LastPass has been breached, data has been stolen. I already pointed out that their official statement is misleading. I also explained that decrypting passwords in the stolen data is possible which doesn’t mean however that everybody is at risk now. For assessing whether you are at risk, a fairly hidden setting turned out critical: password iterations.
LastPass provides an instruction to check this setting. One would expect it to be 100,100 (the LastPass default) for almost everyone. But plenty of people report having 5,000 configured there, some 500 and occasionally it’s even 1 (in words: one) iteration.
Let’s say this up front: this isn’t the account holders’ fault. It rather is a massive failure by LastPass. They have been warned, yet they failed to act. And even now they are failing to warn the users who they know are at risk.
Contents
What is this setting about?
This setting is actually central to protecting your passwords if LastPass loses control of your data (like they did now). Your passwords are encrypted. In order to decrypt them, the perpetrators need to guess your master password. The more iterations you have configured, the slower this guessing will be. The current OWASP recommendation is 310,000 iterations. So the LastPass default is already factor three below the recommendation.
What’s the impact if you have an even lower iterations number configured? Let’s say you have a fairly strong master password, 50 bits of entropy. For example, it could be an eight character random password, with uppercase and lowercase letters, digits and even some special characters. Yes, such password is already rather hard to remember but you want your passwords to be secure.
Or maybe you went for a diceware password. You took a word list for four dices (1296 words) and you randomly selected five words for your master password.
Choosing a password with 50 bits entropy without it being randomized? No idea how one would do it. Humans are inherently bad at choosing strong passwords. You’d need a rather long password to get 50 bits, and you’d need to avoid obvious patterns like dictionary words.
Either way, if this is your password and someone got your LastPass vault, guessing your master password on a single graphics card would take on average 200 years. Not unrealistic (someone could get more graphics cards) but usually not worth the effort. But that’s the calculation for 100,100 iterations.
Let’s look at how time estimates and cost change depending on the number of iterations. I’ll be using the cost estimate by Jeffrey Goldberg who works at 1Password.
| Iterations | Guessing time on a single GPU | Cost |
|---|---|---|
| 100,100 | 200 years | $1,500,000 |
| 5,000 | 10 years | $75,000 |
| 500 | 1 year | $7,500 |
| 1 | 17 hours | $15 |
And that’s a rather strong password. According to this older study, the average password has merely 40 bits of entropy. So divide all numbers by 1,000 for that.
How did the low iteration numbers come about?
The default for LastPass accounts wasn’t always 100,100 iterations. Originally it was merely 1 iteration. At some point this was changed to 500 iterations, later to 5,000. And the final change adjusted this value to 100,100 iterations.
I don’t know exactly when and how these changes happened. Except for the last one: it happened in February 2018 as a result of my research.
Edit (2022-12-30): I now know more, thanks to @Sc00bz@infosec.exchange. The switch to 500 iterations happened in June 2012, the one to 5,000 iterations in February 2013. To quote Sc00bz: “I shamed the CEO into increasing this. «I think it is irresponsible to tell your users the recommended iteration count is 500. When 12 years ago, PBKDF2 had a recommended minimum iteration count of 1000.»”
LastPass was notified through their bug bounty program on Bugcrowd. When they reported fixing the issue I asked them about existing accounts. That was on February 24th, 2018.
They didn’t reply. So I prompted them again in an email on March 15th and got the reply that the migration should take until end of May.
I asked again about the state of the migration on May 23rd. This time the reply was that the migration is starting right now and is expected to complete by mid-June.
On June 25th I was once again contacted by LastPass, asking me to delay disclosure until they finish migrating existing accounts. I replied asking whether the migration actually started now and got the response: yes, it did last week.
My disclosure of the LastPass issues was finally published on July 9th, 2018. After all the delays requested by LastPass, their simultaneously published statement said:
we are in the process of automatically migrating all existing LastPass users to the new default.
We can now safely assume that the migration wasn’t actually underway even at this point. One user reported receiving an email about their account being upgraded to a higher password iterations count, and that was mid-2019.
Worse yet, for reasons that are beyond me, LastPass didn’t complete this migration. My test account is still at 5,000 iterations, as are the accounts of many other users who checked their LastPass settings. LastPass would know how many users are affected, but they aren’t telling that.
In fact, it’s painfully obvious that LastPass never bothered updating users’ security settings. Not when they changed the default from 1 to 500 iterations. Not when they changed it from 500 to 5,000. Only my persistence made them consider it for their latest change. And they still failed implementing it consistently.
So we now have people report finding their accounts to be configured with 500 iterations. And for some it’s even merely one iteration. For example here. And here. And here.
