Lars wrote:
evilthought wrote: Makes you wonder what else is screwed up with their software that is not yet known. This was inexcusably bad.
evilthought wrote: Unless some fundamental weakness in AES algorithm is discovered, there is no way brute force will ever break AES if natural laws of physics are valid.
Those two statements completely contradict each other in this context... yet they are given about the same product!!!
Unfortunately, you don't understand the two sentences. In the first case, they are brute forcing the *user* password (not the AES key). Your password is hashed into an AES key (256 bit AES password). These user passwords are not 256 bit and can be brute forced. If they are weak passwords, they could be brute-forced even in less than a second. In this case, adding hashing iterations (the process that makes the user password into an AES key) will slow down the brute force attack. This is so well known and basic. That's why I said how LastPass could have missed something this elementary?
In the second case, they are brute forcing the AES 256-bit key itself. That is impossible, and I am sure it will stay impossible forever. AES might (or might not) get broken, but for sure it won't be broken by brute force. Adding a random number (like "70" years) is pretty meaningless here.
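Added example, not part of the original post and not the product's own code: it puts numbers on the distinction drawn above between searching the user-password space (each guess costs one pass through the iterated hash) and searching the 256-bit AES key space. PBKDF2-HMAC-SHA256, the salt, the sample password policy and the hash rate are assumptions chosen for illustration.

```python
import hashlib

KEY_BITS = 256
# Assumption for illustration only: raw hash computations per second.
ASSUMED_HASHES_PER_SECOND = 10**9
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a user password into a 256-bit key (PBKDF2-HMAC-SHA256 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BITS // 8)


def password_space(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(search_space: int, iterations: int,
                       hashes_per_second: int = ASSUMED_HASHES_PER_SECOND) -> float:
    """Time to try every candidate when each guess costs `iterations` hashes."""
    return search_space * iterations / hashes_per_second


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample value
    key = derive_key("correct horse", salt, 100_000)
    print("derived key:", key.hex())

    weak = password_space(26, 8)  # constructed policy: 8 lowercase letters
    for iters in (1, 5_000, 100_000):
        secs = worst_case_seconds(weak, iters)
        print(f"8 lowercase chars, {iters:>7} iterations: "
              f"{secs:,.0f} s ({secs / SECONDS_PER_YEAR:,.2f} years)")

    # Searching the AES key directly: iterations do not matter, the space does.
    key_years = worst_case_seconds(2 ** KEY_BITS, 1) / SECONDS_PER_YEAR
    print(f"256-bit key space: {key_years:.2e} years")
```

Iterations multiply the cost of every password guess linearly, while the key-space figure is unaffected by them.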