Writing more about #LastPassBreach feels like beating a dead horse. But I had a look at the official statement again and it is highly misleading. I felt the need to provide some context that #LastPass is willingly omitting.

“Again, it seems that LastPass attempts to minimize the risk of litigation (hence alerting businesses) while also trying to prevent a public outcry (so not notifying the general public). Priorities…”

https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

What’s in a PR statement: LastPass breach explained

The LastPass statement on their latest breach is full of omissions, half-truths and outright lies. I’m providing the necessary context for some of their claims.

Almost Secure
@WPalant I found a family member who was a long-time LP user with only 500 PBKDF2 iterations, how easy might that be to crack? They did have a > 20 character master password.

@brm The length of the password in itself unfortunately isn’t meaningful. You can get a rough idea of password complexity on https://lowe.github.io/tryzxcvbn/. Mind you, it isn’t perfect: it won’t recognize many patterns and thus overestimates the complexity.

At 500 iterations, we are talking about 17,500,000 guesses per second on a single graphics card. So for a rough estimate take the “10B / second” result and multiply it by a thousand.

zxcvbn tests
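The scaling in the reply above, written out as an added Python example (not the poster's code): it anchors on the stated 500 iterations ≈ 17.5 million guesses per second on one graphics card, assumes PBKDF2 throughput is inversely proportional to the iteration count, and uses the GPU count and the 100,000-iteration comparison only as illustrative values. It also times PBKDF2-HMAC-SHA256 locally via hashlib to confirm the linear cost the estimate relies on.

```python
"""Cracking-time estimator for a PBKDF2-protected vault (added example).
Anchor from the post: 500 PBKDF2 iterations allow roughly 17.5 million
master-password guesses per second on one GPU; the rest is assumption."""
import hashlib
import os
import time

ANCHOR_ITERATIONS = 500               # from the post
ANCHOR_GUESSES_PER_SEC = 17_500_000   # from the post, single GPU
ZXCVBN_FAST_RATE = 1e10               # zxcvbn's "offline fast hashing, 1e10 / second"

def guesses_per_second(iterations: int, gpus: int = 1) -> float:
    """PBKDF2 work grows linearly with the iteration count, so guess throughput
    shrinks in proportion (assumption: overheads ignored)."""
    if iterations <= 0 or gpus <= 0:
        raise ValueError("iterations and gpus must be positive")
    return ANCHOR_GUESSES_PER_SEC * ANCHOR_ITERATIONS / iterations * gpus

def seconds_to_crack(guesses: float, iterations: int, gpus: int = 1) -> float:
    """Time to work through `guesses` attempts, e.g. zxcvbn's 'guesses' estimate."""
    return guesses / guesses_per_second(iterations, gpus)

def rescale_zxcvbn_time(fast_seconds: float, iterations: int, gpus: int = 1) -> float:
    """Convert zxcvbn's 1e10/s crack time to the PBKDF2 rate. At 500 iterations
    the factor is about 571; the post rounds it up to a thousand."""
    return fast_seconds * ZXCVBN_FAST_RATE / guesses_per_second(iterations, gpus)

def human(seconds: float) -> str:
    """Coarse human-readable duration."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def measure_pbkdf2(iterations: int, rounds: int = 20) -> float:
    """Average seconds per PBKDF2-HMAC-SHA256 derivation on this CPU, showing
    the linear cost the estimator assumes (constructed inputs)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"constructed-master-password", salt, iterations)
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    for it in (500, 100_000):  # 100,000 is only an illustrative comparison value
        print(f"{it:>7} iterations: {guesses_per_second(it):,.0f} guesses/s per GPU; "
              f"1e10 guesses take {human(seconds_to_crack(1e10, it))}")
    print(f"CPU cost ratio 5000/500 iterations: {measure_pbkdf2(5000) / measure_pbkdf2(500):.1f}x")
```

Feed zxcvbn's `guesses` field into `seconds_to_crack`, or its 1e10/s crack time into `rescale_zxcvbn_time`, to get the estimate for a given iteration count.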