
LastPass Password Manager - Time to move on?


Comments

  • md458
    md458 Posts: 29 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    Just for the original post, I'm a LastPass user and have been for a long while. I think my Master Password, although long and with a number of symbols etc., was set before they increased the iterations.
    I'm now looking at 1Password and they look to have the features of LastPass that I use, including the Android app and Yubikey authentication. Bitwarden though seems to be one of the highly recommended.
    Spent yesterday (happy Christmas!) changing mission-critical passwords that I have; others I will change as I go. I still have hope my master password is in the green from the post above, but my days with LastPass are now at an end.
  • Olinda99
    Olinda99 Posts: 2,042 Forumite
    1,000 Posts Third Anniversary Name Dropper
    edited 26 December 2022 at 1:50PM
    Miser1964 said:
    >despite being a 34 character password is instantly crackable<

    I don't believe that is correct - The logic behind three random words - NCSC.GOV.UK
    it is entirely correct for an offline attack if the attacker has the file or vault (which they do here). There are no 'three tries and you are locked out' limitations. They load the file onto their (fast) PC, which is equipped with an even faster GPU. They then throw every word plus combination of words at the file to see what decrypts it. Thus a three-word password in a dictionary attack is equivalent to a three-letter password in a brute force attack.

    https://nordpass.com/blog/what-is-a-dictionary-attack/
  • razord
    razord Posts: 566 Forumite
    Part of the Furniture 500 Posts Name Dropper Combo Breaker
    Olinda99 said:
    Miser1964 said:
    >despite being a 34 character password is instantly crackable<

    I don't believe that is correct - The logic behind three random words - NCSC.GOV.UK
    it is entirely correct for an offline attack if the attacker has the file or vault (which they do here). There are no 'three tries and you are locked out' limitations. They load the file onto their (fast) PC, which is equipped with an even faster GPU. They then throw every word plus combination of words at the file to see what decrypts it. Thus a three-word password in a dictionary attack is equivalent to a three-letter password in a brute force attack.

    https://nordpass.com/blog/what-is-a-dictionary-attack/
    But it isn't, because there are 26 letters.

    And there are more than 26 words.
  • Olinda99
    Olinda99 Posts: 2,042 Forumite
    1,000 Posts Third Anniversary Name Dropper
    razord said:
    Olinda99 said:
    Miser1964 said:
    >despite being a 34 character password is instantly crackable<

    I don't believe that is correct - The logic behind three random words - NCSC.GOV.UK
    it is entirely correct for an offline attack if the attacker has the file or vault (which they do here). There are no 'three tries and you are locked out' limitations. They load the file onto their (fast) PC, which is equipped with an even faster GPU. They then throw every word plus combination of words at the file to see what decrypts it. Thus a three-word password in a dictionary attack is equivalent to a three-letter password in a brute force attack.

    https://nordpass.com/blog/what-is-a-dictionary-attack/
    But it isn't, because there are 26 letters.

    And there are more than 26 words.
    my point was referring to password LENGTH

    thus 'abc' and 'catdogmouse' are both three-character passwords when it comes to an offline attack, i.e. the attacker has the master vault in their possession

    So the table above showing cracking time v password length is only valid for random, brute force attacks and not dictionary attacks

    Don't use words or combination of words as your master password. Use completely random letters, numbers etc

    https://www.google.com/amp/s/www.techrepublic.com/article/brute-force-and-dictionary-attacks-a-cheat-sheet/amp/
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    edited 26 December 2022 at 3:00PM
    Dictionary attacks very rarely use multiple words (due to the extra processing required).
    So while you are correct, in that a single word, even if very long, is not a good password

    E.g.
    supercalifragilisticexpialidocious

    While long, is a single word, and will be found in a dictionary attack.

    word1word2word3word4

    Is very unlikely to be found in an automated attack, unless
    It has been used before, been leaked, and is now in one of the dictionaries used.
    The attacker knows the password is 4 words, and the source word list, and the source word list is small.

    ETA: for most passwords, this is moot anyway, as long random unique multi character non memorable passwords should be used, and stored in a password manager.

    Long, multi word or phrase based (including nonsense words, and non consistent joining characters for extra strength) should only be for the 3 or 4 passwords that need to be remembered 

  • Miser1964
    Miser1964 Posts: 283 Forumite
    100 Posts First Anniversary Photogenic Name Dropper
    edited 26 December 2022 at 3:12PM
    >They then throw every word plus combination of words at the file to see what decrypts it.<

    Which is where your assertion that passphrases can be solved 'instantly' falls down. The number of possible combinations of words means trying every combination is computationally infeasible.

    For example, let's say you were limited to choosing three five-letter lowercase words for your passphrase, further restricted to a list of 1,000 five-letter English words, e.g. 'abbey' to 'zooms'. A valid passphrase would be "abbeymeatyzooms".

    The combination formula is: C(n, r) = n! / (r! * (n - r)!)

    Where C(n, r) is the number of combinations of r items from a set of n items, n! is the factorial of n, and r! is the factorial of r.

    In this case, n is 1000 (the number of 5-letter words you can select from) and r is 3 (the number of words you are selecting each time).

    This gives 166,167,000 ways to select 3 words from a group of 1000 5-letter lowercase words.

    Extending the selection set to, say, the 50,000 English words most people know, plus mixed case, sends the number of combinations skyrocketing.
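An added example (my own code, not from any poster in this thread) that puts numbers on the 'catdogmouse' vs 'abc' disagreement above: it computes the offline search space under both attack models for any word-list size, and reproduces Miser1964's C(1000, 3) figure for comparison. The 7776-entry list size is that of the Diceware word list; the guess rate is a parameter the caller supplies, not a measurement.

```python
# Added example: estimate the offline search space of a master password under
# the two attack models discussed above, a character-by-character brute force
# and a word-by-word dictionary attack. Constructed figures only; no timing.
import math


def brute_force_keyspace(alphabet_size: int, length: int) -> int:
    """Every string of `length` symbols drawn from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def passphrase_keyspace(wordlist_size: int, words: int,
                        variants_per_word: int = 1, ordered: bool = True) -> int:
    """Passphrases built from a word list of `wordlist_size` entries.

    ordered=True  : order matters and words may repeat, which is what a
                    passphrase generator actually produces: (n * v) ** r.
    ordered=False : the C(n, r) figure used in the post above; it ignores word
                    order and repeats, so it undercounts the real search space.
    variants_per_word counts spellings the attacker must also try per word
    (e.g. 2 for 'abbey' and 'Abbey').
    """
    n = wordlist_size * variants_per_word
    if ordered:
        return n ** words
    return math.comb(n, words)


def bits(keyspace: int) -> float:
    """Entropy in bits, assuming the attacker knows the generation scheme."""
    return math.log2(keyspace)


def equivalent_random_length(keyspace: int, alphabet_size: int) -> int:
    """Shortest uniformly random string over `alphabet_size` symbols whose
    keyspace is at least `keyspace` (integer loop avoids float rounding)."""
    length, space = 0, 1
    while space < keyspace:
        space *= alphabet_size
        length += 1
    return length


def expected_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Average time for an offline attacker, who needs about half the keyspace.
    The guess rate depends on hardware and the vault's KDF iteration count."""
    return keyspace / 2 / guesses_per_second


if __name__ == "__main__":
    # 'catdogmouse' equals 'abc' only if the word list has just 26 entries.
    for n in (26, 1000, 7776):  # 7776 = size of the Diceware word list
        ks = passphrase_keyspace(n, 3)
        print(f"3 words from {n:>5}: {bits(ks):5.1f} bits ~ "
              f"{equivalent_random_length(ks, 26)} random lowercase letters")
    print("C(1000, 3) as in the post:", passphrase_keyspace(1000, 3, ordered=False))
```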

  • Olinda99
    Olinda99 Posts: 2,042 Forumite
    1,000 Posts Third Anniversary Name Dropper
    @Miser1964 thanks for the post, I know it took a while to compose. As long as you're happy, I'm happy :)
  • B0bbyEwing
    B0bbyEwing Posts: 1,559 Forumite
    1,000 Posts Second Anniversary Name Dropper
    dogmaryxx said:
    Am I being over-reactive? What are the current options for password managers? Am I daft using a paid-for service and free Bitwarden would do the job just as well?

    Why not have a look at any of the usual technical sites or try a Google search?

    Because I value the experience and expertise of the participants on this forum (well, most of them). 
    Not to forget the main reason being - you're well within your rights to ask on the forum & you're hurting nobody by doing so and if people don't like your question there's different ways of leaving the thread :)

    Doesn't answer your question but I have dabbled with LastPass, didn't like it & I've ended up with Bitwarden and do like it. It even made me move from being years & years with KeePass. I like how I can update something on my [phone/PC] and it then changes it for my [PC/phone].
  • goodValue
    I don't understand what an offline attack is, so I did a search on "master vault offline attack".
    All the results seemed to be for password managers.
    Does that mean an offline attack can only be done on password managers, or could it be done on any company or organisation that I have an account with?
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    goodValue said:
    I don't understand what an offline attack is, so I did a search on "master vault offline attack".
    All the results seemed to be for password managers.
    Does that mean an offline attack can only be done on password managers, or could it be done on any company or organisation that I have an account with?
    It could be done against any system, once an offline copy of the data has been obtained.
    This bypasses any 2FA, auto lockout protection etc.

    Most data breaches involve a degree of offline attack, as most companies hold data with some level of encryption/hashing:
    System is compromised.
    Data is reviewed/exported.
    Encrypted or hashed data is taken away for attack

    Offline attacks are not specific to password managers, but your use of the term "master vault" in the search would have limited the results (master vault is quite specific to password managers).