PRISM and LastPass

Discussion in 'privacy problems' started by lordraiden, Jun 13, 2013.

Thread Status:
Not open for further replies.
  1. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,067
    Has anyone heard anything that could relate LastPass and PRISM?
     
  2. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    It's a web company; they, their servers, their staff or their software could be tied in in some way. Simply put, never trust anyone else with your passwords.
     
  3. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
  4. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I remember reading a while ago that LastPass was offering users the possibility to check how strong their passwords are. I don't see how this can be done without LP decrypting every password you stored on their servers, so I think that is a problem.
     
  5. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Last edited: Jun 13, 2013
  6. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    Yeah as long as LastPass does everything they claim it does, your data is pretty secure. They use AES-256 with PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds, all of which is basically good standard encryption/password-storing protocol.

    The only issue, of course, is confirming what they say about all the encryption/decryption being done client side.

    One suggestion is to use the Non-binary Chrome, Firefox, Opera, or Safari extension, which is 100% JavaScript, and use network sniffing with a proxy to see that the sensitive data is encrypted before being sent.

    Then you simply wouldn't update/upgrade your extension until you want to audit it again. The employee says "you could also audit the way we interact with the binary extension to decide if you trust that."
     
  7. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Thanks for the info.
     
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Encryption can be breached easily thanks to the power of GPUs. If you want something to be private, never put it online, not even for a backup. Privacy means do not trust anyone.
     
  9. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    I can't tell if this is sarcasm or completely serious. I really hope the former.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I can see a large increase in use of open-source software. There are many great products out there that are open-source that the masses do not know about. It's about time they started supporting those they can trust. Well, I don't really trust anyone, but I have more trust in open-source software out of all the options available. It's just not practical to do everything person to person.
     
  11. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Due to the last news from the NSA "affair" I decided to revert 100% to Keepass and delete my Lastpass account.

    I believe it's still a secure system, but for sure I am not going to fully trust any security-related US company, until maybe some more information is disclosed.
     
  12. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    Given what we now know, the federal government is inserting itself into the design and development process. So it's not a question of brute-forcing encryption, but rather of them subverting proper implementation. With the exception of encrypting the data yourself, the majority of users will need to rely on open-source alternatives, while avoiding off-site storage and storage on networked devices. I can understand protecting this data from criminals, but do we honestly still think they need our login information if they are this close to hardware and software development?
     
  13. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
  14. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    Just to offer an alternative, I prefer Bruce Schneier's Password Safe (which I talk about and begin to compare to KeePass in the section called "Extras" here). One thing I like about Pwsafe over KeePass is the option of a nested tree view, which is what I pretty much always use. KeePass doesn't offer this.

    Also, as Schneier recently mentioned, there is a command line option to encrypt any file, making it a handy, portable encryption tool as well.

    The steps for importing a LastPass database are largely the same as outlined with KeePass (if not fewer).
     
    Last edited: Sep 9, 2013
  15. tlu

    tlu Guest

  16. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    If you like/use LastPass (I'm not trying to convert anyone to it)...

    It seems to me, if the NSA (using PRISM or whatever) is able to capture and decrypt our web credentials (as we use them), LastPass is not the concern. From what I understand, there is no evidence that anyone else besides the NSA could pull off decryption at this level/scale. So in my mind, LastPass is just as viable as it has been. And the NSA has nothing more than what they have already grabbed via PRISM.

    Bottom line for me is that until I feel LastPass is unsafe from anyone besides the NSA, I'll continue to use it.
     
  17. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
    No security company will ever say "Yes, we cooperated with the government and made it easier for them to access your data". :rolleyes:
    For companies in business in the US it is illegal to say so even if they want to.

    So you still have to trust that they are telling the truth when they claim such stuff.

    I use LP but I do not trust them 100%.
     
  18. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
    Many LP users use their free service.

    How does LP make money from that? What is the benefit to LP?
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Market share, word of mouth, (upgrade) ads, universal recognition, and increased dependence (especially with mobile).
     
  20. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    ...all the same stuff they'd get if they were completely open source. Which makes their lame excuses in the comments largely irrelevant.
     
  21. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Think of LP as storing a KeePass .kdbx file on their server. When you log in, they send you the encrypted file, and it is opened on your machine...just like a .kdbx file, or TC container is. NSA could get the file, assuming they coerced the SSL/TLS keys, or can break it outright, but what to do with the file? If you use a weak master, you're toast, but if not, they would need an AES break I would think. If they have that, any AES TC container in DropBox is toast too, etc...

    I'm less "they can't do that" since June, but I still use LP. LP makes money off mobile - $1 a month. I bought it to support the company, but I rarely use it on mobile.

    PD
     
  22. Grassman20

    Grassman20 Registered Member

    Joined:
    Jul 14, 2013
    Posts:
    26
    Location:
    USA
    I'm with PaulyDefran here. I think LastPass is safe. They offer a great service and run the security exactly like they should.

    Steve Gibson did an in-depth analysis of their security a while back and had great things to say. He also revisited the issue on the Security Now episode yesterday (9/11/2013) where he discussed LastPass in light of the recent NSA revelations.

    Based on his analysis and everything else I've seen, I'm completely comfortable trusting their service.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  24. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    No...as I said you cannot be sure that's how it works without avoiding the binaries and using only the javascript (after auditing it, of course) and then not updating until you're ready to comb through the code again.

    Outside of that, just as I pointed out with cloud encryption, you're simply taking them at their word that:

    a) they're not lying

    b) they implemented the encryption scheme properly and securely

    c) they won't flip the script on you (literally) and grab your key (e.g. at the request of government authorities, perhaps?)

    This Mitro service looks interesting, and seems to try to address those issues by offering a browser plugin instead, but ultimately it's the same process to ensure your security: audit the code, and don't update until you're ready to do it again.

    One more time: If you want something encrypted, do it yourself locally, and upload only encrypted files. Don't simply trust that some service is doing it for you.
     
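To make concrete what the posts above are arguing about, here is an added example (written for this thread; it is not LastPass's code and does not describe their actual protocol) of the client-side model as post #6 states the parameters: a PBKDF2-SHA256 derivation with 100,000 rounds over a 256-bit salt producing an AES-256 key, the vault encrypted locally with that key, and only ciphertext plus public values going to the server. The `loginHash` step is a hypothetical construction added to show how a server can verify a login without ever receiving the vault key; the thread does not say how LastPass does this. `LeaksCanary` is the check posts #24 and #25 describe doing with a sniffing proxy, applied to the bytes that would go over the wire: plant a unique marker in a vault entry and confirm it never appears in the outbound payload in the clear. All names, the sample vault and the canary string are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Parameters as quoted in the thread: PBKDF2 with SHA-256, 100,000 rounds,
// a 256-bit salt, and AES-256 for the vault itself.
const (
	Rounds  = 100000
	SaltLen = 32
	KeyLen  = 32 // AES-256
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA256 as the PRF,
// hand-rolled here so the example only needs the standard library. It yields at
// most one hash block (32 bytes), which is all an AES-256 key needs.
func pbkdf2SHA256(password, salt []byte, rounds, keyLen int) []byte {
	if keyLen > sha256.Size || rounds < 1 {
		panic("pbkdf2SHA256: unsupported parameters")
	}
	prf := hmac.New(sha256.New, password)
	var blockIndex [4]byte // INT(1): big-endian 32-bit block counter
	binary.BigEndian.PutUint32(blockIndex[:], 1)
	prf.Write(salt)
	prf.Write(blockIndex[:])
	u := prf.Sum(nil) // U_1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...)
	for i := 1; i < rounds; i++ { // U_j = PRF(P, U_{j-1}); T = U_1 xor ... xor U_c
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:keyLen]
}

// ServerRecord is everything the client uploads. Note what is absent: neither
// the master password nor the derived vault key ever leaves the client.
type ServerRecord struct {
	Salt      []byte // random per account, stored in the clear
	Nonce     []byte // AES-GCM nonce, stored in the clear
	Blob      []byte // AES-256-GCM ciphertext and tag of the vault
	LoginHash []byte // hypothetical login token (see loginHash)
}

// vaultKey derives the AES-256 key from the master password, entirely client-side.
func vaultKey(master string, salt []byte) []byte {
	return pbkdf2SHA256([]byte(master), salt, Rounds, KeyLen)
}

// loginHash is a hypothetical construction (not from the thread): one more PBKDF2
// step over the derived key gives the server a value to compare at login that
// cannot be turned back into the vault key.
func loginHash(key []byte, master string) []byte {
	return pbkdf2SHA256(key, []byte(master), 1, KeyLen)
}

// EncryptVault is what the client does before anything goes over the wire. Pass
// nil for salt and nonce to have them generated with crypto/rand; explicit values
// make the result reproducible in tests.
func EncryptVault(master string, vault, salt, nonce []byte) (ServerRecord, error) {
	var err error
	if len(salt) == 0 {
		if salt, err = randomBytes(SaltLen); err != nil {
			return ServerRecord{}, err
		}
	}
	key := vaultKey(master, salt)
	block, err := aes.NewCipher(key)
	if err != nil {
		return ServerRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return ServerRecord{}, err
	}
	if len(nonce) == 0 {
		if nonce, err = randomBytes(gcm.NonceSize()); err != nil {
			return ServerRecord{}, err
		}
	}
	if len(nonce) != gcm.NonceSize() {
		return ServerRecord{}, errors.New("bad nonce length")
	}
	blob := gcm.Seal(nil, nonce, vault, salt) // salt as AAD binds the blob to the account
	return ServerRecord{Salt: salt, Nonce: nonce, Blob: blob, LoginHash: loginHash(key, master)}, nil
}

// DecryptVault is the local step after the server hands back the record. A wrong
// master password or a modified blob fails GCM authentication rather than yielding garbage.
func DecryptVault(master string, rec ServerRecord) ([]byte, error) {
	block, err := aes.NewCipher(vaultKey(master, rec.Salt))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, rec.Nonce, rec.Blob, rec.Salt)
	if err != nil {
		return nil, fmt.Errorf("vault did not authenticate (wrong master password or tampered blob): %w", err)
	}
	return plain, nil
}

// Wire is the byte stream a sniffing proxy would see on upload.
func (r ServerRecord) Wire() []byte {
	return bytes.Join([][]byte{r.Salt, r.Nonce, r.Blob, r.LoginHash}, nil)
}

// LeaksCanary reports whether a planted marker appears in the outbound bytes in the clear.
func LeaksCanary(outbound []byte, canary string) bool {
	return bytes.Contains(outbound, []byte(canary))
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func main() {
	// Constructed sample vault with a canary value to look for on the wire.
	vault := []byte(`{"example.com":{"user":"alice","password":"CANARY-7f3a-constructed"}}`)
	rec, err := EncryptVault("correct horse battery staple", vault, nil, nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes; canary visible in the clear: %v\n",
		len(rec.Wire()), LeaksCanary(rec.Wire(), "CANARY-7f3a-constructed"))
	back, err := DecryptVault("correct horse battery staple", rec)
	fmt.Printf("decrypted locally: %s (err=%v)\n", back, err)
	_, err = DecryptVault("wrong password", rec)
	fmt.Println("wrong master:", err)
}
```

The point the example makes is the one PaulyDefran raises: if the server only ever holds `Wire()`, a weak master password (fast to guess through 100,000 rounds) is the realistic failure, not the ciphertext itself. The canary check verifies the client-side claim only for the code you actually ran, which is why the thread insists on auditing the JavaScript and freezing updates afterwards.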
  25. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    Steve Gibson is a hack. He's like the Dave Ramsey of the security world.

    The only analysis that matters is an audit of the javascript. Who has done that? When enough people have done that, and not a single one raises any suspicion, and after you've done a test run and sniffed your packets and confirmed that everything is encrypted before it's sent...then I'd say you have decent reason to feel secure. Outside of that, you're just trusting a company running a closed-source service at their word.


    Bingo.
     