LastPass hack is 200 times worse than they care to admit

From LastPass’ “Notice of Recent Security Incident”:

To further increase the security of your master password, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password.

Speed

When in fact many of their users have old accounts and use only 500 iterations of PBKDF2. Let’s test how that affects the cracking speed.

on a 6-core processor
100,100 rounds =      656 H/s
    500 rounds =   116800 H/s

As you can see the cracking speed is inversely proportional to the number of hashing rounds.

On-demand cost

If you rent cloud resources to crack a password with 100,100 rounds of PBKDF2-HMAC-SHA256 it would cost:

                         Price  Performance  Hashes/$
RTX 4090               $7.500/h   88000 H/s       42M
t2.medium shared       $0.046/h     149 H/s       11M
c3.small.x86 Equinix   $0.750/h    1134 H/s        5M
dedicated 4 GB Linode  $0.045/h      43 H/s        4M

1-year contract cost

The monthly cost of a RTX 4090 is twice as much as actually acquiring the hardware, and it’s still much more cost-effective than other cloud resources:

                         Price  Performance  Hashes/$
RTX 4090              $4320/mn    88000 H/s       52M
t2.medium shared      $  22/mn      149 H/s       18M
c3.small.x86 Equinix  $ 438/mn     1134 H/s        7M
dedicated 4 GB Linode $  30/mn       43 H/s        4M

Time

They say

Since 2018, we have required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute force password guessing.

There's a famous list of passwords that leaked from a service called rockyou. The list is named rockyou.txt and contains around 14 million unique passwords. Even if hashed with 100,100 rounds, an RTX 4090 could test all of them in 3 minutes, costing a mere 20 cents.

If the password isn't in the list, it's still possible that crackers will find it by combining rockyou.txt with one of the rules files that explore strengthened versions of those passwords.

                 Candidates  Success  RTX 4090 time
best64                   1B      32%        3 hours
rockyou-30000          430B      59%       56 days
OneRuleToRuleThemAll   745B      68%        3 months
dive                  1400B      65%        6 months

The times above are for 100,100 rounds of PBKDF2-HMAC-SHA256. You can do the math and see how much easier it would be with only 500 rounds instead. The success rates are relative to cracking the leaked password hashes from a Minecraft community.

But if a password uses the XKCD method, 4 common English words concatenated, it has about 44 bits of entropy. With 100,100 rounds of key derivation, an RTX 4090 would take 6 years to crack it. With 500 rounds, it would take only 12 days.

If you think nobody would spend that amount of time an money to crack your master password, remind yourself that the hacker might know which targets are the most valuable in the database. They may look for accounts with crypto wallet recovery codes or even political marks.

All the hashing power doesn't need to be dedicated to a single account. It can be spread across multiple accounts and find the easiest ones to crack.

This article was inspired by many posts from people who understand the subject better than me:

One Rule to Rule Them All

Sc00bz (@sc00bz@infosec.exchange)

Jeremi M Gosney :verified: (@epixoip@infosec.exchange)

Jeremi M Gosney :verified: (@epixoip@infosec.exchange)

What We Do in the /etc/shadow - Cryptography with Passwords - Dhole Moments