LastPass breach: The significance of these password iterations

LastPass has been breached, data has been stolen. I already pointed out that their official statement is misleading. I also explained that decrypting passwords in the stolen data is possible which doesn’t mean however that everybody is at risk now. For assessing whether you are at risk, a fairly hidden setting turned out critical: password iterations.

LastPass provides an instruction to check this setting. One would expect it to be 100,100 (the LastPass default) for almost everyone. But plenty of people report having 5,000 configured there, some 500 and occasionally it’s even 1 (in words: one) iteration.

Screenshot of LastPass preferences. The value in the Password Iterations field: 1

Let’s say this up front: this isn’t the account holders’ fault. It rather is a massive failure by LastPass. They have been warned, yet they failed to act. And even now they are failing to warn the users who they know are at risk.

What is this setting about?

This setting is actually central to protecting your passwords if LastPass loses control of your data (like they did now). Your passwords are encrypted. In order to decrypt them, the perpetrators need to guess your master password. The more iterations you have configured, the slower this guessing will be. The current OWASP recommendation is 310,000 iterations. So the LastPass default is already factor three below the recommendation.

What’s the impact if you have an even lower iterations number configured? Let’s say you have a fairly strong master password, 50 bits of entropy. For example, it could be an eight character random password, with uppercase and lowercase letters, digits and even some special characters. Yes, such password is already rather hard to remember but you want your passwords to be secure.

Or maybe you went for a diceware password. You took a word list for four dices (1296 words) and you randomly selected five words for your master password.

Choosing a password with 50 bits entropy without it being randomized? No idea how one would do it. Humans are inherently bad at choosing strong passwords. You’d need a rather long password to get 50 bits, and you’d need to avoid obvious patterns like dictionary words.

Either way, if this is your password and someone got your LastPass vault, guessing your master password on a single graphics card would take on average 200 years. Not unrealistic (someone could get more graphics cards) but usually not worth the effort. But that’s the calculation for 100,100 iterations.

Let’s look at how time estimates and cost change depending on the number of iterations. I’ll be using the cost estimate by Jeffrey Goldberg who works at 1Password.

Iterations Guessing time on a single GPU Cost
100,100  200 years $1,500,000
5,000  10 years $75,000
500  1 year $7,500
1  17 hours $15

And that’s a rather strong password. According to this older study, the average password has merely 40 bits of entropy. So divide all numbers by 1,000 for that.

How did the low iteration numbers come about?

The default for LastPass accounts wasn’t always 100,100 iterations. Originally it was merely 1 iteration. At some point this was changed to 500 iterations, later to 5,000. And the final change adjusted this value to 100,100 iterations.

I don’t know exactly when and how these changes happened. Except for the last one: it happened in February 2018 as a result of my research.

Edit (2022-12-30): I now know more, thanks to @Sc00bz@infosec.exchange. The switch to 500 iterations happened in June 2012, the one to 5,000 iterations in February 2013. To quote Sc00bz: “I shamed the CEO into increasing this. «I think it is irresponsible to tell your users the recommended iteration count is 500. When 12 years ago, PBKDF2 had a recommended minimum iteration count of 1000.»”

LastPass was notified through their bug bounty program on Bugcrowd. When they reported fixing the issue I asked them about existing accounts. That was on February 24th, 2018.

Screenshot from Bugcrowd. bobc sent a message (5 years ago): Ok thank you. Our default is now 100k rounds and artificial limits on number of rounds have been removed. palant sent a message (5 years ago) Yes, the default changed it seems. But what about existing accounts?

They didn’t reply. So I prompted them again in an email on March 15th and got the reply that the migration should take until end of May.

I asked again about the state of the migration on May 23rd. This time the reply was that the migration is starting right now and is expected to complete by mid-June.

On June 25th I was once again contacted by LastPass, asking me to delay disclosure until they finish migrating existing accounts. I replied asking whether the migration actually started now and got the response: yes, it did last week.

My disclosure of the LastPass issues was finally published on July 9th, 2018. After all the delays requested by LastPass, their simultaneously published statement said:

we are in the process of automatically migrating all existing LastPass users to the new default.

We can now safely assume that the migration wasn’t actually underway even at this point. One user reported receiving an email about their account being upgraded to a higher password iterations count, and that was mid-2019.

