
LastPass continues to face criticism after its latest security incident was revealed last week. After security researchers condemned the superficiality with which the matter was handled, a competitor, 1Password, has now added stinging criticism of its own, dwelling in particular on password security.

LastPass said it would take millions of years to crack a user’s master password, but according to 1Password the process would in reality take much less time, at a relatively negligible cost.

Jeffrey Goldberg, lead security architect of 1Password, explains the concept: “If you consider all possible 12-character passwords there are about 2^72 possibilities, and it would take several million years to prove them all. But those who try to crack man-made passwords don’t do it this way. Cracking systems will try things like “Fido8my2Sox!” and “2b||!2b.titq” well before attempting machine-generated passwords such as zm-@MvY7*7eL. Passwords created by humans can also be cracked if they meet various complexity requirements.”




Goldberg therefore assumes that most passwords created by users can be cracked in fewer than 10 billion attempts (an order of magnitude of about 2^33) via a low-cost process. If the password is shorter and of low complexity, it is even easier to crack. For Goldberg it makes no sense to cite the time needed to try all 2^72 possibilities, because man-made passwords, however complex, easily fit into a much smaller subset of that space.

Goldberg then explains that, based on a hacking competition, the cost of cracking passwords encoded in a way very similar to what LastPass did was estimated at 6 dollars for every 2^32 attempts. $100 would then support about 2^36 attempts, or about 68 billion different passwords, thus allowing a password created by a user to be guessed with high probability.
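The cost model above can be turned into a small calculator for checking a password policy against a given cracking budget. This is an added example, not code from 1Password or LastPass: only the rate of 6 dollars per 2^32 attempts and the 2^33 and 2^72 figures come from the article, and treating the human-chosen pool as a uniform set of 2^33 candidates is a simplifying assumption.

```python
import math

# Rate quoted in the article: about 6 USD per 2^32 guesses.
USD_PER_BLOCK = 6.0
BLOCK_GUESSES = 2 ** 32


def guesses_for_budget(usd):
    """Number of guesses a budget buys at the article's rate."""
    return usd / USD_PER_BLOCK * BLOCK_GUESSES


def bits_uniform(alphabet_size, length):
    """Entropy in bits of a secret drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def expected_cost_usd(bits):
    """Expected cost to find a secret: on average half the space is searched."""
    return 2 ** (bits - 1) / BLOCK_GUESSES * USD_PER_BLOCK


def success_probability(bits, usd):
    """Chance that a budget covers a secret drawn uniformly from 2^bits."""
    return min(1.0, guesses_for_budget(usd) / 2 ** bits)


def budget_for_probability(bits, p):
    """Budget needed to cover a fraction p of a 2^bits candidate space."""
    return p * 2 ** bits / BLOCK_GUESSES * USD_PER_BLOCK


# Comparison cases. The uniform-pool model for human passwords is an assumption.
CASES = {
    "human-chosen pool (article: ~2^33)": 33.0,
    "12 random chars, 64-symbol alphabet": bits_uniform(64, 12),  # 2^72
}


def report(budget_usd=100.0):
    """One row per case: (name, bits, expected cost, P(success) at budget)."""
    return [(name, bits, expected_cost_usd(bits),
             success_probability(bits, budget_usd))
            for name, bits in CASES.items()]


if __name__ == "__main__":
    for name, bits, cost, p in report():
        print(f"{name:38s} {bits:4.0f} bits  ${cost:,.0f} expected  "
              f"P($100)={p:.3g}")
```

At the quoted rate, exactly 2^36 guesses cost $96, which is why $100 is described as supporting about 2^36 attempts.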

The post concludes, as you might expect, with an explanation of how the master password – secret key system used by 1Password is far more secure than the approach used by LastPass.
