
Fit-Anything8352 t1_j1gn6fd wrote

I mean that's what I meant when I said "master password isn't something absolutely stupid."

That said, hopefully LastPass wasn't dumb enough to not use a key derivation function to derive the master key. The whole point of a key derivation function is to make brute forcing passwords impractical by using a deliberately slow, computationally expensive hashing algorithm to derive the key from the password (say it takes like 100ms to compute on a very powerful computer). This effectively thwarts dictionary attacks, forcing the attacker back to "side step the key derivation function and just brute force the 256-bit key directly, without the database" which is again, impossible, even on future computers that don't exist.

Unless somebody discovers an effective, practical attack on full-round AES-256, which would be very impressive. But then you would have much bigger problems than your stupid passwords :)

5
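An added example, not part of the comment above and not LastPass's code: it calibrates a key derivation function to the roughly 100 ms per derivation the comment mentions, derives a 256-bit key, and compares the cost of trying a wordlist with the cost of enumerating the raw key space. PBKDF2-HMAC-SHA256, the function names, the wordlist size and the guess rates are all assumptions made for illustration.

```python
import hashlib
import os
import time

KEY_LEN = 32  # bytes, i.e. the 256-bit key the comment refers to


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key (PBKDF2 is an assumed choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_LEN)


def calibrate_iterations(target_seconds: float = 0.1, probe: int = 20_000) -> int:
    """Scale a timed probe run so one derivation costs about target_seconds on
    this machine; the result is never lower than the probe count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key("calibration-probe", salt, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))


def guessing_days(candidates: int, seconds_per_guess: float, parallel: int = 1) -> float:
    """Days needed to try every candidate when each guess costs one derivation."""
    return candidates * seconds_per_guess / parallel / 86_400


def keyspace_years(bits: int, guesses_per_second: float) -> float:
    """Years needed to enumerate a raw key space, skipping the KDF entirely."""
    return 2 ** bits / guesses_per_second / (365.25 * 86_400)


if __name__ == "__main__":
    iterations = calibrate_iterations()
    salt = os.urandom(16)  # random per-user salt, stored next to the vault
    key = derive_key("constructed sample passphrase", salt, iterations)
    print(f"iterations for ~100 ms: {iterations}, key size: {len(key) * 8} bits")

    wordlist = 10_000_000_000  # constructed figure: 10 billion candidate passwords
    # Constructed rates: 1e9 guesses/s for one fast hash, 1e18 for raw key trials.
    print(f"single fast hash: {guessing_days(wordlist, 1e-9):.6f} days")
    print(f"KDF at 100 ms:    {guessing_days(wordlist, 0.1):.0f} days")
    print(f"raw 256-bit key:  {keyspace_years(256, 1e18):.3e} years")
```

The iteration count it prints is machine-specific, so a deployment would calibrate on the slowest device that has to unlock the vault and store the chosen count alongside the salt.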