LastPass has claimed that it would take millions of years to crack a user's master password, but a rival company claims that the process won't take nearly that long, and could be done for a mere $100.
LastPass, a popular password management company, recently came under fire when customer data vaults were obtained via an attack in August.
Now, the company's rival, 1Password, claims that LastPass isn't protecting customers' data enough.
A blog post by 1Password's principal security architect, Jeffrey Goldberg, explains the importance of using machine-generated passwords rather than user-generated passwords.
"If you consider all possible 12-character passwords, there are something around 2^72 possibilities. It would take many millions of years to try them all. Indeed, it would take much longer," he writes. "But the people who crack human-created passwords don't do it that way. They set up their systems to try the most likely passwords first."
Goldberg notes that most user-created passwords can be cracked in fewer than 10 billion guesses through a process costing just about $100.
This is bad news for the average user, who typically creates a shorter and less complex password than something generated by a machine.
He points out that 1Password adds an additional layer of protection — the Secret Key. A customer's Secret Key is created on-device, never sent to 1Password, and is required to decrypt user data.
So while a hacker may theoretically be able to obtain a 1Password user's master password, it's useless without the Secret Key.
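The following Python script is an added illustration of the point above, not 1Password's own code or its actual key-derivation scheme: a vault key derived from a human-chosen master password alone falls to a short "most likely first" candidate list, while mixing in a random device-held Secret Key (modelled here as 16 random bytes combined via HMAC) makes the same candidate list useless. The password, candidate list, salt and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: a weak, human-chosen master password and a small
# "most likely first" candidate list standing in for a cracker's wordlist.
MASTER_PASSWORD = "Summer2022!"
CANDIDATES = ["password", "123456", "Summer2022!", "letmein", "qwerty123"]
SALT = b"constructed-fixed-salt"  # constructed; real vaults use a random per-account salt
ITERATIONS = 50_000               # kept low so the demo runs quickly


def derive_key(password: str, secret_key: Optional[bytes] = None) -> bytes:
    """Derive a 32-byte vault key (illustrative scheme, not 1Password's design).

    Without a Secret Key the key depends only on the guessable password.
    With one, a device-held random secret is mixed in via HMAC, so a correct
    password guess still yields the wrong key unless the attacker has it too.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    if secret_key is None:
        return pw_key
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def offline_guess(target_key: bytes, candidates, secret_key: Optional[bytes] = None):
    """Try candidates in order; return (guesses_made, password) or (guesses_made, None)."""
    for n, cand in enumerate(candidates, start=1):
        if hmac.compare_digest(derive_key(cand, secret_key), target_key):
            return n, cand
    return len(candidates), None


def demo():
    # Vault protected by the password alone: cracked within the candidate list.
    pw_only = offline_guess(derive_key(MASTER_PASSWORD), CANDIDATES)
    # Vault protected by password plus a 128-bit Secret Key that never left the device.
    secret_key = secrets.token_bytes(16)
    key_with_sk = derive_key(MASTER_PASSWORD, secret_key)
    without_sk = offline_guess(key_with_sk, CANDIDATES)              # attacker lacks the Secret Key
    with_sk = offline_guess(key_with_sk, CANDIDATES, secret_key)     # attacker somehow holds it
    return pw_only, without_sk, with_sk


if __name__ == "__main__":
    for label, result in zip(("password only", "no Secret Key", "with Secret Key"), demo()):
        print(f"{label}: {result}")
```

The second result shows that knowing the password's position in the wordlist buys the attacker nothing once the key also depends on a secret they never obtained from the server.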
The blog ends by reassuring users that 1Password has gone above and beyond to protect their data, even if users aren't following best practices and using machine-generated passwords.
"We have not been breached, and we do not plan to be breached. But we understand that we have to plan for being breached," Goldberg writes. "The 1Password Secret Key may not be the most user-friendly aspect of our human-centered design, but it means that we can say with full confidence that your secrets will remain safe in the event of a breach."
LastPass has come under fire for questionable security practices in the past.
In December 2021, LastPass members reported multiple attempted logins using correct master passwords from various locations. The company assured customers that attacks were a result of passwords leaked in third-party breaches.
In February 2021, a security researcher uncovered seven trackers within the LastPass Android app.