# Math vs. Keys — The Numbers

*Supporting research for vault1984 copy, HN articles, and /security page*

---
## The breach that keeps taking

In August 2022, attackers exfiltrated the encrypted vault database of a leading password manager — over 25 million users' encrypted vaults. The company's response: "your vault is protected by your master password, which we never know."

What they didn't say: if the master password is weak enough, attackers don't need to know it. They just have to guess it. Offline. Forever. Without any rate limiting. Without any lockout. The vault is on their servers now.

**March 2025 — US federal court filing:** The FBI and Secret Service confirmed that a $150M cryptocurrency heist on January 30, 2024 — 17 months after the breach — was executed using credentials cracked from vaults stolen in 2022. The victim was the co-founder of a major cryptocurrency platform.

**December 2025 — TRM Labs:** Cracking and draining continued through late 2025. Three years after the breach. Still ongoing.

The encryption "worked." The problem was never the encryption. It was who held the key.

---
## The cracking math

The vault was encrypted with PBKDF2-SHA256. PBKDF2 is a "key stretching" function: it takes your master password and runs it through SHA-256 thousands of times, making brute-force attacks slower.

The company set the default iteration count to **5,000** for browser extension users. Most users never changed it.

**A single RTX 4090 GPU tests ~17,000 master password guesses per second** at 5,000 iterations.

| Password type | Guesses needed | Time to crack (1× RTX 4090) | Time to crack (12× RTX 4090) |
|--------------|---------------|----------------------------|-----------------------------|
| 6 chars, lowercase | 309 million | 5 hours | 25 minutes |
| 8 chars, lowercase | 208 billion | 142 days | 12 days |
| 8 chars, mixed + numbers | 218 trillion | 408 years | 34 years |
| 8 chars, all printable | 7.2 quadrillion | 13,500 years | 1,100 years |
| Common word + numbers (e.g. "summer2019") | ~100 billion | 68 days | 6 days |
| 4 random words (Diceware) | ~7 trillion | 13 years | 1 year |
| 12+ random characters | ~10^22 | 18 billion years | 1.5 billion years |

At 600,000 iterations (the recommended setting in 2022): multiply all times by ~120. A single RTX 4090 tests only ~140 guesses/second.

**The key numbers:**
- Most users: 5,000 iterations, human-chosen password. Weak passwords cracked in days. Typical passwords (word+year+symbol pattern): weeks to months.
- A GPU farm of 100 cards costing ~$200,000: divide all times by 100.
- Attackers can buy this capacity. They have 3 years of time and $150M reasons to keep buying it.
- Every vault stolen in 2022 is still being worked on. They never stop.

---
## Why "more iterations" doesn't solve it

The company eventually set the iteration count to 600,000 for new users. The security industry often cites this as "fixing" the problem.

It doesn't. It buys time. The vault is still stolen. The master password is still the only thing protecting it. If the password is:
- In any breach database (billions of passwords are): seconds.
- A dictionary word with substitutions (p@ssw0rd, etc.): hours.
- A short human-chosen phrase: weeks to months, even at 600k iterations.
- A strong, unique, 16+ character random password: safe (for now — quantum computing is a separate conversation).

The fundamental problem: **the vault is held hostage forever.** Attackers have it. They'll crack whatever they can crack, whenever hardware gets cheaper or techniques improve. Every vault that isn't protected by a genuinely random, unique, 16+ character master password is at ongoing risk.

And the average person's master password is not that.

---
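The rate arithmetic behind the cracking table and the iteration argument in the two sections above, as an added example (not part of the original research notes). It uses the page's figure of 17,000 guesses/second at 5,000 iterations and, like the page, assumes attacker cost scales linearly with iteration count and GPU count; the function names are hypothetical. Beyond reproducing table rows, it inverts the calculation to show how many bits of master-password entropy a 120× iteration increase is worth.

```python
import math

# Figures quoted on this page: one RTX 4090 tests ~17,000 guesses/s
# against PBKDF2-SHA256 at 5,000 iterations.
BASE_RATE = 17_000
BASE_ITERATIONS = 5_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def guesses_per_second(iterations: int, gpus: int = 1) -> float:
    """Attacker guess rate. Assumption: linear scaling in iterations and GPUs."""
    if iterations < 1 or gpus < 1:
        raise ValueError("iterations and gpus must be positive")
    return BASE_RATE * BASE_ITERATIONS / iterations * gpus

def exhaust_seconds(keyspace: int, iterations: int, gpus: int = 1) -> float:
    """Time to try every candidate in the keyspace (the table's 'time to crack')."""
    return keyspace / guesses_per_second(iterations, gpus)

def iteration_gain_bits(new_iterations: int, old_iterations: int) -> float:
    """Password entropy (bits) that an iteration increase is worth to the defender."""
    return math.log2(new_iterations / old_iterations)

def min_entropy_bits(years: float, iterations: int, gpus: int = 1) -> float:
    """Entropy a master password needs so exhausting it takes at least `years`."""
    return math.log2(guesses_per_second(iterations, gpus) * years * SECONDS_PER_YEAR)

def report() -> list[str]:
    lines = []
    for label, space in [("6 lowercase", 26**6), ("8 lowercase", 26**8),
                         ("8 mixed+digits", 62**8)]:
        for iters in (5_000, 600_000):
            days = exhaust_seconds(space, iters) / 86_400
            lines.append(f"{label:15} {iters:>7} iters: {days:,.1f} days on 1 GPU")
    gain = iteration_gain_bits(600_000, 5_000)
    lines.append(f"5,000 -> 600,000 iterations is worth {gain:.1f} bits, "
                 f"about {gain / math.log2(26):.1f} extra lowercase letters")
    for iters in (5_000, 600_000):
        bits = min_entropy_bits(100, iters, gpus=100)
        lines.append(f"100 years vs 100 GPUs at {iters} iters needs {bits:.1f} bits")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```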
## vault1984: why math makes it different

vault1984's Credential and Identity fields don't use a master password as the key. The key derives from your **WebAuthn hardware authenticator's PRF output** — a 32-byte value generated by cryptographic hardware in response to a challenge, using a key that never leaves the authenticator.

**What this means in practice:**

The key is not a password. It has no dictionary structure. It's 256 bits of hardware-derived entropy — equivalent to a truly random 39-character password using the full printable character set.

**The brute-force math at 256-bit key entropy:**

| Hardware | Guesses/second | Time to crack |
|----------|---------------|---------------|
| RTX 4090 | 10^12 | 3.7 × 10^57 years |
| All GPUs on Earth (~10^9 devices) | 10^21 | 3.7 × 10^48 years |
| Hypothetical exascale cracker (10^18/sec) | 10^18 | 3.7 × 10^51 years |

**For reference: the universe is 1.38 × 10^10 years old.**

The time to brute-force a 256-bit key is approximately **10^41 times the age of the universe** even with every GPU on Earth working simultaneously. This isn't "very hard." This is "computationally impossible for any conceivable hardware."

**The critical difference from the master password model:**

With the master password model: the math buys time. Weak passwords fall quickly. Strong passwords take longer. The attacker waits.

With vault1984's PRF-derived key: there is no password to guess. The key doesn't come from a dictionary, a brain, or a pattern. It comes from hardware. The only way to derive it is to physically possess and authenticate with the hardware authenticator.

**Steal vault1984's database. You get:**
- Vault-layer data (titles, URLs, usernames) — encrypted with VAULT_KEY, readable with the server key
- Credential fields — 256-bit encrypted blobs. Computationally impossible to decrypt without the hardware key.
- Identity fields — same. Hardware tap required.

There is no "crack it in 3 years." There is no "wait for better hardware." The math is categorical, not probabilistic.

---
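One way the PRF-to-key step described in this section could look, as an added example that is not vault1984's code. It assumes HKDF-SHA256 as the derivation (the page does not specify one), and the labels, salt and function names are hypothetical. It also checks the page's equivalence between 256 bits and a 39-character printable password.

```python
import hashlib
import hmac
import math
import os

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand to `length` bytes."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 8160 bytes")
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def field_keys(prf_output: bytes, vault_salt: bytes) -> dict[str, bytes]:
    """Derive one 256-bit key per field class from the authenticator's PRF output.

    Assumption: labels and salt are illustrative, not vault1984's real scheme.
    Distinct `info` labels keep the two derived keys independent of each other.
    """
    if len(prf_output) != 32:
        raise ValueError("expected the 32-byte PRF output the page describes")
    return {
        name: hkdf_sha256(prf_output, vault_salt, b"example/field-key/" + name.encode())
        for name in ("credential", "identity")
    }

def equivalent_password_length(bits: int = 256, alphabet: int = 95) -> int:
    """Random characters from `alphabet` symbols needed to reach `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet))

# Constructed stand-ins: a real PRF output comes from the authenticator, not os.urandom.
SAMPLE_PRF_OUTPUT = os.urandom(32)
SAMPLE_SALT = b"constructed-vault-id"

if __name__ == "__main__":
    keys = field_keys(SAMPLE_PRF_OUTPUT, SAMPLE_SALT)
    print({name: key.hex()[:16] + "..." for name, key in keys.items()})
    print("printable-character equivalent:", equivalent_password_length())
```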
## The "cannot vs. will not" proof

This is why vault1984 can say "cannot, not will not."

Other password managers: "we will not read your passwords." This is a policy. It depends on the company's honesty, its employees' integrity, a court order not arriving, a breach not occurring. It's "will not" — a choice, revocable under pressure.

vault1984: "we cannot read your Credential and Identity fields." This is math. The key was derived from your hardware and delivered to your agent tokens. Our servers held the ciphertext. We never received the key. Even if we wanted to read your passwords, even if we were compelled by court order, even if we were fully breached — we have ciphertext and no key. The math makes it impossible.

**The five-year-old version:**
- Other managers: *"I know your secret, but I pinky-promise I won't tell."*
- vault1984: *"Your secret is in a box. I don't have the key. I can't open it even if I tried."*

---
## Sources

- Krebs on Security, March 2025: "Feds Link $150M Cyberheist to 2022 LastPass Hacks" — FBI/Secret Service court filing confirmation
  https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/
- The Hacker News, December 2025: "LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds"
  https://thehackernews.com/2025/12/lastpass-2022-breach-led-to-years-long.html
- Hive Systems, 2024: "Examining the LastPass Breach Through our Password Table" — PBKDF2 cracking rate analysis
  https://www.hivesystems.com/blog/examining-the-lastpass-breach-through-our-password-table
- palant.info, December 2022: "LastPass has been breached: What now?" — Technical analysis of PBKDF2 iteration vulnerability
  https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/
- Krebs on Security, September 2023: "Experts Fear Crooks Are Cracking Keys Stolen in LastPass Breach"
  https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/

---

*Research draft — George for Johan. For use in HN articles, /security page, and supporting copy. Not for direct publication.*