by geofft 2636 days ago
The entire point of PBKDF2 is that a sub-$1,000 GPU isn't helpful.

It's certainly straightforward to use PBKDF2 in a way that is resistant to common / leaked passwords: add a per-database salt, then you can't go through the table in advance. For each individual user you want to target, you have to start trying passwords.

But even if you don't, the whole point of a password manager is to allow the single master password/passphrase to be something complicated. The average breached password should not be relevant here, and a good password manager's UX should encourage/force you to use something more complicated.

1Password, for instance, requires that you provide a 25-character random string in addition to your passphrase; it's not enough to just have the passphrase. I believe they're both used as inputs to key derivation.

1 comment

Your arguments are sound in theory. But not in practice (for LastPass; 1Password has a better design). For example, LastPass was deriving their encryption key with only 5k rounds of PBKDF2 iteration (but used ~100k rounds to create their authentication hash)[1].

In LastPass's case, assuming the attacker has obtained a copy of the encrypted data, a smart attacker can ignore the authentication hash and just try encryption keys directly.

5k rounds of PBKDF2 on a sub-$1,000 GPU is quite tractable to crack.

Was it a trivial thing for LastPass to fix? Of course. But that's not the point - if an attacker got a copy of the data before you fixed it - it's too late.

[1] https://palant.de/2018/07/09/is-your-lastpass-data-really-sa...
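To make the cost asymmetry discussed in this thread concrete, here is a small Python model (an added example, not code from LastPass, 1Password or either commenter): the vault key and the login hash are stretched separately, so opening a copy of the vault costs only the vault key's iteration count whatever the authentication hash was given, and a per-vault salt rules out shared precomputed tables. The vault layout, the `make_vault`/`unlock` functions and the keyed check value standing in for the encrypted blob are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration counts as stated in the thread; the vault layout below is a
# constructed model, not LastPass's or 1Password's actual format.
WEAK_DESIGN = {"vault_rounds": 5_000, "auth_rounds": 100_000}
FIXED_DESIGN = {"vault_rounds": 100_000, "auth_rounds": 100_000}


def stretch(password: str, salt: bytes, rounds: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)


def make_vault(password: str, design: dict) -> dict:
    """Build a vault record the way a client would before uploading it."""
    salt = os.urandom(16)  # per-vault salt: a leaked-password table cannot be reused
    key = stretch(password, salt, design["vault_rounds"])
    # Stand-in for the encrypted blob: a keyed check value that only the right
    # key reproduces (hypothetical; real vaults use authenticated encryption).
    check = hmac.new(key, b"vault-check", "sha256").digest()
    # Login credential, stretched separately; it is never needed to open the blob.
    auth_hash = stretch(password, salt, design["auth_rounds"])
    return {"salt": salt, "check": check, "auth_hash": auth_hash, "design": design}


def unlock(vault: dict, password: str) -> Optional[bytes]:
    """Client-side open: pays only the vault KDF, regardless of auth_rounds."""
    key = stretch(password, vault["salt"], vault["design"]["vault_rounds"])
    if hmac.compare_digest(hmac.new(key, b"vault-check", "sha256").digest(), vault["check"]):
        return key
    return None


def rounds_per_guess_offline(vault: dict) -> int:
    """Cost of one guess against a stolen vault copy: the auth hash plays no part."""
    return vault["design"]["vault_rounds"]


def rounds_per_guess_online(vault: dict) -> int:
    """Cost of one guess through the login path, which is all auth_rounds protects."""
    return vault["design"]["auth_rounds"]


def same_password_different_salt(password: str, design: dict) -> bool:
    """Two vaults with the same password get different keys, so no shared table."""
    a, b = make_vault(password, design), make_vault(password, design)
    return a["check"] != b["check"]
```

The fix the thread calls trivial is the `FIXED_DESIGN` row: the vault KDF carries the full iteration count, so the offline and online costs per guess coincide.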