from Hacker News

LastPass breach: The significance of these password iterations

by hjuutilainen on 12/28/22, 5:06 PM with 15 comments

  • by AdmiralAsshat on 12/28/22, 11:58 PM

    As I feared, I changed the iterations myself at some point, and they never "migrated" it to the new value. So it's above the old default, but well below the recommended number of iterations.

    I don't suppose it being a non-obvious value makes it any more secure? Is an attacker brute forcing the thing likely to try obvious default values first and then give up if they don't work? Or will they simply +1 the iteration count until they hit paydirt?

  • by postpawl on 12/28/22, 9:28 PM

    For anyone else having trouble finding the “show advanced settings” button: It’s at the bottom of the account settings pop up where ok/cancel buttons usually are.

  • by foreverCarlos on 12/29/22, 12:35 AM

    Interesting. This is starting to look like gross negligence that might bite LogMeIn really hard.

  • by stubish on 12/29/22, 12:25 AM

    Can attackers easily tell the 1- and 500-iteration databases and focus their resources on breaching those ones?

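
The two questions raised above (whether a non-default iteration count adds any secrecy, and whether low-iteration vaults can be picked out in bulk) as an added Python example; this is not code from the article, from LastPass or from any commenter. The master password, salt, the 100_000 "high" setting, the attacker rate and the vault names are constructed sample values.

```python
import hashlib
import time

# Constructed sample inputs (not real LastPass values).
MASTER_PASSWORD = b"correct horse battery staple"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
# 1 and 500 are the counts named in the thread; 100_000 is only an assumed "high" setting.
ITERATION_COUNTS = (1, 500, 100_000)


def derive_key(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Client-side PBKDF2-HMAC-SHA256 key derivation with an explicit iteration count."""
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def time_derivation(iterations: int, repeats: int = 3) -> float:
    """Median wall-clock seconds for one derivation; grows linearly with iterations."""
    samples = []
    for _ in range(repeats):
        start = time.perf_counter()
        derive_key(MASTER_PASSWORD, SALT, iterations)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[len(samples) // 2]


def guesses_per_second(reference_rate: float, reference_iters: int, target_iters: int) -> float:
    """Rescale an attacker's guess rate to another iteration count.

    PBKDF2 cost is linear in the count, and the count is a public parameter (the
    client needs it to re-derive the key), so an unusual value such as 501 buys
    nothing over 500: only the magnitude of the count matters.
    """
    return reference_rate * reference_iters / target_iters


def find_weak_vaults(vaults: dict, minimum: int) -> list:
    """Defender-side audit: vault names whose stored iteration count is below policy."""
    return sorted(name for name, iters in vaults.items() if iters < minimum)


if __name__ == "__main__":
    for iters in ITERATION_COUNTS:
        print(f"{iters:>7} iterations: {time_derivation(iters) * 1e3:9.3f} ms per derivation")
    # Constructed attacker rate: 1,000,000 guesses/s measured against 500-iteration vaults.
    for target in (501, 100_000):
        print(f"rate at {target} iterations: {guesses_per_second(1_000_000, 500, target):,.0f}/s")
    print("below policy:", find_weak_vaults({"alice": 1, "bob": 500, "carol": 100_000}, 100_000))
```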
  • by Havoc on 12/29/22, 12:45 AM

    >GTX 1080 Ti graphics card (cost factor: less than $1000) can be used to test 346,000 guesses per second.

    >GeForce RTX 4090 graphics card could test more than 88,000 guesses per second!

    Guessing we're missing a zero there?

  • by smoothgrammer on 12/29/22, 2:47 AM

    The article is missing key data. The password iterations that are set low are client side. The server side is different.

    The writer of the article needs to retract.

    https://support.lastpass.com/help/about-password-iterations-...