commercemopa.blogg.se

Bitwarden password vault







In the aftermath of the LastPass breach it became increasingly clear that LastPass didn’t protect their users as well as they should have. When people started looking for alternatives, two favorites emerged: 1Password and Bitwarden. But do these do a better job at protecting sensitive data?

For 1Password, this question could be answered fairly easily. The secret key functionality decreases usability, requiring the secret key to be moved to each new device used with the account. But the fact that this random value is required to decrypt the data means that the encrypted data on 1Password servers is almost useless to potential attackers. It cannot be decrypted even for weak master passwords.

As to Bitwarden, the media mostly repeated their claim that the data is protected with 200,001 PBKDF2 iterations: 100,001 iterations on the client side and another 100,000 on the server. This being twice the default protection offered by LastPass, it doesn’t sound too bad. Except: as it turns out, the server-side iterations are designed in such a way that they don’t offer any security benefit. What remains are 100,000 iterations performed on the client side, essentially the same protection level as for LastPass.

Mind you, LastPass isn’t only being criticized for using a default iterations count that is three times lower than the current OWASP recommendation. LastPass also failed to encrypt all data, a flaw that Bitwarden doesn’t seem to share.








