I'm a bit confused on how the LastPass hack enabled the loss of passwords. I assume it works the way that I understand 1Password to work which should mean this would still be very difficult to impossible to do. Can anyone explain what I'm wrong about in terms of how the password managers work or how LastPass works differently?
So the way that I understand 1Password to work is that the decryption key is split in two: the user's single password + a secret key. You need both to decrypt the vault. The secret key is, again according to my understanding, generated randomly and is like 128bits? Once 1Password generates it and sends it to you (maybe they don't even send it and it is generated locally, I don't know), they never see it again. Thus, even if your vault were stolen, the thieves would need to crack your password (very likely not that secure) but also the 128 bit secret key so you would have a minimum of 128bit security which seems fine?
What's different about LastPass? Were the secret keys stolen somehow too? Were the targets of the stolen vaults then hit with further attacks to extract the secret keys? Does LastPass not use a similar structure as 1Password? Or am I actually not as safe as I thought using 1Password?
LastPass does not use the secret key concept that 1Password uses, it only uses a key derived from your password. After the breach they rushed to increase the hash iterations [1] and added features to let enterprise admins set minimum iterations [2] but of course it was too late at that point.
Adding on to what others have said, LastPass stored vault "metadata" unencrypted. Metadata included things the url. This allowed the attackers to prioritize cracking vaults of higher value.
See a vault with just a facebook.com and google.com login? Skip it. See a vault with coinbase and 10 other crypto sites in it? Spend a few thousand trying to crack it.
I was under the impression that basically lastpass knew your password, 1password does not. Lastpass owned the whole key. With enterprise organizations though we can still reset a users password if they forget so 1password might “know” your password too. Maybe older versions or individual versions are more secure.
It would probably be more accurate to say that LastPass has the information to decrypt your vault if they can guess your password. By contrast 1Password would need to both guess your password and guess your personal secret key. The latter is effectively impossible assuming the key generation was well-implemented. The trade-off is that users must keep track of their own secret keys.
You'd have to contact someone to get the secret key from your 1Pass emergency kit, wherever you stored it. That is, unless you can memorize long strings of numbers really well.
Not really. The biggest, most immediate and most threatening problem in this scenario, is inability to access your passwords, and therefore inability to use banking and means of electronics communication.
2FA does not increase the key strength. The key is solely derived from the password. 2FA limits access to somebody who already has the password to get in. The LastPass leak was of a backup, though, for which 2FA does nothing.
So the way that I understand 1Password to work is that the decryption key is split in two: the user's single password + a secret key. You need both to decrypt the vault. The secret key is, again according to my understanding, generated randomly and is like 128bits? Once 1Password generates it and sends it to you (maybe they don't even send it and it is generated locally, I don't know), they never see it again. Thus, even if your vault were stolen, the thieves would need to crack your password (very likely not that secure) but also the 128 bit secret key so you would have a minimum of 128bit security which seems fine?
What's different about LastPass? Were the secret keys stolen somehow too? Were the targets of the stolen vaults then hit with further attacks to extract the secret keys? Does LastPass not use a similar structure as 1Password? Or am I actually not as safe as I thought using 1Password?