Do You Trust LAST PASS

Discussion in 'other software & services' started by Rainwalker, Oct 20, 2014.

  1. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,961
    Thinking that proximity has any implications is really crazy. I manage a company and the next door is our municipal financial department. Should I be worried that they will be coming to my company every week to check our accounting just because they're so close? It's really paranoid.
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    True. Also consider that if the NSA wanted your password for something they wouldn't have to get it from LastPass. They could get it directly from the source. If they want your bank password, they will get it from your bank. If they want your Facebook password... you get the idea.
     
  3. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Certainly I would trust it as I have used it on and off for years. However, I have chosen to use KeePass, which uses a locally stored database.
     
  4. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    One of the engineers here uses KeePass, and when he needs to remember a password from home before he leaves for work he snaps a picture of the opened entry in KeePass. I explained to him that those pictures are now on his phone, which means they are on iCloud since that's not disabled on his phone. He said 'whoops'. So there is something to be said for the convenience of LastPass.

    Using my cipher method, it's probably unbreakable anyway.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    That's not a very wise use of a password manager :)
    I agree that LastPass can be convenient. I don't know if it is unbreakable, though. Sometimes a password doesn't have to be broken; it can just get stolen (keyloggers...).
     
  6. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    Exactly my thoughts. As long as you are not planning on being a very naughty boy, I would not let the 3-letter agencies put me off using any software, as the efforts to stop them would be futile IMO for the reasons stated by Jack.
     
  7. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    74
    That's where not "keeping all your eggs in one basket" applies, and where other security/privacy systems come into play. A good firewall setup can prevent software keyloggers from phoning home. Good point, though.
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Yubikey with NFC (the larger key in the NEO range) only works on Android (not iPhones or WP8) and allows LastPass to operate on them.

    Just in the last few days, Google has announced their support for FIDO U2F authentication, and the new versions of the Yubikey NEO now support this. But I'm not sure if that extends to anything via NFC.

    I use Yubikeys for TFA on the (W7x64) desktop for Lastpass (in OTP mode), and also the HMAC-SHA1 for Windows Logon and Password Safe (which supports the Yubikey for TFA). I don't trust anything on smartphones so haven't used the NFC.

    I also don't trust any software, including LastPass, though I'd rate them reasonably highly as a focussed company who appear to be doing the right thing - that's what they do, and you pay for that service. There have been a few threads on here and various papers analysing how secure password managers are, and the answer is, like pretty much anything, there are vulnerabilities. But I only use it for the run-of-the-mill web account passwords, not for anything really sensitive, nor for my master passwords. I also use Password Safe with Yubikey support for things I only want locally on my machine. LastPass is easily the most convenient web-based login tool I've come across, I like it a lot in this mode, and the addition of TFA makes it fairly good IMO.

    Of course, what really needs to happen is for more of the website account logins to support 2FA; then long nasty passwords would be moot. But unless the industry gets behind something like FIDO U2F, this remains a Shangri-La.
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    That would be true (as you point out) - from the technical response and patching and hardening perspective.

    What makes it untrue (sometimes) is that the corporates are busy ransacking the cloud data and merrily passing it on to the TLAs and other third parties. Plus there are legitimate concerns over ownership and continued access to the data. And denial of service (for example, I read about a photographer who stored some legal adult material in a private area of the cloud and was locked out of his account for a ToS violation).

    Which is not OK.

    Which is why cloud providers have (rightly) been hurting.
     
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Agreed deBoetie, it's a (relatively) new part of the industry and is still in a state of flux. Ultimately it will be regulated, and have privacy laws that pertain specifically to it. As of right now a lot of reliance is on individual companies, and how seriously they take privacy. All of them seem to take security pretty seriously, as a compromise of a major cloud vendor could spell disaster. Individual networks are often a mess: tangled wires, unpatched servers/systems, dated firmware, lack of security protocols. Almost none of this impacts the cloud systems because they are so focused and unified on the task. Most of the cloud vendors I deal with had dealt with BASH before the public was even aware of it, while I still deal with individual corporations attempting to deal with it.

    Ultimately I think the best policy of a cloud company is 'no-knowledge' technology and privacy policies. The fact is, if they have no-knowledge, then they can't be compelled to reveal anything. In the case of iOS8 and the upcoming Android releases, both companies are moving to no-knowledge.
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Great information, thanks! Do you know if the Yubikey NEO can be used for TFA when logging into LastPass on an android smartphone with NFC? Here's a video showing the Yubikey NEO connecting to the Yubico Authenticator app on a smartphone, but it's not clear how that capability is extended to other apps such as LastPass.

    https://fidoalliance.org/adoption/video/yubico-fido-alliance-universal-2nd-factor-u2f-demonstration

    Can you say more about vulnerabilities in LastPass?
     
