@0x56 Sure thing. Another note for those not technically-inclined... if you look at your LastPass advanced configuration (under Account Settings/Show Advanced Settings) and see that your Password Iterations setting is one of the legacy defaults (e.g.1, or 500, or anything less than 100,100) then YOU are the low hanging fruit. Not only do you need to bump up iterations to a minimum of 300,000 (or better yet, 600,000 as @0x56 suggests), but you REALLY SHOULD change all passwords that matter ASAP.
@codeWhisperer @0x56
So I would recommend adding "Change your vault password to something longer" to the recommended steps for LastPass users. It's also much easier for non-nerds to do than the access restrictions (though I think those are excellent recommendations).
@voltronic @0x56 This is a very good recommendation. Increasing iterations adds time needed to crack linearly, whereas increasing password length (generally) adds time to crack exponentially.
BTW, I said 'generally' because common sense still applies for password choice. Use at least 12 characters (15+ is better) and a mix of upper, lower and symbol characters. If you pick a password like letmein123 or col123456789 or qwertyuiop or a phrase containing only words you are already screwed.
@codeWhisperer @0x56
Yuck. I just logged into my web vault to check this setting, and my iterations were only 5,000. #infosecfail
I increased to 800,000. That should keep the skids busy.
BTW, CodeWhisperer - are you aware that none of your replies threaded?
@voltronic @0x56 Sorry to hear about the iterations, but glad you found it. As for the threading, hmmm... no I was not aware. Maybe I am encountering a pebcak error. 🙂
I've just been hitting the reply icon, is that not correct?
@codeWhisperer
Hmm, your replies were not threaded yesterday but now they are. Maybe it was on my end.
@voltronic @codeWhisperer - increasing the iterations makes it that much more expensive to brute force. Current OWASP recommendations is 600,000 or more. Increasing the length of the password makes it harder to crack (assuming no hashing collisions)
The reason (this is my theory) it takes so long is that it had to reencrypt everything, most likely individually.
@0x56 @voltronic My sources were all showing the OWASP recommendation to be 310,000, but I can see now that they have ~doubled it to 600,000 in the last few weeks, so thanks for posting this number.
As for the time cost, I agree with you. After hashing your master password (now hopefully 600,000 times or more) your local data will be re-encrypted with that result. This is a scary proposition. If something interrupts the process (crash, etc.) you will likely be well and truly screwed. (cont'd)
@0x56 @voltronic For that reason, I like to back up my vault first. Which can also be scary! Here's why: the only way to backup your vault (on your own) is to export it. Exporting it means you have a decrypted copy sitting in a CSV file. Which means that all of your passwords and other data are now exposed. So after I export, I immediately encrypt that file (I use 7Z but YMMV) and securely erase the original file. THEN I change my master password (or PBKDF2 iterations) as needed. (cont'd)
@0x56 @voltronic If you change your iterations count, be aware that it will take roughly 'x' times longer to open your vault (that's when you type in your master password for LastPass to use it). So if you go from 100,100 iterations to 600,000 iterations, it will take approximately 6 times longer to open your vault. But to be fair, on a modern computer this should still be reasonable, and AFAIK only needs to occur when opening the vault.
Isn't modern life fun?
@codeWhisperer @0x56
Never having used LastPass, I'm curious why increasing iterations would take any significant time.
On #Bitwarden you just log into the web vault, and change the setting. All logged-in devices are deauthed until you manually log into them again
But see the 'solution' post here that explains why increasing the *length* of your master password is much more effective than increasing iterations in resisting cracking:
https://community.bitwarden.com/t/where-to-check-how-many-kdf-iterations-currently-being-used/48559/6