
Yes, those with pure random passwords are safe. What percent of LastPass users do you think use a very hard to remember completely random 12+ character password?

Personally I use either Vaultwarden's random password generator, or some variation of the XKCD-like 4-6 words out of 100,000, which gives me somewhere north of 64-96 bits of entropy. Cracking that @ 300k/sec takes quite a long time. I like the XKCD approach because it's particularly voice/phone friendly.

However, much more common in the real world is to pick an easy-to-remember password with low entropy, something like PinkFloydRocks, which fails for lack of a number, so it gets changed to P1nkFloydRocks. Or maybe PinkFloydRocks<2 digit birth year>.

Quite a few plaintext passwords have been leaked, some even with helpful popularity tables. I'd place bets that a decent percent of LastPass's vaults would fall to a list of the top 10,000 popular passwords of 12 characters or longer. I suspect someone is testing this right now.



I had a feeling you were speaking from experience with that 300k number. Does that include the cost of password stretching? As others have pointed out in this thread, LastPass uses PBKDF2 with 100,000 rounds. Even if you have a supercharged PC with 6x ATI Radeon HD 5870 you're only going to be able to derive 25k AES keys per second tops to even try, since that doesn't include the cost of deciphering. So how do you do it?


No experience, just saw a post on someone attacking LastPass vaults. It looked to include everything. Apparently they wrote a tool specifically attempting password recovery on LastPass vaults and with an RTX 2070 (two generations old) managed 309,000 against the 5,000-iteration flavor and 15,500 against the 100,100-iteration flavor.

More info at: https://blog.elcomsoft.com/2020/04/breaking-lastpass-instant...
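The two quantities argued over above, the entropy of an XKCD-style passphrase against a given guess rate, and the per-guess cost that PBKDF2 iteration count imposes on a dictionary attack over popular passwords, can be put side by side in a short script. This is an added example written for this page, not code from any commenter or from LastPass or Elcomsoft. It assumes a PBKDF2-HMAC-SHA256 derivation keyed by the lowercased account email (an assumed layout, not LastPass's actual code); the 100,000-word list size, the 309,000 and 15,500 guess rates, and the 5,000 and 100,100 iteration counts are the figures quoted in the thread; the four-entry "popular password" list and the email address are constructed. The throughput it measures is a single CPU core, not the GPU rates quoted in the thread.

```python
"""Passphrase entropy vs. guess rate, and what PBKDF2 stretching costs per guess.

Constructed example: the word-list size, guess rates and iteration counts are the
figures quoted in the thread; the key layout (PBKDF2-HMAC-SHA256, email as salt)
is an assumption, not LastPass's actual implementation.
"""
import hashlib
import math
import time

WORDLIST_SIZE = 100_000          # "4-6 words out of 100,000" from the thread
GUESSES_PER_SEC_5K = 309_000     # RTX 2070 vs. 5,000 iterations (thread figure)
GUESSES_PER_SEC_100K = 15_500    # RTX 2070 vs. 100,100 iterations (thread figure)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for a "top popular passwords, 12+ chars" list.
POPULAR_12_PLUS = [
    "PinkFloydRocks",
    "P1nkFloydRocks",
    "PinkFloydRocks82",
    "correcthorsebatterystaple",
]


def passphrase_entropy_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of `words` words drawn uniformly, with replacement, from the list."""
    return words * math.log2(wordlist_size)


def expected_crack_years(bits: float, guesses_per_sec: float) -> float:
    """Average search time: half the keyspace at the given guess rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_sec / SECONDS_PER_YEAR


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Assumed layout: PBKDF2-HMAC-SHA256, lowercased email as salt, 32-byte key."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def dictionary_attack(target_key: bytes, email: str, iterations: int, candidates):
    """Return the candidate whose derived key matches target_key, else None.

    Each trial pays for a full PBKDF2 run; that per-guess cost is the only thing
    the iteration count buys, and it does nothing for a password on the list."""
    for candidate in candidates:
        if derive_vault_key(candidate, email, iterations) == target_key:
            return candidate
    return None


def derivations_per_second(iterations: int, trials: int = 3) -> float:
    """Single-core CPU throughput of derive_vault_key at this iteration count."""
    start = time.perf_counter()
    for i in range(trials):
        derive_vault_key(f"bench{i}", "bench@example.com", iterations)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    for words in (4, 5, 6):
        bits = passphrase_entropy_bits(words)
        print(f"{words} words: {bits:.1f} bits, "
              f"~{expected_crack_years(bits, GUESSES_PER_SEC_5K):.3g} years "
              f"at {GUESSES_PER_SEC_5K}/s")

    email = "user@example.com"  # constructed
    # A vault whose master password is on the list falls regardless of stretching.
    target = derive_vault_key("P1nkFloydRocks", email, 5000)
    print("recovered:", dictionary_attack(target, email, 5000, POPULAR_12_PLUS))

    for iters in (5000, 100_100):
        print(f"{iters} iterations: {derivations_per_second(iters):.0f} "
              f"derivations/s on this CPU core")
```

The script makes the thread's two points concrete: four random words from a 100,000-word list give about 66 bits, which at the 309,000/s figure is millions of years on average, while a 12+ character password that appears on a short popular list is recovered after a handful of PBKDF2 runs no matter the iteration count. The iteration count only scales the cost of each guess, which is why the same GPU drops from roughly 309,000/s to 15,500/s between the 5,000 and 100,100 flavors.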

