LastPass Iteration Failures: Can you verify the PBKDF2 Iterations used on your 1Password Vault?

As we know LastPass have suffered a pretty horrific failure that can only be attributed to negligence on their part (although they are going to great lengths to prepare the ground to blame their customers if any passwords/vaults do get cracked). In LP users had access to the iteration settings (and IIRC Bitwarden has similar), does 1Password have anywhere a user can verify the stated 100,000 iterations of the salted password are happening?

I understand there is no functionality to customise this for users but can we validate it? I'm interested in this because LastPass have committed a horrific failure (separate from repeated breaches and the recent theft of users vaults) that I'll detail below, and while I have faith in 1Password (and Bitwarden for that matter) to not have failed in this way I am interested in if there is anyway to validate the iterations being used on your account? e.g. In the white paper it refers on page 39 to the comms between server and client and shows example of code for a server authentication response - but I can't see anything about how a user can validate that 100,000 iterations is being used? Is there a way?

Back to LastPass - they made great noise how they use 100,100 iterations and it's strongest in the PWM industry (actually the difference between 100,000 and 100,001 and 100,100 does seem negligible and makes minimal difference to someone trying to crack an encrypted vault/password from what I understand); however the truth is now coming out that many (possibly the majority) of LastPass's customers never had the 100,100 iterations applied - mostly only new customers from 2019 onwards and a random amount of older customers (how many is unconfirmed although LastPass will know this but are unlikely to ever make it public). Back when LastPass first started (mid-2000's?) they used 1 iteration, and some point later they changed to 500; but they never ensured this change applied retrospectively to every existing customer (so many were left using 1 while new customers had 500). In the early 2010's sometime they upgraded to 5,000 iterations - once again this was not retrospectively applied consistently to every customer nor were notifications sent out to customers advising them to 'manually' change the setting to the highest one now available, etc). So now there were assorted customers using 1, or 500 or 5,000 iterations. In 2018 they announced their "100,100" iterations (woohoo) but again the same error seems to have been repeated, and it also looks like it was never actually implemented until 2019 sometime - so new customers from say 2019 onwards and a totally random smattering of all the other existing customers since the company began have 100,100 iterations, but many were still on 1 or 500 or 5,000 iterations. Incredibly poor and incompetent effort by LastPass (and it looks like they were well aware of this for a long time and just chose to ignore it), and as mentioned they are putting a lot of effort into laying ground work to blame the customers themselves for this if and when mass vaults start getting cracked, etc.

There are reports of thousands (if not more) LastPass customers on the 5,000 setting and confirmed reports of many on only 500 and at least 3 I've seen verified they were on only "1" PBKDF2 iteration (basically their vaults might as well be in plain text).

It is likely true that a small number of customers may have caused this issue for themselves by having access to this functionality and not understanding it - and choosing the lower number setting thinking it made something easier for them (like password length or speed of vault opening); but by and large 99%+ will have just been on the defaults LastPass set them and will have never looked at it. I am not convinced having the ability to change this by a user is necessarily that advantageous - it would be far better to just have it always forced to the highest value the Password Manager can support that doesn't significantly impact device performance (an advanced option might allow a user to push it to a higher level - but definitely not a lower one like LastPass allows).

To see more on the true impact of LastPass's failure particularly in regard to the iterations failure, here's a good series of posts from an 'expert' who's been haranguing LastPass for years to fix some of their well known issues:

1. LastPass has been breached: What now? (from Almost Secure)
2. What’s in a PR statement: LastPass breach explained (from Almost Secure)
3. Follow-Up Post on Iterations (on Mastodon)
4. One person's confirmation they had only 1 iteration (on Mastodon)
5. Another person confirming the same thing (as they migrate to 1Password) (on Mastodon)

And lastly a couple of other related posts on the LastPass incident in case anyone hasn't seen them (I think some have been posted elsewhere on this forum) that reinforce the failures (should I use 'incompetence') at LastPass:

• Jeremi Gosney @infosec.exchange 1st Post on LastPass (on Mastodon)
• Jeremi Gosney @infosec.exchange 2nd Post on LastPass (Excellent Points Here) (on Mastodon)
• The LastPass disclosure of leaked password vaults is being torn apart by security experts (on The Verge)

P.S this also is related to the "1P PBKDF2 iterations are less than recommended by OWASP. Please do better." discussion in this forum.

1Password Version: n/a
Extension Version: n/a
OS Version: iOS, macOS, Windows 10
Browser: Brave, Tor, Firefox, Safari