This is a massive failure on LastPass’ side, they failed to keep these users secure. They cannot claim ignorance. They had years to fix this. Yet they failed.
What could LastPass do about it now?
There is one thing that LastPass could do easily: query their database for users who have less than 100,100 iterations configured and notify all of them. Obviously, these users are at heightened risk due to the LastPass breach. Some found out about it, most of them likely didn’t. So far, LastPass chose not to notify them.
Of course, LastPass could also deliver on their promise and fix the iterations count for the affected accounts. It won’t help with the current breach but at least it will better protect these accounts in future. So far this didn’t happen either.
Finally, LastPass could change the “Password Iterations” setting and make sure that nobody accidentally configures a value that is too low. It’s Security 101 that users shouldn’t be able to set settings to values that aren’t safe. But right now I changed the iterations count for my test account to 1 and I didn’t even get a warning about it.
Comments
Unknown is the quality of the salt values.
That’s known. They use the user names (meaning: email addresses) as salt. That’s actually fine.
I wouldn't say that using email addresses as salt is "fine". Better than nothing, but it kind of defeats the purpose of protecting against password re-use across sites... if everyone uses the same predictable salt, you might as well not have one.
Well, it works. It’s rather unlikely that some other website will use the same password derivation parameters as LastPass.
Hi -
So, 'pretty good' password; 13 characters, no dictionary words (derived from mnemonic phrase), no 'common substitutions', mix of letters, numbers, and symbols. But, if LastPass never updated iterations above 5000, still pretty much hosed if someone wants to dedicate resources to an attack?
What are your recommendations for extricating oneself from LastPass, given the horse has left the barn? Simply move elsewhere and ask them to delete your account? I'm seeing some folks suggesting that you keep a free account, but delete all the contents. Not sure this makes any sense...
Really appreciate what you're doing here; wish I'd seen your articles a year or two ago!
You could try https://lowe.github.io/tryzxcvbn/ to get a rough idea of how hard your password would be to crack. guesses_log10 is the important value: for the 50 bit password used as example here it would be 15. One less than that means “factor 10 easier to bruteforce,” one more means “factor 10 harder to bruteforce.” Result should be taken with a grain of salt but it will give you an idea of the risk.
If you conclude being at risk, changing all your passwords would be the most important thing to do. Whether deleting the account or deleting contents makes more sense is unfortunately impossible to tell from the outside.
Hi Wladimir,
Thanks for you blog posts. They have been very helpful.
Do you know anything about the server side PBKDF2 iterations LastPass perform?
Their support documentation states that there is some here: "LastPass also performs a large number of rounds of PBKDF2 server-side.".
I have not been able to find any documentation on the number of rounds. The support article mentions 100,100 but it is not clear if that refers to client or server side. I think it is probably the client side as they say "By default" in relation to that number.
I am assuming that the server side iterations had been applied to the stolen data as it was a backup. I think this could make a big difference to those that had a low number of iterations configured on their accounts if there are a high value of server side iterations.
Interested to know what you think.
Thanks,
Kevin
I do. LastPass should have deleted this article four years ago. The server-side rounds were misimplemented and provided no security value. I proved that four years ago, it was the reason why they increased the client side iterations from 5,000 to 100,100 in the first place. See https://palant.info/2018/07/09/is-your-lastpass-data-really-safe-in-the-encrypted-online-vault/#cracking-the-encryption
Thank you so much. I’ve been a paid LP user for many years and never knew about this. Seeing 5000 in my setting was the last straw.
Did LastPass ever detail how long they store vault archives via their third-party cloud provider? I would normally assume that old archives are purged regularly, but apparently nothing can be safely assumed with LastPass. I ask because even if LastPass updated iteration counts, encrypted additional fields, etc, older archives would not contain those security improvements, remaining vulnerable to the weaknesses of LastPass' older standards. And since users are notoriously terrible at updating passwords unless forced, an older vault may be as useful to a malicious actor as an updated version.
I doubt that they store backup data for years, it costs money and provides no real value. But: yes, that’s a really good question that still remains to be answered. Particularly for all the people who removed their LastPass accounts before the breach happened.
Thank you for your writing on this. Wish I had a better reason to find your site. I just logged into my Lastpass account and my iterations were set to 100,100 and I changed them to 310,000 based on what I read here.
If I may ask for your recommendation: I had changed my LastPass master password about 30 days ago, and have always used a master password that's 14+ characters, mix of caps, lowercase, numbers, and special chars. Would you still recommend changing my passwords saved in LP and the master PW again now? Ditching entirely?
It seems like no cloud PW managers are a good solution or much better than any other. Thanks again!
