 8 thousand per second with 500,000 iterations, which is why iteration count matters so much,” Weaver said. “So a combination of ‘not THAT strong of a password’ and ‘old vault’ and ‘low iteration count’ would make it theoretically crackable but real work, but the work is worth it given the targets.”
The thieves have had over half a year to attack high-value vaults with multiple, simultaneous assaults offline during a period of time that high-end GPU rigs became readily available due to the crypto winter.
[the time to crack a password] radically come[s] down when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.
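As an added worked example (my own code, not part of this thread or the article), here is the arithmetic behind Weaver's figures: PBKDF2 guess throughput falls linearly with the iteration count, so exhausting a roughly 40-bit passphrase on a single card goes from days at 1,000 iterations to years at 500,000. The 4 million guesses/s baseline and the 500,000-iteration comparison come from the quoted comment; the other iteration counts, the sample password and the salt are constructed for illustration.

```python
import hashlib
import time

# From the comment above: one Nvidia 3090 manages ~4 million PBKDF2 guesses
# per second when a vault uses only 1,000 iterations.
RATE_AT_1000_ITERS = 4_000_000


def guess_rate(iterations, rate_at_1000=RATE_AT_1000_ITERS):
    """Guesses per second at a given PBKDF2 iteration count.

    PBKDF2 cost is linear in the iteration count, so throughput scales
    inversely: 500,000 iterations gives 4,000,000 * 1000 / 500,000 = 8,000/s,
    matching the figure quoted in the thread.
    """
    return rate_at_1000 * 1000 / iterations


def seconds_to_exhaust(entropy_bits, iterations, gpus=1):
    """Worst-case seconds to try every candidate of the given entropy.

    The expected time for a randomly chosen passphrase is half of this;
    `gpus` models several rigs attacking one vault offline in parallel.
    """
    return (2 ** entropy_bits) / (guess_rate(iterations) * gpus)


def measure_pbkdf2_seconds(iterations, password=b"correct horse battery staple",
                           salt=b"constructed-salt"):
    """Time one CPU-side derivation to show the cost grows with iterations.

    The password and salt are constructed sample values, not from any vault.
    """
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # A ~40-bit passphrase, as in the "Correct Horse Battery Staple" example.
    for iters in (1_000, 100_000, 500_000):
        secs = seconds_to_exhaust(40, iters)
        print(f"{iters:>8,} iterations: {guess_rate(iters):>12,.0f} guesses/s, "
              f"worst case {secs / 86400:>10,.1f} days on one GPU")
    print(f"one CPU derivation at 500,000 iterations: "
          f"{measure_pbkdf2_seconds(500_000):.3f} s")
```

The 1,000-iteration row comes out at about 3.2 days, the 500,000-iteration row at about 4.4 years, which is the "real work, but worth it for the right target" gap the comment describes.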