by krebsonsecurity 1025 days ago
I thought about that also, and then one of the victims I talked to brought up a good point. An 8 character password with symbols and numbers doesn't sound like a great password today, but many of the accounts getting drained were tied to people who were very early LastPass users, and mostly longtime investors. Back then, affordable GPUs that can do 4 million hash cracking attempts per second weren't really a thing.

What I found was a lot of people made security assumptions and never revisited those assumptions. Or never fully did.


> What I found was a lot of people made security assumptions and never revisited those assumptions. Or never fully did.

I appreciate that KeePassXC has a feature to audit your passwords (Database -> Database Reports -> Health Check), which tells you which of your passwords are weak / should be changed.

https://keepassxc.org/blog/2020-08-15-keepassxc-password-hea... for more details (the threshold for "good" has since been bumped from 65 -> 75). The score corresponds to bits of entropy, with penalties for things like password reuse.

(It also has HIBP integration if you want to perform a one-off check that none of your important passwords have been compromised.)

Underrated feature, really. And most folks don't even know it's there. It also shows your health level on each password entry in the normal vault lists as a color square and when you open your entry as a colored line.
Doesn’t LastPass have this as well?
Seems like it (the "Security Dashboard"). In fact, it looks like it uses the same standard library for calculating entropy (zxcvbn). I didn't know offhand, since I've never used LastPass.

My point is that if your password manager allows you to readily identify which of your passwords are insecure / have been compromised, that's a very useful tool to revisit any previous security assumptions you may have had.

If that feature were to be implemented truthfully, it would have to report “go and change all of these; we were compromised and your master password was probably not secure enough” (i.e. based on the master password’s strength in addition to that of stored passwords).
That was the issue with LP never upping the number of PBKDF iterations.

BUT… this never mattered if you used a strong master pass phrase.

8 hasn’t been the recommendation in quite a long time.

I pushed Lastpass to my company in 2017, made everyone use 24 char.

The LP hack was bad, but I wasn’t worried for any of our people.

> I pushed Lastpass to my company in 2017, made everyone use 24 char.

Do people actually memorize that?! If so, I strongly suspect that these pass phrases have much less entropy than 24 truly random characters would allow.

Incorrect.

I trained people for 5 word pass phrases with no BS.

They were free to spice them up if they like. In 6 years I have had zero password reset requests.

Five English words have an entropy of about 55 bits [1]. "Spicing them up" probably adds a handful more, but not much.

That's about as much as a 12-character truly random case-insensitive alphanumeric password without special characters (log2(36^12) = 62).

> In 6 years I have had zero password reset requests.

What do you mean by that? This can mean that either your scheme is secure, or that nobody has ever attacked it (or you haven't found out that it did happen).

[1] https://crypto.stackexchange.com/questions/62597/calculating...
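As an added example (not code from the thread or from any commenter), a small Python calculator for the entropy figures compared above and for how the PBKDF2 iteration count mentioned earlier in the thread scales an attacker's cost; the 2048-word list size (chosen so five words give the cited ~55 bits) and the 100,000-iteration comparison point are assumptions, while the 4 million guesses per second figure is the GPU rate quoted in the top comment.

```python
import math

# Added example (not from the thread): bits of entropy for the password schemes
# the comments compare, and how PBKDF2 iteration count scales the attacker's cost.

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)

def expected_crack_seconds(bits: float, guesses_per_second: float,
                           pbkdf2_iterations: int = 1) -> float:
    """Expected seconds to find the password by exhaustive search.

    On average the attacker searches half the keyspace. `guesses_per_second`
    is the raw rate for a single hash; every PBKDF2 iteration is one more
    hash per guess, so the usable rate is divided by the iteration count.
    """
    effective_rate = guesses_per_second / pbkdf2_iterations
    return (2.0 ** bits) / 2.0 / effective_rate

def human_duration(seconds: float) -> str:
    """Express a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

# Schemes discussed in the thread. The word-list size is an assumption chosen
# so that five words give the ~55 bits the comment cites (5 * log2(2048)).
SCHEMES = {
    "8 printable ASCII chars (95 symbols)": entropy_bits(95, 8),
    "5 words from a 2048-word list": entropy_bits(2048, 5),
    "12 random case-insensitive alphanumerics": entropy_bits(36, 12),
}

def report(guesses_per_second: float = 4e6, iterations: int = 1) -> dict:
    """Map each scheme to (bits, expected crack time) at the given attacker rate."""
    return {name: (round(bits, 1),
                   human_duration(expected_crack_seconds(bits, guesses_per_second, iterations)))
            for name, bits in SCHEMES.items()}

if __name__ == "__main__":
    # 4 million guesses/s is the GPU figure quoted in the top comment;
    # iteration counts 1 and 100_000 are constructed comparison points.
    for its in (1, 100_000):
        print(f"--- PBKDF2 iterations: {its}")
        for name, (bits, t) in report(4e6, its).items():
            print(f"{name}: {bits} bits, ~{t}")
```

The iteration count multiplies the expected time linearly, which is why leaving it low for old accounts matters far more for an 8-character master password than for a 24-character passphrase.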

Depends if you are counting correct and common English words. But yea it’s close to about 12 char anything you can hit on a keyboard entirely random. I figured 3e23 vs 4e23, you know “close” ;)

Now… get 80 people to remember a 12 char randoms.

No resets means no one has forgotten their pass phrase. I can not be just explaining passphrases to you now.

But also, spicing a pass phrase up is huge and not just a few bits more entropy. You go from 24 chars that are 5 word options to 24 char almost completely random again.

Honestly, if this is truly the case, LastPass is partially to blame here.

Sure, there's nothing in the TOS contractually obligating them to do this - but starting a low level awareness campaign to warn people with passwords that haven't changed in years about this risk seems like an easy thing to do that a (in keeping with the theme) "security minded" company should be enthusiastic about doing.

You can't nanny everyone, but surely if you're paying for a password manager you'd appreciate these kinds of notices.

They did have something like that back when I used it. It would tell you repeated passwords, passwords that have appeared in leaks, weak passwords, etc.
> but starting a low level awareness campaign to warn people with passwords that haven't changed in years about this risk seems like an easy thing to do that

Rate of change seems like a very poor signal compared to absolute password strength, which won't change over time. Isn't this already built into lastpass?

Ah, I was talking about OPs comment - it wasn't that passwords weren't changed often - it's that they were created a long time ago when that particular length/complexity was thought to be enough.
I see what you're saying, but 8 characters was also considered not enough 20 years ago. Naturally it takes a long time for good practices to propagate but
I seem to remember 8 character passwords was also considered weak back when bitcoin was first launched, but i could be wrong.
LastPass was founded in 2008, and an 8 character master password was clearly inadvisable back then, as it was already in the nation-state-can-crack-it territory, and computing power was rising rapidly.

I started using 1Password in ~2010, not long after the founding of LastPass, and my first master password was 30+ characters, 90+ bits of entropy. After a few years I upgraded to 50+ characters, 140+ bits of entropy. Good luck cracking that even if only one round of PBKDF2 is used.

But I suppose you have a fairly loose definition of "security-minded".

One malicious JS script being inserted on the page where you enter your master password.

One supply chain attack.

One upstream dependency.

One contractor clicking one wrong button in an office document.

Your entire digital life compromised, in that one click.

I totally agree that password managers lead to bad security practices. Yeah, you're a mad dog for easily generating different complex passwords for every website, but at the same time you paint a massive target on your head being part of the honey-hole.

Based on history, if you store a password in an obfuscated location on your computer, and you copy and paste it into every website, it's more secure than using a password manager in my opinion. Sure you won't be able to log in to every secure website from every device you have; but SHOULD you be? What is the price of that convenience?

I don't know how your comment is in any way related to mine, as I was responding to the claim that 8-character master passwords were considered safe <some time in or after 2008>. TFA also doesn't mention any evidence of keylogging.