1Password Slams LastPass Over Misleading Security Claims

In an official blog post, 1Password has slammed LastPass over its misleading claim that “it would take millions of years to guess a master password” if users generate one using the default LastPass settings.


Last week, LastPass confirmed that encrypted vaults containing customers’ website usernames and passwords, secure notes, and form-filled data were stolen in a recent security breach.

The company, however, added that if users had followed default settings, it would not have been possible to crack them “using generally-available password-cracking technology.”

The “claim is highly misleading,” notes 1Password’s Jeffrey Goldberg. “Not in a million years: It can take far less to crack a LastPass password,” he writes.

“If 1Password were to suffer a similar breach, the attacker would not be able to crack your combination of account password and Secret Key even if they put every computer on Earth to work on the cracking and ran them for zillions of times the age of the universe.”

Goldberg explains that the default settings LastPass is referring to are 100,100 rounds of PBKDF2 for processing LastPass and a minimum password length of twelve characters.

“That “millions of years” claim appears to rely on the assumption that the LastPass user’s 12-character password was generated through a completely random process. Passwords created by humans come nowhere near meeting that requirement.

Unless your password was created by a good password generator, it is crackable.”

He goes on to explain how it would cost only $100 to guess a LastPass-generated password at a cracking competition.

“Given that the attacker is starting with the most likely human-created passwords first, that $100 worth of effort is likely to get results unless the password was machine-generated,” notes Goldberg.

You can visit the source page to read the lengthy article in its entirety.

Following the incident, LastPass claims it has eliminated any potential for access to its development environment by decommissioning the affected environment in its entirety and rebuilding a new environment from scratch to prevent any further breaches.

P.S. Help support us and independent media here: Buy us a beer, Buy us a coffee, or use our Amazon link to shop.