Password manager LastPass has been embroiled in a data-leak scandal, with each update worsening the situation. In its most recent post, the company assured users their passwords were safe so long as they followed LastPass’s guidelines. Today, competitor 1Password released a scathing rebuttal.
To summarize the data-breach scandal, back in August, LastPass informed users that it suffered a data breach, but that customer data and accounts were safe. However, at the beginning of December, the company admitted that the hackers were “able to gain access to certain elements of customer information” but didn’t specify what kind of information that might be. And last week, the company revealed that the hackers obtained a “backup of customer vault data” but that the information contained in the backup would be inaccessible if customers had a strong master password.
Specifically, LastPass claimed that if users followed the best practices, it would take the hackers “millions of years” to guess a master password.
LastPass’s competitor (and our top pick for password managers), 1Password, took issue with that claim. In a blog post, the company’s Principal Security Architect, Jeffrey Goldberg, broke down why it’s misleading to claim that a user-generated master password would take millions of years to guess.
He points out that user-generated passwords are inherently more crackable than their machine-generated counterparts because humans don’t choose passwords randomly the way computers do. Sophisticated attackers therefore wouldn’t start by guessing computer-generated passwords: since humans generally rely on mnemonic devices to remember passwords, attackers will try those types of passwords first.
To make things more straightforward, Goldberg employed what he calls a “silly analogy” (which is actually quite apt for understanding the claim). Suppose you went to the movies and forgot where you parked your car. The first place you would look for your vehicle would be the theater parking lot, not the whole surface of the Earth. In the analogy, the theater parking lot represents the user-generated mnemonic master passwords, and the whole surface of the Earth represents computer-generated random master passwords.
If they’re smart (and they probably are), the hackers will go after the weaker user-generated passwords first rather than trying to break the stronger randomly-generated ones. And because they hold the backup themselves, they have unlimited tries against every single user’s vault.
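The “parking lot first” argument can be put in numbers. The script below is an added illustration, not code from the article, from 1Password or from LastPass; every parameter in it (the guess rate, the charset and length of the random password, the word-list size and number of mangling variants for the mnemonic password) is an assumption chosen for the example, not a figure from either company. It shows why a “millions of years” estimate that assumes the attacker searches the full random keyspace says nothing about a password drawn from the much smaller space of human-memorable patterns, and how an attacker who orders candidate classes smallest-first reaches those users long before touching the random ones.

```python
"""Offline-guessing time estimator for the random-vs-mnemonic argument.

All parameters are constructed assumptions for the illustration.
"""
import math

# Hypothetical offline guess rate against a slow key-derivation function.
# Real rates depend on the KDF, its iteration count and the attacker's hardware.
GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password_keyspace(charset_size: int, length: int) -> int:
    """Number of equally likely passwords a generator can produce."""
    return charset_size ** length


def mnemonic_keyspace(word_list_size: int, words: int, mangling_variants: int) -> int:
    """Rough size of the space of human-style passwords: a few common words
    plus the usual capitalisation / digit / symbol tweaks (mangling)."""
    return (word_list_size ** words) * mangling_variants


def expected_crack_years(keyspace: int, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit one password chosen uniformly from `keyspace`.
    On average half the space has to be tried before the right guess."""
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def prioritized_crack_years(classes: dict, victim_class: str,
                            guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to crack a victim whose password lies in `victim_class`,
    when the attacker exhausts the smallest candidate classes first
    (the parking lot before the surface of the Earth)."""
    guesses_so_far = 0
    for name, size in sorted(classes.items(), key=lambda kv: kv[1]):
        if name == victim_class:
            return (guesses_so_far + size / 2) / guesses_per_second / SECONDS_PER_YEAR
        guesses_so_far += size
    raise KeyError(f"unknown class {victim_class!r}")


# Constructed threat model: one random 12-character password from a
# 72-symbol alphabet versus two kinds of word-based mnemonic passwords.
CLASSES = {
    "two_words_mangled": mnemonic_keyspace(10_000, 2, 1_000),
    "three_words_mangled": mnemonic_keyspace(10_000, 3, 1_000),
    "random_12_chars": random_password_keyspace(72, 12),
}


def report(classes: dict = CLASSES) -> dict:
    """Return expected crack time in years per class under the smallest-first strategy."""
    return {name: prioritized_crack_years(classes, name) for name in classes}


if __name__ == "__main__":
    for name, years in report().items():
        print(f"{name:>20}: {years:,.4g} years")
```

Running it shows the random password surviving for hundreds of millions of years at this guess rate, while the two-word mnemonic falls in well under a year; raising the KDF cost only scales every number linearly, so it cannot turn a small human-chosen keyspace into a large one. The defender’s takeaway matches the article’s: a machine-generated master password keeps you on the “surface of the Earth”, whereas a memorable pattern keeps you in the parking lot.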
Needless to say, things still don’t look good for LastPass. And unfortunately, if your information is part of that data breach and you used a non-random method to craft your master password, you should look into ways to protect yourself from potential cybercrime.