Worse yet, for reasons that are beyond me, LastPass didn’t complete this migration. My test account is still at 5,000 iterations, as are the accounts of many other users who checked their LastPass settings. LastPass would know how many users are affected, but they aren’t telling that.

In fact, it’s painfully obvious that LastPass never bothered updating users’ security settings. Not when they changed the default from 1 to 500 iterations. Not when they changed it from 500 to 5,000. Only my persistence made them consider it for their latest change. And they still failed implementing it consistently.

So we now have people report finding their accounts to be configured with 500 iterations. And for some it’s even merely one iteration. For example here. And here. And here.

This is a massive failure on LastPass’ side, they failed to keep these users secure. They cannot claim ignorance. They had years to fix this. Yet they failed.

What could LastPass do about it now?

There is one thing that LastPass could do easily: query their database for users who have less than 100,100 iterations configured and notify all of them. Obviously, these users are at heightened risk due to the LastPass breach. Some found out about it, most of them likely didn’t. So far, LastPass chose not to notify them.

Of course, LastPass could also deliver on their promise and fix the iterations count for the affected accounts. It won’t help with the current breach but at least it will better protect these accounts in future. So far this didn’t happen either.

Finally, LastPass could change the “Password Iterations” setting and make sure that nobody accidentally configures a value that is too low. It’s Security 101 that users shouldn’t be able to set settings to values that aren’t safe. But right now I changed the iterations count for my test account to 1 and I didn’t even get a warning about it.

Comments

  • kodos

    Unknown is the quality of the salt values.

    Wladimir Palant

    That’s known. They use the user names (meaning: email addresses) as salt. That’s actually fine.

  • SG

    I wouldn't say that using email addresses as salt is "fine". Better than nothing, but it kind of defeats the purpose of protecting against password re-use across sites... if everyone uses the same predictable salt, you might as well not have one.

    Wladimir Palant

    Well, it works. It’s rather unlikely that some other website will use the same password derivation parameters as LastPass.

  • Prymatt

    Hi -

    So, 'pretty good' password; 13 characters, no dictionary words (derived from mnemonic phrase), no 'common substitutions', mix of letters, numbers, and symbols. But, if LastPass never updated iterations above 5000, still pretty much hosed if someone wants to dedicate resources to an attack?

    What are your recommendations for extricating oneself from LastPass, given the horse has left the barn? Simply move elsewhere and ask them to delete your account? I'm seeing some folks suggesting that you keep a free account, but delete all the contents. Not sure this makes any sense...

    Really appreciate what you're doing here; wish I'd seen your articles a year or two ago!

    Wladimir Palant

    You could try https://lowe.github.io/tryzxcvbn/ to get a rough idea of how hard your password would be to crack. guesses_log10 is the important value: for the 50 bit password used as example here it would be 15. One less than that means “factor 10 easier to bruteforce,” one more means “factor 10 harder to bruteforce.” Result should be taken with a grain of salt but it will give you an idea of the risk.

    If you conclude being at risk, changing all your passwords would be the most important thing to do. Whether deleting the account or deleting contents makes more sense is unfortunately impossible to tell from the outside.

  • Kevin

    Hi Wladimir,

    Thanks for you blog posts. They have been very helpful.

    Do you know anything about the server side PBKDF2 iterations LastPass perform?

    Their support documentation states that there is some here: "LastPass also performs a large number of rounds of PBKDF2 server-side.".

    I have not been able to find any documentation on the number of rounds. The support article mentions 100,100 but it is not clear if that refers to client or server side. I think it is probably the client side as they say "By default" in relation to that number.

    I am assuming that the server side iterations had been applied to the stolen data as it was a backup. I think this could make a big difference to those that had a low number of iterations configured on their accounts if there are a high value of server side iterations.

    Interested to know what you think.

    Thanks,

    Kevin

    Wladimir Palant

    I do. LastPass should have deleted this article four years ago. The server-side rounds were misimplemented and provided no security value. I proved that four years ago, it was the reason why they increased the client side iterations from 5,000 to 100,100 in the first place. See https://palant.info/2018/07/09/is-your-lastpass-data-really-safe-in-the-encrypted-online-vault/#cracking-the-encryption

  • Cindy Beres

    Thank you so much. I’ve been a paid LP user for many years and never knew about this. Seeing 5000 in my setting was the last straw.

