New Contributor

username as salt

I was reading that a system should not use a username as salt, because it gives an attacker the ability to prebuild a lookup table, since they know your username.
Regular Contributor

Re: username as salt

Okay, and???
New Contributor

Re: username as salt

So, should lastpass not use the username as the salt?

Is there a reason they chose this?
Regular Contributor

Re: username as salt

The salt for what?
New Contributor

Re: username as salt

https://lastpass.com/support.php?cmd=showfaq&id=6926

We enter the Username and Master Password into one way functions to create a salted hash. Since the function is one-way, even if someone were to get a hold of the salted hash, they would not obtain the Master Password.

What are PBKDF2-SHA256 rounds?

This is used to make the salted hash (result from above) even more complicated for an attacker. It increases the number of iterations it takes in order for someone to guess the password. Put this together with the one-way salted hash and we get an equation that looks something like:

hash(master password + username)^iterations = password hash
Regular Contributor

Re: username as salt

The email and master password hash used to generate the encryption key is local. It is never transmitted. Key stretching is used to slow down brute force attacks if someone were to get a copy of an encrypted vault. It's not practical to use random salts at the local level.

There are additional hashing and key stretching operations performed locally to generate an authentication key.
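The following is an added example, not code from this thread or from LastPass, to make the trade-off in the quoted FAQ and in the reply above concrete. It models the "hash(master password + username)^iterations" step with PBKDF2-HMAC-SHA256 from Python's standard library and compares a username salt against a random one. The iteration count, the lowercasing of the username and the 16-byte random salt length are assumptions chosen for the illustration, not values taken from LastPass.

```python
import hashlib
import hmac
import secrets

# Assumed iteration count for the illustration; the thread does not state LastPass's value.
ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the key-stretching step the FAQ writes as hash(...)^iterations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def key_with_username_salt(master_password: str, username: str,
                           iterations: int = ITERATIONS) -> bytes:
    """Deterministic derivation: the salt is something the client already knows.

    Nothing has to be stored or fetched before the vault key can be recomputed,
    which is why a random salt is awkward for a purely local derivation.
    Lowercasing the username is an assumption so that 'Alice' and 'alice' agree.
    """
    return derive_key(master_password, username.lower().encode("utf-8"), iterations)


def key_with_random_salt(master_password: str,
                         iterations: int = ITERATIONS) -> tuple[bytes, bytes]:
    """Random-salt derivation: unpredictable, but the salt must be stored alongside the data."""
    salt = secrets.token_bytes(16)  # assumed salt length
    return salt, derive_key(master_password, salt, iterations)


def build_lookup_table(username: str, candidate_passwords: list[str],
                       iterations: int = ITERATIONS) -> dict[bytes, str]:
    """Precomputation that a known salt permits: a key -> password map for ONE username.

    The table is only valid for that username; every other user has a different salt,
    so nothing in it carries over. This is the risk the original question describes.
    """
    return {key_with_username_salt(pw, username, iterations): pw for pw in candidate_passwords}


def verify(master_password: str, username: str, expected_key: bytes,
           iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison of a freshly derived key with a stored one."""
    return hmac.compare_digest(key_with_username_salt(master_password, username, iterations),
                               expected_key)


if __name__ == "__main__":
    # Constructed sample users and passwords for the demonstration.
    alice = key_with_username_salt("correct horse battery staple", "alice")
    bob = key_with_username_salt("correct horse battery staple", "bob")
    print("same password, different users, different keys:", alice != bob)

    table = build_lookup_table("alice", ["password", "correct horse battery staple"])
    print("table built for alice recovers alice's password:", table.get(alice))
    print("same table says nothing about bob:", bob in table)

    salt, k1 = key_with_random_salt("correct horse battery staple")
    _, k2 = key_with_random_salt("correct horse battery staple")
    print("random salt: two derivations differ:", k1 != k2)
    print("random salt: reproducible only with the stored salt:",
          derive_key("correct horse battery staple", salt) == k1)
```

The example shows both halves of the argument in the thread: a username salt still prevents one table from serving every user, and the iteration count makes each table entry cost a full PBKDF2 run, but an attacker who knows a specific username can start that work before obtaining the vault. A random salt removes that head start at the cost of having to store and fetch the salt, which the reply above says is impractical for a derivation that never leaves the client.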
New Contributor

Re: username as salt

Thanks