LastPass password vaults crackable for $100, alleges 1Password

LastPass, a popular password management company, recently came under fire when customer data vaults were obtained via an attack in August.

Now, the company's rival, 1Password, claims that LastPass isn't protecting customers' data enough.

A blog post by 1Password's principle security architect, Jeffrey Goldberg, explains the importance of using machine-generated passwords rather than user-generated passwords.

"If you consider all possible 12-character passwords, there are something around 2⁷² possibilities. It would take many millions of years to try them all. Indeed, it would take much longer," he writes. "But the people who crack human-created passwords don't do it that way. They set up their systems to try the most likely passwords first."

Goldberg notes that most user-created passwords can be cracked in fewer than 10 billion guesses through a process costing just about $100.

This is bad news for the average user, who typically creates a shorter and less complex password than something generated by a machine.

He points out that 1Password adds an additional layer of protection — the Secret Key. A customer's Secret Key is created on-device, never sent to 1Password, and is required to decrypt user data.

So while a hacker may theoretically be able to obtain a 1Password user's master password, it's useless without the Secret Key.

The blog ends by reassuring users that 1Password has gone above and beyond to protect their data, even if users aren't following best practices and using machine-generated passwords.

"We have not been breached, and we do not plan to be breached. But we understand that we have to plan for being breached," Goldberg writes. "The 1Password Secret Key may not be the most user-friendly aspect of our human-centered design, but it means that we can say with full confidence that your secrets will remain safe in the event of a breach."

LastPass has come under fire for questionable security practices in the past.

In December 2021, LastPass members reported multiple attempted logins using correct master passwords from various locations. The company assured customers that attacks were a result of passwords leaked in third-party breaches.

In February 2021, a security researcher uncovered seven trackers within the LastPass Android app.

AppleInsider will be covering the 2023 Consumer Electronics Show in person on January 2 through January 8 where we're expecting Wi-Fi 6e devices, HomeKit, Apple accessories, 8K monitors and more. Keep up with our coverage by downloading the AppleInsider app, and follow us on YouTube, Twitter @appleinsider and Facebook for live, late-breaking coverage. You can also check out our official Instagram account for exclusive photos throughout the event.