  • Mark

    Did LastPass ever detail how long they store vault archives via their third-party cloud provider? I would normally assume that old archives are purged regularly, but apparently nothing can be safely assumed with LastPass. I ask because even if LastPass updated iteration counts, encrypted additional fields, etc, older archives would not contain those security improvements, remaining vulnerable to the weaknesses of LastPass' older standards. And since users are notoriously terrible at updating passwords unless forced, an older vault may be as useful to a malicious actor as an updated version.

    Wladimir Palant

    I doubt that they store backup data for years, it costs money and provides no real value. But: yes, that’s a really good question that still remains to be answered. Particularly for all the people who removed their LastPass accounts before the breach happened.

  • Adam WiFi

    Thank you for your writing on this. Wish I had a better reason to find your site. I just logged into my Lastpass account and my iterations were set to 100,100 and I changed them to 310,000 based on what I read here.

    If I may ask for your recommendation: I had changed my LastPass master password about 30 days ago, and have always used a master password that's 14+ characters, mix of caps, lowercase, numbers, and special chars. Would you still recommend changing my passwords saved in LP and the master PW again now? Ditching entirely?

    It seems like no cloud PW managers are a good solution or much better than any other. Thanks again!

    Wladimir Palant

    This is really hard to tell. If you had 100,100 iterations and a reasonably complicated password which wasn’t reused elsewhere – decrypting your passwords usually shouldn’t be worth the effort, and your biggest concern should be phishing emails.

    There is one complication however. Whoever has this data, they are going to keep it. And in say five years the calculation might look entirely differently. Better hardware, different priorities, and suddenly your account might no longer be safe. So it’s a good idea to eventually change the passwords at least for the important accounts (anything tied to your identity like email, banking and shopping websites etc.).

  • rs

    Thank you for your post (and the previous ones), as a long time lastpass user I was shocked to see that my vault was still configured with 5000 iterations.

    And perhaps more importantly, I didn't know about this setting and how critical it was before the breach.

    I think I should be somewhat safe for now (I use a 32 character password mixing dictionary and "original" words with some numbers and uncommon symbols), but still, what a mess! I'll have to update at least the most critical accounts.

  • John

    Thanks for your thorough and straightforward explanations of security. We use Shared Folders in LastPass Business. Are you aware how they are encrypted, i. e. are the passwords only encrypted with the super admin's master password? LastPass documentation states: "Users must generate sharing keys before being added to shared folders".

    I'm of course wondering whether, if any of our master passwords were broken, attackers would get access to the Shared Folder, or if it requires breaking the super admin's master password specifically.

    Thanks! :)

    Wladimir Palant

    No, I don’t know any specifics of the implementation here. However, you have to expect shared folders to be compromised if any of the accounts with access to them is compromised. That obviously includes super admins, but also regular users these folders have been shared with.

    Also, the vaults of super admins are clearly high-value targets in general, with them having access to passwords of all other users. While LastPass will normally only allow super admins to reset a user’s master password, in reality they of course hold the keys to the user’s vault. Otherwise resetting the master password without losing data wouldn’t have worked.

  • AR

    Business/enterprise accounts that use LastPass best practices are being mislead by the notion that they are not exposed to any risk if they're using Federated Login:

    The threat actor did not have access to the key fragments stored in customer Identity Provider’s or LastPass’ infrastructure and they were not included in the backups that were copied that contained customer vaults. Therefore, if you have implemented the Federated Login Services, you do not need to take any additional actions.

    However, any Super Admin user is immediately removed from federated login to avoid account lockout so these account(s) are vulnerable.

    Super Admins will often have the "Permit super admins to access shared folders" policy enabled (although this is not a default setting) which will also give their vaults access to every shared folder across the organization. Regardless, it's likely that Super Admins have access to critical infrastructure even without access to other shared folders.

  • SS

    Just checked and my account was set to 500 iterations (long time user). Despite a long passphrase that looks reasonable per the checker you linked, I guess it's time to move and then reset any important passwords - LastPass just lost another customer.

  • NewSchoolCritic

    Hi - My LastPass iteration is at the default of 100100. I was told by LastPass that if I increase the iterations then there's a risk that "some browsers may not be able to handle that and data within the vault could become corrupted." Does that sound correct to you? Also, have you heard about whether there's a good number to increase the iterations to and that won't actually cause corruption within the LastPass vault? I spoke with someone at LastPass about this just now and they wouldn't give me any info on this.

