leushino wrote:Recently I told some others in another forum about LP and received this response: "I would not feel at all comfortable having my passwords stored on a remote server - encrypted or not. Anything can be hacked one way or another and you are trusting people that you do not know, have never met and indeed are unlikely to do so. I have the same view of remote data storage."
How does LastPass respond to statements like these?
Ultimately LastPass can never address these statements in a way that can 100% satisfy absolutely everybody. There are probably four increasingly satisfactory levels of assurance as follows:
1) The technology is solid. The encryption is military grade to an extent that even the NSA would need to expend significant resources to crack it and anyone who doesn't have a computer on the top500 list (http://www.top500.org) would need to tie up their resources for months or years to decrypt the data. The password for your account is indeed never sent to LastPass.
2) The above has a weakness because we are taking LastPass's word for this, so the next level would be to have all of the above independently verified by a trusted third party such as one of the big accountancy firms or even a government body of some sort.
3) Even the above has a weakness. What if LastPass staff are really devious so they do (2) above but, immediately after whoever the trusted body is issues the "we believe them" certificate, LastPass go and slip a change into the system that steals all your data? To protect against this you probably need to be a personal friend of all the LastPass staff that are in a position to do this and have made an accurate assessment of their character such that you don't believe they would ever do this. This level of assurance is available to almost no one.
And guess what, taking this to the logical extreme, even (3) isn't the end of the story and isn't good enough, there's a (4)!
4) What if something happens to one of the key LastPass members of staff such that their character changes (drug addiction, brain tumor, psychotic illness, taken over by aliens)?
If you take the trust (or lack of it) scenario far enough then you will never be satisfied. As has already been stated, this question does come up a lot and right now all LastPass can really do is re-iterate their explanations of the level 1 assurances although there has been talk of moving to level 2 (trusted third party audit) at some point and I for one would be interested in hearing any update on that front. I think the issue was that they were waiting for the product to get more mature before doing this. It's also going to cost money so maybe they don't have the revenue cover for this yet.
Also, although DarkDestiny got flamed for this, I thought his(?) question was very interesting and moved the thread forward because it added and reinforced the general security concerns of the original poster by citing a specific case where it could look to some people (including me) that the security is compromised:
DarkDestiny wrote:When we log in to lastpass.com to access our vault, we are using our master password to log in to it. Doesn't that mean our master password does go through your server which means it can technically be logged and used to decrypt the encrypted passwords on the server?
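The "level 1" claim above (the master password is never sent to the server) and DarkDestiny's question are about the same mechanism: the client derives two independent values from the master password, a vault key that stays on the device and a login hash that is the only secret transmitted. The following is an added illustration of that pattern written for this thread; it is not LastPass's code, and the iteration count, the derivation steps and the cipher are assumptions. The cipher is a toy encrypt-then-MAC built from HMAC-SHA256 so the file runs on the standard library alone; a real client would use AES-GCM or similar.

```python
"""Client-side key separation for a hosted password vault (illustration only)."""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000   # assumed PBKDF2 work factor, not a vendor's real setting
KEY_LEN = 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client only: slow KDF over the master password, salted by the account email."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS, KEY_LEN)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client only: one extra one-way step, so the login token cannot be turned
    back into the vault key even by someone who sees it on the wire."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(vault_key: bytes):
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the client; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (or a tampered blob) is rejected before decryption."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Everything the hosting side ever holds: a salted hash of the login hash
    plus the opaque ciphertext. Neither the master password nor the vault key
    is ever received."""

    def __init__(self) -> None:
        self.records = {}

    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.records[email] = (salt, hashlib.sha256(salt + login_hash).digest(), blob)

    def login(self, email: str, login_hash: bytes) -> Optional[bytes]:
        salt, stored, blob = self.records[email]
        if hmac.compare_digest(stored, hashlib.sha256(salt + login_hash).digest()):
            return blob
        return None


def store_vault(server: Server, email: str, master_password: str, plaintext: bytes) -> None:
    """Client flow: derive both values locally, send only login hash and ciphertext."""
    vault_key = derive_vault_key(master_password, email)
    server.register(email, derive_login_hash(vault_key, master_password),
                    encrypt_vault(vault_key, plaintext))


def open_vault(server: Server, email: str, master_password: str) -> Optional[bytes]:
    """Client flow: authenticate with the login hash, decrypt the returned blob locally."""
    vault_key = derive_vault_key(master_password, email)
    blob = server.login(email, derive_login_hash(vault_key, master_password))
    return None if blob is None else decrypt_vault(vault_key, blob)


def server_can_decrypt(server: Server, email: str, observed_login_hash: bytes) -> bool:
    """Models DarkDestiny's concern: an operator who logged the login hash in
    transit tries to use it as the vault key. Returns True only if that works."""
    _, _, blob = server.records[email]
    try:
        decrypt_vault(observed_login_hash, blob)
        return True
    except ValueError:
        return False
```

The check a practitioner wants is `server_can_decrypt`: even with the exact bytes the client sent at login, the tag verification fails, because the login hash is a one-way function of the vault key and not the key itself. The remaining trust question the post raises (level 3 and 4, a client update that leaks the key) is outside what this model can answer, since the client code itself is the trust boundary.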