From what I understand, the security of our passwords is determined by how strong our master passwords were at the time the backup was taken.
But if we have SSO set up, how secure are our passwords then?
If you mean your account is federated, it will be very hard to crack: 32 characters are generated and stored with LP, and 32 characters are generated and stored with your federation provider, whichever company you "SSO" on (Azure AD, for example).
I believe they did mention that the LP half of the master key was not obtained during this incident. Even having half of a 64 character password is not going to help anyone trying to brute force the vault.
While you are right that 2x 32 characters are generated to build the master password, the master password itself is not password 1 concatenated with password 2, but (according to the technical whitepaper) a base64-encoded representation of the SHA256 hash of password 1 XOR password 2.
A potential master password of this type would be:
As you can see: it's NOT 64 characters, but 44 - still a lot of characters, but not as many as expected.
Additional restrictions to this master password:
- the last character is a padding character for base64 encoding - it's always a "="
- base64 encoding only uses A–Z, a–z, 0–9, + and /, so it does not include many special characters like !, @, ...
- the 44 characters represent 256 bits of data - that's great security, and the XOR does mean that one of the two sets of 32 characters does not give you any information at all, because the other value might change each bit of the value.
- looking at the Azure AD stored values, it seems to be a base64-encoded value (44 characters of the charset used in base64)
You should be aware that you MUST NOT grant Azure AD users the "User.Read.All" privilege, because with that privilege, you would be able to read the Azure AD part of the master password.
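An added illustration of the derivation described in this thread (not LastPass's code, not the whitepaper's, and not posted by anyone above): each half is assumed to be 32 random bytes (which base64-encode to the 44-character value seen in Azure AD), the halves are XORed, SHA-256 hashed and base64-encoded, and the result is checked against the structural properties listed above. It also shows why one half alone carries no information about the XOR: for any target XOR value there is exactly one matching other half.

```python
import base64
import hashlib
import secrets
import string

# Characters base64 can produce, plus the '=' padding the thread mentions.
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def derive_master_password(k1: bytes, k2: bytes) -> str:
    """base64(SHA-256(K1 XOR K2)), as the thread describes the federated master password.

    Assumption: each half is 32 raw bytes (44 characters once base64-encoded for storage).
    """
    if len(k1) != 32 or len(k2) != 32:
        raise ValueError("each key half is assumed to be 32 bytes")
    digest = hashlib.sha256(xor_bytes(k1, k2)).digest()  # 256 bits
    return base64.b64encode(digest).decode("ascii")      # 44 chars, ends with '='


def check_shape(mp: str) -> bool:
    """The properties listed above: 44 characters, trailing '=', base64 charset only."""
    return len(mp) == 44 and mp.endswith("=") and set(mp) <= B64_ALPHABET


def other_half_for(k_known: bytes, target_xor: bytes) -> bytes:
    """Given one known half and ANY 32-byte XOR value, return the unique other half
    that produces it. Every XOR value stays equally possible, so the known half alone
    gives away nothing about the hashed input."""
    return xor_bytes(k_known, target_xor)


def demo() -> str:
    """Constructed sample run: random stand-ins for the Azure AD and LastPass halves."""
    k1 = secrets.token_bytes(32)  # constructed: plays the role of the Azure AD part
    k2 = secrets.token_bytes(32)  # constructed: plays the role of the LastPass part
    mp = derive_master_password(k1, k2)
    print("Azure AD stored form:", base64.b64encode(k1).decode("ascii"))  # 44 chars
    print("derived master pw   :", mp, "len =", len(mp))
    return mp


if __name__ == "__main__":
    demo()
```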