This is really hard to tell. If you had 100,100 iterations and a reasonably complicated password which wasn’t reused elsewhere – decrypting your passwords usually shouldn’t be worth the effort, and your biggest concern should be phishing emails.
There is one complication however. Whoever has this data, they are going to keep it. And in say five years the calculation might look entirely differently. Better hardware, different priorities, and suddenly your account might no longer be safe. So it’s a good idea to eventually change the passwords at least for the important accounts (anything tied to your identity like email, banking and shopping websites etc.).
Thank you for your post (and the previous ones), as a long time lastpass user I was shocked to see that my vault was still configured with 5000 iterations.
And perhaps more importantly, I didn't know about this setting and how critical it was before the breach.
I think I should be somewhat safe for now (I use a 32 character password mixing dictionary and "original" words with some numbers and uncommon symbols), but still, what a mess! I'll have to update at least the most critical accounts.
Thanks for your thorough and straightforward explanations of security. We use Shared Folders in LastPass Business. Are you aware how they are encrypted, i. e. are the passwords only encrypted with the super admin's master password? LastPass documentation states: "Users must generate sharing keys before being added to shared folders".
I'm of course wondering whether, if any of our master passwords were broken, attackers would get access to the Shared Folder, or if it requires breaking the super admin's master password specifically.
Thanks! :)
No, I don’t know any specifics of the implementation here. However, you have to expect shared folders to be compromised if any of the accounts with access to them is compromised. That obviously includes super admins, but also regular users these folders have been shared with.
Also, the vaults of super admins are clearly high-value targets in general, with them having access to passwords of all other users. While LastPass will normally only allow super admins to reset a user’s master password, in reality they of course hold the keys to the user’s vault. Otherwise resetting the master password without losing data wouldn’t have worked.
Business/enterprise accounts that use LastPass best practices are being mislead by the notion that they are not exposed to any risk if they're using Federated Login:
However, any Super Admin user is immediately removed from federated login to avoid account lockout so these account(s) are vulnerable.
Super Admins will often have the "Permit super admins to access shared folders" policy enabled (although this is not a default setting) which will also give their vaults access to every shared folder across the organization. Regardless, it's likely that Super Admins have access to critical infrastructure even without access to other shared folders.
Just checked and my account was set to 500 iterations (long time user). Despite a long passphrase that looks reasonable per the checker you linked, I guess it's time to move and then reset any important passwords - LastPass just lost another customer.
Hi - My LastPass iteration is at the default of 100100. I was told by LastPass that if I increase the iterations then there's a risk that "some browsers may not be able to handle that and data within the vault could become corrupted." Does that sound correct to you? Also, have you heard about whether there's a good number to increase the iterations to and that won't actually cause corruption within the LastPass vault? I spoke with someone at LastPass about this just now and they wouldn't give me any info on this.
Thank you.
A high iterations setting is mostly an issue with smartphones. Back in 2018 I had to convince LastPass that smartphones don’t have any trouble dealing with 100k iterations. Now it’s almost five years later, the hardware improved. So my guess is that logging in on your smartphone won’t take too long even with 300k iterations. But you can test it, changing it back is always possible.
Been a lastpass user for over a decade, started using it after Steve Gibson recommended it on his podcast years ago. I have lots of data for me and my customers, much of it stored in Secure Notes. Anyway, I went to check my Iterations. It's set to 1 !! Apparently it was never updated. Maybe I'm reading it wrong.
My master password consist of 16 characters of random lower case letters and numbers, so I think that means 52 bits of entropy.
How long do you think it would take to brute force it?
I guess that only matters if my vault is selected.
If your password is truly random (computer-generated), you have 82 bits of entropy. So if you take the numbers in the table for 50 bit passwords, you need to multiply them with 2³² (roughly 4 billion). That would be safe enough.
If on the other hand this password only looks random but hasn’t been generated in a random fashion, guessing it should be pretty easy.
It's a combination of a couple of passwords that were sent to me when I was registering for a site. Both of them looked pretty random to me, but I don't know how they were generated. I plugged it in on two different entropy calculators and came up with the same 82 bits of entropy you mentioned. Based on this information does that help you determine if my password is safe enough, or pretty easy to guess?
Thanks!
If you didn’t choose your passwords yourself, they will be computer generated. So you got lucky.
Hello Wladimir,
Long time LastPass user, but I’ve had enough of the vague responses from them and want to move on. Can you recommend a few password managers I should look into?
Thank you, Bill
As I said before, I’m the wrong person for recommendations, sorry.
