Password manager LastPass has been embroiled in a data leakage scandal, with each update worsening the situation. In its latest post, the company assured users that their passwords were safe as long as they followed LastPass’ guidelines. Today, competitor 1Password issued a sharp rebuttal.
To sum up the breach so far: LastPass told users back in August that it had suffered a data breach, but that customer data and accounts were safe. In early December the company admitted that the attackers were “able to access certain elements of customer information”, without specifying what kind of information that was. And last week it revealed that the attackers obtained a “backup of customer vault data”, while maintaining that the contents of the backup would remain inaccessible to customers who had chosen a strong master password.
Specifically, LastPass claimed that if users followed best practices, it would take hackers “millions of years” to guess a master password.
LastPass’s competitor (and our top pick for password managers), 1Password, took issue with that claim. In a blog post, the company’s chief security architect, Jeffrey Goldberg, broke down why it’s misleading to claim that it will take millions of years to guess a user-generated master password.
He points out that user-chosen passwords are inherently easier to crack than machine-generated ones, because humans do not pick passwords uniformly at random the way a password generator does. A competent attacker therefore would not start by trying to guess randomly generated passwords. Because people usually rely on mnemonic patterns (dictionary words, names, dates, a capital letter at the front and a digit or symbol at the end) to remember a password, attackers try guesses built from those patterns first, and such guesses cover a far smaller space than the “millions of years” figure assumes.
To make things simpler, Goldberg used what he calls a “nonsense analogy” (which is actually quite suitable for understanding the claim). Imagine you went to the cinema and forgot where you parked your car. The first place you would look for your vehicle would be the theater parking lot, not the entire face of the earth. In the analogy, the theater parking lot represents the user-generated mnemonic master passwords, and the entire surface of the earth represents computer-generated random master passwords.
If they’re smart (and they probably are), the attackers will go after the weaker user-chosen passwords first instead of trying to crack the stronger randomly generated ones. And because they hold an offline copy of the backup, there is no server to lock them out or throttle them: they can make an unlimited number of guesses against every user’s vault, limited only by how fast their hardware can run the key-derivation function.
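To make the ordering argument concrete, here is an added example (not code from the original article, from LastPass, or from 1Password) that simulates an offline attack on a single vault record. The key-derivation parameters, the salt, the “vault” itself, the toy wordlist and the attacker’s guess rate are all constructed assumptions for illustration; the master password “Summer2022!” is a made-up example of a mnemonic pattern. The attacker first exhausts the small, human-pattern candidate space (the “theater parking lot”) and only then would have to fall back to the astronomically larger random space (the “entire surface of the earth”), which is what the “millions of years” figure really describes.

```python
import hashlib
import hmac
import math

# Assumed KDF parameters for this example. Real deployments use far more
# iterations; the iteration count is kept small here so the demo runs quickly.
KDF_ITERATIONS = 10_000
SALT = b"user@example.com"  # assumption: salt derived from the account e-mail


def derive_key(master_password: str) -> bytes:
    """Derive a 256-bit vault key from a master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               SALT, KDF_ITERATIONS, dklen=32)


# Constructed "backup record": the attacker holds a verifier for the vault key.
# In a real breach the verifier is whatever lets a guess be checked offline,
# e.g. decrypting a known ciphertext block; a hash of the key stands in here.
STOLEN_VERIFIER = hashlib.sha256(derive_key("Summer2022!")).digest()


def key_matches(candidate: str) -> bool:
    """Offline check: no server is involved, so nothing rate-limits this."""
    probe = hashlib.sha256(derive_key(candidate)).digest()
    return hmac.compare_digest(probe, STOLEN_VERIFIER)


def mnemonic_candidates():
    """Toy generator of human-pattern guesses: word + capitalisation + year + suffix.

    The wordlist is constructed for the example; real attacks use lists of
    millions of words and rules mined from earlier password dumps.
    """
    words = ["summer", "winter", "password", "welcome", "letmein"]
    for word in words:
        for form in (word, word.capitalize()):
            for year in range(2018, 2024):
                for suffix in ("", "!", "1"):
                    yield f"{form}{year}{suffix}"


def crack(candidates):
    """Try candidates in order; return (password, number of guesses) or (None, n)."""
    guesses = 0
    for guesses, cand in enumerate(candidates, start=1):
        if key_matches(cand):
            return cand, guesses
    return None, guesses


def random_space_size(alphabet_size: int, length: int) -> int:
    """Number of possible passwords for a generator drawing uniformly."""
    return alphabet_size ** length


def expected_years(space_size: int, guesses_per_second: float) -> float:
    """Expected time to find a uniformly chosen password: half the space, on average."""
    seconds = space_size / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def entropy_bits(space_size: int) -> float:
    return math.log2(space_size)


if __name__ == "__main__":
    # Assumed attacker speed: one GPU doing ~1e5 PBKDF2 derivations per second
    # at this iteration count (a constructed figure, not a benchmark).
    RATE = 1e5

    mnemonic_space = sum(1 for _ in mnemonic_candidates())
    random_space = random_space_size(72, 16)  # 16 chars from a 72-symbol alphabet

    found, n = crack(mnemonic_candidates())
    print(f"mnemonic space: {mnemonic_space} guesses, "
          f"{entropy_bits(mnemonic_space):.1f} bits, "
          f"{expected_years(mnemonic_space, RATE):.2e} years; "
          f"cracked {found!r} after {n} guesses")
    print(f"random space:   {entropy_bits(random_space):.1f} bits, "
          f"{expected_years(random_space, RATE):.2e} years")
```

The two printed lines are the whole argument: the mnemonic space is exhausted in a fraction of a second, while the random space genuinely takes astronomically long. Quoting the second number as the strength of a master password is only honest when the password was actually drawn from that space.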
Needless to say, things are still not looking good for LastPass. And unfortunately, if your vault is part of this breach and you used a non-random, memorable method to create your master password, you should act now: because the attackers hold a copy of the encrypted vault, changing your master password does nothing for that stolen copy, so the passwords and other secrets stored inside it need to be rotated, and you should watch for any sign of cybercrime that uses them.