If you consider all possible 12-character passwords, there are something around 2 72 The LastPass account password “best practices” advice linked to in their announcement says nothing about using a password generator, so it would be incorrect to assume that users are generating their LastPass passwords using a strong password generator. Here’s the bottom line: unless your password was created by a good password generator, it is crackable. Seemingly clever schemes to create passwords with a mix of letters, numbers, and symbols do more harm than good. Passwords created by humans come nowhere near meeting that requirement.Īs I have said for more than a decade, humans just can’t create high-entropy passwords. That “millions of years” claim appears to rely on the assumption that the LastPass user’s 12-character password was generated through a completely random process. The notice goes on to state that “if you use the default settings above it would take millions of years to guess your master password using generally-available password-cracking technology.” The default settings they refer to are 100,100 rounds ofįor processing passwords and a minimum password length of twelve characters. The update states that encrypted user data “remains secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.” On December 22nd, LastPass posted an update to their announcement around an August 2022 breach. If 1Password were to suffer a similar breach, the attacker would not be able to crack your combination of account password and Secret Key – even if they put every computer on Earth to work on the cracking and ran them for zillions of times the age of the universe. In this article, I’ll explore the LastPass claim and unique 1Password features that protect you - now and in the event of a similar breach. The company’s notice claimed that if users had followed default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology.” That claim is highly misleading. LastPass, a competitor, recently announced that password hashes were included in an August 2022 breach of their cloud storage.
0 kommentar(er)
