Do You Trust LAST PASS

Discussion in 'other software & services' started by Rainwalker, Oct 20, 2014.

  1. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Yes, and Microsoft did not release data from EU servers. So, so far it worked. ;)
    So you can use lastpass.eu data centers, beta only currently.... as lastpass is doing the papers to register the company in the EU. BUT EU law enforcement can still ask for the access. Bottom line... you face the same issue. As lastpass has no key to decrypt lastpass data its just the same... US or EU. And as already said NSA couldn't care less of your lastpass database as they have other means to tap you. :)
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I think your "Cipher Salting" approach is a good defence against those issues (although I think I'd prefer to call it "decoration" rather than salting which has a technical association with hashing) - but clearly does not protect against other threats (in addition to keyloggers), such as MITB, MITM etc. That's why we need good TFA on the websites themselves, and that's why it's annoying that the industry is so slow to adopt a decent privacy protecting standard - funny that.....

    In a way, using Lastpass (or other password managers) is a necessary evil till that day arrives.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Different product: PasswordBox.
     
  4. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,286
    Location:
    EU
    Tested for a while (I have two lifetime licences) but dropped because of lack of 2 factor auth. They told me it's under development and should be ready in 2014. We are almost in November now..
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I can't believe they don't have TFA yet, I do recall when I purchased the lifetime packs they said TFA was 'coming'.. My 'decoration' or 'cipher' method makes TFA more of a formality anyway in my case, but it would still be nice to have it, and should be an option available for anyone.
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,089
    Location:
    USA
    The authors note that their attacks on the password managers were "severe". There were more issues with bookmarklets and password sharing. Password sharing in particular seems like a bad idea. Do you know if any of the documented vulnerabilities have been exploited in the field?
     
    Last edited: Oct 27, 2014
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    That's the problem with a lot of these tests, they factor synthetic environments. Hacker tournaments start by testing hackers ability to compromise from remote, then progress into more direct hacking with access to the machine physically. Personally I do not have sharing of any kind activated on any password managers. But again my 'decoration' mode would defeat that because you are sharing a password without the decorations, hence useless.

    You share Skype PW with Joe-Bob, which is; 4oAecs0:K1%PT"6@~~'O Knowing that is useless, as my cipher/decoration for that 'type' and 'link' is; 4oAecs0:K1%PT"6@~~'O!kype92JoT

    The MANUAL salt is !kype92JoT which is based off of an undocumented, personal algorithmic method. Which is why we used this method at a defense contractor I worked for, and I believe it's a method to ensure ultimate security against all known NON-Keylogger/NON-MTM types of assaults. If someone has keyloggered you, not much you can do anyway. Atkinson was hacked with state sponsored malware, and it achieved access to her system through her clicking a file sent through email. Ultimately there isn't much you can do if you 'click' stuff randomly. Ultimately it will be revealed that Atkinson wasn't very intelligent in her use of security, passwords, and encryption.

    So use a password manager, then develop your own salting/decoration method, and give yourself 'quantitative' security improvements for no cost, and little hassle. I could post my entire Lastpass database as a text file here, and it's going to do you no good unless you can brute force a 10 mixed character decoration appended to each one.

    So let's all use this method, and not fuss with arguing if this or that is secure, make them all secure! :argh:
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,089
    Location:
    USA
    I guess bypassing in a synthetic environment keeps us humble :) but unfortunately it sometimes causes people to lose confidence in a system which is nevertheless exponentially more secure than what the vast majority use. By the way, I don't see how to actually disable password sharing in LastPass; is there a setting for that?
     
  9. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
    I use LastPass and I trust it.
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Yes, I keep my feet on the ground by thinking about the way I used to run - weak web passwords with many duplicates, it couldn't have been much worse! .... Plus LastPass are a company dedicated to what they do, you pay for the service, and they seem to be doing sensible things.

    The way sharing works is that you have to specifically set that up in your account (only works with paid accounts), and then you nominate whether a particular site is going to be shared with the other account(s) or not. There's obviously more vulnerability that way, but it is really convenient and you can be selective about what you share. It's one of these risk things, the convenience of me and spouse being able to access shared accounts for not desperately important things (where the exposure and damage is limited) is a pretty good trade-off. In any case, I don't put any sensitive (master or financial) passwords into LP regardless. And you can also use the MayahanaTM's decorative method (which can also be done selectively).

    As others have noted, having TFA is pretty essential for the password manager itself.
     
  11. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Sorry I was thinking of Passwordbox, which has the ability to disable any kind of sharing. I've been testing Passwordbox this week and really like it, but I am puzzled as to why there isn't TFA. Given my decorating method I am not all that concerned, but still... As for decorating, use it on crucial things, and things that can be used to engineer you. Facebook, Emails, Banks/Financials/CC's, Photoshare/storage, etc. A tremendous amount of hacks happen because of social engineering, so I would work pretty hard to contain those with decorations, same with email. If your email is compromised then your whole structure can fail.
     
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Warning about Passwordbox. My network sniffer showed it sending data to Mixpanel, a datamining firm. Confirmed it does this on both mobile, and desktop/laptop platforms!

    Bad form.
     
  13. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,089
    Location:
    USA
    As your sig says nothing is impossible, however the main weaknesses in LastPass have to do with the user and not the software. For instance if the user chooses a master password that is so weak that it can simply be guessed then it doesn't matter how strongly the password is encrypted. Should the LastPass folks require that the master password be longer and more complex? If they did it would result in more people forgetting their master password and possibly losing access to their password vault permanently. As always the weakest link is the user. When properly implemented LastPass is exponentially more secure then the password management schemes most people use.
     
    Last edited: Dec 4, 2014
  15. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    :thumb:I just posted this info to let fellow members of this forum to know about the issue.I am a die hard fan of LastPass:D
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,089
    Location:
    USA
    Yes, the information is good to have and thanks for posting it :thumb:
     
  17. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    You are most welcome :)
     
  18. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    I've been using it since it was released and I've never had my passwords stolen.
     
  19. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    This is a non-issue. As it would require some pretty selective malware, along with some pretty idiotic user behavior. Lastpass already addressed it anyway - just in case. Lastpass is probably the most secure password product because it's the most attacked, the most analyzed from what I can tell. They also reward people that find stuff that needs fixing, and in some cases place a bounty on exploits. Interesting, some of the most paranoid IT people I know that work for pentest companies - use Lastpass. One of the most well known brute force password hackers, actually uses Lastpass.
     
  20. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Thanks to all for the continuing updates in this thread. Always good to stay informed about something as important as LastPass.
     
  21. 142395

    142395 Guest

    Maybe the best finding within several months in Wilders for me!
    Great, thank you Mayahana for your decoration method!
    I, like some guys, use my algorithm for password but still use LastPass & Norton ID safe for convenience (automatic filling) and also for central management of dozens of accounts.
    I can re-generate password by algorithm but remembering all about what account I made is quite hard for me.

    My algorithm already includes 'decoration suffix' so I have deleted all of them from all passwords, but LP have 'history' feature so I had to delete each accounts and recreate one by one and even after that I had to remove history of deleted accounts.(-。-)=3

    I also deleted part of my email account info e.g. changed "examaple.2718@anymail.com" into just "example." so even if adversary hacked this account he still can't know my email (that email account itself is not in LP from the beginning)

    Anyway, besides that decoration staff, I appreciate all you guys here for valuable discussion!:thumb:
     
  22. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    My pleasure Yuki. Decoration method is largely considered to be unbreakable unless the system is keylogged, and if that's the case nothing much will help that anyway

    My decoration method is used to protect some pretty big secrets. I am unsure why this isn't shared with the masses as the method of choice? A few simple characters appended to the end of passwords in password managers would completely negate potential risk of compromise of those password databases. It's viewed as a three factor authentication, following TFA.. Maybe the snoops don't want the public to be using more advanced methods? This way you can trust LastPass for convenience, and whatever security they offer, then secure it beyond that to where even LP doesn't have everything needed to access your accounts.

    Any single compromise doesn't defeat you. We saw above a 'theoretical' compromise of LP was possible, but using decoration STILL would have protected you. As you note, it can take some work to setup decoration but really is worth it once you deploy it and have a system to keep them maintained.

    I am beginning to wonder if my revealing the decoration method here was the first time the method has been disclosed, and explained in detail? I'd be curious to see if it was disclosed anywhere else.
     
  23. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
  24. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Interesting, a similar concept for sure. One reason I like my method is because you can have ridiculously strong, long passwords managed by LP, then affirm their integrity with your decoration. To me, it's foolproof unless someone can probe your mind and figure out your method of decoration, or keylogger your system.

    I will eventually share some methods to stop harvesting of data by privacy violating organizations. Snowden broke some of this to the masses, but I was dealing with this a decade or more ago. Essentially for EMF harvesting (keystroke leaks from USB pulses, etc) what you do is introduce EMF-Chaos into a room with sensitive gear. They can't parse the data effectively with the EMF chaos. It's like a woodpecker on the window for a laser microphone. A true variable pink-noise generator also defeats much technology for snooping. We were coating rooms in grounded carbon paints almost 2 decades ago to contain the WiFi. Another fun thing are Air Chokes(Baluns) to drop off RF so the RF resonating on your lines isn't able to be sniffed outside of the location. So much fun stuff, unfortunately much of the public isn't aware of the really advanced methods of spying/snooping/harassment. Snowden exposed quite a good number of them, I wonder what else they will expose from his documents? I can't believe these sensitive locations, like the German Chancellors office weren't taking precautions. I use more precautions in my home than some of these high value targets, and I find that sad.

    Anyway, decorate your passwords and password privacy isn't an issue anymore.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    People distrust LastPass because for some reason they think that ridiculously complex attacks are viable, or even likely. The fact of the matter is that LastPass provides convenience, and the greatest attack vector against it is the same one every local manager or anything else will have - an infected computer.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.