I'm trying to get a reasonable understanding of the possibility that our vaults could be brute forced in a viable timeframe.
We have LastPass federated to Azure AD. Skimming through https://assets.cdngetgo.com/09/da/6e248fb44990aee6acf130146d60/lastpass-technical-whitepaper-march-2021-final.pdf, I see that half the key is stored with LastPass, which I assume was exfiltrated as part of the hack.
So how long would it take roughly to brute force a federated master password when it was generated with 100,100 iterations of PBKDF2, with half the key potentially compromised?
