Score:2

Lastpass PBKDF2 and salt

mt flag

In light of the LastPass hack their use of PBKDF2 had me wondering a few things.

  1. If PBKDF2 with a salt and the master password is used to generate a vault password every time you type in your master password to access the vault, wouldn't that salt always need to be the same?

  2. If so, then where is that salt stored, and wouldn't that also be in clear text?

  3. Wouldn't the pseudorandom function also always need to be the same so the right password comes out at the end?

Score:5
in flag
  1. If PBKDF2 with a salt and the master password is used to generate a vault password every time you type in your master password to access the vault, wouldn't that salt always need to be the same?

Yes.

  2. If so, then where is that salt stored, and wouldn't that also be in clear text?

Usually yes. A secret salt is called a "pepper"; it could be mixed in with the salt. But as far as I understood, LastPass simply uses a random salt. Those are usually stored together with the ciphertext (in this case the user's encrypted database of passwords).

See for instance this answer for more details.

  3. Wouldn't the pseudorandom function also always need to be the same so the right password comes out at the end?

Yes, it needs to be a deterministic function with identical inputs.
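As an added illustration (not code from the question or the answer above), the following Python sketch shows the three points in working code: the salt is random but stored in the clear beside the vault, and PBKDF2 with the same password, salt, iteration count and PRF reproduces the same key every time. The parameter values and the key-check construction are assumptions for this example, not LastPass's implementation.

```python
import hashlib
import hmac
import os

# Illustrative parameters, not LastPass's actual values.
ITERATIONS = 600_000
KEY_LEN = 32   # 256-bit vault key
SALT_LEN = 16


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. Deterministic: identical password, salt,
    iteration count and PRF always yield the identical key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def new_vault_header(master_password: str) -> dict:
    """Create a vault. The salt is generated once, at random, and stored
    in the clear next to the encrypted data together with the KDF cost.
    Only a key-check value (HMAC under the derived key) is stored, never
    the key or the password; an attacker holding the header still has to
    run the full PBKDF2 cost per guess, which is the whole point of the KDF."""
    salt = os.urandom(SALT_LEN)
    key = derive_vault_key(master_password, salt, ITERATIONS)
    key_check = hmac.new(key, b"vault-key-check", "sha256").digest()
    return {"salt": salt, "iterations": ITERATIONS, "key_check": key_check}


def unlock_vault(header: dict, master_password: str):
    """Re-derive the key from the stored salt and cost; return it only if
    the key-check matches (constant-time compare), else None."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    key_check = hmac.new(key, b"vault-key-check", "sha256").digest()
    if not hmac.compare_digest(key_check, header["key_check"]):
        return None
    return key


if __name__ == "__main__":
    header = new_vault_header("correct horse battery staple")
    assert unlock_vault(header, "correct horse battery staple") is not None
    assert unlock_vault(header, "wrong password") is None
    print("salt stored in clear:", header["salt"].hex())
```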

Maarten Bodewes
in flag
You can argue whether there even are non-deterministic functions, if you assume that randomized values such as a salt are considered input. Human language, eh? In this case though, a salt just needs to be unique and, like an IV for decryption, needs to be repeated to allow the same result. In this case you could also use some kind of identification of the password vault it is trying to protect.