LastPass Shares Details of Security Breach

LastPass CEO Karim Toubba has announced that the password management company suffered a security breach last month, with attackers making off with unencrypted customer account data and customer vaults containing encrypted usernames and passwords.

This could be a nightmare situation for LastPass, but most users shouldn’t be at significant risk because the company’s Zero Knowledge security architecture prevents it from having access to or knowledge of a user’s master password—the stolen data doesn’t contain any master passwords. This safeguard should prevent the attackers from decrypting the stolen usernames and passwords.

LastPass has been fairly transparent about the breach, posting when it happened and following up this week with additional details. Although LastPass’s on-premises production environment was not breached, the attacker was able to leverage information captured in an earlier breach of a developer’s account in August 2022 to target another employee’s account in order to steal data from cloud-based storage that LastPass used for backup. (Arguably, these events are all part of a single breach.)

This incident highlights weaknesses in LastPass’s approach to security. The stolen data included unencrypted customer account information (names, addresses, and phone numbers, but not credit card details) and encrypted customer vault data. LastPass secures usernames, passwords, secure notes, and form-filled data using 256-bit AES encryption, and they can be decrypted only with a unique encryption key derived from each user’s master password. Within user vaults, however, website URLs associated with password entries weren’t encrypted. That’s problematic.

More seriously, LastPass relies entirely on that user-selected master password to secure encrypted data. Even though the company has hardened minimum requirements for setting passwords, users can set master passwords weak enough to be susceptible to cracking attempts. Apple’s iCloud Keychain, 1Password’s cloud-based storage, and some other solutions mix device-based keys with master passwords or account logins for far greater resistance—an attacker has to obtain and unlock a device in addition to compromising a vault or account password.

What Actions Should LastPass Users Take?

As long as you used your LastPass master password only at LastPass and retained the company’s default settings, LastPass does not recommend any actions at this time. (The defaults require a minimum of 12-character master passwords and specify a high number of iterations—100,100—in the PBKDF2 password-strengthening algorithm.)

A brute-force decryption might be successful against your master password if you reused it on another site that had been compromised, set one that’s fewer than 12 characters (never do that!), or lowered the default password-strengthening settings. (Some long-time users found that they had much lower settings of 500 or 5000 for the PBKDF2 algorithm—here’s how to check.) If any of those are true, change your master password immediately and turn on multifactor authentication. (Use the LastPass Authenticator app: for instructions, click Features & Tools and then Multifactor Authentication in the LastPass support portal.)
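To see how the iteration settings mentioned above (500, 5000, and 100,100) interact with password length, the following added example (not from LastPass or the original article) estimates expected guessing time for a few password profiles. The attacker throughput figure and the password profiles are assumptions chosen for illustration, and the entropy figures assume uniformly random characters, which overstates the strength of human-chosen passwords.

```python
import hashlib
import math
import time

# Iteration counts mentioned in the article: two legacy settings and the default.
ITERATION_SETTINGS = (500, 5000, 100_100)

# ASSUMPTION (not from the article): attacker throughput in PBKDF2-HMAC-SHA256
# iterations per second. A constructed round number; real hardware varies widely.
ASSUMED_ATTACKER_ITERS_PER_SEC = 1e10

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed password profiles: label -> (length, alphabet size).
PASSWORD_PROFILES = {
    "8 random lowercase letters": (8, 26),
    "12 random lowercase letters": (12, 26),
    "12 random printable ASCII": (12, 94),
}


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation; cost grows linearly with `iterations`."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def random_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def expected_crack_years(entropy_bits: float, iterations: int,
                         iters_per_sec: float = ASSUMED_ATTACKER_ITERS_PER_SEC) -> float:
    """Expected time to find the password, searching half the space on average."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * iterations / iters_per_sec / SECONDS_PER_YEAR


def local_iters_per_sec(sample_iterations: int = 50_000) -> float:
    """Measure this machine's PBKDF2 throughput, for comparison with the assumed rate."""
    start = time.perf_counter()
    derive_key("benchmark", b"constructed-salt", sample_iterations)
    return sample_iterations / (time.perf_counter() - start)


def crack_time_table(profiles: dict = PASSWORD_PROFILES) -> dict:
    """Expected years per profile and iteration setting, under the assumed rate."""
    table = {}
    for label, (length, alphabet_size) in profiles.items():
        bits = random_password_entropy_bits(length, alphabet_size)
        table[label] = {n: expected_crack_years(bits, n) for n in ITERATION_SETTINGS}
    return table


if __name__ == "__main__":
    print(f"local PBKDF2 throughput: {local_iters_per_sec():,.0f} iterations/s")
    for label, row in crack_time_table().items():
        cells = ", ".join(f"{n:>7,} iters: {years:.3g} years" for n, years in row.items())
        print(f"{label:<28} {cells}")
```

Raising the iteration count from 500 to 100,100 multiplies the cost of every guess by about 200, while each additional random character multiplies the number of guesses by the alphabet size, so length dominates once the password is genuinely random.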

Because the vaults were stolen, nothing you do can protect the integrity of that data, which is already in the hands of the thieves. LastPass suggests people at risk of having their master password cracked consider changing passwords on stored websites. Start with the crucial accounts that could be used to impersonate you, like email, cell phone, and social media, plus those that contain financial data. If you’re worried, change passwords more broadly. (Typically, you never need to change unique, strong passwords, but here your core secrets were stolen, even if they remain encrypted.)

Those with weak master passwords should also change them and enable multifactor authentication for their LastPass accounts. Even though the horse is out of the barn, you can get a new horse and secure the door behind it: possible future breaches are less likely to affect you if you have updated the passwords stored in your vault and have secured them with a new strong, unique password.

Regardless of the strength of their master passwords, LastPass users must now be especially alert for targeted phishing attacks. Since LastPass vault backups did not encrypt website URLs, phishers can combine them with an email address associated with your unencrypted account information.

If you are at all uncertain whether an email or text message that links to a login page is legitimate, navigate to the website directly in your browser and log in using links on the site. Don’t trust URL previews—it’s too easy to fake domain names in ways that are nearly impossible to identify. Particularly watch out for credit-card warnings and package-tracking alerts—both are ready paths for phishers in the best of times and even more likely to fool users during the holiday season.

Questions and Concerns

Obviously, LastPass made mistakes here, but at least the company is being transparent about what happened. It doesn’t seem as though LastPass was cavalier about security—this sounds like a sophisticated, multi-prong attack that took months to carry out. It’s a worthwhile lesson for all organizations to realize that targeted attacks on one employee and then another ultimately allowed the breach of massive amounts of data. Nonetheless, the outcome raises questions and concerns.

Should LastPass users consider switching to another password management solution? 

Yes, for two reasons. First, it’s troubling that LastPass isn’t using a secret key entangled with the master password to protect against thefts like this. Second, the attackers might be able to exploit the stolen information to compromise LastPass’s systems again. LastPass hardened its systems in response to the August breach of one developer’s account, but that wasn’t sufficient to stymie the November attack on the second employee.

Conversely, as far as we know, LastPass’s Zero Knowledge architecture remains secure, so if you’re comfortable with the strength of your master password and you trust LastPass’s overall architecture, you should be able to continue using it with no additional worry.

As someone who has used LastPass for many years as my primary solution—Tonya uses 1Password, and we share a family vault with Tristan—I’m not planning to switch based on this breach alone. However, I have been suffering from other irritations with LastPass—its multifactor authentication failing on the Apple Watch, its inability to remember that I want generated passwords to include symbols and be 20 characters long, and its Chrome extension frequently becoming corrupted (see “Chrome Extensions Disappearing? Click Repair,” 24 August 2021)—so I’ve decided to switch to 1Password when I find the time.

Is this breach an indictment of the entire concept of cloud-based password management services? 

While some would undoubtedly say yes, arguing that locally managed passwords are not susceptible to attacks on a company, the issue has more to do with how cloud-based data is secured. While LastPass doesn’t hold the encryption keys to your data, its encryption method isn’t as strong as it could be because all the encryption power is locked in a single master password that can be entered anywhere, rather than requiring multiple components, some or all of which are held separately.

Swearing off cloud-based storage in favor of locally managed passwords also presumes you wouldn’t fall prey to phishing or other attacks that target you randomly instead of specifically. The LastPass breach required direct attacks on specific employees, but scattershot attacks can be automated or distributed broadly via malware—the attackers don’t know or care who their victims are.

Plus, cloud-based systems provide two compelling features: syncing among multiple devices and platforms and sharing particular passwords with other users of the same system. Syncing is fairly easy to replicate using iCloud, Dropbox, or the like, but sharing passwords with other people requires a shared account.

Are other password managers vulnerable to similar attacks?

I wouldn’t think so. The LastPass breach relied on previously stolen information that provided access to secondary backup storage thanks to credentials and information stolen in attacks targeting individual employees. It was a custom attack and couldn’t be used against other firms. And LastPass’s reliance on a single master password also puts its users’ data at unique risk.

That said, I have to assume that all password management services are under near-constant attack because, to paraphrase bank robber Willie Sutton, that’s where the passwords are. These companies may consider such attacks business as usual, or they may be using LastPass’s incident as an excuse to reexamine their security practices to make sure they haven’t missed anything. LastPass presumably didn’t think it had missed anything before August 2022.

When will passkeys eliminate problems like this? 

I don’t know for sure, but the transition can’t happen soon enough. See “Why Passkeys Will Be Simpler and More Secure Than Passwords” (27 June 2022).

Comments About LastPass Shares Details of Security Breach

Notable Replies

  1. [Bringing these two posts in from another thread to centralize discussion. -Adam]

    More bad news for LastPass users:

    Ars Technica: Password manager says breach it disclosed in August was much worse than thought.

    The gist of the article (if I’m reading it correctly): the breach last August that LastPass said was limited to source code of the app, wasn’t. The hackers also got a backup of customer vault data; some of it encrypted, some of it not.

    I’d recommend anyone using LastPass take a look at this article.

  2. As a long time LastPass user, this is definitely startling. LP did send a link to their blog post on the matter (quoted in the Ars article above) in an email to (presumably) all its customers. On the downside, the unencrypted data included a lot of personally identifying information, including “…company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

    On the upside (if there is one), the sensitive information stolen was encrypted, including “…website usernames and passwords, secure notes, and form-filled data.” They also added “There is no evidence that any unencrypted credit card data was accessed.”

    So since I have a strong master password, I’m not too concerned about the bad actors force-decrypting my data (I’m not worth the considerable effort and cost to do so). But this isn’t the first breach LP has suffered, and as that sage Gomer Pyle used to say, “Fool me once, shame on you; fool me twice, shame on me.”

    I have canceled auto-renewal on my subscription, and will certainly be looking at alternatives before it’s time to renew.

  3. I don’t follow this topic closely, but it’s my impression that LastPass has suffered several security breaches now while other password managers haven’t. Have I simply run across more articles about LastPass and missed mentions about other password managers, or have LastPass’s systems been compromised more often than its competitors’? If it’s the latter case, is that because LastPass is a tempting target due to its size or popularity, or is it because LastPass isn’t doing a great job at securing its systems (compared to its competitors)? Or is it because of some other reason?

    I commend LastPass for being transparent about the breaches, but I’m sure the company and its users would prefer not having any incidents that needed reporting in the first place.

  4. As I understand, LastPass has reported three breaches this year, but all three seem to be rooted in the first breach.

    Perhaps they could have taken steps after the first one to have avoided the second two; I don’t know.

  5. There was only one breach this year, but LastPass has provided two updates since the initial report.

    Wikipedia has a list of security issues LastPass has experienced over the last twelve years.

  6. I’d count it as two breaches. One in August 2022 that captured some developer information and credentials and a second one in November 2022 that leveraged the previously stolen information to access the backup vault.

    If you read down in what you linked, you’ll see that each time, they announced the incident and then followed up later with details on how they responded—there are four separate updates in that post.

  7. Unfortunately, they say that website URLs were not encrypted in the stolen data. This means it will be easy for bad guys to find high-value targets.

    Otoh, how do we know for sure that other password managers have not kept quiet about similar breaches?

  8. Also it means that the thief has a reliable list of email addresses (which may as well be identities these days) and a list of businesses and organizations with which that identity has an account. Even without the passwords this is a privacy nightmare. I can’t imagine what legitimate reason LastPass had to not encrypt the entire login, the only reason the thief could steal it is because LastPass was holding it (how do you not wonder if they were planning to sell this enormously valuable marketing data), and I would be leaving them immediately for that reason alone if I was a customer.

  9. Not encrypting the URLs is another black mark on LP’s framework, for sure. But using them to identify high-value targets? Maybe, if there was some particularly enticing site known to attract only high-rollers. But in my case, that’s not an issue. :slight_smile:

  10. Just finding banking URLs with their user IDs (email addresses) and the phone number - often used for password recovery text messages, perhaps by some banks or financial institutions - some thievery might not require the password being decrypted at all.

  11. If you work for the spam/scam/malware industry in some third world country, any “rich American“ is a high value target.

  12. My guess would be only those who receive spam.

  13. I often put confidential stuff in the LastPass Notes field. Is that also not encrypted? Shudder.

    What I would like to know is whether other password managers have this same flaw or not. There’s a lot of technical info. on the website for 1Password, but I did not find a clear statement of exactly which data is encrypted.

  14. Oh, good question! That is not addressed specifically in the LP blog article on the incident. They reference “Secure Notes,” but that’s a different feature altogether from the “Notes” section of a web site password card, which is what I’m assuming you’re referring to.

  15. This kind of justifies my hesitancy to use a password manager, or something like LifeLock. Why let someone else know your passwords and other personal information? What is preventing the password manager uploading all your passwords to their own servers? I do use Safari’s password vault, but only for meaningless webpages that have nothing important on them anyway. I kind of came up with my own encryption algorithm to generate passwords, and I store only the keys in a Notes folder. Never stored CC numbers on websites. When the federal OPM (Office of Personnel Management) had a hack, everybody got something like LifeLock for free. The only thing I have learned from that is how many registered sex offenders are within a couple of miles from me and when a new one moves in, and that my common e-mail address is on the dark web (whose isn’t?). I also stopped using Grammatic, not knowing how they treated text in password boxes.

    I worked for the AF as a civilian, never used MySpace, but was shocked (well not really) when an official memo came down the pike telling AF members not to discuss anything related to their service stuff, like none of it, on their MySpace page. I thought DUH! Some of these guys and gals probably had more security training than I was forced to take. Evidently there were some fighter pilots that had posted photos of cockpits, them with their bird, etc, but we all know fighter pilots often have HUGE egos.

  16. Here’s another interpretation of the event(s):

    “LastPass is trying to present the August 2022 incident and the data leak now as two separate events. But using information gained in the initial access in order to access more assets is actually a typical technique used by threat actors. It is called lateral movement.

    “So the more correct interpretation of events is: we do not have a new breach now, LastPass rather failed to contain the August 2022 breach. And because of that failure people’s data is now gone. Yes, this interpretation is far less favorable of LastPass, which is why they likely try to avoid it.”

    Source:

  17. Not sure if it still applies, but here is what 1Password said in 2013:

    "@speedsonic Yes, notes (memos) are encrypted.

    If you are using the old Agile Keychain format (syncing with Dropbox or Folder Sync), the only fields not encrypted are the title and the URL.

    If you are using the new Cloud Keychain format (syncing with iCloud), all fields are encrypted."
    https://1password.community/discussion/18509/memo-note-fields-are-encrypted

  18. Since it costs nothing to send out 350M e-mails (especially if you’re sending it through a hacked/insecure/compromised mail server that somebody else is paying for), yes.

    Those recipients using mail services with good spam filters won’t see it, but the senders don’t care.

  19. No argument there. I was replying (somewhat tongue-in-cheek) to what I perceived as a claim that all Americans were high-enough value targets to justify the time and expense required to force-decrypt their stolen LastPass data. Clearly, all the unencrypted data will likely be put to nefarious ends, including spamming the email addresses.

  20. Yes, no need to brute force anything to entice a bank or other organization to change your password (“I forgot it, thank you.”) and access your account without your knowledge.

    My favorite story about hacking a bank account is an anecdote I read online. The commenter said:

    My wife did not trust online banking to be secure, so she did not set up online access to her account. Unfortunately someone at the bank noticed and set it up for her. That person then emptied her account. (This is a failure of banking process controls.)
    When the bank investigated the event, they discovered what had happened and made good on the loss. (No guarantee that they would do that without litigation!)

    The point is that when someone knows something about you, for example, your email address, your phone number, etc., your identity may be compromised in some way, and your password security may be insufficient. (There aren’t that many banks to try with your identity!)
    You might want to use separate and not your best-known email addresses for important sites, and so forth. Phone numbers are often used for 2FA, which makes them a target, too.

    Passkeys will be much better than passwords.

  21. gib

    Yup, for most folks, their email address is 50% of their log-in credentials. No need to make it easy for crooks. That is why I have a unique address for every account via IronVest (formerly Abine Blur). Now Apple is offering them too. But some short-sighted websites, like National Geographic and id.me (even from their client, Apple), won’t accept obscured addresses. Just as some banks (PNC) don’t implement time-based one-time passcodes (ToTPs); they’re begging for trouble!

  22. My employer gave us LastPass because the cost to license (Edu license) 1Password was double. It was recommended “we”, the IT of departments, put our admin pwds on LP so that if “we” left our positions, it could be migrated, etc. Rationally, I feel, if one of “we” left a position, that a drawn out but compensation assignment would be to reset each machine admin password “anyway” as policy. So, I used LP for just any testing, certification or other related sites that wouldn’t compromise my use. Personally, I use 1Password but not on latest since Agilebits went subscription-only model.
    One thing, I never received an email or notice from LastPass or my employer on this latest issue.
    I’ll just get some “here’s 6 months of ID protections” emails though…blah blah

  23. Today a post from PeterG_1P of 1Password confirms that they encrypt everything:
    https://1password.community/discussion/136336/is-1password-preparing-a-report-on-lessons-from-the-lastpass-breach#latest

    [Edit: Just for the record, the post was actually yesterday, Dec. 29, 2022.]

  24. There is a ton of talk in many forums about people switching away from LastPass. What are they switching to? The top 2 that I have heard are 1Password and Bitwarden. I’m going to mention Enpass.

    I have used 1Password for over 10 years. It’s been really wonderful and (until recently) I’ve recommended it thousands of times. OTOH I’m still using 1P v6 because I use & need some of the secure features that 1P has eliminated in v8. Such as using multiple cloud services to share multiple secure vaults with multiple people. To each their own. I am strongly opposed to any password manager that requires you to store your data on their cloud server as 1P now does.

    BitWarden is open source and there is a free version that can sync and has Mac, Windows, Linux, iOS & Android apps. Many people will do better with the paid version though. But BitWarden requires your data to be hosted in their cloud. Well, almost. Bitwarden offers a self-hosting, self-installed server for Linux & Windows, but it is very non-trivial to set that up. Definitely not a drag & drop Mac-style install. So realistically, if you’re using BitWarden then your data will be in their cloud server.

    For those of us who are squeamish about trusting any password manager which requires a built-in cloud storage - then I have only seen one viable password manager since 1Password v6. (1P v8 & up does not allow you to not use their 1P cloud).

    EnPass.io is a password manager that does not require a cloud server. You can very securely do WiFi sync that never leaves your local area. It does however also support (but not require) your choice of cloud service, including DropBox, iCloud, Google, etc. I’m not an expert on this app, but in a few days of trying it out, it looks pretty good. Clearly they have seen and used other password managers & learned from that. If you’ve been using 1Password, you’ll feel mostly at home, sort of like moving to a different apartment in the same neighborhood.

    Of note EnPass has a “pay once” model, as well as a subscription, Your choice. Your secret data is never on their servers. Enpass also has browser plugins, mobile iOS & Android app, etc.

    BTW: I’m not a paid shill and have barely used Enpass, but ever since AgileBits ended the option of locally stored 1Password data, I have been looking for another secure home for my private data.
    As an IT professional, I have responsibility for several thousand passwords, and I never ever want to be responsible for a data breach. Perhaps my criteria for security is different.

  25. I’ve used LastPass since sometime in the early 'aughts, and currently have it installed on multiple macs/devices. The TidBits article was much clearer about practical implications of the breach(es), and what to do first. I now have 3 questions–does anyone have more input?

    1. My PW iterations were set to 5000, so I tried updating to 100100 as per LP’s instructions. BUT the update process failed after about 5 minutes, just saying it “couldn’t complete; try again later”. Suggestions, anyone? Are their servers overloaded? Or is this something trickier?

    2. Assuming the iterations-updating process works for the machine I’m on, do I then need to quit and restart LP on the machines I didn’t use to update the iterations? Or, maybe, do I need to do that first, before doing the update process?

    3. Does anyone have additional info on whether the “Notes” section of the password entries (NOT the “Secure Notes” entries) is encrypted?

    Thanks…

  26. LastPass has not responded to my questions asking what is encrypted.

    Nevertheless, this post lends credence to the belief that the notes portion of a Password Item is encrypted; scroll down to the section titled “Structures of some types of composite data blocks.”

  27. Dave…Enpass is currently the leader for me if/when 1Password v7 quits working. I like the DropBox sync and dislike the subscription requirement…plus I want the ability to do my own backups. The security with Bitwarden is probably a little better with the fingerprint phrase and the reencryption on their servers of the already encrypted on your device vault…but with 100,000 rounds of encryption then as long as one has a long password on both Enpass and Dropbox it’s really good enough…as Enpass only uses the cloud for sync and decryption is only on device.

  28. My wider family say this to me: “they are not interested in little old me and won’t spend the time”. While the value of your data may not be great, I know some of theirs is.

    One response is that they (the thieves or the people they sold your data to) don’t spend the time, they just throw your data at bots and get on and do other stuff. If the bots turn up something interesting, even mildly profitable…woohoo!

    Rob

  29. This is why I have never used a password manager.

  30. Absolutely correct. Which is why it’s important to know how they’ve encrypted your data and who holds the key.

    If the service provider doesn’t have the key and it is known to be strong (long bit-length and either randomly-generated or generated from a strong passphrase), then any attack will require brute-force, which will take too much time for them to bother with.

    Bots or not, they won’t want to spend a long time (probably not even on the order of hours) trying to crack a strong key when they could instead spend that time attacking hundreds of other accounts, some of which will have a weak key that they can quickly crack.

    It’s like the old joke. I don’t need to be faster than the lion. I only need to be faster than you.

  31. Granted. But I was specifically referring to the effort/cost to force-decrypt my data. Of course the bad guys have “bots” to do this, but my point is that a big enough “bot” to do the job would cost many orders of magnitude more money than the perps could reasonably expect to recoup from me, and it would still take more time to complete than they could reasonably expect to live.

  32. As mentioned on another thread, I’ve been trialing Enpass for about a week now. So far, I like it. I’m using the iCloud sync option, and once I got the vault locking interval down to something that works for me, it’s only slightly annoying (but much more so than LastPass) when you need to unlock. To their credit (and another differentiator from LP), they default to locking the vault very quickly, and you need to dial that back to the level that makes sense for you. So far, +1 for Enpass.

  33. That’s troubling. Just try again, perhaps from another device, and see what happens. I was set to 100,100, but for giggles, I tried changing it to 333,000. That succeeded but a day later when I went in, I was dismayed to see it was set to 333 instead. I changed it again to 200,000, and confirmed after the fact that that stuck.

    I think you will need to log in again on each device, which will do the update. I can’t quite say for sure because I’ve been doing a bunch of things, but I definitely had to fuss with LastPass on multiple devices.

    LastPass PR hasn’t replied to me about that either.

  34. LastPass says nothing about having to change the PBKDF2 iterations on each device.

    As I understand it, every encrypted portion of the Vault must be re-encrypted when the number of iterations is changed. And obviously, the resulting Vault is then incompatible with every copy of the previous Vault. So, those old copies of the Vault must be replaced with the new one.

    I’d guess—but have not verified—that simply logging out of a device and then logging back in would replace the old Vault with the new one (downloaded from LastPass’ server). If so, then there is no reason to change the number of iterations on each device. You just have to log out of each device and log back in to synchronize the Vaults on all your devices (with one re-encrypted with the new number of iterations).

  35. As I understand how LastPass uses PBKDF2, increasing the number of iterations has no effect on the stolen Vault.

  36. Yes, but if you are going to continue using LastPass, it’s an important thing to change ASAP.

  37. Yep, that’s my understanding as well. I don’t think there was any suggestion that you’d need to change the setting on every device—it’s an account setting, not a device setting.

  38. I use the older, less common, but functional PasswordWallet app. My only frustration with it is that syncing between devices doesn’t stay up-to-date automatically. So sometimes I’m on my iPhone and need to manually do a sync to get the latest password. But it works, and it’s not subscription based. Aren’t the others subscription based now?

  39. Thanks to everyone for all the feedback. After logging out of LP on all but one mac, I changed the iterations successfully to 100100; this only took about a minute, and did populate to my other macs/phone when I logged back in on them. I’ll report back tomorrow if the change doesn’t stick (as happened to Adam earlier). Many thanks to all.

  40. The Washington Post help desk column was actually quite good. So often the big media papers get these somewhat wrong. (This should not be behind the paywall.)

    https://wapo.st/3CBgmsc

  41. While the general drift of that article is excellent, I’m not sure I’d take much security advice from a columnist who stores their password manager password on a piece of paper in their wallet! Yikes.

  42. But what is the marginal value of increasing the number of iterations beyond a thousand?

    My understanding is that there are only two benefits of PBKDF2:

    1. The salting and hashing of the Master Password make the resulting key more random (and possibly longer depending on the implementation); and
    2. Each guess takes longer.

    For online attacks, wouldn’t LastPass notice even just 100 consecutive failed attempts to access a Vault and then prevent additional guesses. Does making each guess take longer make any difference for good passwords if LastPass limits the number of guesses?

    For offline attacks of Vaults with good passwords, I don’t understand why PBKDF2 has any value at all. If the password is good enough to force a brute force attack in a huge search space, why is there any need to salt and hash each guess of the Master Password? Why wouldn’t the attacker just guess the key itself as opposed to guessing the Password and then iteratively salting and hashing it?

    Perhaps someone can explain why a large number of PBKDF2 iterations is anything other than a distraction from what really matters, namely, creating a Password that is vulnerable to nothing other than a very lucky guess among a vast number of possibilities.

    UPDATE January 11, 2023 12:53 PM

    See @ddmiller’s response. I stand corrected regarding off-line attacks.

  43. Lastpass uses SHA-256 bit hashing, so it would take on average 2 to the 255th guesses to get the resulting key (half of 2 to the 256th number of possible keys). That’s a lot more bits of entropy than what is likely a memorable master password, and even with key stretching iterations to slow down guesses with something like PBKDF2, brute force guessing of the password will be faster. (It should also be noted that there could be a hash collision between different passwords so it’s possible to guess the wrong password and still be right, but it’s a very remote chance.)

  44. Funny you should ask. This was a discussion in the Firefox Bugzilla: 1320222 - Review FxA client-side key stretching parameters

    A quick summary is that there’s a request to review the number of iterations (currently 1000), and considers increasing it to hundreds of thousands of iterations.

    The argument is that 1000 was originally chosen in order to run reasonably fast on the hardware of the time and now we have much faster hardware that can handle more iterations without imposing a significant delay on the user.

    The counter-argument is that it won’t really help. An attacker who can get by the TLS encryption (of the HTTPS connection) shouldn’t be able to extract the plaintext password from what he sees. For this purpose one iteration of PBKDF2 will be sufficient - more iterations may add a slight delay, but won’t have any significant impact on the attacker.

    For other purposes (beyond intercepting the TLS stream), it all comes down to thwarting the brute-force attack. More iterations means each try takes longer. If you require so many iterations that it requires 1/2 second to generate a key from a password, then even a short password (e.g. 6 same-case characters) will take a long time to crack (about 5 years for 6 characters at 2 per second).

    But chasing that goal is ultimately going to be futile. As the attacker’s computer gets more powerful (and leasing time on cloud services is no big deal these days - so he potentially has a lot of available power), the number of iterations is going to need to constantly be increasing in order to keep pace. And every time it does, the data needs to be re-encrypted (not trivial overhead if it happens a lot, and very inconvenient for users).

    But if the master password used to generate the various other keys and tokens is already secure (long and complex), then it no longer matters that much. As one commenter wrote:

    So just keep your passwords long and complex and don’t worry much about how much hashing and re-hashing is being performed against it. Even a small amount of hashing should be sufficient if it is, and extreme amounts won’t help very much if it isn’t.
