We would like to be able to require that users have a certain number of password iterations set. Currently, admins on a Business Plan cannot require users to have a minimum number of password iterations configured in their LastPass client. One method could be by configuring a policy in the admin console.
After the August 2022 LastPass breach, one of the LastPass recommendations was for users to set their password iterations to at least 100100. However, we have found users with significantly lower numbers set.
As we found out rather painfully the impact of low iterations is very substantial for your security. We really need a way not only to force our users to set it (or configure it for our users) but also to view the values configured for individual users.
We found you can check this via an open endpoint, so we're manually running through our users:
Would still be nice to be able to see this info aggregated in the management portal.
Per what JanSteenbeek wrote, while that sounds excellent it's horrible... someone can now run that against email addresses for vault accounts to figure out who had weak iterations....
Agreed that is a massive security hole on LastPass’s side! How can they possibly feel it is OK to leak such sensitive information about customers! This needs to be closed immediately. (And to note, this is live data and requires no authentication.)
JayMeIn NO Kidding!
I suppose this is in line with when we could use the exposed API for authenticated SuperAdmins and reset the locked account on *ANY* Enterprise account (even ones you didn't control)...
Additional elements I requested as part of an internal FR:
Let users view Password Iterations but not change them.
Let users edit Password Iterations but require minimum value set by policy.
Get updates on Password Iteration values, not just that they were changed.
I understand why this information needs to be available externally (without login). You need it during login, to determine how often to hash the password before sending it to the server. By definition you need to have this number before you log in.
Also, after running this for 10 or so accounts it will freeze you out for a bit. You don't get errors, but always the current default of 100100.
The problem is (imo) that insecure values for level of iterations were allowed, and users not prompted/forced to update.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.