
Just checked on my own account, which I set up in 2012. Mine was configured with only 500 rounds of KDF - eep.


Eek. It is quite incredible they didn't have any kind of KDF upgrade system built into the login process, under the guise of "log in again please". And presumably no prominent permanent notification of your 500 rounds of KDF (!!)

Edit:

https://web.archive.org/web/20120320015133/https://helpdesk.... confirms that the default was indeed 500.

According to https://www.infosecblog.org/2012/06/lastpass-and-pbkdf2/, there are even some old accounts with a single round of sha256 (!)


It took rather a long time - a couple of minutes - to re-encrypt all my passwords, which presumably is why they didn't do it on login. But yeah, a notification sure would have been nice!


Interesting - I did the same on a Bitwarden install just to test it, and it was instantaneous. From memory, BW has a single account key (encrypted by password) to facilitate this process, as well as a method to re-key the account (which would need to re-encrypt everything).

Wonder if LastPass encrypted everything with the password-derived key directly, necessitating a full re-keying.



