“For example, another important default setting in LastPass is the number of “iterations,” or how many times your master password is run through the company’s encryption routines”
If you are complaining about the idea of iterating a hash multiple times, this is actually a fairly standard construction to increase the CPU cost of brute-forcing hashes.
Ok I googled. I guess it makes sense as it helps to protect against pre-hashed rainbow tables or dictionary attacks by making them more computationally expensive.
Usually people use salt to protect against rainbow tables.
Iterating a hash function (e.g. PBKDF2) is mostly just a way to make hashing take longer. Since attackers have to make very many guesses (while legit users only have to hash the password once), increasing each guess by a few seconds can really slow things down.
However, in modern apps they usually try to use more complex constructions like argon2 to make it so you can't use GPUs to do lots of guesses at once.
bawolff|2 years ago
spiderice|2 years ago
aklein|2 years ago
bawolff|2 years ago
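The points made in the thread (iterations raise the cost of every guess, the salt defeats precomputed tables, and the legitimate user pays the cost only once per login) can be seen directly with PBKDF2-HMAC-SHA256 from Python's standard library. The following is an added example written for this page, not code from any of the commenters or from LastPass; the password, salts and the guess-rate figure passed to `guesses_per_second` are constructed values, and the linear cost model is a simplifying assumption (real attacker throughput depends on hardware).

```python
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"   # PBKDF2 is parameterised by the underlying HMAC hash
DK_LEN = 32            # derived-key length in bytes


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the iterated construction discussed in the thread.

    Each iteration is another HMAC evaluation, so cost grows linearly
    with `iterations` for the defender and the attacker alike.
    """
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                               iterations, dklen=DK_LEN)


def make_verifier(password: str, iterations: int) -> dict:
    """What a service stores: a random per-user salt, the parameters, and the hash."""
    salt = os.urandom(16)  # fresh random salt per password
    return {"salt": salt, "iterations": iterations,
            "hash": derive_key(password, salt, iterations)}


def verify(password: str, verifier: dict) -> bool:
    """Legitimate login: one derivation, then a constant-time comparison."""
    candidate = derive_key(password, verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(candidate, verifier["hash"])


def distinct_outputs(password: str, salts: list, iterations: int) -> int:
    """Count distinct hashes of ONE password across several salts.

    If this equals len(salts), a table precomputed for one salt says nothing
    about the same password stored under another salt, which is why salts,
    not iterations, are the answer to rainbow tables.
    """
    return len({derive_key(password, s, iterations) for s in salts})


def seconds_per_guess(iterations: int, repeats: int = 3) -> float:
    """Measure the wall-clock cost of a single guess at a given iteration count.

    Uses a fixed constructed salt so only `iterations` varies between runs;
    the minimum over `repeats` reduces timer noise.
    """
    salt = b"constructed-fixed-salt-0"
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        derive_key("benchmark-password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def guesses_per_second(single_iteration_rate: float, iterations: int) -> float:
    """Linear cost model (assumption): an attacker who can evaluate
    `single_iteration_rate` one-iteration PBKDF2 guesses per second gets
    `single_iteration_rate / iterations` guesses per second at `iterations`.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    return single_iteration_rate / iterations


if __name__ == "__main__":
    stored = make_verifier("correct horse battery staple", 100_000)
    print("login ok:", verify("correct horse battery staple", stored))
    print("wrong pw:", verify("Tr0ub4dor&3", stored))
    for n in (1_000, 10_000, 100_000):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.2f} ms per guess")
    # Constructed figure: 1e6 one-iteration guesses/s on some attacker box.
    print("attacker guesses/s at 100k iterations:",
          guesses_per_second(1_000_000, 100_000))
```

Running the script shows the per-guess time climbing roughly tenfold with each tenfold increase in iterations; the legitimate user absorbs that once per login, while an attacker running a dictionary pays it on every candidate. The `distinct_outputs` helper makes the other half of the thread concrete: the same password under three salts yields three unrelated hashes, so a precomputed table keyed on one salt cannot be reused.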