After a recent update to LastPass 2.0, I noticed that Preferences had a setting for PBKDF2 and it was set to 1.
What is PBKDF2? The short version is it is a way to make it harder for an attacker to brute-force your password. If you have a password hash, you can attempt to guess the password very quickly. But if the hash is hashed 1000x times, each guess is now that much slower. For technojargon, check out Wikipedia.
According to the LastPass manual, the default PDKDF2 iteration is 500. Older account holders like me still have a default of 1.
According to Elcomsoft, your LastPass account password could be broken in under a day with this setting. It has been reported that if you change your LastPass account password, you will be prompted to change this setting to the default of 500. So I guess those of us publicly commenting on our setting of “1″ are admitting we haven’t changed the LastPass account password in a while. (doh!) In my defense, I’ll point out I do use multifactor authentication to LastPass. It would have been nice if account holders were warned to update that setting.
hat tip to NoVa Infosec Portal whose post reminded me to change that setting, and also to blog about it.