    Thank you.

    Wladimir Palant

    A high iterations setting is mostly an issue with smartphones. Back in 2018 I had to convince LastPass that smartphones don’t have any trouble dealing with 100k iterations. Now it’s almost five years later, the hardware improved. So my guess is that logging in on your smartphone won’t take too long even with 300k iterations. But you can test it, changing it back is always possible.

  • lastpassbyebye

    Been a lastpass user for over a decade, started using it after Steve Gibson recommended it on his podcast years ago. I have lots of data for me and my customers, much of it stored in Secure Notes. Anyway, I went to check my Iterations. It's set to 1 !! Apparently it was never updated. Maybe I'm reading it wrong.

    My master password consist of 16 characters of random lower case letters and numbers, so I think that means 52 bits of entropy.

    How long do you think it would take to brute force it?

    I guess that only matters if my vault is selected.

    Wladimir Palant

    If your password is truly random (computer-generated), you have 82 bits of entropy. So if you take the numbers in the table for 50 bit passwords, you need to multiply them with 2³² (roughly 4 billion). That would be safe enough.

    If on the other hand this password only looks random but hasn’t been generated in a random fashion, guessing it should be pretty easy.

  • lastpassbyebye

    It's a combination of a couple of passwords that were sent to me when I was registering for a site. Both of them looked pretty random to me, but I don't know how they were generated. I plugged it in on two different entropy calculators and came up with the same 82 bits of entropy you mentioned. Based on this information does that help you determine if my password is safe enough, or pretty easy to guess?

    Thanks!

    Wladimir Palant

    If you didn’t choose your passwords yourself, they will be computer generated. So you got lucky.

  • Bill

    Hello Wladimir,

    Long time LastPass user, but I’ve had enough of the vague responses from them and want to move on. Can you recommend a few password managers I should look into?

    Thank you, Bill

    Wladimir Palant

    As I said before, I’m the wrong person for recommendations, sorry.

  • whatnowlp?

    My password had 59.54 bits of entropy (10 characters long, upper, lower case letters and numbers) and I had (from the very beginning) set the iteration number to over 150000. Should I still be concerned? Also how does the salt affect the brute force speed? Does the fact that it is known what the salt is for each user make it irrelevant?

    Wladimir Palant

    Is that password randomly generated? Then you should be safe, at least for now. You should probably keep in mind changing at least the important passwords in the next few years. Hardware advancements might make decrypting your vault lucrative enough in the future.

    If that password isn’t randomly generated, don’t trust what some online tool tells you about entropy – the real value is far lower. It should be a good idea to change these important passwords right now.

    The salt doesn’t need to be a secret, it needs to be unique for each user. Its purpose is increasing the bruteforcing effort. Without it bruteforcing all vaults simultaneously would have been possible, so the situation would have been considerably worse.

  • Geely

    There is one thing that I can't figure out from reading the LastPass blog statements... Did the hacker get access to the "Password Hint" client field data? If so, things are much worse for those affected because the hint would hugely simplify the brute-force task in most situations. Do you know anything about it? Thanks!

    Wladimir Palant

    The password hint is unencrypted data from the database. While they don’t say so explicitly, it should be expected that it leaked as well.

  • Harry

    Great work, thank you. Read all comments and replies so will only ask one unanswered question.. Have Lastpass now updated everyone's number of iterations?

    I checked mine today and saw its 100,100 but am worried (as a long time user) that it was previously lower and they updated everyone in the last few days.

    If not, it might be relevant that I upgraded to Premium in Oct 2022 (was free for 10 years prior) and that upgrade triggerred the iteration upgrade? If so, do we know when the user vaults were stolen - was this the August attack?

    Lastly - if the account details (unencrypted) were stolen won't that make it easier to reverse engineer the master password. Eg John Doe is likely to have johndoe@gmail.com as username and hackers can see how that was encrypted to then find matches in the passwords.

