I wouldn't trust any password service that uploads my data anywhere, with or without the key (though especially with the key like here). I wouldn't trust it if it uploaded the password data to Dropbox or any similar service under an account I own. Even if the data is encrypted, someone can get access to it and work on decrypting it offline. That's simply too big of a risk considering the power of state actors, although I assume state actors would just get the data directly from each website and not need my passwords. Still, can't assume anything about any adversary. Others could certainly be capable of cracking an encrypted file offline.
> Even if the data is encrypted, someone can get access to it and work on decrypting it offline.
That fear is irrational. While you go on to describe one reason for that, another is that cracking solid encryption isn't something people can just do.
The vast computer power necessary to maybe crack something like a humble RSA1024 in 8 years can more easily make enough Bitcoin to buy a small nation.
This is not an irrational fear given how LastPass and many other password managers are designed. LastPass (and others) derive encryption keys from their users' passwords (via PBKDF-2).
Thus a (smart) attacker needn't guess the user's encryption key directly. They just need to guess the user's password, "hash" it via PBKDF-2 with the proper params and see if it decrypts the data.
Using a sub-$1,000 GPU and a table of common passwords obtained from popular website database leaks, it's not that hard to crack the average Joe's vault.
You are assuming Joe would use a "common" password to encrypt their highly sensitive password vault. Joe only has to remember one password since moving to a password manager. Even my mother uses a decent password for that. I'm not saying your situation isn't feasible but Joe has failed to use the product properly.
I think I saw that some of these managers have integrations with https://haveibeenpwned.com/ and that could extend to the vault password too. Maybe it already does.
Yes. Given how mass data leaks have shown just how bad people are at choosing passwords, I think it's a very safe assumption that a large proportion of LastPass users have weak, easily guessable master passwords.
The ironic thing here is randomly generated passwords produced by a password manager are highly likely to be more secure than the password that protects the password vault itself.
> Yes. Given how mass data leaks have shown just how bad people are at choosing passwords, I think it's a very safe assumption that a large proportion of LastPass users have weak, easily guessable master passwords.
Indeed. Which is in part why we developed the Secret Key. Even if someone chooses a relatively weak Master Password and all of the data were stolen from our servers, cracking even just a single password of a single user via brute force would be implausible. The effort-to-reward ratio is very high (perhaps insurmountably so) on the effort side.
The entire point of PBKDF2 is that a sub-$1,000 GPU isn't helpful.
It's certainly straightforward to use PBKDF2 in a way that is resistant to common / leaked passwords: add a per-database salt, then you can't go through the table in advance. For each individual user you want to target, you have to start trying passwords.
But even if you don't, the whole point of a password manager is to allow the single master password/passphrase to be something complicated. The average breached password should not be relevant here, and a good password manager's UX should encourage/force you to use something more complicated.
1Password, for instance, requires that you provide a 25-character random string in addition to your passphrase; it's not enough to just have the passphrase. I believe they're both used as inputs to key derivation.
Your arguments are sound in theory. But not in practice (for LastPass; 1Password has a better design). For example, LastPass was deriving their encryption key with only 5k rounds of PBKDF-2 iterations (but used ~100k rounds to create their authentication hash) [1].
In LastPass's case, assuming the attacker has obtained a copy of the encrypted data, a smart attacker can ignore the authentication hash and just try encryption keys directly.
5k rounds of PBKDF-2 on a sub-$1,000 GPU is quite tractable to crack.
Was it a trivial thing for LastPass to fix? Of course. But that's not the point - if an attacker got a copy of the data before you fixed it - it's too late.
With a salt and enough iterations of PBKDF-2, even easy passwords should be reasonably difficult to crack.
The problem of course is deciding what a reasonable number of iterations is, but given the time it takes to decrypt my password I'd say they use quite a lot.
"Should" is the key word there. When LastPass was breached in 2015, they were using only 5k iterations of PBKDF-2 to create the encryption key (but it was changed to ~100k in Feb 2018) [1].
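The two points made in this thread (an attacker with a stolen blob guesses master passwords through the key derivation and checks whether the result decrypts the vault, and the vault key's iteration count, not the authentication hash's, is what bounds that cost) can be checked concretely. The following is an added example, not code from any password manager: it derives a vault key with PBKDF2-HMAC-SHA256, optionally mixes in a high-entropy secret key (a simplified sketch of the two-secret idea, not 1Password's actual construction), and measures how much one guess costs at the 5k and ~100k iteration counts quoted above. All salts, passwords and secret-key values are constructed.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Iteration counts quoted in the thread (vault key before and after the change).
ITERS_2015 = 5_000
ITERS_2018 = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int,
                     secret_key: Optional[bytes] = None) -> bytes:
    """Derive a 256-bit vault key from the master password with PBKDF2-HMAC-SHA256.

    If a high-entropy secret_key is supplied, the PBKDF2 output is XORed with an
    HMAC mask keyed by it, so a stolen blob plus a guessed master password is not
    enough on its own. This mixing step is an illustrative assumption, not 1Password's scheme.
    """
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)
    if secret_key is not None:
        mask = hmac.new(secret_key, b"vault-key-mask" + salt, hashlib.sha256).digest()
        key = bytes(a ^ b for a, b in zip(key, mask))
    return key


def effective_guess_iterations(vault_iters: int, auth_iters: int) -> int:
    """With a copy of the encrypted data, a guess is verified by decrypting the vault,
    so only the vault key's iteration count slows the attacker; the authentication
    hash's (higher) count never enters the picture."""
    return vault_iters


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Cost of one key derivation on this CPU. A GPU is far faster in absolute
    terms, but the ratio between iteration counts carries over."""
    salt = b"constructed-salt-value"
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"constructed master password", salt, iterations, dklen=32)
    return (time.perf_counter() - start) / samples


def cost_ratio(low_iters: int, high_iters: int) -> float:
    """How many times more expensive each guess becomes at the higher count."""
    return seconds_per_guess(high_iters) / seconds_per_guess(low_iters)


if __name__ == "__main__":
    salt = os.urandom(16)
    print("vault key (no secret key):", derive_vault_key("password123", salt, ITERS_2015).hex())
    print("vault key (with secret key):", derive_vault_key("password123", salt, ITERS_2015, os.urandom(32)).hex())
    print("effective iterations per guess:", effective_guess_iterations(ITERS_2015, ITERS_2018))
    print("cost ratio 100k/5k: %.1fx" % cost_ratio(ITERS_2015, ITERS_2018))
```

The ratio printed at the end is what moving from 5k to ~100k iterations buys a defender per guess; the secret key changes the key space an attacker must search rather than the per-guess cost.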
To the same effect that means you shouldn't trust anything going over any network ever. They can just as well decrypt your TLS connection offline as they can an encrypted data store. In which case, why do you not trust it when you send your encrypted password over an encrypted connection, but you do when your plaintext password gets sent over an encrypted connection?