Just how secure is LastPass???

Just how secure is LastPass???

Postby leushino » Sat Jul 25, 2009 12:21 pm

Recently I told some others in another forum about LP and received this response: "I would not feel at all comfortable having my passwords stored on a remote server - encrypted or not, Anything can be hacked one way or another and you are trusting people that you do not know, have never met and indeed are unlikely to do so. I have the same view of remote data storage."

How does LastPass respond to statements like these?
leushino
 
Posts: 14
Joined: Fri Jul 24, 2009 4:20 pm

Re: Just how secure is LastPass???

Postby DarkDestiny » Sun Jul 26, 2009 1:20 am

Not to thread jack, but to piggy back on Leushino's post, I have a question of my own with regards to security. When we log in to lastpass.com to access our vault, we are using our master password to log in to it. Doesn't that mean our master password does go through your server which means it can technically be logged and used to decrypt the encrypted passwords on the server?
DarkDestiny
 
Posts: 1
Joined: Fri Jul 03, 2009 3:54 am

Re: Just how secure is LastPass???

Postby h0pc » Sun Jul 26, 2009 1:54 am

There are a ton of posts talking about how the password is never sent to the LP servers, but instead used within your own computer to encrypt/decrypt your data. What the LP servers get is always encrypted and they never get the key to decrypt. You should see a more elegant explanation of this in lots of places in these forums and probably also in the FAQ.

-E
h0pc
 
Posts: 224
Joined: Wed Aug 27, 2008 5:27 pm

Re: Just how secure is LastPass???

Postby h0pc » Sun Jul 26, 2009 1:56 am

Many people have used various programmer tools to analyze the data being sent back and forth and through their skepticism have helped to verify that the LP team does what they say they do.

Also, there have been occasions throughout LP's short life that the members of the LP team have over and over again proven themselves to be very upstanding characters.

-E
h0pc
 
Posts: 224
Joined: Wed Aug 27, 2008 5:27 pm

Re: Just how secure is LastPass???

Postby leushino » Sun Jul 26, 2009 2:17 am

I'm certainly not suggesting anything of the kind in terms of LastPass' above-board intentions. I'm new to the program and new to the forum community. I'm not a very knowledgeable person when it comes to computers, although I've been using one for many years. It just doesn't interest me that much. BUT I do recognize that security is vitally important and that sooner or later even the most carefully laid plans can go awry. The quote in my first post (before it was hijacked...why oh why will these other posters not start their own threads???) was from a Microsoft MVP who questioned the LP program. It wasn't, from what I could gather, a sarcastic remark. In all probability he was unfamiliar with the program. I referred him to the quotes from the LP site relating to Why LP is Secure. But I wanted to see how the community here would respond to his remarks.

Thanks.
leushino
 
Posts: 14
Joined: Fri Jul 24, 2009 4:20 pm

Re: Just how secure is LastPass???

Postby Julian » Sun Jul 26, 2009 6:07 am

leushino wrote:Recently I told some others in another forum about LP and received this response: "I would not feel at all comfortable having my passwords stored on a remote server - encrypted or not, Anything can be hacked one way or another and you are trusting people that you do not know, have never met and indeed are unlikely to do so. I have the same view of remote data storage."

How does LastPass respond to statements like these?

Ultimately LastPass can never address these statements in a way that can 100% satisfy absolutely everybody. There are probably four increasingly satisfactory levels of assurance as follows:

1) The technology is solid. The encryption is military grade to an extent that even the NSA would need to expend significant resources to crack it and anyone who doesn't have a computer on the top500 list (http://www.top500.org) would need to tie up their resources for months or years to decrypt the data. The password for your account is indeed never sent to LastPass.

2) The above has a weakness because we are taking LastPass's word for this so the next level would be to have all of the above independently verified by a trusted third party such as one of the big accountancy firms or even a government body of some sort.

3) Even the above has a weakness. What if LastPass staff are really devious so they do (2) above but, immediately after whoever the trusted body is issues the "we believe them" certificate, LastPass go and slip a change into the system that steals all your data. To protect against this you probably need to be a personal friend of all the LastPass staff that are in a position to do this and have made an accurate assessment of their character such that you don't believe they would ever do this. This level of assurance is available to almost no one.

And guess what, taking this to the logical extreme, even (3) isn't the end of the story and isn't good enough, there's a (4)!

4) What if something happens to one of the key LastPass members of staff such that their character changes (drug addiction, brain tumor, psychotic illness, taken over by aliens).

If you take the trust (or lack of it) scenario far enough then you will never be satisfied. As has already been stated, this question does come up a lot and right now all LastPass can really do is re-iterate their explanations of the level 1 assurances although there has been talk of moving to level 2 (trusted third party audit) at some point and I for one would be interested in hearing any update on that front. I think the issue was that they were waiting for the product to get more mature before doing this. It's also going to cost money so maybe they don't have the revenue cover for this yet.

Also, although DarkDestiny got flamed for this, I thought his(?) question was very interesting and moved the thread forward because it added and reinforced the general security concerns of the original poster by citing a specific case where it could look to some people (including me) that the security is compromised:

DarkDestiny wrote:When we log in to lastpass.com to access our vault, we are using our master password to log in to it. Doesn't that mean our master password does go through your server which means it can technically be logged and used to decrypt the encrypted passwords on the server?

I understand that LastPass uses lots of JavaScript to encrypt stuff locally in the browser so that only encrypted data is sent to the LastPass servers but how does this help with the password logon? Surely even if the password is locally encrypted, the website is still doing a pattern match at the server end with a token that will allow access to the user's data. Why is it not possible for LastPass staff to take a copy of that encrypted password token and use that to log onto the user's vault and copy all their passwords?

- Julian
Julian
 
Posts: 186
Joined: Thu Nov 27, 2008 5:48 pm

Re: Just how secure is LastPass???

Postby leushino » Sun Jul 26, 2009 11:27 am

Again, thanks for the responses although I must say, Julian, that I did not completely follow all of your possible scenarios. What I think you were trying to say is that we all must exercise some level of trust short of unplugging our computers, cutting up our credit cards, asking our doctors to destroy our personal files, begging the department of motor vehicles to destroy our data and on and on (where all of our data is stored is anyone's guess). We must recognize that we all live to some degree or another in an insecure world.

So... I've no reason to mistrust the claims of LastPass at this point. Thank you all.
leushino
 
Posts: 14
Joined: Fri Jul 24, 2009 4:20 pm

Re: Just how secure is LastPass???

Postby JoeSiegrist » Sun Jul 26, 2009 8:09 pm

leushino wrote:Recently I told some others in another forum about LP and received this response: "I would not feel at all comfortable having my passwords stored on a remote server - encrypted or not, Anything can be hacked one way or another and you are trusting people that you do not know, have never met and indeed are unlikely to do so. I have the same view of remote data storage."

How does LastPass respond to statements like these?

You can take these statements to extremes -- you trust your CPU to not have spyware hardware built in, right? You trust your OS not to spy on you, right? These are equally difficult problems and we all feel safe about it because there's a lot of watchdogs out there to call foul and create negative publicity about the company if they do something that's questionable. We'd like to set up some kind of independent group to analyze our releases and certify them, and we could offer the group free LastPass premium memberships for doing the testing with each release. We've had people do it in the past in the forums and want to actively nurture this. The more eyeballs on it, the more secure everyone can feel about it. This may happen by itself with LastPass reaching a critical mass.

Using the website to do your logins is a tougher problem to reliably prove safety without trust because there is always some degree of trust involved, there's really no way around it with the web based features. You can choose not to use them (only using the LastPass plugins) or you can decide that LastPass sees far more money to be made by making a great product than doing anything nefarious, the fact that we've built and sold another company should hopefully help. https://lastpass.com/aboutus.php

If you're worried about someone holding a gun to our heads to force us to do something there are things you can do to mitigate that risk -- e.g. using the plugin to login rather than the website ensures that the code hasn't changed on you unless you upgrade, and you can use products like TamperData to analyze everything that's sent to and from LastPass.
JoeSiegrist
 
Posts: 4144
Joined: Wed Aug 20, 2008 10:40 am

Re: Just how secure is LastPass???

Postby Cassandra » Wed Jul 28, 2010 8:20 am

h0pc wrote:Many people have used various programmer tools to analyze the data being sent back and forth and through their skepticism have helped to verify that the LP team does what they say they do.

Hi!

I'm new here, and I'm looking for a Roboform substitute which plays well with Opera.

Could someone please post the URLs of some of these third-party tests of the data going to the LP servers? This is the question which most bothers me. If possible, I'd like as many serious tests as possible.

Thanks.
C.
Cassandra
 
Posts: 9
Joined: Wed Jul 28, 2010 8:13 am

Re: Just how secure is LastPass???

Postby Israel » Wed Jul 28, 2010 10:26 am

4) What if something happens to one of the key LastPass members of staff such that their character changes (drug addiction, brain tumor, psychotic illness, taken over by aliens).

I wanted to address this. We never have access to your encrypted data, because we don't have your master password. We don't even have a copy of your master password stored on the server or some admin tool to recover or reset your password.

As anyone who's forgotten their password, hint, and has no one-time passwords can tell you -- the only thing we can do is delete the encrypted data and let you start over. Even if I overnight became a psychotic, drug-addicted Russian hacker working for aliens on Theta Zau, there's no way I could decrypt any of your vaults. A full 256-bit encryption would take up to 149 trillion years to brute force. Even a best case scenario with a weak starting key would take at the very shortest end, 2-5 years of brute forcing with a very powerful computer.
Israel
Site Admin
 
Posts: 1475
Joined: Tue May 04, 2010 9:40 am
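The separation Julian asks about (how can the site check a login if the master password never leaves the browser?) and Israel's answer (the server holds nothing that decrypts a vault) can be shown with a small split-key design. This is an added illustration written for this thread, not LastPass's code; the derivation steps, iteration count, and the HMAC-counter cipher standing in for AES are all assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; a real product tunes this


def derive_keys(master_password: str, username: str) -> tuple[bytes, bytes]:
    """Client side only. enc_key encrypts the vault and never leaves the device;
    auth_token is a one-way hash of enc_key and is what the browser sends as the
    login secret, so a server that logs every request still cannot recover enc_key."""
    pw = master_password.encode()
    enc_key = hashlib.pbkdf2_hmac("sha256", pw, username.encode(), ITERATIONS)
    auth_token = hashlib.pbkdf2_hmac("sha256", enc_key, pw, 1)
    return enc_key, auth_token


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES, not for production use.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(enc_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # this opaque blob is all the server ever receives


def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(enc_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Stores a salted hash of auth_token plus the opaque blob; no key material."""
    def __init__(self) -> None:
        self.accounts = {}

    def register(self, user: str, auth_token: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        self.accounts[user] = (salt, hashlib.pbkdf2_hmac("sha256", auth_token, salt, ITERATIONS), blob)

    def login(self, user: str, auth_token: bytes):
        # Checks the login secret; on success hands back the blob, which is useless
        # without enc_key even to an insider who replays a logged auth_token.
        salt, stored, blob = self.accounts[user]
        check = hashlib.pbkdf2_hmac("sha256", auth_token, salt, ITERATIONS)
        return blob if hmac.compare_digest(stored, check) else None
```

Round-tripping derive_keys, register, login and decrypt_vault shows the server can authenticate the user while holding nothing that opens the blob: replaying a captured auth_token only returns ciphertext.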