My password had 59.54 bits of entropy (10 characters long, upper, lower case letters and numbers) and I had (from the very beginning) set the iteration number to over 150000. Should I still be concerned? Also how does the salt affect the brute force speed? Does the fact that it is known what the salt is for each user make it irrelevant?
Is that password randomly generated? Then you should be safe, at least for now. You should probably keep in mind changing at least the important passwords in the next few years. Hardware advancements might make decrypting your vault lucrative enough in the future.
If that password isn’t randomly generated, don’t trust what some online tool tells you about entropy – the real value is far lower. It should be a good idea to change these important passwords right now.
The salt doesn’t need to be a secret, it needs to be unique for each user. Its purpose is increasing the bruteforcing effort. Without it bruteforcing all vaults simultaneously would have been possible, so the situation would have been considerably worse.
There is one thing that I can't figure out from reading the LastPass blog statements... Did the hacker get access to the "Password Hint" client field data? If so, things are much worse for those affected because the hint would hugely simplify the brute-force task in most situations. Do you know anything about it? Thanks!
The password hint is unencrypted data from the database. While they don’t say so explicitly, it should be expected that it leaked as well.
Great work, thank you. Read all comments and replies so will only ask one unanswered question.. Have Lastpass now updated everyone's number of iterations?
I checked mine today and saw its 100,100 but am worried (as a long time user) that it was previously lower and they updated everyone in the last few days.
If not, it might be relevant that I upgraded to Premium in Oct 2022 (was free for 10 years prior) and that upgrade triggerred the iteration upgrade? If so, do we know when the user vaults were stolen - was this the August attack?
Lastly - if the account details (unencrypted) were stolen won't that make it easier to reverse engineer the master password. Eg John Doe is likely to have johndoe@gmail.com as username and hackers can see how that was encrypted to then find matches in the passwords.
Really last, do we know if the notes field in each password entry was encrypted. Presume many use this to store things like hints, recovery codes, old passwords etc
Thanks
I don’t think they’ve done anything. Changing iteration count isn’t trivial, it requires re-encrypting the vault and takes some time. So you should get some visible feedback after logging in. Also, someone reported receiving an email confirmation in 2019 about an automatic iterations upgrade. This part is optional of course, but presumably their system will clearly notify you about the change.
LastPass still didn’t communicate when the data was stolen. Somewhere between August and November, so far we don’t know any better. I just hope that their silence doesn’t mean that the attackers might still be in the system.
Username is known to the attackers, but this isn’t an issue. However, as the previous comment points out: master password hint is also unencrypted. And this one might make guessing the master password a lot easier.
Yes, the notes field is encrypted.
Thanks Wladimir - appreciate your answers. Just unbelievable how bad this is. Hope I have a few weeks to update all my passwords and various keys.
My instinct is to side with companies and blame hackers but their failures are glaring. They fully deserve to lose customers. They won't even tell us when the data was stolen. I've seen there's a class action case starting in the US. I wonder if European users will start GDPR claims. Lastpass is probably finished.
I'm staggered they didn't hire you in 2018 to make LP the most secure system following your simple ideas. They're completely at fault and I have no sympathy at all.
Hi Wladimir - one more question which relates to me trying to think of a new master passwork which i would like to create using a 4-word (14 chars) random dictionary passphrase + 10 chars from my old master password which are pretty random and have letter, numbers, symbols. I want to keep that bit of the old one as its muscle memory and would create a lot of entropy on top of the passphrase.
Embarrassing newbie question - Assume my LP master password is cracked and my vault is opened - how does the hacker actually know they have cracked it? I mean they will just see the random passwordsput there in the first place. What is the sign to them that they have opened the door so to speak.
Thanks
Part of the answer here is padding.
AES encrypts data as fixed-length 16 byte blocks. The input data has no fixed length however. So it is divided into pieces of 16 bytes, and the last piece gets padding added to it. If the last piece is already 16 bytes, there is a complete padding block added.
When decrypting, the attackers will be able to recognize correct padding signalling successful decryption. In the unlikely event of accidentally correct padding, a real password is ASCII-only – so no binary noise. This also is a highly unlikely pattern.
I can verify that as of yesterday and on my account Lastpass has done nothing. Mine was still set to 5000. I have moved on from them and begun the pain in the butt process of changing every password using computer generated passwords for everything.
Congrats for your blog, is really full of great stuff. It's a shame I discovered it under unfortunate circumstances.
I've been following the LastPass incident as I'm a former user, now I'm migrated to 1Password. It's so much better, sadly I did not migrate 1 year ago. I'm really interested in security and would like to learn more and test stuff.
Where can I find tools to test my security? I don't want to input my password in a website, so, is there an offline tool to test password strenght? How can I check how in risk I am, considering LP had my vault configured for 5000 iterations.
