LastPass password vaults crackable for $100, alleges 1Password

Posted in General Discussion, edited December 2022
LastPass has claimed that it would take millions of years to crack a user's master password, but a rival company claims that the process won't take nearly that long, and could be done for a mere $100.

LastPass, a popular password manager, recently came under fire after attackers obtained copies of customer password vaults following a breach in August.

Now, the company's rival, 1Password, claims that LastPass isn't protecting customers' data enough.

A blog post by 1Password's principal security architect, Jeffrey Goldberg, explains the importance of using machine-generated passwords rather than user-generated passwords.

"If you consider all possible 12-character passwords, there are something around 2^72 possibilities. It would take many millions of years to try them all. Indeed, it would take much longer," he writes. "But the people who crack human-created passwords don't do it that way. They set up their systems to try the most likely passwords first."

Goldberg notes that most user-created passwords can be cracked in fewer than 10 billion guesses through a process costing just about $100.

This is bad news for the average user, who typically creates a shorter and less complex password than something generated by a machine.

He points out that 1Password adds an additional layer of protection -- the Secret Key. A customer's Secret Key is created on-device, never sent to 1Password, and is required to decrypt user data.

So while a hacker may theoretically be able to obtain a 1Password user's master password, it's useless without the Secret Key.
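The two points above, that crackers try likely passwords first and that a device-held Secret Key leaves a guessed master password useless, can be shown with a small offline-attack simulation. The following is an added example written for this page; it is not code from 1Password, LastPass or AppleInsider, and it is a deliberately simplified model (PBKDF2 with a low iteration count, an HMAC "verifier" standing in for the encrypted vault, a constructed five-word wordlist and a constructed master password), not either vendor's real key-derivation scheme. The price per guess is taken from Goldberg's figure of roughly 10 billion guesses for $100.

```python
import hashlib
import hmac
import math
import os
import secrets

# Simplified model of an offline attack on a stolen vault, added for this page.
# NOT 1Password's or LastPass's actual key-derivation scheme: real products use
# far more iterations and a proper KDF (HKDF) to combine secrets. The wordlist
# and the master password in the demo are constructed for illustration.
ITERATIONS = 1_000          # deliberately low so the demo runs in seconds
USD_PER_GUESS = 100 / 1e10  # Goldberg's figure: ~10 billion guesses for ~$100


def derive_key(master_password: str, salt: bytes, secret_key: bytes = b"",
               iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256. If a Secret Key is
    supplied, fold it in so the password alone never yields the vault key."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    if not secret_key:
        return pw_key
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def verifier_for(key: bytes) -> bytes:
    """What a stolen vault lets the attacker test each guess against."""
    return hmac.new(key, b"vault-verifier", hashlib.sha256).digest()


def make_vault(master_password: str, secret_key: bytes = b"") -> dict:
    salt = os.urandom(16)
    return {"salt": salt,
            "verifier": verifier_for(derive_key(master_password, salt, secret_key))}


def candidate_passwords(wordlist):
    """Most-likely-first ordering, which is Goldberg's point: bare words, then
    capitalised, then common suffixes. The cheap, probable guesses come first."""
    for w in wordlist:
        yield w
    for w in wordlist:
        yield w.capitalize()
    for w in wordlist:
        for suffix in ("1", "123", "!", "2022", "2023"):
            yield w + suffix
            yield w.capitalize() + suffix


def crack(vault: dict, wordlist, secret_key: bytes = b"", max_guesses: int = 100_000):
    """Offline guessing against (salt, verifier). Returns (password, guesses) on
    success, or (None, guesses) when the candidates or the budget run out."""
    guesses = 0
    for pw in candidate_passwords(wordlist):
        guesses += 1
        key = derive_key(pw, vault["salt"], secret_key)
        if hmac.compare_digest(verifier_for(key), vault["verifier"]):
            return pw, guesses
        if guesses >= max_guesses:
            break
    return None, guesses


def exhaustive_cost_usd(bits: float) -> float:
    """Cost to try every value of a `bits`-bit space at Goldberg's price per guess."""
    return 2.0 ** bits * USD_PER_GUESS


if __name__ == "__main__":
    wordlist = ["password", "letmein", "dragon", "sunshine", "monkey"]  # constructed
    human_pw = "Sunshine2023"  # constructed; 12 characters, so "2^72" on paper

    vault = make_vault(human_pw)
    print("no Secret Key:       ", crack(vault, wordlist))         # ('Sunshine2023', 50)

    sk = secrets.token_bytes(16)  # 128-bit Secret Key, generated on-device
    vault_sk = make_vault(human_pw, sk)
    print("Secret Key, unknown: ", crack(vault_sk, wordlist))      # (None, 60)
    print("Secret Key, known:   ", crack(vault_sk, wordlist, sk))  # ('Sunshine2023', 50)

    print(f"exhaust all 12-char passwords (2^72): ${exhaustive_cost_usd(72):.2e}")
    print(f"exhaust a 128-bit Secret Key:         ${exhaustive_cost_usd(128):.2e}")
    print(f"10 billion guesses:                   ${exhaustive_cost_usd(math.log2(1e10)):.0f}")
```

The 12-character "Sunshine2023" falls on the 50th guess because the generator asks for it almost immediately; the 2^72 figure describes the space, not the work. With the Secret Key folded into the derivation, the same 60 candidates all fail, and an attacker who does not hold the key is back to exhausting a 128-bit space, which the cost function puts far beyond any budget.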

The post ends by reassuring users that 1Password has gone above and beyond to protect their data, even for users who don't follow best practice and use a machine-generated master password.

"We have not been breached, and we do not plan to be breached. But we understand that we have to plan for being breached," Goldberg writes. "The 1Password Secret Key may not be the most user-friendly aspect of our human-centered design, but it means that we can say with full confidence that your secrets will remain safe in the event of a breach."

LastPass has come under fire for questionable security practices in the past.

In December 2021, LastPass members reported multiple attempted logins using correct master passwords from various locations. The company assured customers that attacks were a result of passwords leaked in third-party breaches.

In February 2021, a security researcher uncovered seven trackers within the LastPass Android app.



Comments

  • Reply 1 of 21
    Whenever a need for a new password comes up I default to Keychain. I wish Apple would provide a tool to convert my old 1Password legacy vault to Keychain once and for all. They lost me when they switched to a subscription model. Hate all these vampire subscriptions! Also, wish Apple would hurry along conversion to biometrics or that other solution that promises to rid us of passwords forever. 
  • Reply 2 of 21
    They lost me when they switched to a subscription model. Hate all these vampire subscriptions!
    Ditto. I paid for the 1Password app and then all of a sudden I would have to pay every year? No, thanks.
  • Reply 3 of 21
jib Posts: 58, member
    I don't mind the subscription fee (less than $3 a month) for 1Password.  For that small fee, I get security, they get ongoing funds for updates, maintaining their servers and security infrastructure, etc. I view 1Password as an ongoing service, not just a one-time software package.

    Obviously, your opinion may vary.
  • Reply 4 of 21
mSak Posts: 23, member
    jib said:
    I don't mind the subscription fee (less than $3 a month) for 1Password.  For that small fee, I get security, they get ongoing funds for updates, maintaining their servers and security infrastructure, etc. I view 1Password as an ongoing service, not just a one-time software package.

    Obviously, your opinion may vary.

    Many of us don't like ongoing subscription fees because it is very hard to keep track of these recurring expenses. An increasing number of software providers are using the subscription model and, put together, it can make it very difficult for a user to keep track of these expenses and to re-evaluate from time to time whether each subscription is warranted. One of the lessons of Finance 101 is basically to GET RID OF subscriptions as much as possible.

    I'd much rather pay a one-time license fee and then, if I want to upgrade the software (for whatever reason), use that moment to re-evaluate whether I should upgrade (want, need, etc.). I started using 1Password when it was in version 3 a long time ago and paid for practically every upgrade until the subscription model came about. I'm on 1Password 7 and do not intend to subscribe.

    It's interesting that every time an article about subscription based software comes up that displeasure with 1Password is mentioned (lol, including this post!). I hope AgileBits reverses course at some point and offer BOTH subscription and one-time license fee. For a while on 1Password 7, that was the model available.
  • Reply 5 of 21
    They lost me when they switched to a subscription model. Hate all these vampire subscriptions!
    Ditto. I paid for the 1Password app and then all of a sudden I would have to pay every year? No, thanks.
    The subscription model sucks but I probably would have paid it. It’s the loss of the local vault support that was the dealbreaker for me. The non-native Mac app was just rubbing salt into the wound.
  • Reply 6 of 21
NDW Posts: 4, member
    They lost me when they switched to a subscription model. Hate all these vampire subscriptions!
    Ditto. I paid for the 1Password app and then all of a sudden I would have to pay every year? No, thanks.
    Absolutely, there are so many apps that require subscriptions that people just cannot afford them all. I bought 1Password 4 then when I had the cash I upgraded to v7. There is no way I’m going to add another monthly charge to my bank balance. When v7 no longer works for me I’ll jump to another, one time purchase, app. Failing that Keychain passwords will work for me. 1Password has lost me as a recurring customer. 
  • Reply 7 of 21
mSak Posts: 23, member
    NDW said:
    Absolutely, there are so many apps that require subscriptions that people just cannot afford them all. I bought 1Password 4 then when I had the cash I upgraded to v7. There is no way I’m going to add another monthly charge to my bank balance. When v7 no longer works for me I’ll jump to another, one time purchase, app. Failing that Keychain passwords will work for me. 1Password has lost me as a recurring customer. 

    Exactly as you said! It is very hard to keep track of these kinds of expenses. And, even if one were to argue that it is not hard to keep track, there is absolutely a psychological burden. For instance, I find it absolutely burdensome if I had to keep remembering that, oh I have a subscription to 1Password, DEVONThink, Scrivener, Gentler Streak, WorkOutdoors, HealthMate etc. etc. (btw, some of these apps mentioned here are NOT under subscription model; just using examples of apps that I have or still use). That's insane!

    Currently, I have zero software under a subscription model but I do have some services under subscription model which is so-far acceptable because they are providing an ongoing service that I don't already have. This includes iCloud storage, newspaper subscriptions to about 3 different sources (NYT, Washington Post, Apple News+). That's it! Of course, I'm not counting ones that almost anyone who is housed would have such as electricity, gas, water, etc. :)

    But yeah, it is absolutely insane to keep track of software subscriptions. Too many! We have even come to the point of ridiculousness of monetization when companies like BMW are charging their customers a subscription fee for using heated car seats (in certain regions only). Like how the F are heated seats a service at all that requires BMW to provide ongoing maintenance?
  • Reply 8 of 21
    1Password lost me with subscription only. Same with Adobe. 
  • Reply 9 of 21
    I love 1Password and have no issues with their subscription model.  I am happy to support the evolution of the software that way, rather than having to pay upgrade fees. Their 1PW8 electron based app is excellent, no complaints there, it's better than 1PW7.

    And having your vault in the cloud is not less secure. It is encrypted by the "secret key" which is long enough to make your vault essentially unbreakable by any foreseeable computer technology.  Far more likely, someone steals your physical device and guesses your personal password - having a local vault won't help you there!
  • Reply 10 of 21
    It boggles the mind. Why would anyone use Lastpass? It’s the last password manager I’d ever use: Lastpass. 

    Used to use 1Password until, I forget exactly but something about their upgrades or subscriptions I didn’t like. iCloud Keychain now suffices for me. 
  • Reply 11 of 21
    I'm just hoping passwords go away in the near future. In 2023 passwords for this and that shouldn't need to exist. There are better authentication methods out there. Apple, Microsoft and Google are working on one together I believe that eliminates passwords. 
  • Reply 12 of 21
    I've been using 1Password since version 1!

    Yeah, the subscription blows, but I have so much stuff in it I can't imagine moving to something else.
    My wife and I have a "family" subscription, so it's not so bad.
  • Reply 13 of 21
    macxpress said:
    I'm just hoping passwords go away in the near future. In 2023 passwords for this and that shouldn't need to exist. 
    It’s not only passwords. I save credit cards, memberships, passports, secure notes etc. 
  • Reply 14 of 21
    macxpress said:
    I'm just hoping passwords go away in the near future. In 2023 passwords for this and that shouldn't need to exist. 
    It’s not only passwords. I save credit cards, memberships, passports, secure notes etc. 
    You could look at Keepass, for both a Mac and iOS - and can share the password protected database by airdrop between the two devices if you want to keep it completely off any 'cloud' 

    I'll let you search for it rather than link to it - here's a quote from the Appleinsider article linked above about those 7 trackers in Lastpass Android:
    "However, LastPass rival 1Password and open-source KeePass do not feature trackers at all."

  • Reply 15 of 21
oldenboom Posts: 31, unconfirmed member
    1Password lost me with their subscription model - I’ve been using it since before version 1. I switched to the - in the basics rather similar solution - Bitwarden. Perfect.
  • Reply 16 of 21
    webweasel said:
    They lost me when they switched to a subscription model. Hate all these vampire subscriptions!
    Ditto. I paid for the 1Password app and then all of a sudden I would have to pay every year? No, thanks.
    The subscription model sucks but I probably would have paid it. It’s the loss of the local vault support that was the dealbreaker for me. The non-native Mac app was just rubbing salt into the wound.
    Yes, for me it’s the lack of true Mac features even more than the subscription. I went through that with MYOB, when it changed from being a Mac centric software to a cross platform mess. I changed to secret, which allowed me to transfer my 1Password database. Now with the improvements to keychain, I think I’ll probably revert to just using the Apple system.
  • Reply 17 of 21
    I use 1Password 8 with my large household (family subscription), and for work (with Okta integration). We use the 2FA and command line features alongside YubiKeys. I’ve used version 8 since the early betas, out of concern that the move to an Electron base would be an issue. I’ve also used most of the other major password suites, commercial and open source within the last year.

    Two years ago we had a vetting process which involved everyone going to through the setup, management, and daily use of our top five picks for at least a month each. We found that while there’s something to like about all of them, 1Password was our best “daily driver”. For me personally, it shines in a work environment, where I manage multiple remote systems and local testing devices.

    Obviously this is all anecdotal and we have particular use-cases. I also can’t discuss the job-related selection process here in any detail. When the next round of household software/hardware upgrades and migrations comes up (in about a year from now) I can probably share some of that, if anyone is interested.

    Feedback welcomed, in case there’s something I missed. 


  • Reply 18 of 21
    Whenever a need for a new password comes up I default to Keychain. I wish Apple would provide a tool to convert my old 1Password legacy vault to Keychain once and for all. They lost me when they switched to a subscription model. Hate all these vampire subscriptions! Also, wish Apple would hurry along conversion to biometrics or that other solution that promises to rid us of passwords forever. 
    My issue with Keychain is that it's all secured through one weak link, a device passcode. Unlock a phone, generally secured with a code 8 characters long or less, disable Face ID, and you have the keys to the kingdom. Through a simple, probably numeric-only 8 long or less password, you get access to your "extra strong" passcodes. I don't share my device code with anyone, even family members, but I see people sharing their codes openly to let a friend or colleague look something up.
  • Reply 19 of 21
welshdog Posts: 1,903, member
    barthrh said:
    Whenever a need for a new password comes up I default to Keychain. I wish Apple would provide a tool to convert my old 1Password legacy vault to Keychain once and for all. They lost me when they switched to a subscription model. Hate all these vampire subscriptions! Also, wish Apple would hurry along conversion to biometrics or that other solution that promises to rid us of passwords forever. 
    My issue with Keychain is that it's all secured through one weak link, a device passcode. Unlock a phone, generally secured with a code 8 characters long or less, disable Face ID, and you have the keys to the kingdom. Through a simple, probably numeric-only 8 long or less password, you get access to your "extra strong" passcodes. I don't share my device code with anyone, even family members, but I see people sharing their codes openly to let a friend or colleague look something up.

    Would a hardware key help this situation? I have started researching this idea since I have a lot of sensitive info on my Mac. I use Enpass and it keeps my data local - just on the MBP. My login on the Mac is not that complex, so a hardware key seems like an easy way to really lock it down. Anyone using a USB key to unlock their Mac?
  • Reply 20 of 21
MplsP Posts: 3,966, member
    barthrh said:
    Whenever a need for a new password comes up I default to Keychain. I wish Apple would provide a tool to convert my old 1Password legacy vault to Keychain once and for all. They lost me when they switched to a subscription model. Hate all these vampire subscriptions! Also, wish Apple would hurry along conversion to biometrics or that other solution that promises to rid us of passwords forever. 
    My issue with Keychain is that it's all secured through one weak link, a device passcode. Unlock a phone, generally secured with a code 8 characters long or less, disable Face ID, and you have the keys to the kingdom. Through a simple, probably numeric-only 8 long or less password, you get access to your "extra strong" passcodes. I don't share my device code with anyone, even family members, but I see people sharing their codes openly to let a friend or colleague look something up.
    Keychain is nicely integrated with MacOS and iOS but can’t be extended to other platforms. Its interface also sucks, doubly so on iOS, almost to the point of being unusable for anything but entering passwords in Safari. 

    I’ve used 1Password for years and I agree the subscription model blows. In addition the newer versions have been getting worse, not better, and they took away the ability to have a locally synced vault. 

    Several months ago I looked at LastPass and DashLane and neither was really any better. They all use a subscription model, and at the time 1Password was the only one that had an actual app instead of running in a browser. 1Password 7 is working for me for now but I’m going to check out Bitwarden.