I am a Premium user of Lastpass app and I love it, but I don't know how safe is it to put all my passwords in the cloud?
Asked
Active
Viewed 422 times
1 Answers
4
Depends if you trust Lastpass developers, sysadmins, and legal team.
Lastpass claim to use AES, with a HTTPS connection to their server, sending encryption code to a browser from their servers, so your computer/device performs the encryption with a master password which they never see. The encrypted passwords are then sent to their server.
What could go wrong?
The AES code could be incorrect, or, worse, malicious. There might be a backdoor in it with a long secret password they can use to view your passwords.
They might actually send the master password to their servers, maybe through difficult to detect means, so they can see all your passwords.
Someone might have hacked their servers and replaced the code with a version that had the above behaviour, but which sends the data to a third party.
Someone might have managed to steal the server certificates, and performed a MitM attack against you.
A government might have compelled Lastpass to replace the normal code with malicious code, and their legal team may have complied.
Are these likely?
Hard to say - but all are possible.
So...
If they are operating exactly as they claim, keeping servers secure from tampering, ensuring certificates are kept properly, and resisting government interference, theoretically, AES encrypted password data should be fine. But there are a lot of things that could go wrong.
Personally, I use their service, but I wouldn't if I was storing nuclear launch codes!
Matthew
- 27,233
- 7
- 87
- 101