Elcomsoft reviews iOS password managers, LastPass dinged


Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby jonat » Fri Mar 30, 2012 7:14 pm

Yep - just got the update and it fixes the problem.
jonat
 
Posts: 1184
Joined: Thu Dec 09, 2010 8:42 pm

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby evilthought » Sat Mar 31, 2012 2:51 am

JoeSiegrist wrote:
jonat wrote:I asked because you seemed to assume that you'd get to 100% using the higher iterations through normal password turnover. That seems contradictory to the LP motto.


No, we don't assume that; we are planning to have everyone migrated over to the higher rounds on a login in the future. We'll be increasing the percentage over time.

We just got approved by Apple so update away.


Well, even the crappy cell phones can handle 4096 rounds of WPA2, so I don't think 500 would be a problem on anything.
evilthought
 
Posts: 65
Joined: Mon Jan 30, 2012 5:50 am

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby JoeSiegrist » Mon Apr 02, 2012 1:17 am

evilthought wrote:Well, even the crappy cell phones can handle 4096 rounds of WPA2, so I don't think 500 would be a problem on anything.


Hardware-accelerated encryption is an apples-to-oranges comparison to software-based encryption on these devices. Further, non-compiled (mostly JavaScript) based encryption is orders of magnitude slower still.

IE6 without a LastPass extension is very slow, as it uses JavaScript only to generate your hashes. If you're a mobile phone user that hasn't paid for LastPass and uses m.lastpass.com, you use JavaScript on your phone's web browser to generate your hashes. This is very slow.

If you want 100,000 rounds right now you can do it easily and we're not going to stop you; we are just picking a default we know works everywhere without a major (>4 second) login penalty anywhere. If you know you're not going to use any slow platforms or methods to log in, and are using a relatively short password, it might make sense for you to increase it. We will be increasing the recommended minimum over time as well.
JoeSiegrist
 
Posts: 4144
Joined: Wed Aug 20, 2008 10:40 am

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby MxxCon » Wed Apr 04, 2012 9:39 pm

Just want to point out something. I brought this issue up all the way back in 2008. As a matter of fact, this was thread 7 from the very beginning: viewtopic.php?f=7&t=7
It's hard to believe that in 4 years smartphones' JavaScript hasn't become any faster. :?
MxxCon
 
Posts: 89
Joined: Fri Aug 22, 2008 5:27 pm

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby JoeSiegrist » Wed Apr 04, 2012 10:00 pm

MxxCon wrote:It's hard to believe that in 4 years smartphones' JavaScript hasn't become any faster. :?

They have; that's why the default is 500 times as computationally intense as it was before, and if you don't utilize slower platforms you can choose to go as high as 100,000 times more computationally intense.
JoeSiegrist
 
Posts: 4144
Joined: Wed Aug 20, 2008 10:40 am

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby XIII » Thu Apr 05, 2012 2:04 pm

What are slower platforms?

I think Steve Gibson mentioned in his Security Now podcast (#347 "iOS Password Mis-Managers") that iOS itself does 10,000 iterations.

Does that mean I could use that on my 2.5-year-old iPhone 3GS?
XIII
 
Posts: 360
Joined: Fri Oct 16, 2009 6:18 pm

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby JoeSiegrist » Thu Apr 05, 2012 2:49 pm

XIII wrote:What are slower platforms?


Any platform doing the computation in an interpreter (JavaScript), so m.lastpass.com is slow on a phone or in IE8 without a plugin, WebOS (as it's all web based), etc.

The apps themselves are compiled and run at a decent speed. Yes, if you only used your 2.5-year-old 3GS and extensions on the desktop, 10,000 rounds is probably not noticeably slower today. It's slower than Apple's 10,000 rounds, as they have hardware-accelerated crypto operations that they're using.

Do you need this? I doubt it. If your password is even remotely strong, it's well outside the realm of brute forcing it.
JoeSiegrist
 
Posts: 4144
Joined: Wed Aug 20, 2008 10:40 am

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby Israel » Thu Apr 05, 2012 5:11 pm

XIII wrote:What are slower platforms?

I think Steve Gibson mentioned in his Security Now podcast (#347 "iOS Password Mis-Managers") that iOS itself does 10,000 iterations.

Does that mean I could use that on my 2.5-year-old iPhone 3GS?


iOS does 10,000 iterations on the backup, which is encrypted through iTunes on your desktop, which uses your much faster computer's processor.
Israel
Site Admin
 
Posts: 1475
Joined: Tue May 04, 2010 9:40 am

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby XIII » Mon Apr 09, 2012 4:32 pm

Israel wrote:iOS does 10,000 iterations on the backup, which is encrypted through iTunes on your desktop, which uses your much faster computer's processor.

According to the article (and Steve in the podcast, probably just citing the article) the encryption of the backup is done on the device itself.
Furthermore, one of your competitors is apparently going to 10,000 iterations on iOS: http://blog.agilebits.com/2012/04/09/1p ... -goodness/

Can I give this number a try and revert to a smaller number if it turns out to make things too slow (on my 3GS)?

PS1: I'm also using the Safari extension with no binary features on an old (2009?) iMac. Is this a factor? Or is such a machine fast enough? (I think so)
PS2: According to your Security Challenge the strength of my master password is 100%, so I guess I'm indeed already fine with 500 iterations?
XIII
 
Posts: 360
Joined: Fri Oct 16, 2009 6:18 pm

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby JoeSiegrist » Mon Apr 09, 2012 4:48 pm

XIII wrote:Can I give this number a try and revert to a smaller number if it turns out to make things too slow (on my 3GS)?

Yes, of course; you can always back it down.


XIII wrote:PS: I'm also using the Safari extension with no binary features on an old (2009?) iMac. Is this a factor? Or is such a machine fast enough? (I think so)


That should be doable. We do support Binary on Safari on x86 Macs.
JoeSiegrist
 
Posts: 4144
Joined: Wed Aug 20, 2008 10:40 am
