It doesn’t matter which password manager best fits you or your organization if you aren’t using it properly.
A lot of users don’t know, but when you are using the popular password tool LastPass, it’s crucial to make sure your “password iteration count” is not “1”.
If this is the case, your entire vault might be decrypted in 61 seconds. No joke.
Many users are reporting that LastPass did not automatically upgrade iteration counts over time.
The password iteration count setting determines how many times your master password is “hashed” (or scrambled) when creating the master encryption key for your password vault. Each additional iteration makes a password cracking program do more work for every candidate password it tests, so guessing your master password and recovering the key takes proportionally longer.
But as password cracking technology became more powerful, the value should have been increased.
Since 2010 or so, we have seen the “default” iteration counts used in password managers rise into the “hundreds of thousands”, with OWASP recommending 310,000 iterations. (You can change it manually, too.)
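To make the effect of the iteration count concrete, here is an added example (not code from the original post or from LastPass) that derives a vault-style key with PBKDF2-HMAC-SHA256, shows that a count of “1” is nothing more than a single HMAC of the password, and scales the 61-second figure from the article linearly to a higher count. The e-mail address and master password are constructed sample values; using the account e-mail as the salt is an assumption about the LastPass construction.

```python
import hashlib
import hmac
import time

# Constructed sample values, not real credentials.
EMAIL = "user@example.com"                 # assumed: account e-mail serves as the PBKDF2 salt
MASTER_PASSWORD = "correct horse battery staple"

def derive_vault_key(password: str, salt: str, iterations: int) -> bytes:
    """Derive a 32-byte key with PBKDF2-HMAC-SHA256 at the given iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                               iterations, dklen=32)

def single_hmac(password: str, salt: str) -> bytes:
    """PBKDF2 with one iteration collapses to HMAC(password, salt || 0x00000001)."""
    return hmac.new(password.encode(), salt.encode() + b"\x00\x00\x00\x01",
                    hashlib.sha256).digest()

def scaled_crack_time_seconds(base_seconds: float, base_iterations: int,
                              new_iterations: int) -> float:
    """Cracking cost grows linearly with the iteration count, all else equal."""
    return base_seconds * new_iterations / base_iterations

def measured_seconds_per_guess(iterations: int, guesses: int = 5) -> float:
    """Wall-clock cost of one candidate password on this machine (illustrative only)."""
    start = time.perf_counter()
    for i in range(guesses):
        derive_vault_key(f"candidate-{i}", EMAIL, iterations)
    return (time.perf_counter() - start) / guesses

if __name__ == "__main__":
    assert derive_vault_key(MASTER_PASSWORD, EMAIL, 1) == single_hmac(MASTER_PASSWORD, EMAIL)
    # The article's 61 seconds at a count of 1 becomes roughly 219 days at 310,000.
    days = scaled_crack_time_seconds(61, 1, 310_000) / 86_400
    print(f"61 s at 1 iteration -> about {days:.0f} days at 310,000 iterations")
    for count in (1, 100_100, 310_000):
        print(f"{count:>8} iterations: {measured_seconds_per_guess(count) * 1000:.3f} ms per guess")
```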
I just heard, via Steve Gibson’s Security Now podcast, that many users of LastPass recently discovered that the password iterations count for generation of their vault’s encryption key was still set to “1” when they checked it.
Most people assumed that LastPass automatically increased the number of password iterations for every user’s vault, over time.
This doesn’t seem to always have been the case, and at this point, nobody knows why.
You should refer to Steve Gibson’s explanation on the Security Now podcast (Episode 905) for more information on why he calculated the average cracking time to be 61 seconds on an average password cracking setup.
But for now, if you’ve ever had a LastPass account (and it still exists) and you haven’t checked the “password iteration count”, it’s possible that your vault may have been exposed and it may have had an iteration count of “1”.
If your vault was exposed in the recent breach, attackers will be able to target people with iteration counts of “1”, since it will likely be very easy to crack (unless you used an unusually long and random master password).
What is the recommended iteration count?
Going forward, make sure your password manager’s iteration count is at least 300,100.
If you plan to use LastPass for any amount of time, you should go to “Account Settings”, then “Advanced Settings”, and change the value for “Password Iterations”, and save the settings.
This is yet another reason why people are moving from LastPass to another password manager, including me.
EDIT: In a later episode of Steve Gibson’s Security Now podcast, there was a discussion of LastPass’s claim of using additional “server side” iterations on the master password, which may have made a setting of “1” less concerning. However, the way LastPass describes its server-side iterations implies that this protection only affects the “user login” session for accessing the LastPass website, and does not appear to be applied to the user’s stored vault. So the user-exposed Password Iterations parameter apparently remains the accurate representation of how many hashing iterations are performed on the password to derive the vault’s key. All this to say, the description of the problem in the article above is still valid.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.