PRISM and LastPass

Have anyone heard anything that could relate LasPass and PRISM?

 

Its a web company, them their servers their staff or their software could be tied in in some way. Simply put, never trust anyone else with your passwords.

 

Unless AES256 has been broken (it's LP algorithm) by NSA, I feel safe enough.

Anyway: https://forums.lastpass.com/viewtopic.php?f=6&t=89095

 

I remember reading a while ago that LastPass was offering the users the possibility to check how strong are their passwords. I don't see how this can be done without LP decrypting every password you stored on their servers, so I think that is a problem.

 

Decryption is done locally on your machine.

https://forums.lastpass.com/viewtopic.php?f=6&t=24879&p=90409&hilit=challenge#p90409

 

Yeah as long as LastPass does everything they claim it does, your data is pretty secure. They use AES-256 with PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds, all of which is basically good standard encryption/password-storing protocol.

The only issue of course is confirming that what they say about how all the encryption/decryption is done client side.

One suggestion is to use the Non-binary Chrome, Firefox, Opera, or Safari extension, which is 100% JavaScript, and use network sniffing with a proxy to see that the sensitive data is encrypted before being sent.

Then you simply wouldn't update/upgrade your extension until you want to audit it again. The employee says "you could also audit the way we interact with the binary extension to decide if you trust that."

 

Thanks for the info.

 

Encryption can be breached easily thanks to power of GPUs. If you want smthg to be private never put it online, not even for a backup. Privacy means do not trust anyone.

 

I can't tell if this is sarcasm or completely serious. I really hope the former.

 

I can see a large increase in use of opensource software. There are many great products out there that are opensouce that the masses do not know about. Its about time they started supporting those they can trust. Well, I don't really trust anyone, but I have more trust in opensource software out of all the options available. Its just not practical to do everything person to person.

 

Due to the last news from the NSA "affair" I decided to revert 100% to Keepass and delete my Lastpass account.

I believe it's still a secure system, but for sure I am not going to fully trust any security-related US company, until maybe some more information will be undisclosed.

 

Given what we now know, the federal government is inserting itself into the design and development process. So it's not a question of brute-forcing encryption, but rather them subverting proper implementation. With exception to encrypting the data yourself, the majority of users will need to rely on open-source alternatives, while avoiding off-site storage and storage on networked devices. I can understand protecting this data from criminals, but do we honestly still think they need our login information if they are this close to hardware and software development?

 

Just in case...
http://www.guidingtech.com/11787/transfer-passwords-lastpass-to-keepass-right-way/

 

Just to offer an alternative, I prefer Bruce Schneier's Password Safe (which I talk about and begin to compare to KeePass in the section called "Extras" here). One thing I like about Pwsafe over KeePass is the option of a nested tree view, which is what I pretty much always use. KeePass doesn't offer this.

Also, as Schneier recently mentioned, there is a command line option to encrypt any file, making it a handy, portable encryption tool as well.

The steps for importing a LastPass database are largely the same as outlined with KeePass (if not fewer).

 

http://blog.lastpass.com/2013/09/lastpass-and-nsa-controversy.html

 

If you like/use LastPass (I'm not trying to convert anyone to it)...

It seems to me, if the NSA (using PRISM or whatever) is able to capture and decrypt our web credentials (as we use them), LastPass is not the concern. From what I understand, there is no evidence that anyone else besides the NSA could pull off decryption at this level/scale. So in my mind, LastPass is just as viable as it has been. And the NSA has nothing more than what they have already grabbed vis PRISM.

Bottom line for me is that until I feel LastPass is unsafe from anyone besides the NSA, I'll continue to use it.

 

No security company will ever say "Yes, we cooperated with the government and made it easier for them to access your data".
For companies in business in US it is illegal to say so even they want to.

So you still have to trust that they are telling truth when they claim such stuffs.

I use LP but I do not trust them 100%.

 

Many LP users use their free service.

How does LP make money from that? What is the benefit to LP?

 

Market share, word of mouth, (upgrade) ads, universal recognition, and increased dependence (especially with mobile).

 

...all the same stuff they'd get if they were completely open source. Which makes their lame excuses in the comments largely irrelevant.

 

Think of LP as storing a KeePass .kdbx file on their server. When you log in, they send you the encrypted file, and it is opened on your machine...just like a .kdbx file, or TC container is. NSA could get the file, assuming they coerced the SSL/TLS keys, or can break it outright, but what to do with the file? If you use a weak master, you're toast, but if not, they would need an AES break I would think. If they have that, any AES TC container in DropBox is toast too, etc...

I'm less "they can't do that" since June, but I still use LP. LP makes money off mobile - $1 a month. I bought it to support the company, but I rarely use it on mobile.

PD

 

I'm with PaulyDefran here. I think LastPass is safe. They offer a great service and run the security exactly like they should.

Steve Gibson did an in-depth analysis of their security a while back and had great things to say. He also revisited the issue on the Security Now episode yesterday (9/11/2013) where he discussed LastPass in light of the recent NSA revelations.

Based on his analysis and everything else I've seen, I'm completely comfortable trusting their service.

 

I'll say exactly what I said in the comments on their blog - open it up or it's a moot point. I use LastPass, I want to trust LastPass, but they should open it up.

 

No...as I said you cannot be sure that's how it works without avoiding the binaries and using only the javascript (after auditing it, of course) and then not updating until you're ready to comb through the code again.

Outside of that, just as I pointed out with cloud encryption, you're simply taking them at their word that:

a) they're not lying

b) they implemented the encryption scheme properly and securely

c) they won't flip the script on you (literally) and grab your key (e.g. at the request of government authorities, perhaps?)​

This Mitro service looks interesting, and seems to try to address those issues by offering a browser plugin instead, ultimately it's the same process to ensure your security: audit the code, and don't update until you're ready to do it again.

One more time: If you want something encrypted, do it yourself locally, and upload only encrypted files. Don't simply trust that some service is doing it for you.

 

Steve Gibson is a hack. He's like the Dave Ramsey of the security world.

The only analysis that matters is an audit of the javascript. Who has done that? When enough people have done that, and not a single one raises any suspicion, and after you've done a test run and sniffed your packets and confirmed that everything is encrypted before it's sent...then I'd say you have decent reason to feel secure. Outside of that, you're just trusting a company running a closed-source service at their word.

Bingo.