Following a security breach not long ago, LastPass recently updated its users, revealing that hackers had managed to get their hands on a backup of the password vaults belonging to its customers.
This is about as bad as it gets, but according to LastPass, the encryption and security protocols it employs mean the hackers would have an incredibly tough time breaking in. Or would they? Security researcher Wladimir Palant doesn’t think so: in a post on his blog, he argues that the situation could be much worse than we thought.
In his post, he takes issue with specific claims in LastPass’ statement, such as the company’s assertion that it would take “millions of years” to guess your master password. In reality, he argues, it could take as little as two months, and the hacker would need only a single GPU to do it. An attacker with access to more powerful hardware would presumably need even less time.
“I’ll translate: ‘If you’ve done everything right, nothing can happen to you.’ This again prepares the ground for blaming the customers. One would assume that people who ‘test the latest password cracking technologies’ would know better than that. As I’ve calculated, even guessing a truly random password meeting their complexity criteria would take less than a million years on average using a single graphics card.
But human-chosen passwords are far from being random. Most people have trouble even remembering a truly random twelve-character password. An older survey found the average password to have 40 bits of entropy. Such passwords could be guessed in slightly more than two months on the same graphics card. Even an unusually strong password with 50 bits of entropy would take 200 years on average – not unrealistic for a high value target that somebody would throw more hardware on.”
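The entropy figures Palant cites can be checked with a few lines of arithmetic. The following Python is an added example, not code from this article or from Palant’s post: it computes the average brute-force time for a password of a given entropy at a given guess rate, and inverts the question to ask how much entropy a master password would need for a “millions of years” claim to hold. The guess rate of 100,000 guesses per second on one GPU is an assumption, chosen because it reproduces the “40 bits in slightly more than two months” figure quoted above; it is not a number from the article.

```python
import math

# Constructed assumption, not a figure from the article: a single GPU trying
# about 1e5 master-password guesses per second against a LastPass-style vault.
# Chosen because the quoted "40 bits of entropy -> slightly more than two
# months on one graphics card" implies a rate of roughly this order.
ASSUMED_GUESSES_PER_SECOND = 100_000.0

SECONDS_PER_DAY = 86_400.0
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Average time to brute-force a password with the given entropy.

    A password with E bits of entropy is one of 2**E equally likely choices;
    on average the attacker finds it after trying half of them, so the
    expected number of guesses is 2**E / 2.
    """
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def expected_crack_days(entropy_bits: float,
                        guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    return expected_crack_seconds(entropy_bits, guesses_per_second) / SECONDS_PER_DAY


def expected_crack_years(entropy_bits: float,
                         guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    return expected_crack_seconds(entropy_bits, guesses_per_second) / SECONDS_PER_YEAR


def entropy_needed_for_years(years: float, guesses_per_second: float) -> float:
    """Inverse question: how many bits of entropy make the *average* crack
    time equal to `years` at the given guess rate?

    Solves 2**E / 2 / rate = years * SECONDS_PER_YEAR for E.
    """
    total_guesses = years * SECONDS_PER_YEAR * guesses_per_second
    return math.log2(2.0 * total_guesses)


def format_duration(seconds: float) -> str:
    """Render a duration in the unit a reader would naturally use."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    # 40 bits: roughly the average human-chosen password per the survey quoted
    # above; 50 bits: the "unusually strong" case from the same quote.
    for bits in (40, 50):
        secs = expected_crack_seconds(bits, ASSUMED_GUESSES_PER_SECOND)
        print(f"{bits} bits of entropy: {format_duration(secs)} on average")
    needed = entropy_needed_for_years(1e6, ASSUMED_GUESSES_PER_SECOND)
    print(f"entropy needed for a one-million-year average at this rate: {needed:.1f} bits")
```

At the assumed rate this gives about 64 days for 40 bits and about 180 years for 50 bits, in line with the quoted figures, and shows that a one-million-year average would need a master password of roughly 62 bits of entropy, far more than typical human-chosen passwords carry. The arithmetic also makes the two levers visible: each extra bit of entropy doubles the attacker’s work, while slowing the key derivation (or removing hardware from the attacker) only scales it linearly.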
So what does this mean for users? Basically, you should go and change all the passwords in your vault, starting with the accounts that matter most, such as your bank and email. Depending on how many passwords you’ve stored, it could take a while, but it’s better to be safe than sorry!