How long to guess your LastPass master password?
Last modified on Friday, September 1, 2023
LastPass has been breached, and many master passwords are in the process of being cracked.
Before reading further, change your LastPass master password immediately and change the passwords stored in your vaults, then come back and read the rest of this article. Be aware that if you store 2FA backup codes in your LastPass vault, these may have been compromised alongside your passwords, giving the attackers a way to bypass 2FA on your linked accounts.
There are a huge number of ways to crack passwords with varying speeds.
- Very quickly: If your password is one of the more than 550 million passwords leaked in breaches of other sites, or a slight variant of one of them, you are at the highest risk: attackers can recover such passwords with a dictionary attack. They typically try the most common passwords first, so the weaker your password, the sooner it is cracked. Attackers may also prioritise lucrative accounts, such as firstname.lastname@example.org, which often carry much higher privileges and so hand over "the keys to the kingdom", or the accounts of CEOs. A $2,000 GPU can compute the PBKDF2-SHA256 hash reportedly used by LastPass at a rate of nearly 1 million hashes (guesses) per second. In an offline password-cracking attack, account lockout mechanisms do not stop the attacker, who is limited only by available computing power; with a GPU cluster worth far more than $2,000, attackers can crack passwords much faster than 1 million guesses per second.
- Slowly: The good news is that if you chose a unique password that you have not used anywhere else, and it is highly random (a passphrase made of several random words works especially well), then, provided LastPass hashed it correctly, attackers could take a very, very long time to crack it. Even if you are slow to learn of the breach and change your password, you remain secure. By a long time, we mean billions of years, even for a cluster of supercomputers. To learn how to create a password stronger than the attackers' capabilities, follow us on LinkedIn for the articles we have planned.
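As an added example (not from the original article), the following Python estimates the expected offline cracking time for several password constructions using the article's figure of roughly 1 million guesses per second for one GPU; the 1,000x cluster multiplier, the use of the 550-million-entry leaked list as a dictionary, and the 7,776-word wordlist size are assumptions made for illustration.

```python
import math

# Figure quoted in the article: one ~$2,000 GPU at roughly 1 million PBKDF2-SHA256 guesses/s.
GPU_GUESSES_PER_SECOND = 1_000_000
# Assumption for illustration: a large GPU cluster with 1,000x the throughput of one GPU.
CLUSTER_MULTIPLIER = 1_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace_random_chars(length: int, alphabet_size: int) -> int:
    """Candidates for `length` symbols drawn uniformly from an alphabet of `alphabet_size`."""
    return alphabet_size ** length

def keyspace_passphrase(num_words: int, wordlist_size: int) -> int:
    """Candidates for `num_words` words drawn uniformly (with replacement) from a wordlist."""
    return wordlist_size ** num_words

def entropy_bits(keyspace: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `keyspace` candidates."""
    return math.log2(keyspace)

def expected_crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly chosen secret: half the keyspace is searched."""
    return keyspace / 2 / guesses_per_second

def expected_crack_years(keyspace: int, guesses_per_second: float) -> float:
    return expected_crack_seconds(keyspace, guesses_per_second) / SECONDS_PER_YEAR

def crack_time_table(guesses_per_second: float) -> dict:
    """Expected years to crack each construction; keyspaces are illustrative assumptions."""
    cases = {
        # Dictionary attack over the 550-million-entry leaked list the article mentions.
        "leaked-list password": 550_000_000,
        "8 random lowercase letters": keyspace_random_chars(8, 26),
        "10 random printable ASCII chars": keyspace_random_chars(10, 95),
        # Six words chosen at random from a 7,776-word list (assumed wordlist size).
        "6 random words": keyspace_passphrase(6, 7776),
    }
    return {name: expected_crack_years(ks, guesses_per_second) for name, ks in cases.items()}

if __name__ == "__main__":
    for label, rate in (("one GPU", GPU_GUESSES_PER_SECOND),
                        ("GPU cluster", GPU_GUESSES_PER_SECOND * CLUSTER_MULTIPLIER)):
        print(f"== {label}: {rate:,} guesses/s ==")
        for name, years in crack_time_table(rate).items():
            print(f"  {name:32s} {years:>12.3g} years")
```

The leaked-list case finishes in minutes at either rate, while the six-word passphrase stays in the billions of years on one GPU and the millions of years even with the assumed cluster.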