guatemaleco

guatemaleco t1_j89nwz6 wrote

I wasn't basing that on statements from Lastpass. I just presented on this at work and as part of preparing the presentation, we analyzed Lastpass Bitwarden and 1Password vaults as they are synced to their respective services. Palent's blog was certainly one of the sources we used in putting together the analysis.

Some interesting takeaways are that Shared Folders and Federated authentication offered some additional security. 2FA is completely meaningless in this situation as nothing from 2FA is used as part of the encryption key derivation.

As you also mentioned, age of the account made some differences (though not in username encrypted or not). Default iterations being a big one, and AES-CBC vs AES-ECB, which would certainly make usernames more easily determined.

1