Have I Been Pwned Integration?


Re: Have I Been Pwned Integration?

Postby kungfujoe » Sun Jan 20, 2019 5:21 pm

eschulma Wrote:I submitted a premium support ticket, and the response indicated I could check my email. Not the passwords.

Password Ping does not use K-anonymity. Thus it would be somewhat irresponsible of LP to use them without explicit permission.


The link I shared (which was kind of hard to see thanks to the forum theme) does exactly that - it looks passwords up anonymously on PasswordPing, the service LastPass uses for its security check. This service has K-anonymity, in that it only tells you whether a password has been compromised or not (and whether or not it qualifies as a strong password). It would be trivial for LastPass to use this in the same manner that 1Password uses HIBP's equivalent service. Feed in all of the passwords for all of your sites, and based on the hits that come back, say "your password on this site is compromised." PasswordPing's API wouldn't know which password is for which site, but LastPass obviously would, since it'd have to decrypt each password (on your local machine) and feed it to the API.

Here's the link without any link text, since the forum makes links so difficult to see: https://www.passwordping.com/password-check/. Type "P@ssw0rd" into there, and it'll tell you that it's been compromised in one or more breaches (it doesn't even bother to tell you that it's also a pretty weak password, since it's compromised).
kungfujoe
 
Posts: 11
Joined: Sun Apr 05, 2015 10:25 pm

Re: Have I Been Pwned Integration?

Postby kungfujoe » Sun Jan 20, 2019 5:24 pm

Duh, I missed this in the LastPass blog post about PasswordPing. It seems to say that LastPass does indeed check passwords, and that whoever answered your support ticket was mistaken:

"You’re probably also familiar with the LastPass Security Challenge, which identifies compromised passwords (as well as weak, reused and old ones). We also leverage the PasswordPing database when running the Security Challenge."
(from https://blog.lastpass.com/2018/11/protect-your-accounts-with-breach-alerts-through-lastpass.html)
kungfujoe
 
Posts: 11
Joined: Sun Apr 05, 2015 10:25 pm

Re: Have I Been Pwned Integration?

Postby FlyingHawk » Mon Jan 21, 2019 12:18 am

kungfujoe Wrote:Are you certain about this?

Yes, absolutely. More on this later.

kungfujoe Wrote:I'm not seeing anything in LastPass' explanation of their partnership that explicitly says whether they do or do not check passwords against PasswordPing's database.

A good indicator that they don't. Notice that they do explicitly say that they check emails.

kungfujoe Wrote:It seems unlikely that they'd omit that

It's quite likely. LastPass has no lack of its "corporate speak" if you've been paying attention, especially to technical details.
For example, even in their "Technical Whitepaper", they don't explicitly mention that they don't encrypt URLs, custom templates, and lots of metadata.

kungfujoe Wrote:PasswordPing does offer a service to check passwords against their list of compromised passwords

True, but LastPass doesn't use it.

kungfujoe Wrote:This service has K-anonymity, in that it only tells you whether a password has been compromised or not

This is not what K-anonymity means.
If you click on "Learn more about this site" and read the details, it's pretty clear that they don't use K-anonymity.
They simply ask for three(!) full(!) hashes of your password (including MD5!!!).
I monitored network traffic to confirm this. Three kinds of full hashes (of my test "password") were indeed in my outgoing traffic!
This is NOT k-anonymity! This is not secure at all, in the sense that it's not "trustless" by any standard.
It would be irresponsible of LastPass to use this service of PasswordPing.

kungfujoe Wrote:You’re probably also familiar with the LastPass Security Challenge, which identifies compromised passwords (as well as weak, reused and old ones).

This is standard "corporate talk" which provides vague info and misleads readers.
I've mentioned how this works in my earlier post - LastPass checks if the site was implicated in a data breach, without checking the actual password. They count this as "checking compromised passwords".

------

Finally, why am I certain that LastPass does not check the actual passwords in our vaults when doing a Security Challenge?

  1. Notice that, during Security Challenge, before LastPass sends your email info to check against PasswordPing's database, they explicitly ask for your permission! There's one extra button to click! This is good!
    But they don't ask you anything about sending your passwords info!
    Which possibility do you choose to believe? That LastPass sends your passwords' hashes (full hashes! without K-anonymity!) to a third party service without your explicit consent? Or LastPass doesn't send any info of your actual passwords to a third party service, hence not checking your actual passwords?
  2. I monitored network traffic during a Security Challenge. Sure enough, I can see all email addresses (SHA-256 hashed) in my outgoing traffic. But nothing related to my passwords. Hundreds of passwords (hashes or whatever other forms they're in) are hard to miss.
FlyingHawk
 
Posts: 713
Joined: Wed Mar 18, 2015 12:04 pm

Re: Have I Been Pwned Integration?

Postby eschulma » Tue Jan 22, 2019 9:17 pm

Exactly, hashing passwords vs K-anonymity is NOT the same at all.

Look, I like PasswordPing; I looked at their service before implementing HIBP on our site. HIBP is better, both for the true K-anonymity and that every security researcher out there contributes to that database.

Again, it's free. No reason not to add it along with PasswordPing!
eschulma
 
Posts: 8
Joined: Wed Aug 31, 2016 10:22 pm
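The distinction FlyingHawk and eschulma draw above (sending full password hashes versus a K-anonymity range query) as an added example, not code from this thread or from either service. It simulates a server in Python using the 5-character SHA-1 prefix scheme and the SUFFIX:COUNT line format of the HIBP Pwned Passwords range API; the breach corpus and its counts are constructed, and the server records exactly what each style of client reveals to it.

```python
import hashlib
from typing import Dict, List

# Constructed sample breach corpus (not real HIBP data): password -> times seen.
SAMPLE_BREACH_CORPUS: Dict[str, int] = {"P@ssw0rd": 1234, "password": 99999, "letmein": 42}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class SimulatedServer:
    """Holds the corpus indexed by 5-char prefix and logs every request it sees."""

    def __init__(self, corpus: Dict[str, int]) -> None:
        self.index: Dict[str, List[str]] = {}
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            # Server stores "SUFFIX:COUNT" lines under the 5-char prefix, HIBP style.
            self.index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
        self.full_hashes: Dict[str, int] = {sha1_hex(pw): c for pw, c in corpus.items()}
        self.requests: List[str] = []  # what the client actually transmitted

    def range_query(self, prefix: str) -> str:
        """K-anonymity endpoint: client sends only 5 hex chars (~16 bits)."""
        assert len(prefix) == 5
        self.requests.append(prefix)
        return "\n".join(self.index.get(prefix, []))

    def full_hash_query(self, full_hash: str) -> int:
        """Non-anonymous endpoint: client sends the whole 40-char hash."""
        self.requests.append(full_hash)
        return self.full_hashes.get(full_hash, 0)


def pwned_count_k_anon(password: str, server: SimulatedServer) -> int:
    """Client side: reveal the prefix, then match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in server.range_query(prefix).splitlines():
        cand_suffix, count = line.split(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def pwned_count_full_hash(password: str, server: SimulatedServer) -> int:
    """Client side: sends the full hash, so the server can dictionary-reverse it."""
    return server.full_hash_query(sha1_hex(password))
```

With the range scheme the server's log only ever contains 5-character prefixes, each shared by many candidate passwords; with the full-hash scheme the log holds the exact hash, which is as good as the password for any entry in a cracking dictionary.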

Re: Have I Been Pwned Integration?

Postby RoGReandir » Wed Jan 23, 2019 11:58 am

Yes, please!
RoGReandir
 
Posts: 1
Joined: Wed Jan 23, 2019 11:57 am

Re: Have I Been Pwned Integration?

Postby Symo85 » Thu Jan 24, 2019 9:46 am

Symo85 Wrote:Great idea...I've just submitted this as an improvement to the lastpass vault


This is the reply I got from my ticket...looks like I'll be off to 1Password once my LP subscription ends...

Hello there,

You can find more about the service that LastPass uses to track breaches here: https://blog.lastpass.com/2018/11/prote ... pass.html/.

Kindest,
Michelle


-------

EDIT TO ADD:
FlyingHawk Wrote:Finally, why am I certain that LastPass does not check the actual passwords in our vaults when doing a Security Challenge?

Along with: "No passwords or password hashes are ever sent to PasswordPing"
Symo85
 
Posts: 7
Joined: Tue Mar 19, 2013 10:39 pm

Re: Have I Been Pwned Integration?

Postby equinox » Thu Jan 24, 2019 10:54 am

I don't think my support ticket ever even got a reply.
equinox
 
Posts: 9
Joined: Thu Feb 11, 2016 10:12 am

Re: Have I Been Pwned Integration?

Postby jpenny84 » Thu Jan 24, 2019 11:42 am

equinox Wrote:I don't think my support ticket ever even got a reply.


You can easily check your ticket history for any replies. See FAQ below.

https://lastpass.com/support.php?cmd=showfaq&id=7556
jpenny84
 
Posts: 8297
Joined: Tue Mar 06, 2012 9:10 pm

Re: Have I Been Pwned Integration?

Postby HeadScratcher » Thu Jan 24, 2019 11:59 am

I've been a LastPass premium user for more than five years. I'm contemplating a switch to 1Password specifically because that service offers HIBP integration. Convince me why I shouldn't make the switch.
HeadScratcher
 
Posts: 13
Joined: Tue Oct 16, 2012 9:27 am

Re: Have I Been Pwned Integration?

Postby eschulma » Thu Jan 24, 2019 10:43 pm

equinox Wrote:I don't think my support ticket ever even got a reply.


I kept getting BS canned replies and kept explaining that it wasn't sufficient until they (said) they would make a feature request to the dev team. Keep it up, the more requests they get the better.
eschulma
 
Posts: 8
Joined: Wed Aug 31, 2016 10:22 pm
