Elcomsoft reviews iOS password managers, LastPass dinged

Postby jonat » Sat Mar 17, 2012 9:40 am

Elcomsoft, well known for research into computer security, published a paper titled “Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really? One of the password managers analyzed was LastPass Mobile on iOS. It focused on the local storage of the vault and dinged LP for not using the iOS keychain. The article suggested that the local vault was susceptible to offline attacks, though nowhere near to the degree that some others were. (I almost fell off my chair when I read that SplashID, a product I have used in the past, stores the master password in the database using reversible encryption and a fixed key!)

An interesting read.

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby Israel » Mon Mar 19, 2012 10:36 am

There were a few corrections to the article regarding LastPass - some facts were misrepresented. For instance, you can change how many rounds of PBKDF2 key derivation you want - I'm using 500 with only a small noticeable delay when logging in / decrypting on the iPhone. This is MUCH safer than using the keychain on the device.

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby XIII » Mon Mar 19, 2012 4:53 pm

I did not know about this option. It says 500 is recommended, but the default is 1...

Apparently more information can be found here:

http://helpdesk.lastpass.com/security-o ... ns-pbkdf2/

I would have appreciated a notification about this (blog, mail, pop-up, ...)

How did you inform users? (What channel do I currently miss?)

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby Israel » Mon Mar 19, 2012 5:00 pm

This is a soft rollout for now, so there's no blog post - we're rolling it out gradually and making sure there aren't any use cases that go badly (like a phone locking up, etc.)

We'll announce globally at some future date.

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby kilgry » Mon Mar 19, 2012 5:14 pm

Works well at 500 for me and my Android DroidX (Android LP app). It did take a bit longer to access on the phone, but plenty smooth enough.

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby kilgry » Mon Mar 19, 2012 6:21 pm

Hmm, I did have some problems after the change. LastPass would not recognize sites. I had to log off Windows and back in again. Then LastPass started working properly.

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby XIII » Tue Mar 20, 2012 4:00 am

Israel wrote: This is a soft rollout for now, so there's no blog post - we're rolling it out gradually and making sure there aren't any use cases that go badly (like a phone locking up, etc.)

Ah, I see. Thanks.

I'll do my testing as well (value 500; on Windows, Mac, and iOS).

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby jonat » Tue Mar 20, 2012 11:20 am

Glad to hear about this new feature. I set mine to 500 (was also 1) and from an iPhone 4S there is no noticeable lag in logging in.

However, if this is set to anything but 1, Show Password no longer works on the iPhone.

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby evilthought » Wed Mar 21, 2012 4:21 pm

Strange that LastPass's default iteration count was 1. Most encryption software uses at least some iterations by default. Isn't that just common sense?

Re: Elcomsoft reviews iOS password managers, LastPass dinged

Postby evilthought » Thu Mar 22, 2012 6:20 am

In September 2010, ElcomSoft announced a password cracking utility for Research In Motion BlackBerry device backups that takes advantage of what Vladimir Katalov, ElcomSoft's CEO, described as the "very strange way, to say the least" in which the BlackBerry uses PBKDF2. The BlackBerry encrypts backup files with AES-256. In turn, the AES key is derived from the user's password using PBKDF2. However the BlackBerry software uses only one PBKDF2 iteration. By contrast, according to Katalov, Apple's iOS 3 uses 2000 iterations and iOS 4 uses 10,000.


As it turns out, LastPass by default used only 1 iteration too, so now we have several thousand users online with vaults encrypted using only 1 iteration. They have to manually go to settings and change the iteration count, and as we know, 99% will not do that.

How come LastPass didn't know about that weakness until now?
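
Added example (not from this thread, and not LastPass's own code): a small Python script showing what the iteration count Israel and evilthought are discussing actually does to an offline attacker. It assumes PBKDF2-HMAC-SHA256, a 32-byte derived key and the account e-mail as salt, and uses a constructed toy wordlist; the real LastPass vault format and parameters are not modelled. The point it makes is that with one iteration the "derived key" is literally a single HMAC of the master password, so every guess against a stolen vault costs one hash; at 500 iterations each guess costs 500.

```python
"""Added example: how the PBKDF2 iteration count changes the cost of an offline attack.

Assumptions (not stated on the page): PBKDF2-HMAC-SHA256, a 32-byte derived key,
the account e-mail used as salt, and a constructed toy wordlist.
"""
import hashlib
import hmac
import time

SALT = b"user@example.com"   # assumed salt (constructed for the example)
DKLEN = 32                   # assumed derived-key length in bytes


def derive_key(master_password: str, iterations: int, salt: bytes = SALT) -> bytes:
    """Derive a vault key with PBKDF2-HMAC-SHA256 and the given iteration count."""
    if iterations < 1:
        raise ValueError("PBKDF2 requires at least one iteration")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, DKLEN)


def single_hmac(master_password: str, salt: bytes = SALT) -> bytes:
    """With one iteration PBKDF2's first block is T1 = U1 = HMAC(P, S || INT(1)),
    so the 'key derivation' collapses to one HMAC call (INT(1) is 4 bytes, big-endian)."""
    return hmac.new(master_password.encode("utf-8"),
                    salt + (1).to_bytes(4, "big"), hashlib.sha256).digest()


def offline_attack(target_key: bytes, wordlist, iterations: int, salt: bytes = SALT):
    """Dictionary attack against a derived key taken from a stolen vault.

    Returns (recovered_password_or_None, hmac_calls). Every guess costs
    `iterations` HMAC computations, so the attacker's bill scales linearly
    with the setting the user chose."""
    hmac_calls = 0
    for guess in wordlist:
        hmac_calls += iterations
        if hmac.compare_digest(derive_key(guess, iterations, salt), target_key):
            return guess, hmac_calls
    return None, hmac_calls


def time_per_guess(iterations: int, samples: int = 20) -> float:
    """Rough wall-clock seconds per derivation on this machine, for comparing settings."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", iterations)
    return (time.perf_counter() - start) / samples


# Constructed toy wordlist; the 'real' master password sits near the end so the attack works.
WORDLIST = ["password", "123456", "letmein", "qwerty", "correct horse",
            "Tr0ub4dor&3", "hunter2", "dragon"]

if __name__ == "__main__":
    for iters in (1, 500, 5000):
        key = derive_key("hunter2", iters)
        found, calls = offline_attack(key, WORDLIST, iters)
        print(f"iterations={iters:5d}  recovered={found!r}  HMAC calls={calls:7d}  "
              f"{time_per_guess(iters) * 1e6:9.1f} us/guess")
```

Running it prints one line per setting; the HMAC-call count grows 500x between the default of 1 and the value Israel recommends, and the microseconds-per-guess figure is the same slowdown an attacker with the vault file has to eat on every candidate password.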