Not in a million years: It can take far less to crack a LastPass password

The company’s notice claimed that if users had followed default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology.” That claim is highly misleading. In this article, I’ll explore the LastPass claim and unique 1Password features that protect you — now and in the event of a similar breach.

If 1Password were to suffer a similar breach, the attacker would not be able to crack your combination of account password and Secret Key – even if they put every computer on Earth to work on the cracking and ran them for zillions of times the age of the universe.

The news

On December 22nd, LastPass posted an update to their announcement around an August 2022 breach. The update states that encrypted user data “remains secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.”

The notice goes on to state that “if you use the default settings above it would take millions of years to guess your master password using generally-available password-cracking technology.” The default settings they refer to are 100,100 rounds of PBKDF2 (Password-based Key Derivation Function 2) for processing passwords and a minimum password length of twelve characters.

That “millions of years” claim appears to rely on the assumption that the LastPass user’s 12-character password was generated through a completely random process.

Passwords created by humans come nowhere near meeting that requirement.

As I have said for more than a decade, humans just can’t create high-entropy passwords. Seemingly clever schemes to create passwords with a mix of letters, numbers, and symbols do more harm than good.

Here’s the bottom line: unless your password was created by a good password generator, it is crackable.

The LastPass account password “best practices” advice linked to in their announcement says nothing about using a password generator, so it would be incorrect to assume that users are generating their LastPass passwords using a strong password generator.

Human vs machine

If you consider all possible 12-character passwords, there are something around “2 to the power of 72” possibilities. It would take many millions of years to try them all. Indeed, it would take much longer.

But the people who crack human-created passwords don’t do it that way.

They set up their systems to try the most likely passwords first. The cracking systems will try things like F i d o 8 m y 2 S o x ! and 2 b | | ! 2 b . t i t q long before they try things like the machine-created z m - @ M v Y 7 * 7 e L .

Passwords created by humans are crackable even if they meet various complexity requirements.

So if you (or another human) created that 12-character password, it doesn’t matter if there are “2 to the power of 72” different possible 12-character passwords. What matters is whether yours is going to be among the few billion that attackers try first. The number “2 to the power of 72” has relevance only if each of the “2 to the power of 72” possibilities is equally likely.

Not searching far and wide

Let’s use a silly analogy.

If I forget where I parked my car after leaving the theater, I have some searching to do. My car, a Subaru Outback, is about 4.87 meters long and 1.88 meters wide. So it covers about 9 square meters. The surface of the Earth is about 510 trillion square meters. This means that there are about 57 trillion (2 to the power of 45) places on the surface of the earth my car could be.

It would take millions of years for me to make a dent in searching all of those places.

But let’s suppose that I start my search in the theater parking lot instead of haphazardly searching the surface of the earth. I can start in the area of the parking lot that I think it might be in, or the part where I typically park. It might take me a frustratingly long time to find my car. I might even have to start looking in adjacent parking lots or street parking. But I don’t have to consider all “2 to the power of 45” possible spaces because most of those are extremely unlikely. I start with the most likely places first and work from there.

It makes no sense to consider the time it takes to search “2 to the power of 45” places on Earth when estimating how long it will take for me to find my car. Similarly, it makes no sense to consider the time it takes to go through “2 to the power of 72” possible 12-character passwords when estimating how long it takes to guess a human-created password.

Cracking costs

Perhaps the “millions of years” claim is based on poor assumptions about guessing speed. As it happens, we have estimated through a cracking competition that the cost of cracking passwords hashed with 100,000 rounds of PBKDF2-H256 is around $6 for every “2 to the power of 32” guesses. (The difference between our 100,000 rounds of PBKDF2 and LastPass’s 100,100 rounds is so small that we can ignore it.) Because of how powers of 2 work, the cost of making “2 to the power of 33” guesses would be $12, while the cost of making “2 to the power of 34” guesses would be $24. Ten billion guesses would cost less than $100.

Diminishing marginal gains of PBKDF2 rounds

The security improvement between 100,000 rounds of PBKDF2 and 100,100 rounds is an improvement of 1/1000th. Something that takes $100.00 to crack with 100,000 rounds would take $100.10 to crack with 100,100 rounds. To better understand this see the second, techie, portion of something I wrote about bcrypt in 2015.

Bcrypt is great, but ...

Given the attacker is starting with the most likely human-created passwords first, that $100 worth of effort is likely to get results unless the password was machine generated.

But what about 1Password account passwords?

You may be asking whether a typical 1Password account password is crackable, particularly given we use 100,000 rounds of PBKDF2 in our key derivation.

One of the things that sets 1Password apart is the Secret Key. A year ago I explained how your Secret Key protects you in the event the data we hold is captured by an attacker.

The most relevant facts about your Secret Key are that:

1. It’s created on your device when you first sign up.
2. It’s never passed to or through 1Password servers.¹
3. It’s woven into your account password when deriving the keys needed to decrypt your data.
4. It’s high-entropy (128-bits).

The consequence of 1 and 2 is we (and therefore anyone who breaches us) have no access to your Secret Key whatsoever.

The consequence of 3 is that an attacker would need to have or guess your Secret Key to decrypt your data.

And the consequence of 4 is that it is not going to be guessed.

Success requires designing for failure

We have not been breached, and we do not plan to be breached. But we understand that we have to plan for being breached. We also understand many 1Password users will not follow our advice to use randomly generated account passwords. It can be hard advice to follow.

As a result, we have a responsibility to find ways to protect 1Password users in the event of a breach that would expose their encrypted data.

The 1Password Secret Key is the solution we settled on seven years ago when we first launched the 1Password.com service.

The 1Password Secret Key may not be the most user-friendly aspect of our human-centered design, but it means that we can say with full confidence that your secrets will remain safe in the event of a breach.

Jeffrey Goldberg

Principal Security Architect