
Can an online password vault, like LastPass, be defended through a security assessment that demonstrates the value they provide outweighs the risks of being a high value target?

A valid answer should:

  • avoid "Is secure" or "Is not secure" in favor of benefits and risk

  • consider how LastPass specifically differs from storing password vault files on cloud-based password managers

Edited based on comments.

Dan O'Boyle
  • This may help: http://security.stackexchange.com/questions/45170/how-safe-are-password-managers-like-lastpass/45173#45173 – paj28 Sep 10 '15 at 18:04
  • Passwords have no valid reason to be in the "cloud", so they should not be in the cloud. – André Borie Sep 11 '15 at 14:16
  • @AndréBorie - There is a compelling reason for passwords in the cloud: to be able to login to any online service from any device. The real question is whether this can be done securely. – paj28 Sep 11 '15 at 18:38

2 Answers

3

LastPass is "safe" for most use cases. I suspect that Edward Snowden and Julian Assange do not use it however. (If you're not familiar with these guys, they're both on the run from the US government for releasing classified data).

An important feature of the LastPass design is that their cloud systems never see your passwords. All your passwords are encrypted on your device, using your master password. The LastPass servers only ever see the encrypted passwords. That is a major technical mitigation and makes me happy to use LastPass.

Safe does not mean zero risk. A colleague of mine found a Chrome zero-day that allowed any web site you visited to steal passwords from your LastPass vault. But all web browsers have had a number of similar vulnerabilities, and despite this, they are generally considered "safe" for typical uses.

paj28
  • But if LP is hacked and the attacker can alter the JavaScript that runs in your browser, the attacker can steal your passwords without LP ever having *knowingly* been involved. – Neil Smithline Sep 10 '15 at 17:41
  • You can use the website without the plugin. That uses downloaded JavaScript. – Neil Smithline Sep 10 '15 at 17:45
  • In a browser without the LastPass plugin (or a private browsing tab), go to https://lastpass.com and login. – Neil Smithline Sep 10 '15 at 17:48
  • @NeilSmithline - ok, that is new since I checked it out. Anyway, I'm going to leave my answer unedited. The point of "safe" is not zero risk. That you have pointed out an additional risk does not really change things. – paj28 Sep 10 '15 at 17:53
  • So if forced, LastPass would be unable to reveal your information. Is there a minimum standard for encryption today? I'm still trying to reform / edit this question. – Dan O'Boyle Sep 10 '15 at 17:53
  • Correct, they would be unable. There's some info [here](https://blog.lastpass.com/2015/06/lastpass-security-notice.html/). There are encryption standards; I believe LastPass follow them (not confirmed) – paj28 Sep 10 '15 at 17:56
  • Assuming you choose a long, random master password, I think the encryption of LP matches the industry standard. But that doesn't mean that the website can't be hacked to steal your data. Nor does it mean that LP won't release an insecure plugin or one with malicious code in it. Nor does it mean that a 0-day won't be found in your browser that allows someone to steal your data. – Neil Smithline Sep 10 '15 at 17:57
  • @NeilSmithline - as you clearly think that LastPass is not safe, can I encourage you to add your own answer. – paj28 Sep 10 '15 at 17:59
  • I use LP (with a 20-char cryptographically secure master password). I think that the problem is that the question asks for an objective answer to a subjective question so any answer is going to be wrong in some way. – Neil Smithline Sep 10 '15 at 18:02
  • You're still running code served by LastPass servers each time you log in... if their servers are compromised (or if the owners are malicious, or if the government forces them), nothing prevents them from serving you a malicious version of that code that also exfiltrates your master password. – André Borie Sep 11 '15 at 14:18
  • @AndréBorie - That is true for the web interface. I use the Chrome plugin (and have disabled auto-update), which protects me against this. But yes, valid concern. – paj28 Sep 11 '15 at 18:36
0

When possible, never use third parties to store sensitive data, for example passwords.

Just by taking a quick look at https://lastpass.com/how-it-works/, in theory they have taken all industry-standard precautions and should be safe if you trust them. They also allow you to store credit cards etc., so I'm sure at the very least they are PCI compliant (although I cannot answer with certainty whether they are required to be PCI compliant).

However, I can't find much information on the "cloud based platform" you are asking about. It looks to me like it's the same setup but just stores the data on their servers instead of your computer or device. (Is the data from their cloud service to your computer encrypted end-to-end? etc.)

Placing all of this data in a centralized location will attract more interest from an attacker. So always keep this in mind, but then again, if everything is done correctly, the attacker will not be able to obtain the data you would like to keep private.

702cs
  • Your last point about "if everything is done correctly" seems important. Is there a set of standards that say "Yes, when implemented this way, end-to-end encryption for cloud-based information is secure"? If we could answer that, I think I could craft my question better. – Dan O'Boyle Sep 10 '15 at 16:47
  • They don't really store passwords. They store long random strings of text. You don't have to trust LastPass. You can prove to yourself that they are doing "everything right" by sniffing the traffic as it leaves your system. You can see that plaintext passwords never go to the cloud. You can also prove to yourself that strong encryption is used. – mcgyver5 Sep 10 '15 at 17:04
  • But unless you sniff the data *and* examine the downloaded JavaScript every time you use the service, you really can't be sure that they're doing something bad. At some point you just have to trust that they're not dishonest and that they haven't been hacked. – Neil Smithline Sep 10 '15 at 17:39