Do You Trust LAST PASS

Discussion in 'other software & services' started by Rainwalker, Oct 20, 2014.

  1. molhopicante

    molhopicante Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    134
    Very good thread.

    Thank you for all your answers, because they helped me to clarify lots of things about LastPass.

    I'm using 3 passwords for all the sites I use.

    Nothing special, because they are forums or other similar pages.

    But I think it would be better to have 1 password for each site I use.

    So I decided to give LastPass a try and test it.


    One last thing.
    The email passwords I have, I stored in MS Outlook in order to connect and download the email messages.

    Is that dangerous?
     
  2. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Another method used for products like Lastpass is to only store 'partial' passwords and disable autofill. So for example, let's say you have a password for your bank stored in Lastpass that is:

    S18z01495SQYksg

    What you do is salt the password with your own algorithm finisher. So let's say my salting method is the last 4 words of a domain, combined with a few digits from my social security. My password would become:

    S18z01495SQYksg!ERAL7621

    So even if Lastpass is compromised, all of your important stuff is salted with additional algorithms. This way you have extremely complex, random passwords, and still have ones stored in your brain based on your own algorithm. This to me is really the ideal method to secure yourself, because you are placing 'minimal' trust in a company like Lastpass and enhancing your security with your own methods.
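The scheme described in the post above (and restated in post 19 below), as an added worked example; this is not code from the thread or from LastPass. It implements the stated rule literally: the vault holds only the partial string, and the finisher is the last four letters of the site's domain name, upper-cased, followed by secret digits that are never written down. The stored partial `S18z01495SQYksg` is the one from the post; the domain `federal.example` and the digits `7621` are assumptions chosen so that the output matches the post's sample `S18z01495SQYksg!ERAL7621`.

```python
"""Hybrid credential: stored partial password + memorised, per-site finisher.

Added example, not the thread's or LastPass's own code. The vault (or any
attacker who obtains it) only ever sees `stored_partial`; the finisher is
recomputed in the user's head from the domain and a few secret digits.
"""
from urllib.parse import urlparse


def registered_label(url_or_host: str) -> str:
    """Return the label the finisher is keyed on, e.g. 'federal' for
    https://www.federal.example/login.

    Assumption: the label just before the top-level domain is used, and a
    leading 'www.' is stripped so the finisher is stable across subdomains.
    """
    # urlparse only fills hostname when a scheme or '//' prefix is present.
    parsed = urlparse(url_or_host if "://" in url_or_host else "//" + url_or_host)
    host = parsed.hostname or ""
    labels = [part for part in host.lower().split(".") if part]
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) < 2:
        raise ValueError(f"not a qualified host name: {url_or_host!r}")
    return labels[-2]


def finisher(url_or_host: str, secret_digits: str) -> str:
    """The memorised part: last four letters of the domain label, upper-cased,
    plus the secret digits. Everything secret about it is `secret_digits`
    and the rule itself; neither is stored anywhere."""
    if not secret_digits.isdigit():
        raise ValueError("secret_digits must be decimal digits")
    return registered_label(url_or_host)[-4:].upper() + secret_digits


def hybrid_password(stored_partial: str, url_or_host: str,
                    secret_digits: str, separator: str = "!") -> str:
    """What is actually typed into the site's login form."""
    return stored_partial + separator + finisher(url_or_host, secret_digits)


if __name__ == "__main__":
    # Constructed vault contents: only the partial string is stored.
    vault = {"https://www.federal.example/login": "S18z01495SQYksg"}
    for site, partial in vault.items():
        print(site, "->", hybrid_password(partial, site, "7621"))
```

With autofill disabled, the partial is copied from the vault and the finisher is typed by hand; the example's `registered_label` strips `www.` and subdomains so that `login.bank.example` and `www.bank.example` produce the same finisher.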
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,700
    Location:
    Slovenia, EU
    That's good method @Mayahana :thumb: I will probably use something similar if I decide to use some online password storage.
     
  4. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    To be honest, this method is a hybrid of what I developed a long time ago at a military contractor I worked for, and I was hesitant to post it here. We called the method 'hybrid credentials'; no clue what people call it now, or if people even talk about it. Essentially you are relying on a stored credential for a significant portion of the authentication, and securing that with your own cipher. Your own cipher doesn't need to be overly complex, because it is riding on a rather large key itself. It's largely considered unbreakable in terms of compromises to databases, because there isn't any real loss of true data even if the database or company is compromised. This also allows 'time' in the event of a threat discovery. So if your database is compromised, you have some time to clean things up and change passwords that were compromised before your cipher hybrid credential is broken.
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,983
    Location:
    USA
    Classified? :cool:
     
  6. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,410
    Location:
    Lancashire
    Excellent suggestion. I mentioned a very rudimentary, non-third-party-based version of this concept on this forum in 2011 when the last LastPass scare occurred.
     
  7. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,410
    Location:
    Lancashire
    Just out of curiosity, what made you change your mind?
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    :isay:
     
  9. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,415
    Location:
    USA
    That was 3 years ago. I did some research and testing and considered it to be safe enough to use. I haven't found a credible instance where LastPass has been compromised, and I use a ridiculous master password. The convenience also weighs heavily, as I can use it on all of my devices where KeePass and Sticky Password require (unless newer versions have changed) separate databases on each device. And no, I am not going to put one of the databases in Dropbox for sync purposes, I do not trust them at all.
     
  10. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    74
    That's an excellent idea @Mayahana! Although going through each site currently stored in LastPass and changing my password on those sites, while simultaneously modifying the (unsalted) password in LastPass... oh the drudgery. I just might do that though, it's such a simple and effective way to increase security. The master password can especially use something like this.
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,983
    Location:
    USA
    Yes, this is a great idea, though laborious to implement as you note. Regarding protecting the master password, the most convenient option I've found is Google Authenticator on a smartphone.
     
  12. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,410
    Location:
    Lancashire
    Thank you for answering. Good that you never came across any concerns during research, as I generally agree with you on most matters and value your opinion. I suppose in the ever-increasing times of mobile computing, the attractiveness of a cloud-based password manager over a fully local manager is only going to increase.
     
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,983
    Location:
    USA
    Just discovered that YubiKey can be used with a number of NFC capable smartphones:

    https://www.yubico.com/products/yubikey-hardware/yubikey-neo/

    http://forum.yubico.com/viewtopic.php?f=26&t=1302
     
  14. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,112
    Location:
    Slovakia
    No, there have been too many security breaches and databases hacked too many times over the years. I cannot honestly trust anything being stored online as safe.
     
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Statistics are starting to bear out that cloud is actually safer. Examine all of the breaches in the last 3 years: how many were cloud vs localized? (Kmart, Home Depot, Target, Chase - all localized)

    Saying you don't trust the cloud is like people in 1910 saying they don't trust electric companies. Back then companies, farms, even individuals often generated their own electricity. Resistance to centralized, distributed electricity was pretty vehement. Eventually it was realized that it made more sense to rely on the distribution network for reasons of scalability, reliability, and adaptability. The cloud is in a similar phase, but within 5 years anyone not relying on hosted/virtualized/cloud solutions will be so far behind the curve. Anyone in the IT field can see it happening, and they can also see the improvements it is bringing. The days of a company having extensive data center allocations, large hardware expenses, and proprietary applications are coming to an end. Simply put, cloud in general you will find safer. Unless you are very skilled, you are likely LESS safe with local password storage, as companies like Lastpass invest a lot of money in top talent to monitor, test and probe their security, and implement preventative measures. Most home networks and systems are a joke in comparison. If you think your $29 Netgear NAT router, $5 switches, and 'free' security software are going to secure you, then I have some very bad news for you.

    I deal with it every day: a medium-size company with their own servers, their own security and IT people vs our hosted solutions. We were working on BASH within 32 minutes of its discovery. I still talk to IT guys at localized companies that aren't aware of BASH and/or don't know if they are protected from it. Joe-Bob-IT running around to some PowerEdges running MBAM and tweaking his Linksys has become a joke when I can put a company behind 4 million dollars of security and 19 trained threat engineers for half of the cost, with non-vendor-locked APIs.
     
  16. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    556
    Location:
    USA
    I think the concern is more about privacy though. Does Lastpass store everything (like your list of sites and usernames) encrypted, or just the passwords?
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,983
    Location:
    USA
    This is from the LastPass privacy statement. To read the full disclosure click the link.

    https://lastpass.com/privacy-statement/

    • We don’t allow you to send LastPass critically important information like your usernames, passwords, account notes, and LastPass master password; instead your LastPass master password is used locally to encrypt the important data that’s sent to us so that no one, including LastPass employees ever can access it.
    • We don’t ask you for personal information unless we truly need it.
    • We don’t share your personal information with anyone except to comply with the law, develop our products, or protect our rights.
    • We don’t store personal information on our servers unless required for the on-going operation of one of our services. (For example: If you choose to store login history, we keep login history, if you choose not to, we don’t)
     
  18. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,605
    No, I don't trust it.
    I would like to use KeePass with my website, but I don't know how to do it :(
     
  19. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Lastpass has no data that can reveal your passwords. Even if they were hacked, a hacker would have nothing they could make any sense of. If you use my cipher method, even if someone broke the encryption, unscrambled the hashed file, and brute-forced your master password, they STILL wouldn't have access to your real password. It's the ultimate protection, really. I could post my passwords here, or even post my Lastpass master password, but it would be totally useless because you don't have my cipher salts based on the method I already posted.

    So you partake in the convenience of Lastpass, and have military-grade cipher security, with salting. It's a win-win; there is nothing you can do that's more secure, in my opinion, because you are spreading risk so thin. NOBODY has 'everything' in one location, and your cipher is the ultimate key should all of your layers be penetrated.
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,983
    Location:
    USA
    From the LastPass website:

    We've implemented AES 256-bit encryption with routinely-increased PBKDF2 iterations. That's tech speak for strong protection for the data you store in LastPass.

    A little light reading suggests that no one will be brute-force cracking AES 256-bit encryption. The master password is the vulnerable point in any password management system; if it is easy to guess or gain through social engineering, used in other accounts, etc., and not protected by two-factor authentication (TFA), then the attacker has your passwords. A lot of focus is being placed on how the LastPass system might be hypothetically hacked, but the user is always the weakest link.

    By the way here's that light reading LOL:

    https://www.reddit.com/r/theydidthe...e_and_energy_required_to_bruteforce_a_aes256/
     
    Last edited: Oct 24, 2014
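The point the post above makes, as an added worked example that is not LastPass's code: the vault key is derived client-side from the master password with PBKDF2, so what a thief of the server side can attack is not AES-256 but the master password, and the only things that raise the price of each guess are the iteration count and the password's entropy. The HMAC-SHA256 variant, the 5000-iteration default, the e-mail address used as salt, the shape of the server-side verifier and the short word list are all assumptions made for the example; none of them is a statement of LastPass's real parameters.

```python
"""Master-password key derivation and the offline guessing attack against it.

Added example, not LastPass's implementation. Models the design quoted in the
post: PBKDF2 over the master password on the client, AES-256 on the vault
(not shown), and a server-side verifier derived from the key for login.
"""
import hashlib
import hmac
import time

ITERATIONS = 5000  # assumed default; "routinely increased" means this grows over time


def vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client side. The key that encrypts the vault; it never leaves the device.
    The lower-cased account e-mail is the salt (assumption), so two users with
    the same master password get different keys and no shared rainbow table."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.strip().lower().encode(), iterations, dklen=32)


def login_verifier(key: bytes) -> bytes:
    """What the server stores to authenticate a login (assumed shape): one more
    PBKDF2 round over the key. It cannot be turned back into the key, but an
    attacker holding it can test guesses offline by re-running the derivation."""
    return hashlib.pbkdf2_hmac("sha256", key, b"login-verifier", 1, dklen=32)


def crack(verifier: bytes, email: str, candidates, iterations: int = ITERATIONS):
    """The attacker's loop after a server-side breach: cost per guess is one full
    PBKDF2 derivation, so total cost = iterations x number of candidates."""
    for guess in candidates:
        if hmac.compare_digest(login_verifier(vault_key(guess, email, iterations)), verifier):
            return guess
    return None


def guesses_per_second(iterations: int, email: str = "user@example.com", samples: int = 20) -> float:
    """Measured single-core guessing rate on this machine for a given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        vault_key(f"bench-{i}", email, iterations)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Time to try every password of `length` symbols from a `charset_size`
    alphabet at `rate` guesses per second (full search, not expected time)."""
    return charset_size ** length / rate / 31_557_600


if __name__ == "__main__":
    email = "user@example.com"
    # Constructed word list standing in for a real dictionary.
    wordlist = ["123456", "letmein", "password123", "Tr0ub4dor&3"]
    stolen = login_verifier(vault_key("password123", email))
    print("recovered:", crack(stolen, email, wordlist))
    for n in (500, 5000, 100_000):
        rate = guesses_per_second(n)
        print(f"{n:>7} iterations: {rate:8.1f} guesses/s here,"
              f" 8-char lower-case: {years_to_exhaust(26, 8, rate):.1f} y,"
              f" 12-char mixed: {years_to_exhaust(62, 12, rate):.2e} y")
```

Raising the iteration count multiplies the attacker's cost by the same factor it multiplies the user's login delay, which is why it can only be "routinely increased" rather than set astronomically high; the password's own entropy is the term that grows exponentially, which is the post's point about the user being the weakest link.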
  21. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,105
    Location:
    Mountaineer Country
    I don't trust this program because of where its headquarters are located.
     
  22. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,369
    Do you mean this location?

    If so what bothers you? That it is in the States or ... ? Sorry to ask but you said it and I'm quite confused.
     
  23. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,410
    Location:
    Lancashire
  24. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,369
    OK, I may not understand, as I live in Central Europe and I never felt threatened by the NSA. :) Furthermore, I don't think I'm somehow interesting to them.
     
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,983
    Location:
    USA
    Why do you think the LastPass people are taking lunch breaks with the NSA? :cool: Ok, seriously it's a good question whether or not proximity has implications. I guess being next door would be advantageous if they were collaborating, but given modern communications it could probably be done just as well regardless of where the companies were physically located.
     