It doesn’t matter which password manager best fits you or your organization if you aren’t using it properly.

A lot of users don’t know, but when you are using the popular password tool LastPass, it’s crucial to make sure your “password iteration count” is not “1”.

Photo by Volodymyr Kondriianenko on Unsplash

Gone in 61 seconds.

I just heard, via Steve Gibson’ Security Now podcast, that many users of LastPass recently discovered that the password iterations count for generation of their vault’s encryption key was still set to “1” when they checked it.

Most people assumed that LastPass automatically increased the number of password iterations for every user’s vault, over time.

This doesn’t seem to always have been the case, and at this point, nobody knows why.

You should refer to Steve Gibson’s explanation on the Security Now Podcast (Episode 905) more more information on why he calculated the average cracking time to be 61 seconds by an average password cracking setup.

But for now, if you’ve ever had a LastPass account (and it still exists) and you haven’t checked the “password iteration count”, it’s possible that your vault may have been exposed and it may have had an iteration count of “1”.

If your vault was exposed in the recent breach, attackers will be able to target people with iteration counts of “1”, since it will likely be very easy to crack (unless you used an unusually long and random master password).

Password manager best iteration count

What is the recommended length of iteration?

Going forward, make sure your password manager’s iteration count is at least 300,100.

If you plan to use LastPass for any amount of time, you should go to “Account Settings”, then “Advanced Settings”, and change the value for “Password Iterations”, and save the settings.

This is yet another reason why people are moving from LastPass to another password manager, including me.

EDIT: In a later episode of Steve Gibson’s Security Now podcast, there was a discussion of LastPass’s claim of using additional “server side” iterations on the master password, which may have made the issue of the setting of “1” less concerning. However, in reality, the way that LastPass describes its server-side iterations implies that this protection only impacts the “user login” session for accessing the LastPass website, and does not appear to be done on the user’s stored vault. So, the user exposed parameter of Password Iterations is apparently still the accurate representation of how many hashing iterations are done on the password for accessing the vault’s key. All this to say, the description of the problem in the article above is still valid.

Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.