kip_ | 8 years ago

So they're brute forcing the master password for these databases. Why should I be worried if I'm using a non-dictionary multi-word passphrase as my master password?

"Different password managers employ different approaches to security. As an example, LastPass generates the encryption key by hashing the username and master password with 5,000 rounds of PBKDF2-SHA256, while 1Password employs even more rounds of hashing. This is designed to slow down brute-force attacks, and it almost works. Granted, these are still nearly an order of magnitude less secure than, say, Microsoft Office 2016 documents, but even this level of security is much better than nothing." I'm guessing they meant more secure than Office 2016.

lostcolony|8 years ago

No, per the included graph, brute forcing Office 2016 allowed them fewer guesses per second. Whatever its hashing algorithm, it's stronger than that being used by the password managers.
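An added example, not part of either comment or of the quoted article: it shows how the PBKDF2-SHA256 round count and passphrase entropy together set the cost of guessing a master password. Using the username as the salt, the 7776-word list, the 100,000-round comparison and the `attacker_speedup` multiplier are assumptions made for illustration.

```python
import hashlib
import math
import time

ROUNDS_QUOTED = 5000  # round count quoted in the thread


def derive_key(username: str, master_password: str, rounds: int) -> bytes:
    """PBKDF2-SHA256 key derivation. Assumption: the username is the salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.encode(), rounds
    )


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of uniformly random words from a list."""
    return words * math.log2(wordlist_size)


def measure_guess_rate(rounds: int, samples: int = 10) -> float:
    """Derivations per second on this machine, one thread."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key("user@example.com", f"guess-{i}", rounds)  # constructed input
    return samples / (time.perf_counter() - start)


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Average case: the search covers half the space before it succeeds."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


def report(words: int = 4, wordlist_size: int = 7776,
           attacker_speedup: float = 1e4):
    """attacker_speedup is a hypothetical factor over this machine's rate."""
    bits = passphrase_bits(words, wordlist_size)
    rows = []
    for rounds in (ROUNDS_QUOTED, 100_000):
        rate = measure_guess_rate(rounds) * attacker_speedup
        rows.append((rounds, rate, expected_years(bits, rate)))
    return bits, rows


if __name__ == "__main__":
    bits, rows = report()
    print(f"passphrase entropy: {bits:.1f} bits")
    for rounds, rate, years in rows:
        print(f"{rounds:>7} rounds: {rate:,.0f} guesses/s, ~{years:,.1f} years")
```

Each extra random word multiplies the search space by the word-list size, while raising the round count only divides the guess rate linearly.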