Make it a standalone product, online backup an option

What do you love about LastPass? What do you hate about it? Tell us why you like it, why you don't, and why.



Postby sunshine_and_rain » Wed Feb 03, 2010 9:33 pm

I do like LastPass, but my only grumble is that I would prefer that I could set it up and use it without any interaction with LastPass servers. In short give the user/paying customer absolute control over how they want their passwords and account details handled.

Whilst there is much to laud in all the security features it offers (claims) and how it encrypts and decrypts data locally before interacting with the server, I can see no reason why it cannot be designed to function as a standalone product that does not ever have to upload to LastPass servers unless I explicitly want it to do so.

Put simply, why not just add a local tick-box option that will completely disable uploading my passwords and data to lastpass servers.

Today we are increasingly, by choice or compulsion, having to run our lives via internet enabled services. I think lastpass should just give me total control, profit motives may mean that it has been designed so you HAVE to use the online service for it to be practicable, why? It must be technically very easy to enable a standalone function.

I would suggest that its PocketPass, or LastPass full-stop, software be developed into a fully fledged standalone piece of software, akin to roboform.com, and make the online service an option, as RoboForm and other similar software does. When an online sync has been enabled, options should exist so the user can choose which passwords/accounts are kept on LastPass servers and which are kept locally.

Anyone trusting online services should always remember that the account security can always be bypassed by law enforcement, in ways similar to HushMail:

Encrypted E-Mail Company Hushmail Spills to Feds
http://rinf.com/alt-news/sicence-techno ... s-to-feds/

As LastPass is a US company and post 9-11, we have to assume we can place trust in a society that deploys warrantless wiretapping (http://www.eff.org/issues/nsa-spying) on a wholesale basis and legislation which has no protections for anyone deemed not to be a US citizen, or who is but outside its borders, therefore allowing all forms of phone/internet wiretapping to be conducted with impunity.

Oh yes, it might be worth noting that if you have a copy of a user's backup file and assume it can only be accessed with 1) an account email address, 2) password and, if enabled, 3) a multi-authentication grid, remember that the grid is not needed if you use PocketPass to access the backup file. Also, why does LastPass make it so difficult to keep a local copy/backup of passwords? Does it like a design that creates dependency on its online services?

Laws exist in the US and UK that punish those who, in certain situations, refuse to disclose passwords to encrypted data, with the penalty for refusal being a loss of liberty, and 5th-amendment-like defences are excluded.
sunshine_and_rain
 
Posts: 4
Joined: Wed Feb 03, 2010 8:34 pm

Re: Make it a standalone product, online backup an option

Postby JoeSiegrist » Wed Feb 03, 2010 10:07 pm

sunshine_and_rain wrote:I do like LastPass, but my only grumble is that I would prefer that I could set it up and use it without any interaction with LastPass servers. In short give the user/paying customer absolute control over how they want their passwords and account details handled.

We still may do this -- but the reason we haven't and aren't rushing into it is for 3 reasons:
- It removes one of our best features: painless synchronization
- The time frames to attack what we keep server side are so beyond over the top (AES-256) that the end of the universe is thrown around with conceivable technology advances. Even if there are major advances in every area needed to mount an attack, the writing will be on the wall and we'll upgrade before that happens. Also we'll have over a half million accounts before the end of the quarter -- no one cares about your impossible-to-recover data, which can nearly instantly be made useless just by changing your passwords.
- The number of people who care is low. Given that what we are doing is secure, why should they? This is probably the most important aspect because if there's not a payback it won't make sense for us to do.

sunshine_and_rain wrote:Encrypted E-Mail Company Hushmail Spills to Feds
http://rinf.com/alt-news/sicence-techno ... s-to-feds/


This is a great example, because it's exactly what LastPass has refused to do: offer ANY solutions that involve the encryption/decryption keys on our servers. We don't want this problem or this liability.

sunshine_and_rain wrote:As LastPass is a US company and post 9-11, we have to assume we can place trust in a society that deploys warrantless wiretapping (http://www.eff.org/issues/nsa-spying) on a wholesale basis and legislation which has no protections for anyone deemed not to be a US citizen, or who is but outside its borders, therefore allowing all forms of phone/internet wiretapping to be conducted with impunity.


The way we've setup the system we don't have the ability to do anything with data going over the wire.

sunshine_and_rain wrote:Oh yes, it might be worth noting that if you have a copy of a user's backup file and assume it can only be accessed with 1) an account email address, 2) password and, if enabled, 3) a multi-authentication grid, remember that the grid is not needed if you use PocketPass to access the backup file. Also, why does LastPass make it so difficult to keep a local copy/backup of passwords? Does it like a design that creates dependency on its online services?


Grid is to protect your account from others being able to download the encrypted data off our servers, not the local data; use Sesame or YubiKey for that -- there's absolutely no truth to us making it difficult to keep a local copy: we ALWAYS keep a local copy. Pull the network cable out of the wall, log out and back in, and witness how it works.
JoeSiegrist
 
Posts: 4144
Joined: Wed Aug 20, 2008 10:40 am
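The model JoeSiegrist describes above (keys never on the server, only ciphertext uploaded, an always-present local encrypted copy that opens offline, and the grid gating only the server download) can be shown in miniature. The block below is an added illustration written for this page; it is not LastPass code and makes no claim about LastPass's actual file formats, key derivation parameters or wire protocol. It uses only the Python standard library, so the cipher is an HMAC-SHA256 counter-mode keystream standing in for AES-256; `SyncServer`, `Client`, the e-mail address and the sample vault contents are all constructed for the example.

```python
import hashlib
import hmac
import json
import os


def derive_key(master_password: str, email: str, iterations: int = 100_000) -> bytes:
    """Derive the vault key on the client from the master password.

    Salted with the lower-cased account e-mail so two users with the same
    password get different keys. The server never sees this value.
    (Iteration count is an illustrative choice, not a real product setting.)
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from the single derived key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stdlib stand-in for AES-CTR).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        msg = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(enc_key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(key: bytes, vault: dict) -> bytes:
    """Encrypt-then-MAC the vault. Layout: nonce(16) | ciphertext | tag(32)."""
    nonce = os.urandom(16)
    plaintext = json.dumps(vault, sort_keys=True).encode()
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(key: bytes, blob: bytes) -> dict:
    """Verify the tag first: a wrong master password fails here, before decryption."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, ks)))


class SyncServer:
    """Hypothetical sync server: stores ciphertext only; download needs the second factor."""

    def __init__(self):
        self.blobs = {}

    def upload(self, email: str, blob: bytes) -> None:
        self.blobs[email] = blob

    def download(self, email: str, grid_ok: bool) -> bytes:
        if not grid_ok:
            raise PermissionError("second factor required to fetch encrypted data")
        return self.blobs[email]


class Client:
    """Hypothetical client: always keeps a local encrypted copy; sync is optional."""

    def __init__(self, email: str, master_password: str):
        self.email = email
        self.key = derive_key(master_password, email)
        self.local_copy = None

    def save(self, vault: dict, server=None) -> None:
        self.local_copy = encrypt_vault(self.key, vault)
        if server is not None:  # "sync now" is a choice; the local copy is written regardless
            server.upload(self.email, self.local_copy)

    def open_offline(self) -> dict:
        return decrypt_vault(self.key, self.local_copy)


def demo() -> dict:
    # Constructed sample data; the password, e-mail and vault entry are illustrative only.
    server = SyncServer()
    alice = Client("alice@example.com", "correct horse battery staple")
    alice.save({"forum": {"user": "alice", "pw": "hunter2"}}, server)

    # 1. Offline: the cached copy opens with the master password alone (no grid, no network).
    offline = alice.open_offline()

    # 2. The server operator holds the blob but not the key; a guessed password fails the MAC.
    try:
        decrypt_vault(derive_key("guess", "alice@example.com"), server.blobs["alice@example.com"])
        operator_can_read = True
    except ValueError:
        operator_can_read = False

    # 3. The grid gates only the download from the server, not the local file.
    try:
        server.download("alice@example.com", grid_ok=False)
        download_without_grid = True
    except PermissionError:
        download_without_grid = False

    return {"offline": offline, "operator_can_read": operator_can_read,
            "download_without_grid": download_without_grid}
```

The point the thread circles around falls out of step 3: the second factor protects the copy sitting on the server, while the copy on disk is protected by the master password alone, which is why a strong master password (and a slow key derivation) matters more for the local file than any grid does.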

Re: Make it a standalone product, online backup an option

Postby sunshine_and_rain » Thu Feb 04, 2010 7:39 am

Thanks for taking the time to give a detailed reply.

For me I would prefer a system that gives me:

1) The option to completely disable any password and account details being placed on LastPass servers, unless I click on a specific button, such as one named akin to 'sync-now'. The default syncing time period is set at every 15 mins; it cannot be set to zero (0), but I could just set it to syncing every 1500 minutes, to practically disable the syncing... Or I could set my firewall to block syncing with LastPass servers.

2) A system that is completely portable and can and will function with or without any syncing with LastPass servers, regardless of any assurances of how secure the technology may be.

I acknowledge that I no doubt use internet services that don't appear to be as secure as LastPass; it's just that I follow the scientific precept of always being sceptical. Mentioning HushMail being compromised by the 'feds' arranging for a malformed set-up to be deployed was just to point out its weakness. I am just not tech savvy enough to know if such a weakness could be used against the LastPass system when accessed online.

"But can the feds force Hushmail to modify the Java applet sent to a particular user..."
http://www.wired.com/threatlevel/2007/1 ... ted-e-mai/

Of course, if a court-authorised warrant required LastPass to develop such a modified applet for a specific user, then this would seem to just reflect standard lawful practice.

I am used to syncing encrypted password files locally and keeping a backup online via an HTTPS-enabled cloud service. I use syncing software that enables me to very explicitly choose which specific files I want to sync; I just like to sync the files I use for passwords via a third-party cloud service, and I then sync them back into the password software myself, sort of manually. I therefore retain control over the process. Whilst this may not be convenient for some, it does seem more 'secure' to my way of thinking.
sunshine_and_rain
 
Posts: 4
Joined: Wed Feb 03, 2010 8:34 pm

Re: Make it a standalone product, online backup an option

Postby sunshine_and_rain » Thu Feb 04, 2010 6:20 pm

I have been mulling over your feedback and I am unconvinced by any argument that giving users a tick-box option to disable syncing with LastPass servers is somehow difficult to deploy or somehow interferes with "painless synchronization".

Many IT conscious users/customers like to tweak default settings, particularly if they work on computers in differing locations/countries.

I don't consider that giving a user/customer the option to disable server syncing would end up removing "... one of our best features..."; it simply gives a choice that would seem to be a minor technical design change. LastPass has obviously designed the syncing option so it cannot be set at zero, so clearly someone has chosen to prevent users/customers from having control over their own password/account information. Why?

In terms of potential attacks against a user's LastPass saved server or local data, it is always worth remembering that some organisations use SSL/HTTPS inspection technology to be able to automatically inspect/view/retain decrypted copies of data [1]. The governments of countries like India have installed a 'legal' keylogging and screen capture system onto cyber cafe computers [2].

[1] HTTPS/SSL Inspection
http://www.finjan.com/Content.aspx?id=184

[2] Police to Monitor Indian Cyber-Cafes
http://www.darknet.org.uk/2007/10/polic ... ber-cafes/
sunshine_and_rain
 
Posts: 4
Joined: Wed Feb 03, 2010 8:34 pm

Re: Make it a standalone product, online backup an option

Postby cawas » Mon May 03, 2010 3:12 pm

Funny thing, the OP reply came about 2 years later. About the same time I've been using LastPass (was using KeePass before that). :o

Well, I agree with almost every point from both sides here. So I think we could come to a middle term.

How about making an API and letting the community develop the plugins they need?

I personally would like to be able to do the exact same thing as sunshine_and_rain and be able to use LastPass offline without any server involved, but I also don't really care all that much, given that LastPass must be doing their service of keeping everything secure.

The API can potentially solve that, and it is always interesting for a big platform to have one way for users to customize as much as possible their use.

I think a nice step towards LastPass offline would be being able to export / backup automatically. Keep my local backup in sync and able to be accessed even if I have no internet access. Especially nice if it could be exported to a KDB file so I could open it with KeePass. That would make LastPass use much broader - I could store much more sensitive data, and not just online forms.

Anyway, just my 2 cents. Thanks for the great product! :)

edit: This was the first result I found on Google, but a little bit later I found a better link.
There is LastPass Pocket, which does at least one thing I've suggested, the offline secure access. Just download it from: https://lastpass.com/misc_download.php

But it still doesn't do automatic backup, which would be ideal, since manual backups like the way this works are doomed to be outdated. This is only good if you're going offline beforehand, knowing it and remembering to export prior to the event. Not a good backup solution, but so darn close to being one.
cawas
 
Posts: 8
Joined: Mon May 03, 2010 3:03 pm

Re: Make it a standalone product, online backup an option

Postby JoeSiegrist » Mon May 03, 2010 7:42 pm

cawas wrote:But it still doesn't do automatic backup, which would be ideal, since manual backups like the way this works are doomed to be outdated. This is only good if you're going offline before hand knowing it and remembering to export it prior to the event. Not a good backup solution, but so darn close to being one.


I don't understand -- every time you login or use LastPass you're storing a copy of your encrypted data locally, acting as a perfectly up-to-date backup.
JoeSiegrist
 
Posts: 4144
Joined: Wed Aug 20, 2008 10:40 am

Re: Make it a standalone product, online backup an option

Postby cawas » Mon May 03, 2010 7:46 pm

JoeSiegrist wrote:
cawas wrote:But it still doesn't do automatic backup, which would be ideal, since manual backups like the way this works are doomed to be outdated. This is only good if you're going offline before hand knowing it and remembering to export it prior to the event. Not a good backup solution, but so darn close to being one.


I don't understand -- every time you login or use LastPass you're storing a copy of your encrypted data locally, acting as a perfectly up-to-date backup.


Cool! And how can I access that copy?
cawas
 
Posts: 8
Joined: Mon May 03, 2010 3:03 pm

Re: Make it a standalone product, online backup an option

Postby Cato2 » Tue May 04, 2010 2:32 am

In the plugin, you can use Tools | Export To - this makes a local backup, either encrypted or unencrypted. If that's what you meant.
Cato2
 
Posts: 52
Joined: Mon Apr 19, 2010 4:08 pm

Re: Make it a standalone product, online backup an option

Postby cawas » Tue May 04, 2010 4:53 am

Cato2 wrote:In the plugin, you can use Tools | Export To - this makes a local backup, either encrypted or unencrypted. If that's what you meant.


I couldn't see the encrypted option, but no, not at all what I or Joe meant. We're talking about synced automatic backup.
cawas
 
Posts: 8
Joined: Mon May 03, 2010 3:03 pm

Re: Make it a standalone product, online backup an option

Postby Cato2 » Sat May 15, 2010 1:02 pm

LastPass does a synced automatic backup automatically every time it pushes the local data to the server. If you want an independent backup, find the files within the Firefox profile and back those up independently.
Cato2
 
Posts: 52
Joined: Mon Apr 19, 2010 4:08 pm
