kungfujoe Wrote: Are you certain about this?
Yes, absolutely. More on this later.
kungfujoe Wrote: I'm not seeing anything in LastPass' explanation of their partnership that explicitly says whether they do or do not check passwords against PasswordPing's database.
A good indicator that they don't. Notice that they do explicitly say that they check emails.
kungfujoe Wrote: It seems unlikely that they'd omit that
It's quite likely. LastPass has no lack of its "corporate speak" if you've been paying attention, especially to technical details.
For example, even in their "Technical Whitepaper", they don't explicitly mention that they don't encrypt URLs, custom templates, and lots of metadata.
kungfujoe Wrote: PasswordPing does offer a service to check passwords against their list of compromised passwords
True, but LastPass doesn't use it.
kungfujoe Wrote: This service has K-anonymity, in that it only tells you whether a password has been compromised or not
This is not what K-anonymity means.
If you click on "Learn more about this site" and read the details, it's pretty clear that they don't use K-anonymity.
They simply ask for three(!) full(!) hashes of your password (including MD5!!!).
I monitored network traffic to confirm this. Three kinds of full hashes (of my test "password") were indeed in my outgoing traffic!
This is NOT k-anonymity! This is not secure at all, in the sense that it's not "trustless" by any standard.
It would be irresponsible of LastPass to use this service of PasswordPing.
kungfujoe Wrote: You're probably also familiar with the LastPass Security Challenge, which identifies compromised passwords (as well as weak, reused and old ones).
This is standard "corporate talk" which provides vague info and misleads readers.
I've mentioned how this works in my earlier post - LastPass checks if the site was implicated in a data breach, without checking the actual password. They count this as "checking compromised passwords".
Finally, why am I certain that LastPass does not check the actual passwords in our vaults when doing a Security Challenge?
- Notice that, during the Security Challenge, before LastPass sends your email info to check against PasswordPing's database, they explicitly ask for your permission! There's one extra button to click! This is good!
But they don't ask you anything about sending your passwords' info!
Which possibility do you choose to believe? That LastPass sends your passwords' hashes (full hashes! without K-anonymity!) to a third party service without your explicit consent? Or that LastPass doesn't send any info about your actual passwords to a third party service, hence not checking your actual passwords?
- I monitored network traffic during a Security Challenge. Sure enough, I could see all email addresses (SHA-256 hashed) in my outgoing traffic. But nothing related to my passwords. Hundreds of passwords (hashes or whatever other forms they're in) are hard to miss.
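As an added illustration (not code from this thread, LastPass or PasswordPing), the distinction the post draws between a k-anonymity range query and submitting full hashes. The breached-password list and the 5-character SHA-1 prefix length are constructed assumptions standing in for a real service's database and protocol.

```python
import hashlib

# Constructed sample of breached passwords held by a checking service (not real data).
BREACHED = ["password", "123456", "letmein", "qwerty", "hunter2", "dragon"]
PREFIX_LEN = 5  # hex chars of the SHA-1 digest that leave the client in a range query (assumed)

def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest().upper()

def build_index(passwords):
    """Service side: bucket full SHA-1 digests by their short prefix."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
    return index

def range_query(index, prefix):
    """Service side: returns every suffix sharing the prefix; it never sees the rest of the hash."""
    return sorted(index.get(prefix, []))

def check_k_anonymous(pw, index):
    """Client side: only the prefix leaves the machine; the match is decided locally.
    Returns (compromised, what_the_service_saw)."""
    h = sha1_hex(pw)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in range_query(index, prefix), prefix

def submit_full_hashes(pw):
    """The pattern the post observed on the wire: three full unsalted digests of the password."""
    data = pw.encode()
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def service_recovers(full_hashes, wordlist):
    """What the receiving service (or anyone holding the request) can do with a full
    unsalted digest: a plain dictionary lookup recovers the password outright."""
    for cand in wordlist:
        if hashlib.md5(cand.encode()).hexdigest() == full_hashes["md5"]:
            return cand
    return None

if __name__ == "__main__":
    idx = build_index(BREACHED)
    print(check_k_anonymous("password", idx))              # (True, '5BAA6')
    print(check_k_anonymous("correct horse staple", idx))  # (False, <prefix>)
    print(service_recovers(submit_full_hashes("password"), BREACHED))  # 'password'
```

With the range query the service learns a 5-character prefix shared by many passwords; with the full-hash submission it learns the password itself as soon as it appears in any wordlist.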