Now I have a better strategy, passwords in 1Password, OTPs in Yubico Authenticator only for those sites where a Yubikey is not supported and has top security priority, and for the rest of sites Aegis OTP.
You could test your password on https://lowe.github.io/tryzxcvbn/ – this is using the zxcvbn library on the client side, nothing is sent to the server. Alternatively you could download zxcvbn yourself and use it locally, assuming that you know a bit of JavaScript.
Note that zxcvbn only gives you a rough idea of password complexity. It will recognize some common patterns but not all of them.
Here are a couple more user data: 2010-01: I created my LastPass account. Presumably had 1 iteration. 2013ish maybe?: I remember manually updating the iteration setting once, when LP changed the default and published some recommendation for users to upgrade. I assume I changed it to 5000 because ... 2023-01: I checked today and the setting was 5000. (I am considering my passwords public knowledge, I guess.)
Hi Wladimir, How does an attacker choose the number of iterations to try? Presumably, if I use 100,005 iterations the outcome will be different from 100,000. Does the attacker need to try every number of iterations from 1 upwards? Thanks
No, the number of iterations isn’t a secret. It’s necessarily stored in the LastPass database, and there is even a public API that allows anyone to check your number of iterations, assuming that they know the email address of your account.
Holy Moly, I have a headache just reading this stuff!
Wladimir, are you saying that our login password is weak if it is not computer generated? If so, how are we supposed to remember a long, random password? I use a long password that can be remembered but is combined with special characters and the like. Is that sufficient? If not, I guess I need to go back to writing my passwords on a pad of paper and keeping it in my safe. :-(
Great stuff here, Wladimir! Really great stuff. Thanks!
I have a detailed blog post on this topic, in particular explaining how to generate a rememberable password: https://palant.info/2023/01/30/password-strength-explained/
Wondering if there is any way to know how many iterations are in use from the exposed backups?
Can the hackers see which ones have low iteration counts, or does it all look the same from the outside?
If not then thats a small saving grace for those on low iteration. Thankfully I was on the 100k version and have now bumped it up higher.
LastPass published an update yesterday where they explicitly confirmed what everyone suspected already – iteration counts were part of the leaked data of course.
According to their latest breach update they have, yet again, changed their position on iterations. Conveniently the KB article on their website, that recommended setting 100100 as the iterations has very recently been replaced with a new article that recommends a setting of 600000.
the latest breach update is here: https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/
The KB article regarding iterations is here (conveniently without a published date): https://support.lastpass.com/help/about-password-iterations-lp030027
Yet another example of how LastPass are throwing dust over their litany of negligence and incompetence that led them and us to all be burnt.
Now I have to ensure all my clients are checking and increasing what their previous default was of 5000 (that they still hadn't pushed out to their older clients - something I discovered over the last month when contacting some of my older cliets to find them still set with 5000 iterations), to ensure they were on their newer and still inadequate setting of 100100, to ensure they're all now on 60000!
Yes, they upped the default once again and are recommending people to change it manually for existing accounts. They also promise to implement an automatic update mechanism for the iterations count at some point – but they already promised that back in 2018 and didn’t do it, so we’ll see whether they can be trusted this time. Meanwhile, it would have been easy for them to send out an email to everyone who has the iterations count set dangerously low, but they still didn’t warn these users. And their recommended actions still don’t include “Change all your passwords” for anyone, regardless of risk factor.
I found mine set to just 5000 also. Free tier user, then Business level for years. I noticed the new recommended 600,000 on the LastPass Iteration page (its April 6, 2023). Honestly, people should move away from this platform. Don't mix personal and work accounts, ever. Thanks for the blog bringing this to everyone's attention.
Password strength for normal users
Besides the text-based https://lowe.github.io/tryzxcvbn/ there is another page, which has zxcvbn, Stutz, and 3 more typical password meters implemented: https://www.cryptool.org/en/cto/password-meter
CTO's password meter also runs purely locally in the browser.
For zxcvbn and Stutz the details (like in https://lowe.github.io/tryzxcvbn/) can be unfold; all five password-meter algorithms are visually compared by indicators. So this is helpful for normal users and incorporates different password meters.
CTO's password meter is the result of a bachelor thesis. It is open-source and free, and it is used as awareness tool in some companies to give employees hints before they select their password.
That’s not really helpful, merely more confusing. I enter “password1” and zxcvbn is the only bar staying at 0%. All other “measurements” put it somewhere in the middle – meaning that they are really not good for anything. We are back with zxcvbn as the only solution to measure password strength: far from perfect, but at least it’s trying.