With the recent LastPass cybersecurity breach, it might be time to reassess your password hygiene.
The table below from Hive Systems (linked from Reddit) estimates the time it would take to brute-force a password in 2022. It should be noted that these times will shrink as computational power increases and new techniques are developed.
In short, the minimum acceptable “standard” for a password in 2022 is 16 characters, including numbers, upper and lowercase letters, and symbols. In theory, assuming the password has not been stolen, it would take up to 92 billion years to brute-force.
The table assumes the lowest common denominator for password hashing, specifically MD5. Security-conscious services likely use a stronger hashing algorithm, such as PBKDF2. However, knowing that MD5 is still prevalent, it is good to understand the worst-case scenario. More details regarding the analysis can be found at Hive Systems.
Whilst password strength is important, usability is also critical. Therefore, even with the LastPass cybersecurity breach, I still recommend the use of a password manager. Specifically, 1Password or Bitwarden.
A password manager enables you to create a unique username/password for every online account that meets or exceeds the previously outlined password guidance (16+ characters, etc.).
As a result, the user only needs to know one set of credentials: the username and password of the secure vault (the master credentials), which are used to unlock (decrypt) the secure vault.
Secure vaults can be hosted privately or via a third party (cloud-hosted). In theory, a third-party hosted secure vault is more vulnerable, as it relies upon the host (e.g. 1Password, Bitwarden) to maintain appropriate security policies, standards, controls, processes, etc.
With that said, a privately hosted secure vault requires more effort to set up and maintain, ultimately making it less convenient/viable for most people.
Therefore, I recommend hosting with a trusted third party (1Password or Bitwarden), whilst ensuring your master credentials (used to encrypt your secure vault) are unique and thoroughly protected.
For example, I recommend the following criteria for your master credentials:
- Unique username connected to a personally owned/managed email domain (not @gmail.com)
- Unique password
- 16 characters minimum password length
- Password to include numbers, upper and lowercase letters, and symbols
- Multi-Factor Authentication (MFA) enabled, ideally a physical key or an authenticator app
- Secure vault only accessed via trusted (personally owned/managed) devices
The use of a physical key (e.g. Yubikey) for Multi-Factor Authentication (MFA) is certainly preferred, but not always feasible. Therefore, I would recommend an authenticator app (e.g. Authy), which removes the risk of SIM-jacking attacks and/or common email exploits.
Finally, it is worth checking how the password manager derives the vault key from your master password. If PBKDF2 is used, confirm the default iteration count, which slows down any attempt to brute-force the master credentials. I recommend a minimum of 600,000 iterations.
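The following script is an added example (not from Hive Systems, 1Password, Bitwarden or the original post) that ties the three points above together: it checks a candidate master password against the criteria listed earlier, sizes the brute-force search space for the character classes it uses, and benchmarks how many guesses per second a single Python thread can make against MD5 versus PBKDF2-HMAC-SHA256 at a chosen iteration count. The character-class alphabet (94 printable ASCII characters), the salt and the sample passwords are constructed assumptions, and the measured rate is a single-core figure on the machine running it, so treat the resulting years as relative rather than as a reproduction of the Hive Systems table.

```python
import hashlib
import os
import string
import time

# Character classes referenced in the guidance above (constructed alphabet;
# 26 + 26 + 10 + 32 = 94 symbols in total).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password: str) -> set:
    """Names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive attacker must try, assuming they know
    the length and which character classes were used (a conservative model)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def meets_master_criteria(password: str, reused=(), min_length: int = 16) -> list:
    """Return the unmet criteria from the list above; an empty list means it passes.
    `reused` is a collection of passwords already used elsewhere (uniqueness check)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name in sorted(set(CLASSES) - classes_used(password)):
        problems.append(f"no {name} characters")
    if password in reused:
        problems.append("reused elsewhere")
    return problems


def md5_guess(candidate: str) -> bytes:
    """Cost of one guess against an unsalted MD5 hash (the table's worst case)."""
    return hashlib.md5(candidate.encode()).digest()


def pbkdf2_guess_factory(iterations: int, salt: bytes = b"constructed-salt"):
    """Build a one-guess function for PBKDF2-HMAC-SHA256 at the given iteration count."""
    def pbkdf2_guess(candidate: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return pbkdf2_guess


def guesses_per_second(hash_one, samples: int = 50) -> float:
    """Single-threaded guess rate of hash_one() on this machine. Real attackers use
    GPUs and many cores, so this is a lower bound useful only for comparison."""
    candidates = [os.urandom(12).hex() for _ in range(samples)]
    start = time.perf_counter()
    for cand in candidates:
        hash_one(cand)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(space: int, rate: float) -> float:
    """Years needed to try every candidate in `space` at `rate` guesses per second."""
    return space / rate / (365.25 * 24 * 3600)


if __name__ == "__main__":
    sample = "Tr0ub4dor&3xample!Pw"  # constructed sample, not a real credential
    print("unmet criteria:", meets_master_criteria(sample) or "none")
    space = keyspace(sample)
    md5_rate = guesses_per_second(md5_guess, samples=20000)
    pbkdf2_rate = guesses_per_second(pbkdf2_guess_factory(600_000), samples=5)
    print(f"keyspace: {space:.3e} candidates")
    print(f"MD5:    {md5_rate:,.0f} guesses/s -> {years_to_exhaust(space, md5_rate):.3e} years")
    print(f"PBKDF2: {pbkdf2_rate:,.1f} guesses/s -> {years_to_exhaust(space, pbkdf2_rate):.3e} years")
    print(f"PBKDF2 at 600,000 iterations is ~{md5_rate / pbkdf2_rate:,.0f}x slower per guess")
```

The ratio printed on the last line is the practical meaning of the iteration count: every guess against a PBKDF2-protected vault costs the attacker roughly that many times more work than a guess against MD5, which is why confirming the configured iteration count matters as much as the length of the master password itself.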
Will these recommendations ensure your secure vault remains secure? No, nothing can ever be guaranteed. However, for most people, I feel the approach outlined in this article achieves an appropriate balance between security and usability.