by maibus2 2633 days ago
This is not an irrational fear given how LastPass and many other password managers are designed. LastPass (and others) derive encryption keys from their users' passwords (via PBKDF-2).

Thus a (smart) attacker needn't guess the user's encryption key directly. They just need to guess the user's password, "hash" it via PBKDF-2 with the proper params and see if it decrypts the data.

Using a sub-$1,000 GPU and a table of common passwords obtained from popular website database leaks, it's not that hard to crack the average Joe's vault.

3 comments

You are assuming Joe would use a "common" password to encrypt their highly sensitive password vault. Joe only has to remember one password since moving to a password manager. Even my mother uses a decent password for that. I'm not saying your situation isn't feasible but Joe has failed to use the product properly.

I think I saw that some of these managers have integrations with https://haveibeenpwned.com/ and that could extend to the vault password too. Maybe it already does.

Yes. Given how mass data leaks have shown just how bad people are at choosing passwords - I think it's a very safe assumption that a large proportion of LastPass users have weak, easily guessable master passwords.

The ironic thing here is randomly generated passwords produced by a password manager are highly likely to be more secure than the password that protects the password vault itself.

> Yes. Given how mass data leaks have shown just how bad people are at choosing passwords - I think it's a very safe assumption that a large proportion of LastPass users have weak, easily guessable master passwords.

Indeed. Which is in part why we developed the Secret Key. Even if someone chooses a relatively weak Master Password and all of the data were stolen from our servers, cracking even just a single password of a single user via brute force would be implausible. The effort-to-reward ratio is very high (perhaps insurmountably so) on the effort side.

Full disclosure: I work for 1Password.

The entire point of PBKDF2 is that a sub-$1,000 GPU isn't helpful.

It's certainly straightforward to use PBKDF2 in a way that is resistant to common / leaked passwords: add a per-database salt, then you can't go through the table in advance. For each individual user you want to target, you have to start trying passwords.

But even if you don't, the whole point of a password manager is to allow the single master password/passphrase to be something complicated. The average breached password should not be relevant here, and a good password manager's UX should encourage/force you to use something more complicated.

1Password, for instance, requires that you provide a 25-character random string in addition to your passphrase; it's not enough to just have the passphrase. I believe they're both used as inputs to key derivation.

Your arguments are sound in theory. But not in practice (for LastPass; 1Password has a better design). For example, LastPass was deriving their encryption key with only 5k rounds of PBKDF-2 iteration (but used ~100k rounds to create their authentication hash) [1].

In LastPass's case, assuming the attacker has obtained a copy of the encrypted data, a smart attacker can ignore the authentication hash and just try encryption keys directly.

5k rounds of PBKDF-2 on a sub-$1,000 GPU is quite tractable to crack.

Was it a trivial thing for LastPass to fix? Of course. But that's not the point - if an attacker got a copy of the data before you fixed it - it's too late.

[1] https://palant.de/2018/07/09/is-your-lastpass-data-really-sa...

With a salt and enough iterations of PBKDF-2, even easy passwords should be reasonably difficult to crack.

The problem of course is deciding what a reasonable number of iterations is, but given the time it takes to decrypt my password I'd say they use quite a lot.

"Should" is the key word there. When LastPass was breached in 2015, they were using only 5k iterations of PBKDF-2 to create the encryption key (but it was changed to ~100k in Feb 2018) [1].

[1] https://palant.de/2018/07/09/is-your-lastpass-data-really-sa...
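
Added example (not part of the thread, and not LastPass or 1Password code): a Python sketch of the two points argued above, that the PBKDF2 iteration count sets the cost of every offline guess and that a per-user salt forces that cost to be paid again for each vault. The function names, the choice of HMAC-SHA256, and the wordlist and vault counts are assumptions made for illustration.

```python
import hashlib
import os
import time


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Password -> 256-bit vault key. HMAC-SHA256 is an assumption of this sketch."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure what one password guess costs on this machine's CPU."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"constructed-guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def derivations_needed(wordlist_size: int, vaults: int, per_user_salt: bool) -> int:
    """Key derivations required to test a whole wordlist against every vault.

    With a shared (or no) salt the derived keys can be computed once and
    reused for all vaults; with a per-user salt each vault needs its own pass.
    """
    return wordlist_size * (vaults if per_user_salt else 1)


if __name__ == "__main__":
    # Same password, different per-user salts -> unrelated keys.
    a = derive_vault_key("correct horse", os.urandom(16), 5_000)
    b = derive_vault_key("correct horse", os.urandom(16), 5_000)
    print("keys differ across salts:", a != b)

    # Constructed sizes: a 1M-entry wordlist and 10k stolen vaults.
    for iterations in (5_000, 100_000):
        cost = seconds_per_guess(iterations)
        for salted in (False, True):
            n = derivations_needed(1_000_000, 10_000, salted)
            print(f"{iterations:>7} iters, per-user salt={salted}: "
                  f"{cost * 1e3:.1f} ms/guess, {n * cost / 3600:,.0f} CPU-hours")
```

The timings are CPU figures from whatever machine runs the script; PBKDF2's cost is linear in the iteration count, so the 20x gap between 5k and 100k iterations holds on faster hardware as well.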