
LastPass password vaults crackable for $100, alleges 1Password


LastPass has claimed that it would take millions of years to crack a user's master password, but a rival company claims that the process won't take nearly that long, and could be done for a mere $100.

LastPass, a popular password management company, recently came under fire when customer data vaults were obtained via an attack in August.

Now, the company's rival, 1Password, claims that LastPass isn't protecting customers' data enough.

A blog post by 1Password's principal security architect, Jeffrey Goldberg, explains the importance of using machine-generated passwords rather than user-generated passwords.

"If you consider all possible 12-character passwords, there are something around 2^72 possibilities. It would take many millions of years to try them all. Indeed, it would take much longer," he writes. "But the people who crack human-created passwords don't do it that way. They set up their systems to try the most likely passwords first."

Goldberg notes that most user-created passwords can be cracked in fewer than 10 billion guesses through a process costing just about $100.

This is bad news for the average user, who typically creates a shorter and less complex password than something generated by a machine.

He points out that 1Password adds an additional layer of protection — the Secret Key. A customer's Secret Key is created on-device, never sent to 1Password, and is required to decrypt user data.

So while a hacker may theoretically be able to obtain a 1Password user's master password, it's useless without the Secret Key.
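The following is an added example, not code from the article or from 1Password, that models the two points above: a cracker tests likely passwords first against a stolen vault, and a vault key that also depends on an on-device Secret Key cannot be confirmed by password guesses alone. The key derivation, iteration count, candidate list and the $100-per-10-billion-guesses rate are simplified or constructed for the demo, not 1Password's or LastPass's real parameters.

```python
import hashlib
import hmac
import os

# Constructed parameters for the demo; not 1Password's real scheme or numbers.
PBKDF2_ITERS = 20_000
SECRET_KEY_BYTES = 16           # a 128-bit Secret Key, generated on-device
USD_PER_GUESS = 100 / 10e9      # the article's figure: ~$100 per 10 billion guesses

def derive_key(master_password, salt, secret_key=None):
    """Stretch the password with PBKDF2, then optionally mix in the Secret Key.
    Simplified two-secret model: the vault key depends on BOTH secrets."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERS)
    if secret_key is None:
        return stretched
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

def make_vault(master_password, secret_key=None):
    """What a server-side breach exposes: the salt and a key-check value.
    The Secret Key itself is never sent to or stored by the server."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, secret_key)
    verifier = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}

def offline_guessing(vault, candidates, secret_key=None):
    """Model an attacker testing likely passwords against a stolen vault.
    Returns (guesses made, recovered password or None). Without the Secret Key
    a correct password guess can never be confirmed against the verifier."""
    for n, guess in enumerate(candidates, start=1):
        key = derive_key(guess, vault["salt"], secret_key)
        check = hmac.new(key, b"key-check", hashlib.sha256).digest()
        if hmac.compare_digest(check, vault["verifier"]):
            return n, guess
    return len(candidates), None

def guessing_cost_usd(guesses):
    """Dollar cost of a guess budget at the article's ~$100 per 10^10 rate."""
    return guesses * USD_PER_GUESS

# Constructed "most likely first" candidate list; a real one would be far longer.
CANDIDATES = ["password", "123456", "qwerty", "Summer2022!", "letmein"]

if __name__ == "__main__":
    weak = "Summer2022!"
    # Password-only vault: the key depends on the master password alone.
    print("password-only vault:", offline_guessing(make_vault(weak), CANDIDATES))
    # Secret Key vault: attacker holds the vault but not the on-device key.
    sk = os.urandom(SECRET_KEY_BYTES)
    print("secret-key vault:", offline_guessing(make_vault(weak, sk), CANDIDATES))
    print(f"cost to enumerate 2^72 random passwords: ${guessing_cost_usd(2**72):,.0f}")
```

The last line shows why "try them all" is irrelevant for human passwords but decisive for machine-generated ones: 2^72 guesses at the article's rate costs tens of trillions of dollars, while the weak password above falls inside a handful of guesses unless the Secret Key is also required.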

The blog ends by reassuring users that 1Password has gone above and beyond to protect their data, even if users aren't following best practices and using machine-generated passwords.

"We have not been breached, and we do not plan to be breached. But we understand that we have to plan for being breached," Goldberg writes. "The 1Password Secret Key may not be the most user-friendly aspect of our human-centered design, but it means that we can say with full confidence that your secrets will remain safe in the event of a breach."

LastPass has come under fire for questionable security practices in the past.

In December 2021, LastPass members reported multiple attempted logins using correct master passwords from various locations. The company assured customers that attacks were a result of passwords leaked in third-party breaches.

In February 2021, a security researcher uncovered seven trackers within the LastPass Android app.




21 Comments

robin huber 22 Years · 4026 comments

Whenever a need for a new password comes up I default to Keychain. I wish Apple would provide a tool to convert my old 1Password legacy vault to Keychain once and for all. They lost me when they switched to a subscription model. Hate all these vampire subscriptions! Also, wish Apple would hurry along conversion to biometrics or that other solution that promises to rid us of passwords forever. 

charlesatlas 9 Years · 401 comments

They lost me when they switched to a subscription model. Hate all these vampire subscriptions!

Ditto. I paid for the 1Password app and then all of a sudden I would have to pay every year? No, thanks.

jib 23 Years · 65 comments

I don't mind the subscription fee (less than $3 a month) for 1Password.  For that small fee, I get security, they get ongoing funds for updates, maintaining their servers and security infrastructure, etc. I view 1Password as an ongoing service, not just a one-time software package.

Obviously, your opinion may vary.

mSak 5 Years · 24 comments

jib said:
I don't mind the subscription fee (less than $3 a month) for 1Password.  For that small fee, I get security, they get ongoing funds for updates, maintaining their servers and security infrastructure, etc. I view 1Password as an ongoing service, not just a one-time software package.

Obviously, your opinion may vary.

Many of us don't like ongoing subscription fees because it is very hard to keep track of these recurring expenses. An increasing number of software providers are using the subscription model and, put together, it can make it very difficult for a user to keep track of these expenses and to re-evaluate from time to time whether each subscription is warranted. One of the lessons of Finance 101 is basically to GET RID OF subscriptions as much as possible.

I would much rather pay a one-time license fee and then, if I want to upgrade the software (for whatever reason), use that moment to re-evaluate whether I should upgrade (want, need, etc.). I started using 1Password when it was at version 3 a long time ago and paid for practically every upgrade until the subscription model came about. I'm on 1Password 7 and do not intend to subscribe.

It's interesting that every time an article about subscription-based software comes up, displeasure with 1Password is mentioned (lol, including this post!). I hope AgileBits reverses course at some point and offers BOTH subscription and one-time license fee. For a while on 1Password 7, that was the model available.

webweasel 16 Years · 138 comments

They lost me when they switched to a subscription model. Hate all these vampire subscriptions!
Ditto. I paid for the 1Password app and then all of a sudden I would have to pay every year? No, thanks.

The subscription model sucks but I probably would have paid it. It’s the loss of the local vault support that was the dealbreaker for me. The non-native Mac app was just rubbing salt into the wound.