Popular password manager LastPass confirmed last week that it was the victim of a data breach. In the press release, LastPass said that users’ password vaults were stolen and personal information like website usernames, passwords, secure notes, and form-filled data was exposed.
However, LastPass attempted to ease users’ fears by stating that their master password secured their information. LastPass said that as long as customers were following the company’s best practices for generating a strong master password, it would take hackers millions of years to guess their master password.
LastPass competitor 1Password challenged that claim in a recent blog post. 1Password countered that it would likely take much less time.
“That ‘millions of years’ claim appears to rely on the assumption that the LastPass user’s 12-character password was generated through a completely random process,” 1Password Principal Security Architect Jeffrey Goldberg said in the blog post. “Passwords created by humans come nowhere near meeting that requirement. As I have been saying for more than a decade, humans just can’t create high-entropy passwords.
“Seemingly clever schemes to create passwords with a mix of letters, digits, and symbols do more harm than good. Unless your password was created by a good password generator, it is crackable.
“The LastPass account password ‘best practices’ advice linked to in their announcement says nothing about using a password generator, so it would be incorrect to assume that users are generating their LastPass passwords using a strong password generator.”
Goldberg added that a 12-character password created without a password generator is extremely vulnerable no matter what method the user employed.
1Password conducted a password-cracking competition, and after studying the results, the password manager figures it would cost a hacker about $100 to crack a 12-character password that was not produced by a password generator — and would definitely take less than a million years.
Goldberg also pointed out the extra step 1Password takes to ensure users’ vaults remain inaccessible even if its servers are breached.
“We have not been breached, and we do not plan to be breached,” Goldberg said. “But we understand that we have to plan for being breached. We also understand many 1Password users will not follow our advice to use randomly generated account passwords. It can be hard advice to follow.
“As a result, we have a responsibility to find ways to protect 1Password users in the event of a breach that would expose their encrypted data. The 1Password Secret Key is the solution we settled on seven years ago when we first launched the 1Password.com service.
“The 1Password Secret Key may not be the most user-friendly aspect of our human-centered design, but it means that we can say with full confidence that your secrets will remain safe in the event of a breach.”
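The two technical points in this story, that a generator-made 12-character password has a keyspace far beyond what a human-chosen one has, and that mixing a device-held secret into key derivation protects a stolen vault even when the account password is weak, can be shown in a few lines. The following Python is an added illustration written for this page; it is not LastPass’s or 1Password’s code and does not reproduce either product’s actual key-derivation scheme. The iteration count, attacker guess rate, alphabet, and the HMAC-based way of mixing in the secret key are all assumptions made for the example.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Iterable, Optional

# Constructed parameters for the illustration (not any vendor's real settings).
PBKDF2_ITERATIONS = 100_000          # assumed KDF work factor
GUESSES_PER_SECOND = 1_000_000.0     # assumed attacker throughput against that KDF
SECONDS_PER_YEAR = 365.25 * 24 * 3600
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 12, alphabet: str = GENERATOR_ALPHABET) -> str:
    """Password from a CSPRNG: each character independently uniform over the alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generator_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(entropy_bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average half the keyspace must be searched."""
    expected_guesses = (2.0 ** entropy_bits) / 2.0
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def derive_vault_key(password: str, salt: bytes, secret_key: Optional[bytes] = None) -> bytes:
    """Derive a 256-bit vault key from the account password.

    With secret_key supplied, the PBKDF2 output is mixed with a random 128-bit
    client-side secret via HMAC, so the result depends on both values. This is the
    general idea of a client-held secret, not 1Password's exact construction.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    if secret_key is None:
        return pw_key
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def offline_crack(stolen_key: bytes, salt: bytes, candidates: Iterable[str],
                  secret_key: Optional[bytes] = None) -> Optional[str]:
    """Simulate an attacker holding the breached data (salt plus a key verifier that
    stands in for trial-decrypting the vault) and trying a wordlist of guesses."""
    for cand in candidates:
        if hmac.compare_digest(derive_vault_key(cand, salt, secret_key), stolen_key):
            return cand
    return None


def demo() -> dict:
    """Run both scenarios and return the outcomes for inspection."""
    salt = secrets.token_bytes(16)
    human_password = "Summer2022!!"                       # constructed human-style password
    wordlist = ["password1", "Summer2021!!", "Summer2022!!", "letmein"]  # constructed guesses

    # Scenario 1: weak password, no client secret -> stolen vault falls to a wordlist.
    weak_key = derive_vault_key(human_password, salt)
    cracked_without_secret = offline_crack(weak_key, salt, wordlist)

    # Scenario 2: same weak password, but a random secret key the server never stored.
    secret_key = secrets.token_bytes(16)                  # 128 bits of entropy, held by the client
    protected_key = derive_vault_key(human_password, salt, secret_key)
    cracked_with_secret = offline_crack(protected_key, salt, wordlist)  # attacker lacks the key

    bits = generator_entropy_bits(12, len(GENERATOR_ALPHABET))
    return {
        "cracked_without_secret": cracked_without_secret,   # "Summer2022!!"
        "cracked_with_secret": cracked_with_secret,         # None
        "generator_entropy_bits": bits,                     # about 78.7
        "generator_crack_years": expected_crack_years(bits),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The second scenario is the point Goldberg makes: the wordlist guess is correct, yet the attacker cannot confirm it because the derived key also depends on 128 random bits that were never on the breached server, so offline cracking cannot even begin. The entropy figure shows why the “millions of years” estimate only holds for generator output; a password drawn from a short human-style wordlist has a keyspace measured in a handful of guesses, whatever its length.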