Passwords RIP!!!

With the recent spike in data breaches, if you were a LastPass user, your personal data and your password vault were compromised. Typically, when a company is the victim of a data breach, hackers gain access only to the encrypted password for that site, along with other data. But what if that company is the one that stores all our passwords, and hackers exfiltrated the password vaults, the secure storage of that data? They need a master password to unlock the password vault and reveal the passwords of all the sites you stored. At this point, two-factor authentication (2FA) such as SMS or time-based OTP is useless, as it is only used by the software accessing the vault. LastPass claimed that "it would take millions of years to guess your master password using generally-available password-cracking technology". However, its competitor 1Password took the opportunity to counter LastPass's statement, saying that "the claim is based on poor assumptions about guessing speed". 1Password estimated from their cracking competition that the cost of cracking passwords hashed with 100,000 rounds of PBKDF2-H256 is around $6 for every 2^32 guesses, so ten billion guesses would cost less than $100. Regardless, even with this estimate, it would cost $200 million to crack 2 million LastPass vaults. But do you need to worry? Most likely not, if you have 2FA set up for your most critical accounts, such as financial and healthcare sites.

Based on those calculations, it would cost $422T (trillions!), assuming hackers try all 2^78 password guesses, which is the worst-case scenario. However, hackers could reduce the number of guesses by using the most frequently used letters, numbers, and special characters, or by obtaining pwned passwords from the dark web, and crack the master password much faster, but that will not solve everyone's master password. Excluding the extreme or edge cases, hackers could decrypt most passwords. Even if the hackers get the majority of LastPass users' passwords, they may not be able to use them to log in to those accounts if 2FA is already set up. If you still need to set up 2FA, now is the time to do so, before your account details and passwords are sold on the dark web and someone tries them.

LastPass has a master password requirement of at least 12 characters, including upper case A-Z (26), lower case a-z (26), numbers 0-9 (10), and 32 special characters excluding the space character. This requirement makes the symbol pool 94. For a 12-character password, the entropy is approximately 78 bits [1]. The total number of password guesses required is 2^78 = 302 sextillion (302,231,454,903,657,293,676,544). Using Coalfire's hashing platform on AWS, NPK, with 1x p3.16xlarge and 8x Tesla V100 GPUs costing $7.34/hr and hashing at a rate of 632 GH/s (giga-hashes per second), it would cost $975 million [2] and take 15 millennia (15,000 years) [3] to crack a master password.

From the above, hackers will not use a brute-force attack to recover your LastPass master password, spending close to $975 million (worst case) or even $200 million with the 1Password approach. Instead, they could use social engineering or phishing to obtain your LastPass master password, camouflaging the attempt as LastPass itself prompting for your master password. If you are not using LastPass, you might not respond to such phishing attacks. But you could become a victim if you are still using LastPass and were unaware of the LastPass breach, or if you respond to phishing attacks.

[Image: Social Engineering infographic. Credit: Social Engineer]

Anyway, passwords have survived for a long time, from the simplest passwords to the most complicated ones of the present day, which most of us cannot even remember if we do not use them regularly or without password management software. Shouldn't systems be simple to use for legitimate users and hard for hackers to guess or break into? It is time for the mass adoption of passwordless or device-based authentication, such as FIDO.

Disclosure: I used to be a LastPass user. But not anymore. However, I am still trying to figure out a way to reset passwords for the accounts that didn't support two-factor authentication (2FA). Let me know if you have figured out a way to solve it rather than changing one at a time.



Assumptions and calculations are below.

Password length = 12 characters
Symbol pool = 94 (upper case A-Z (26), lower case a-z (26), numbers 0-9 (10), and 32 special characters excluding the space character)
Hash rate = 632 GH/s
Cost = $7.34/hr

[1] Entropy = log2(94^12) = 78

Seconds to crack = (2^entropy) / (hash rate or guesses per second)
Seconds to crack = (2^78) / 632,000,000,000 = 478,214,327,379

Time to crack in hours = seconds to crack / (60 seconds x 60 minutes)
Time to crack in hours = 478,214,327,379 / (60 x 60) = 132,837,313 hrs

Total cost to crack = time to crack in hours x cost per hr
[2] Total cost to crack = 132,837,313 hrs x $7.34 = $975,025,878

Total time to crack = time to crack in hours / (24 x 365)
[3] Total time to crack = 132,837,313 hrs / (24 x 365) = 15,164 years
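As an added worked example (not part of the original article), the following Python reproduces the brute-force figures above from the stated assumptions and, alongside them, the 1Password-derived model of about $6 per 2^32 PBKDF2 guesses, which is where the $422T worst-case figure and the "ten billion guesses for under $100" estimate come from. The constants are the article's stated inputs, not measurements made here.

```python
import math

# Inputs as stated in the article's assumptions (not measured here).
SYMBOL_POOL = 94          # A-Z, a-z, 0-9 and 32 specials (no space)
PASSWORD_LENGTH = 12      # LastPass minimum master password length
HASH_RATE = 632e9         # guesses per second, NPK with 8x Tesla V100
USD_PER_HOUR = 7.34       # p3.16xlarge hourly price quoted above
USD_PER_2POW32 = 6.0      # 1Password estimate: ~$6 per 2^32 PBKDF2 guesses


def entropy_bits(pool: int, length: int) -> float:
    """[1] Entropy of a uniformly random password: log2(pool^length)."""
    return length * math.log2(pool)


def keyspace(bits: int) -> int:
    """Worst case: every one of the 2^bits guesses (article rounds 78.66 down to 78)."""
    return 2 ** bits


def brute_force(guesses: int, rate: float = HASH_RATE,
                usd_per_hour: float = USD_PER_HOUR) -> dict:
    """Rented-GPU model: time = guesses / rate, cost = hours x hourly price."""
    seconds = guesses / rate
    hours = seconds / 3600
    return {
        "seconds": seconds,
        "hours": hours,
        "years": hours / (24 * 365),   # [3]
        "usd": hours * usd_per_hour,   # [2]
    }


def pbkdf2_cost(guesses: float, usd_per_2pow32: float = USD_PER_2POW32) -> float:
    """1Password model: cost grows linearly with guesses, $6 per 2^32 of them."""
    return guesses / 2 ** 32 * usd_per_2pow32


if __name__ == "__main__":
    bits = math.floor(entropy_bits(SYMBOL_POOL, PASSWORD_LENGTH))
    n = keyspace(bits)
    bf = brute_force(n)
    print(f"entropy ~ {bits} bits, keyspace = {n:,} guesses")
    print(f"NPK brute force: {bf['hours']:,.0f} h = {bf['years']:,.0f} years, ${bf['usd']:,.0f}")
    print(f"1Password model, full keyspace: ${pbkdf2_cost(n):,.0f}")
    print(f"1Password model, 10 billion guesses: ${pbkdf2_cost(1e10):,.2f}")
```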
