HELP FILE

About Password Iterations

To increase the security of your master password, LastPass utilizes a stronger-than-typical version of the Password-Based Key Derivation Function 2 (PBKDF2). At its most basic, PBKDF2 is a “password-strengthening algorithm” that makes it difficult for a computer to check whether any one password is the correct Master Password during an attack.

The standard implementation of PBKDF2 uses SHA-1, a secure hashing algorithm. SHA-1 is fast, but its speed is a weakness, because brute-force attacks against it can be performed faster.

LastPass has opted to use SHA-256, a slower hashing algorithm that provides more protection against brute-force attacks. LastPass utilizes the PBKDF2 function implemented with SHA-256 to turn your Master Password into your encryption key. LastPass performs a customizable number of rounds of the function to create the encryption key, before a single additional round of PBKDF2 is done to create your login hash.

The entire process is conducted client-side. The resulting login hash is what is sent to LastPass. LastPass uses the hash to verify that you are entering the correct master password when logging in to your account.

LastPass also performs a large number of rounds of PBKDF2 server-side. This implementation of PBKDF2 client-side and server-side ensures that the two pieces of your data (the part that’s stored offline locally and the part that’s stored online on LastPass servers) are thoroughly protected.
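The client-side and server-side steps described above, as an added Python example (not LastPass code). The salt values, the argument order of the single extra round, the server round count and all function names are assumptions, since this page does not specify them.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5000      # default number of client-side rounds given on this page
SERVER_ROUNDS = 100_000   # assumed value; the page only says "a large number"

def derive_key(master_password, account_salt, rounds=CLIENT_ROUNDS):
    """Client side: stretch the master password into a 256-bit encryption key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               account_salt, rounds, dklen=32)

def derive_login_hash(key, master_password):
    """Client side: one additional PBKDF2 round over the key gives the login hash.
    Assumption: the key is the password input and the master password the salt."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode("utf-8"),
                               1, dklen=32)

def server_enroll(login_hash):
    """Server side: stretch the received login hash again before storing it."""
    salt = os.urandom(16)  # assumed per-account random salt
    return salt, hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS)

def server_verify(login_hash, salt, stored):
    """Server side: recompute the stretched value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)

def demo():
    salt = b"user@example.com"           # constructed sample account salt
    password = "correct horse battery"   # constructed sample master password
    key = derive_key(password, salt)     # never leaves the client
    login_hash = derive_login_hash(key, password)
    record = server_enroll(login_hash)   # what the server keeps
    guess = "wrong guess"
    wrong_hash = derive_login_hash(derive_key(guess, salt), guess)
    return {
        "key_differs_from_login_hash": key != login_hash,
        "correct_password_accepted": server_verify(login_hash, *record),
        "wrong_password_rejected": not server_verify(wrong_hash, *record),
        # A different round count yields a different key, so data encrypted
        # under the old key must be re-encrypted when the setting changes.
        "rounds_change_key": derive_key(password, salt, 10_000) != key,
    }

if __name__ == "__main__":
    print(demo())
```

Every guess an attacker tests against a stolen record costs the full client-side round count plus the server-side rounds, which is where the brute-force resistance comes from.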

By default, the number of password iterations that LastPass uses is 5,000 rounds. Using the default number of rounds provides a good balance between increased security and the inconvenience of longer pauses when logging in to your account. It is difficult to compare the number of rounds for implementations of PBKDF2 across services, as other services may be using SHA-1, which is less computationally intensive than SHA-256. In other words, SHA-256 is a more intensive process than SHA-1, so a lower number of rounds can still be a higher level of security against brute-force attacks.

LastPass allows you to customize the number of rounds performed during the client-side encryption process in your Account Settings. Although 5,000 is currently the default number of rounds, it is recommended that you increase the number of iterations to 10,000 rounds. However, exceeding 10,000 rounds can affect performance on some platforms.

In terms of usability, the number of rounds used only affects the process of logging in to your LastPass account. Once you gain access to your account, the implementation of these changes will not affect your browsing experience.