    Really last, do we know if the notes field in each password entry was encrypted. Presume many use this to store things like hints, recovery codes, old passwords etc

    Thanks

    Wladimir Palant

    I don’t think they’ve done anything. Changing iteration count isn’t trivial, it requires re-encrypting the vault and takes some time. So you should get some visible feedback after logging in. Also, someone reported receiving an email confirmation in 2019 about an automatic iterations upgrade. This part is optional of course, but presumably their system will clearly notify you about the change.

    LastPass still didn’t communicate when the data was stolen. Somewhere between August and November, so far we don’t know any better. I just hope that their silence doesn’t mean that the attackers might still be in the system.

    Username is known to the attackers, but this isn’t an issue. However, as the previous comment points out: master password hint is also unencrypted. And this one might make guessing the master password a lot easier.

    Yes, the notes field is encrypted.

  • Harry

    Thanks Wladimir - appreciate your answers. Just unbelievable how bad this is. Hope I have a few weeks to update all my passwords and various keys.

    My instinct is to side with companies and blame hackers but their failures are glaring. They fully deserve to lose customers. They won't even tell us when the data was stolen. I've seen there's a class action case starting in the US. I wonder if European users will start GDPR claims. Lastpass is probably finished.

    I'm staggered they didn't hire you in 2018 to make LP the most secure system following your simple ideas. They're completely at fault and I have no sympathy at all.

  • Harry

    Hi Wladimir - one more question which relates to me trying to think of a new master passwork which i would like to create using a 4-word (14 chars) random dictionary passphrase + 10 chars from my old master password which are pretty random and have letter, numbers, symbols. I want to keep that bit of the old one as its muscle memory and would create a lot of entropy on top of the passphrase.

    Embarrassing newbie question - Assume my LP master password is cracked and my vault is opened - how does the hacker actually know they have cracked it? I mean they will just see the random passwordsput there in the first place. What is the sign to them that they have opened the door so to speak.

    Thanks

    Wladimir Palant

    Part of the answer here is padding.

    AES encrypts data as fixed-length 16 byte blocks. The input data has no fixed length however. So it is divided into pieces of 16 bytes, and the last piece gets padding added to it. If the last piece is already 16 bytes, there is a complete padding block added.

    When decrypting, the attackers will be able to recognize correct padding signalling successful decryption. In the unlikely event of accidentally correct padding, a real password is ASCII-only – so no binary noise. This also is a highly unlikely pattern.

  • JT

    I can verify that as of yesterday and on my account Lastpass has done nothing. Mine was still set to 5000. I have moved on from them and begun the pain in the butt process of changing every password using computer generated passwords for everything.

  • Juan

    Congrats for your blog, is really full of great stuff. It's a shame I discovered it under unfortunate circumstances.

    I've been following the LastPass incident as I'm a former user, now I'm migrated to 1Password. It's so much better, sadly I did not migrate 1 year ago. I'm really interested in security and would like to learn more and test stuff.

    Where can I find tools to test my security? I don't want to input my password in a website, so, is there an offline tool to test password strenght? How can I check how in risk I am, considering LP had my vault configured for 5000 iterations.

    Now I have a better strategy, passwords in 1Password, OTPs in Yubico Authenticator only for those sites where a Yubikey is not supported and has top security priority, and for the rest of sites Aegis OTP.

    Wladimir Palant

    You could test your password on https://lowe.github.io/tryzxcvbn/ – this is using the zxcvbn library on the client side, nothing is sent to the server. Alternatively you could download zxcvbn yourself and use it locally, assuming that you know a bit of JavaScript.

    Note that zxcvbn only gives you a rough idea of password complexity. It will recognize some common patterns but not all of them.

  • Jack

    Here are a couple more user data: 2010-01: I created my LastPass account. Presumably had 1 iteration. 2013ish maybe?: I remember manually updating the iteration setting once, when LP changed the default and published some recommendation for users to upgrade. I assume I changed it to 5000 because ... 2023-01: I checked today and the setting was 5000. (I am considering my passwords public knowledge, I guess.)

  • Charlie

    Hi Wladimir, How does an attacker choose the number of iterations to try? Presumably, if I use 100,005 iterations the outcome will be different from 100,000. Does the attacker need to try every number of iterations from 1 upwards? Thanks

    Wladimir Palant

    No, the number of iterations isn’t a secret. It’s necessarily stored in the LastPass database, and there is even a public API that allows anyone to check your number of iterations, assuming that they know the email address of your account.