    Last edited: Oct 25, 2014
  12. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    They are located in USA, so they have to follow US laws, it is as simple as that. There are already many anti-privacy laws, that most people do not even know about.
     
  13. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It's the same with almost every country. Pick your poison.

    But when a company like Last Pass doesn't have your encryption keys, and doesn't store your data, then you really have little to worry about.
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    They store your encrypted data, yes? But can anyone decrypt 256 bit AES without the key? From what I've read it borders on impossible, but encryption isn't my area.
     
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Your encryption key is created from your email address and Master Password. Your Master Password is never sent to LastPass, only a one-way hash of your password when authenticating, which means that the components that make up your key remain local. This is why it is very important to remember your LastPass Master Password; we do not know it and without it your encrypted data is meaningless. LastPass also offers advanced security options that let you add more layers of protection. In other words, your computer encrypts your passwords with your email and master password and sends that data to Lastpass. When you authenticate with your master password at Lastpass.com, Lastpass.com returns all your encrypted passwords, which are decrypted locally on your computer with your email and master password. Every communication happens over SSL, so anything intercepted is doubly useless (since everything is encrypted with not just the SSL keys but with your email and master password).

    Sameer Kochhar, director at LastPass, says, "We only have the salted hash in our database, so they'd have to guess the password, compute the salted hash, and then compare it to the value stored in the database. But even if they managed to do this they still don't have access to your actual encrypted data (sites, usernames, passwords, formfills, etc.)."
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I should emphasise that I haven't used the android nfc Yubikey, so this is only based on my interest in whether it would suit or not! I'd actually want the nfc authentication to include smartphone logon, that would be my priority for any smartphone since I don't trust biometric reliability. Here's the Lastpass & Yubico descriptions of using their Android app with the Yubikey NEO (nfc) - which requires the LP Premium account in order to register 1 to 5 Yubikeys which can act as 2FA (this works a treat on the desktop). While the demonstration on the link you provided did indeed show nfc U2F login, this was to the Yubico test U2F service. As far as I know, the only major service supporting U2F is now Google, although I imagine there will be more support forthcoming. Whether Lastpass will offer U2F remains to be seen.

    Lastpass with mobile YubiKey NEO (nfc)
    http://blog.lastpass.com/2012/03/introducing-lastpass-mobile-support-for.html

    LastPass and Yubikey NEO on Android
    https://www.youtube.com/watch?v=mL30ro07GrQ

    Note that Lastpass 2FA is NOT U2F, it's OTP. The Yubikey normally has 2 "conventional" slots for things like OTP, HMAC-SHA1, VIP etc, and then added certificate-based support on the NEO (such as mifare, CCID etc), and now the U2F support (which is effectively a certificate-per-site). I believe there is a variant of the U2F only Yubikey available in the US for $18 on Amazon, this doesn't do nfc or anything else. Here's a summary of the models and their capabilities:
    https://www.yubico.com/products/yubikey-hardware/

    According to this discussion, Yubikey support is currently either U2F or OTP on a given configured key (although this appears to be a teething thing which would be changed in future).
    https://forums.lastpass.com/viewtopic.php?f=7&t=149465

    Currently, U2F client support is only on recent Chrome.

    The most recent discussion of web password manager security is:

    The Emperor's New Password Manager: Security Analysis of Web-based Password Managers
    http://devd.me/papers/pwdmgr-usenix14.pdf

    One of the vulnerabilities identified in Lastpass relates to bookmarklet features (I think other products were also vulnerable in this area), this paper was published around a year ago. There were also some brute-force attacks (which I assume would be made hard by good master passwords/use of TFA).

    I've also got a rather older analysis of local database password managers, but can't locate that right now. Obviously, those local databases, if exfiltrated, are available for offline brute force attack (hence 2FA is attractive).
     
  17. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Yup, I trust it and have done so for five years now.
     
  18. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    None of the issues cited in this article would impact a program like LastPass if one used my Cipher Salting method. It's statistically impossible to compromise my system unless you have direct access to the device with a keylogger installed; therefore it makes almost any online password manager 'supremely' secure, and the only consideration after that is which one offers the features and interface you prefer!
     
  19. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    What do you guys think about Passwordbox?

    I have 5-6 lifetime licenses I purchased for $9 each during some promo but never really used it. I think I will check it out this weekend.
     
  20. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    74
  21. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
  22. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    YES, I Would Trust LAST PASS :ninja:
     
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Then use their EU servers ;)
     
  24. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I don't get the joke. I use 100 random characters from the LastPass password generator on some sites (just because I can :p), so I don't understand what you are talking about?
     
  25. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    Well, I picked Russia for that matter: all Russian products, a browser, emails and such. :cool:
    Not sure if that would help, since a US judge has already told even Microsoft to release data stored on servers in the EU, like Ireland and such.
    And since it has been made a precedent, they do not need to take it to court anymore, so they can ask for data silently from any company.
     
    Last edited: Oct 26, 2014