LastPass password vaults crackable for $100, alleges 1Password
LastPass has claimed that it would take millions of years to crack a user's master password, but a rival company claims that the process won't take nearly that long, and could be done for a mere $100.

LastPass, a popular password management company, recently came under fire when customer data vaults were obtained via an attack in August.
Now, the company's rival, 1Password, claims that LastPass isn't protecting customers' data enough.
A blog post by 1Password's principal security architect, Jeffrey Goldberg, explains the importance of using machine-generated passwords rather than user-generated passwords.
"If you consider all possible 12-character passwords, there are something around 2^72 possibilities. It would take many millions of years to try them all. Indeed, it would take much longer," he writes. "But the people who crack human-created passwords don't do it that way. They set up their systems to try the most likely passwords first."
Goldberg notes that most user-created passwords can be cracked in fewer than 10 billion guesses through a process costing just about $100.
This is bad news for the average user, who typically creates a shorter and less complex password than something generated by a machine.
He points out that 1Password adds an additional layer of protection -- the Secret Key. A customer's Secret Key is created on-device, never sent to 1Password, and is required to decrypt user data.
So while a hacker may theoretically be able to obtain a 1Password user's master password, it's useless without the Secret Key.
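The Secret Key idea described above, as an added illustration that is not 1Password's or LastPass's code and only a simplified stand-in for the real derivation: a vault key derived from the master password alone opens after a handful of ordered guesses when the password is a likely one, while a key that also mixes in a device-local 128-bit Secret Key does not open even when the master password is guessed exactly. The salt, iteration count, guess list and HMAC-based "vault" are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional

# Constructed parameters for this illustration (not real 1Password or LastPass values).
SALT = b"constructed-salt-16b"
ITERATIONS = 20_000

def password_only_key(master_password: str) -> bytes:
    """Vault key derived from the master password alone (the model the article attributes to LastPass)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), SALT, ITERATIONS, dklen=32)

def two_secret_key(master_password: str, secret_key: bytes) -> bytes:
    """Vault key that also needs a device-local high-entropy Secret Key.
    Simplified stand-in for 1Password's two-secret derivation: mix the
    password-derived key with a key derived from the Secret Key, so the
    result has at least 128 bits of entropy however weak the password is."""
    pw_key = password_only_key(master_password)
    sk_key = hmac.new(SALT, secret_key, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))

def seal(vault_key: bytes) -> bytes:
    """Stand-in for an encrypted vault: a tag only the correct key reproduces."""
    return hmac.new(vault_key, b"vault-check", hashlib.sha256).digest()

def opens(vault_tag: bytes, vault_key: bytes) -> bool:
    return hmac.compare_digest(vault_tag, seal(vault_key))

def guesses_to_open(vault_tag: bytes, likely_passwords: List[str],
                    derive: Callable[[str], bytes]) -> Optional[int]:
    """Ordered guesses needed until the vault opens, or None if the list is exhausted."""
    for n, guess in enumerate(likely_passwords, start=1):
        if opens(vault_tag, derive(guess)):
            return n
    return None

LIKELY = ["password", "letmein", "Summer2022!", "qwerty123", "P@ssw0rd"]  # constructed
HUMAN_PASSWORD = "Summer2022!"   # weak: third entry on the likely list
SECRET_KEY = os.urandom(16)      # generated on-device, never sent to the provider

def demo():
    weak_vault = seal(password_only_key(HUMAN_PASSWORD))
    strong_vault = seal(two_secret_key(HUMAN_PASSWORD, SECRET_KEY))
    # Someone holding a stolen vault and the ordered guess list, but no Secret Key
    n_weak = guesses_to_open(weak_vault, LIKELY, password_only_key)
    n_strong = guesses_to_open(strong_vault, LIKELY, password_only_key)
    # Even the exact master password is useless without the right Secret Key
    wrong_sk = opens(strong_vault, two_secret_key(HUMAN_PASSWORD, b"\x00" * 16))
    right_sk = opens(strong_vault, two_secret_key(HUMAN_PASSWORD, SECRET_KEY))
    return n_weak, n_strong, wrong_sk, right_sk
```

Running `demo()` returns `(3, None, False, True)`: the password-only vault falls on the third guess, the two-secret vault never opens from the list, and only the correct Secret Key plus master password opens it.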
The blog ends by reassuring users that 1Password has gone above and beyond to protect their data, even if users aren't following best practices and using machine-generated passwords.
"We have not been breached, and we do not plan to be breached. But we understand that we have to plan for being breached," Goldberg writes. "The 1Password Secret Key may not be the most user-friendly aspect of our human-centered design, but it means that we can say with full confidence that your secrets will remain safe in the event of a breach."
LastPass has come under fire for questionable security practices in the past.
In December 2021, LastPass members reported multiple attempted logins using correct master passwords from various locations. The company assured customers that attacks were a result of passwords leaked in third-party breaches.
In February 2021, a security researcher uncovered seven trackers within the LastPass Android app.
AppleInsider will be covering the 2023 Consumer Electronics Show in person on January 2 through January 8 where we're expecting Wi-Fi 6e devices, HomeKit, Apple accessories, 8K monitors and more. Keep up with our coverage by downloading the AppleInsider app, and follow us on YouTube, Twitter @appleinsider and Facebook for live, late-breaking coverage. You can also check out our official Instagram account for exclusive photos throughout the event.
Read on AppleInsider
Comments
Obviously, your opinion may vary.
And having your vault in the cloud is not less secure. It is encrypted by the "secret key" which is long enough to make your vault essentially unbreakable by any foreseeable computer technology. Far more likely, someone steals your physical device and guesses your personal password - having a local vault won't help you there!
Yeah, the subscription blows, but I have so much stuff in it I can't imagine moving to something else.
My wife and I have a "family" subscription, so it's not so bad.
I'll let you search for it rather than link to it - here's a quote from the AppleInsider article linked above about those 7 trackers in LastPass Android:
"However, LastPass rival 1Password and open-source KeePass do not feature trackers at all."
Two years ago we had a vetting process which involved everyone going to through the setup, management, and daily use of our top five picks for at least a month each. We found that while there’s something to like about all of them, 1Password was our best “daily driver”. For me personally, it shines in a work environment, where I manage multiple remote systems and local testing devices.
Obviously this is all anecdotal and we have particular use-cases. I also can’t discuss the job-related selection process here in any detail. When the next round of household software/hardware upgrades and migrations comes up (in about a year from now) I can probably share some of that, if anyone is interested.
Feedback welcomed, in case there’s something I missed.
Would a hardware key help this situation? I have started researching this idea since I have a lot of sensitive info on my Mac. I use Enpass and it keeps my data local - just on the MBP. My login on the Mac is not that complex, so a hardware key seems like an easy way to really lock it down. Anyone using a USB key to unlock their Mac?