by palant 1269 days ago
Disclaimer: I’m the author of this article.

No, the iteration count is no secret. It’s even exposed via a public API; anyone can query it if they know the email address.

2 comments

Well, balls. Thanks for confirming.
…why would you even do that?
The number of iterations is needed for login. The user enters their email address and password, and the app needs to know (before they actually log in) how many iterations to apply. There are approaches like the OPAQUE protocol which avoid having the iteration count in the open, but LastPass didn’t implement that. In their defense, OPAQUE is relatively new.
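
The login flow described in the last comment, as an added sketch that is not part of the thread and not LastPass code. It assumes PBKDF2-HMAC-SHA256 with the email address as salt; all function names, the account table and the iteration counts are constructed for illustration.

```python
import hashlib
import hmac

# Constructed server-side table: email -> (iterations, stored login hash).
ACCOUNTS = {}

def derive_login_hash(email, password, iterations):
    """Client side: stretch the password locally, then derive the value sent to the server."""
    salt = email.lower().encode()
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # One extra round so the server never receives the locally derived key itself.
    return hashlib.pbkdf2_hmac("sha256", key, password.encode(), 1)

def register(email, password, iterations):
    """Store the per-account iteration count next to the login hash."""
    ACCOUNTS[email.lower()] = (iterations, derive_login_hash(email, password, iterations))

def get_iterations(email):
    """Pre-login lookup: it has to answer before the user has proven anything,
    so anyone who knows the email address can read the count."""
    entry = ACCOUNTS.get(email.lower())
    return entry[0] if entry else None

def server_login(email, login_hash):
    """Server side: constant-time comparison against the stored login hash."""
    entry = ACCOUNTS.get(email.lower())
    return entry is not None and hmac.compare_digest(entry[1], login_hash)

def client_login(email, password):
    """Full client flow: fetch the count first, derive, then authenticate."""
    iterations = get_iterations(email)
    if iterations is None:
        return False
    return server_login(email, derive_login_hash(email, password, iterations))

if __name__ == "__main__":
    register("alice@example.com", "correct horse", 5000)  # constructed account
    print("count visible pre-login:", get_iterations("alice@example.com"))
    print("login with fetched count:", client_login("alice@example.com", "correct horse"))
    # Right password but a guessed count: the derived hash no longer matches.
    guessed = derive_login_hash("alice@example.com", "correct horse", 100100)
    print("login with guessed count:", server_login("alice@example.com", guessed))
```

Because the client derives the hash before authenticating, a correct password with the wrong count fails, which is why the count has to be retrievable by email address alone.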