I was curious about where the password iteration count was stored. Not in the vault apparently. So I tried watching the network connections as I logged into LastPass in an incognito window.
On my first attempt, I entered what I thought was the correct master password but the login failed. Before going any further, I looked at the list of network transactions and noticed a single POST to 'iterations.php' with my email address in the payload, and sure enough the response contained the correct iteration count for my vault (>500,000) - even though I had not authenticated.
I tried to replicate the transaction using Postman, but could not make it work; the returned value was always 100,100.
I repeated the test several more times in fresh incognito windows and using bogus passwords; each time the POST to 'iterations.php' returned the correct iteration count for my vault.
So, even if by some miracle the iteration count was not in the metadata lost in the breach, it seems to be freely available from LastPass.
(Chrome on Windows 10)
EDIT: On reflection, the iteration count is probably essential to be able to correctly hash the master password for purposes of authentication, so it's probably no surprise that this is the case!!
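Added example (not code from LastPass or from the poster) that models the reasoning in the EDIT: in a PBKDF2-style login the client has to know the per-user iteration count before it can reproduce the login hash, so the server must hand it out before authentication. The exact derivation, the e-mail-as-salt, the lower-casing of the e-mail and the extra one-round hash are assumptions made for illustration, not LastPass's actual scheme.

```python
import hashlib
import hmac

# Constructed model of a client-side login flow (assumed scheme, not LastPass code):
# the server stores a per-user iteration count and a hash derived from the master
# password; the client must learn the count to compute that same hash.


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, salted with the lower-cased e-mail (assumed)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations
    )


def derive_login_hash(master_password: str, email: str, iterations: int) -> str:
    """One further PBKDF2 round over the vault key so the vault key itself never leaves the client (assumed)."""
    key = derive_vault_key(master_password, email, iterations)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1).hex()


def login_attempt(master_password: str, email: str, iterations_reported: int, stored_hash: str) -> bool:
    """Client derives the login hash with whatever count the server reported; server compares in constant time."""
    presented = derive_login_hash(master_password, email, iterations_reported)
    return hmac.compare_digest(stored_hash, presented)


if __name__ == "__main__":
    # Constructed account: the poster's vault uses a count above 500,000, while
    # Postman, lacking the per-user lookup, only ever saw the default 100,100.
    email, password = "user@example.invalid", "correct horse battery staple"  # constructed values
    true_count, default_count = 500_000, 100_100
    stored = derive_login_hash(password, email, true_count)

    print("login with the count iterations.php returned:", login_attempt(password, email, true_count, stored))
    print("login with the default count 100,100:       ", login_attempt(password, email, default_count, stored))
    # The count is a public KDF parameter, not a secret: what protects the vault is
    # that it is high (cost per guess) and that the master password is strong.
```

Because the count is needed client-side, disclosing it is unavoidable in this design; it raises the cost of every guess against a stolen vault but adds no secrecy of its own.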