Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I was quite surprised to see your extension, it is very similar to my Easy Passwords extension in both concept and design. I've had a brief look at the source code and I guess that it was a completely unrelated development after all?

Please increase the number of iterations, PBKDF2 with 8192 iterations is a very bad idea in year 2016. I would consider 100k iteration the lower limit, my Easy Passwords extension uses 256k. For reference, I described the threat scenario here:

https://palant.de/2016/04/20/security-considerations-for-pas...

Note that LastPass isn't a good example when it comes to security-relevant decisions. If you are interested, I published a lengthy writeup under https://security.stackexchange.com/a/137307/4778.



Hi Palant, I found your app in the comment today. So yes, LessPass was developed it independently.

And yes we are working in a way to change the number of rounds of PBKDF2. https://github.com/lesspass/lesspass/issues/38

API already evolve (https://github.com/lesspass/core/commit/70bebd5e5bcd0c9a32ac...), we are updating the user interface.


I don't think that this is sufficient as long as 8192 is still the default. Personally, I don't think that exposing the number of iteration is a good idea at all - users have no way of knowing how much is enough. Frankly, it took me quite a while to find out what contemporary hardware (especially GPUs) is capable of and how many iterations should be considered safe today.


LessPass starts with 8192 iterations. I prepare the code to increase this number, I will not let users change it. We are creating an interface to change master password and then we will plan a LessPass version change (with a number of iterations changes)




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: