Yes, and Microsoft did not release data from EU servers. So, so far it worked. So you can use lastpass.eu data centers, beta only currently, as lastpass is doing the papers to register the company in the EU. BUT EU law enforcement can still ask for the access. Bottom line... you face the same issue. As lastpass has no key to decrypt lastpass data, it's just the same... US or EU. And as already said, the NSA couldn't care less about your lastpass database as they have other means to tap you.
I think your "Cipher Salting" approach is a good defence against those issues (although I think I'd prefer to call it "decoration" rather than salting which has a technical association with hashing) - but clearly does not protect against other threats (in addition to keyloggers), such as MITB, MITM etc. That's why we need good TFA on the websites themselves, and that's why it's annoying that the industry is so slow to adopt a decent privacy protecting standard - funny that..... In a way, using Lastpass (or other password managers) is a necessary evil till that day arrives.
Tested for a while (I have two lifetime licences) but dropped because of lack of 2 factor auth. They told me it's under development and should be ready in 2014. We are almost in November now..
I can't believe they don't have TFA yet, I do recall when I purchased the lifetime packs they said TFA was 'coming'.. My 'decoration' or 'cipher' method makes TFA more of a formality anyway in my case, but it would still be nice to have it, and should be an option available for anyone.
The authors note that their attacks on the password managers were "severe". There were more issues with bookmarklets and password sharing. Password sharing in particular seems like a bad idea. Do you know if any of the documented vulnerabilities have been exploited in the field?
That's the problem with a lot of these tests, they factor synthetic environments. Hacker tournaments start by testing hackers' ability to compromise from remote, then progress into more direct hacking with access to the machine physically. Personally I do not have sharing of any kind activated on any password managers. But again my 'decoration' mode would defeat that because you are sharing a password without the decorations, hence useless. You share Skype PW with Joe-Bob, which is: 4oAecs0:K1%PT"6@~~'O Knowing that is useless, as my cipher/decoration for that 'type' and 'link' is: 4oAecs0:K1%PT"6@~~'O!kype92JoT The MANUAL salt is !kype92JoT which is based off of an undocumented, personal algorithmic method. Which is why we used this method at a defense contractor I worked for, and I believe it's a method to ensure ultimate security against all known NON-Keylogger/NON-MTM types of assaults. If someone has keyloggered you, not much you can do anyway. Atkinson was hacked with state sponsored malware, and it achieved access to her system through her clicking a file sent through email. Ultimately there isn't much you can do if you 'click' stuff randomly. Ultimately it will be revealed that Atkinson wasn't very intelligent in her use of security, passwords, and encryption. So use a password manager, then develop your own salting/decoration method, and give yourself 'quantitative' security improvements for no cost, and little hassle. I could post my entire Lastpass database as a text file here, and it's going to do you no good unless you can brute force a 10 mixed character decoration appended to each one. So let's all use this method, and not fuss with arguing if this or that is secure, make them all secure!
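The post above describes a per-site suffix derived from the entry's 'type' and 'link' by a personal, undisclosed method, so that the vault holds only the base password. The Python below is an added illustration written for this thread, not Mayahana's method or any password manager's code: it substitutes HMAC-SHA256 under a memorised secret for the undisclosed personal algorithm, uses constructed vault entries (the passwords are not real credentials), and adds a toy relying site with salted PBKDF2 storage so the effect of a leaked vault can be checked end to end. The function and variable names are all assumptions made here.

```python
"""Per-site 'decoration' suffix layered on top of a password manager vault.

The vault stores only the base password; the suffix is recomputed from a
secret the user never writes down, so a leaked vault alone does not log in.
"""
import hashlib
import hmac
import os
import string

# Mixed character set for the suffix: letters, digits and a few symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*:"
SUFFIX_LEN = 10  # the thread talks about a 10 mixed-character decoration

# Constructed sample vault entries (not real credentials): what the manager stores.
# Both deliberately share the same base password to show the suffix differs per site.
VAULT = [
    {"type": "chat", "link": "skype.com", "password": "4oAecs0:K1%PT6@~~O"},
    {"type": "mail", "link": "example.net", "password": "4oAecs0:K1%PT6@~~O"},
]


def decoration(memorised_secret: str, site_type: str, link: str,
               length: int = SUFFIX_LEN) -> str:
    """Deterministic per-site suffix from (type, link) under a memorised secret.

    HMAC-SHA256 is the assumed stand-in for the post's personal algorithm:
    without the secret, the base password says nothing about the suffix.
    """
    msg = f"{site_type}\x00{link}".encode()
    digest = hmac.new(memorised_secret.encode(), msg, hashlib.sha256).digest()
    # Expand the 256-bit digest in base len(ALPHABET) so each position is
    # near-uniform (plain byte % len(ALPHABET) would be biased).
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def full_password(entry: dict, memorised_secret: str) -> str:
    """What is actually typed at the site: vault password + decoration."""
    return entry["password"] + decoration(memorised_secret, entry["type"], entry["link"])


# --- toy relying site, so a vault leak can be tested end to end ---

def site_register(password: str) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 hash the way a well-behaved site would."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)}


def site_verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], 200_000)
    return hmac.compare_digest(h, record["hash"])


def vault_leak_outcome(entry: dict, memorised_secret: str) -> tuple:
    """(login works with the vault password alone, login works with decoration)."""
    record = site_register(full_password(entry, memorised_secret))
    return (site_verify(record, entry["password"]),
            site_verify(record, full_password(entry, memorised_secret)))


if __name__ == "__main__":
    secret = "something only the user remembers"  # never stored in the vault
    for e in VAULT:
        print(e["link"], "suffix:", decoration(secret, e["type"], e["link"]),
              "leak outcome (vault only, decorated):", vault_leak_outcome(e, secret))
```

As the thread notes, this only covers the vault-compromise case: a keylogger or man-in-the-browser sees the decorated password as typed, and the scheme stands or falls on the memorised secret never being written into the vault.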
I guess bypassing in a synthetic environment keeps us humble but unfortunately it sometimes causes people to lose confidence in a system which is nevertheless exponentially more secure than what the vast majority use. By the way, I don't see how to actually disable password sharing in LastPass; is there a setting for that?
Yes, I keep my feet on the ground by thinking about the way I used to run - weak web passwords with many duplicates, it couldn't have been much worse! .... Plus LastPass are a company dedicated to what they do, you pay for the service, and they seem to be doing sensible things. The way sharing works is that you have to specifically set that up in your account (only works with paid accounts), and then you nominate whether a particular site is going to be shared with the other account(s) or not. There's obviously more vulnerability that way, but it is really convenient and you can be selective about what you share. It's one of these risk things, the convenience of me and spouse being able to access shared accounts for not desperately important things (where the exposure and damage is limited) is a pretty good trade-off. In any case, I don't put any sensitive (master or financial) passwords into LP regardless. And you can also use Mayahana™'s decorative method (which can also be done selectively). As others have noted, having TFA is pretty essential for the password manager itself.
Sorry I was thinking of Passwordbox, which has the ability to disable any kind of sharing. I've been testing Passwordbox this week and really like it, but I am puzzled as to why there isn't TFA. Given my decorating method I am not all that concerned, but still... As for decorating, use it on crucial things, and things that can be used to engineer you. Facebook, Emails, Banks/Financials/CC's, Photoshare/storage, etc. A tremendous amount of hacks happen because of social engineering, so I would work pretty hard to contain those with decorations, same with email. If your email is compromised then your whole structure can fail.
Warning about Passwordbox. My network sniffer showed it sending data to Mixpanel, a datamining firm. Confirmed it does this on both mobile and desktop/laptop platforms! Bad form.
As your sig says, nothing is impossible; however, the main weaknesses in LastPass have to do with the user and not the software. For instance if the user chooses a master password that is so weak that it can simply be guessed then it doesn't matter how strongly the password is encrypted. Should the LastPass folks require that the master password be longer and more complex? If they did it would result in more people forgetting their master password and possibly losing access to their password vault permanently. As always the weakest link is the user. When properly implemented LastPass is exponentially more secure than the password management schemes most people use.
I just posted this info to let fellow members of this forum know about the issue. I am a die hard fan of LastPass.
This is a non-issue. As it would require some pretty selective malware, along with some pretty idiotic user behavior. Lastpass already addressed it anyway - just in case. Lastpass is probably the most secure password product because it's the most attacked, the most analyzed from what I can tell. They also reward people that find stuff that needs fixing, and in some cases place a bounty on exploits. Interestingly, some of the most paranoid IT people I know that work for pentest companies - use Lastpass. One of the most well known brute force password hackers, actually uses Lastpass.
Thanks to all for the continuing updates in this thread. Always good to stay informed about something as important as LastPass.
Maybe the best finding within several months in Wilders for me! Great, thank you Mayahana for your decoration method! I, like some guys, use my algorithm for passwords but still use LastPass & Norton ID safe for convenience (automatic filling) and also for central management of dozens of accounts. I can re-generate passwords by algorithm but remembering all about what accounts I made is quite hard for me. My algorithm already includes a 'decoration suffix' so I have deleted all of them from all passwords, but LP has a 'history' feature so I had to delete each account and recreate them one by one, and even after that I had to remove the history of deleted accounts. (-。-)=3 I also deleted part of my email account info, e.g. changed "example.2718@anymail.com" into just "example." so even if an adversary hacked this account, he still can't know my email (that email account itself is not in LP from the beginning). Anyway, besides that decoration stuff, I appreciate all you guys here for the valuable discussion!
My pleasure, Yuki. The decoration method is largely considered to be unbreakable unless the system is keylogged, and if that's the case nothing much will help that anyway. My decoration method is used to protect some pretty big secrets. I am unsure why this isn't shared with the masses as the method of choice? A few simple characters appended to the end of passwords in password managers would completely negate the potential risk of compromise of those password databases. It's viewed as a three-factor authentication, following TFA.. Maybe the snoops don't want the public to be using more advanced methods? This way you can trust LastPass for convenience, and whatever security they offer, then secure it beyond that to where even LP doesn't have everything needed to access your accounts. Any single compromise doesn't defeat you. We saw above a 'theoretical' compromise of LP was possible, but using decoration STILL would have protected you. As you note, it can take some work to set up decoration but it really is worth it once you deploy it and have a system to keep them maintained. I am beginning to wonder if my revealing the decoration method here was the first time the method has been disclosed, and explained in detail? I'd be curious to see if it was disclosed anywhere else.
https://www.wilderssecurity.com/thre...es-account-details.293992/page-2#post-1871826 Same thing, except you recommend lastpass instead of a 'base password'.
Interesting, a similar concept for sure. One reason I like my method is because you can have ridiculously strong, long passwords managed by LP, then affirm their integrity with your decoration. To me, it's foolproof unless someone can probe your mind and figure out your method of decoration, or keylog your system. I will eventually share some methods to stop harvesting of data by privacy violating organizations. Snowden broke some of this to the masses, but I was dealing with this a decade or more ago. Essentially for EMF harvesting (keystroke leaks from USB pulses, etc) what you do is introduce EMF-Chaos into a room with sensitive gear. They can't parse the data effectively with the EMF chaos. It's like a woodpecker on the window for a laser microphone. A true variable pink-noise generator also defeats much technology for snooping. We were coating rooms in grounded carbon paints almost 2 decades ago to contain the WiFi. Another fun thing are Air Chokes (Baluns) to drop off RF so the RF resonating on your lines isn't able to be sniffed outside of the location. So much fun stuff, unfortunately much of the public isn't aware of the really advanced methods of spying/snooping/harassment. Snowden exposed quite a good number of them, I wonder what else they will expose from his documents? I can't believe these sensitive locations, like the German Chancellor's office, weren't taking precautions. I use more precautions in my home than some of these high value targets, and I find that sad. Anyway, decorate your passwords and password privacy isn't an issue anymore.
People distrust LastPass because for some reason they think that ridiculously complex attacks are viable, or even likely. The fact of the matter is that LastPass provides convenience, and the greatest attack vector against it is the same one every local manager or anything else will have - an infected computer.