LastPass' password meter is broken

Password strength meters are notoriously unreliable and LastPass is unfortunately no exception. Depending on which options are configured, the password strength meter, both in the Chrome browser plugin and at lastpass.com (https://lastpass.com/generatepassword.php), will give completely ridiculous estimates, providing a false sense of security and putting users at risk.

Example 1
Generating a purely numeric 14-digit password results in a green strength bar, although such a password is in fact extremely weak: at just 46 bits of entropy, it would be bruteforced in minutes by even a modest cracking rig.

[Screenshot: https://i.imgur.com/Ctx0Ry9.png]

dict size: 10   length: 14  ->  46.50 bits of entropy  ->  bruteforce difficulty: trivial (minutes)


Example 2

This password is shorter (10 characters) but results in an even longer and greener strength meter.

[Screenshot: https://i.imgur.com/wPoEsha.png]

dict size: 18   length: 10  ->  41.69 bits of entropy  ->  bruteforce difficulty: trivial (seconds)
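The two entropy figures above follow from length times log2 of the alphabet size. The calculator below reproduces them and turns the result into a time-to-exhaust estimate; it is an added example, not LastPass's meter code, and the guess rate of 1e11 guesses per second, the difficulty thresholds, and the charset_size heuristic are this example's own assumptions.

```python
import math
import string

# Assumed guess rate (constructed for this example): 1e11 guesses per second,
# roughly what a multi-GPU rig manages against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e11


def entropy_bits(dict_size: int, length: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly from `dict_size`."""
    if dict_size < 2 or length < 1:
        raise ValueError("need at least two symbols and a length of at least 1")
    return length * math.log2(dict_size)


def charset_size(password: str) -> int:
    """Alphabet size inferred from the ASCII character classes present (heuristic)."""
    classes = [string.digits, string.ascii_lowercase,
               string.ascii_uppercase, string.punctuation]
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def bruteforce_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the whole keyspace at `rate` guesses/s (expected ~half)."""
    return 2.0 ** bits / rate


def difficulty(seconds: float) -> str:
    """Coarse label; the thresholds are this example's own, not LastPass's."""
    if seconds < 60:
        return "trivial (seconds)"
    if seconds < 3600:
        return "trivial (minutes)"
    if seconds < 86400 * 365:
        return "weak (hours to months)"
    return "strong (years or more)"


def assess(dict_size: int, length: int) -> dict:
    """Entropy, worst-case exhaust time and label for one (dict size, length) pair."""
    bits = entropy_bits(dict_size, length)
    secs = bruteforce_seconds(bits)
    return {"bits": round(bits, 2), "seconds": secs, "label": difficulty(secs)}


if __name__ == "__main__":
    # The two pairs from the post, plus a 16-char password over all 94 printable classes.
    for dict_size, length in [(10, 14), (18, 10), (94, 16)]:
        r = assess(dict_size, length)
        print(f"dict size: {dict_size:3d}  length: {length:2d} -> "
              f"{r['bits']:.2f} bits -> {r['label']}")
    print("all-digit 14-char password alphabet:", charset_size("31415926535897"))
```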



Bottom line is, don’t use LastPass to generate your passwords, at least not until they fix (or remove) their password meter. Don’t get burned. Just use a proper, native password manager.

PS. I had a rather bad experience reporting a previous (more serious) vulnerability to LastPass, so I’m not sure I want to go through that again.

Follow @hexatomium: https://twitter.com/hexatomium