1

I'm trying to figure out how secure LastPass is if you have it on your Android device and it gets stolen. If I'm not mistaken there has to be a password vault stored somewhere locally on the device.

Would it in that case be enough to just keep trying to brute force the LastPass password until successful? Does this answer my question?

What about when using two-factor authentication, would that make it any harder (with no access to two-factor authentication) in this case?

danizmax
  • 113
  • 5
  • 1
    Everything can be bruteforced given enough time and resources. Is it really the question? Or is it about methods other than brute force? – techraf Jun 02 '16 at 08:13
  • @techraf There is still a second question... Would two-factor authentication like Google Authenticator prevent brute-forcing or at least make it harder... – danizmax Jun 02 '16 at 08:54
  • Authentication to what? There's no authentication to a file. – techraf Jun 02 '16 at 08:57
  • 1
    You can't really apply 2FA to a file - it applies to a system to prevent access, but requires some verification process. A file doesn't have that - it can't check for a specific value being entered at a given time, since it doesn't know what the time is, and doesn't have the ability to execute code itself. A decryption program could implement some checks, but would be limited by the system it runs on - if it checked time-based requirements, say, it could be fed false data. Additionally, by rewriting the decryption program, these checks could easily be bypassed. – Matthew Jun 02 '16 at 09:02
  • @techraf so what you're saying is that something like a Google Authenticator code is not checked against LastPass password store data and can be avoided by using custom cracking software for cracking the password. Note I'm asking specifically about LastPass and it's not a theoretical debate. – danizmax Jun 02 '16 at 09:02
  • 2FA in LastPass is used for authentication to the online service only, not the password db. – techraf Jun 02 '16 at 09:05
  • I see... Thanks for the clarification... if you guys write your responses as answers I can give you credit. – danizmax Jun 02 '16 at 09:08

1 Answer

3

Making a brute-force attack the only possible option is a desired feature of a security system.

This "only" would mean there are no weaknesses in the algorithm or implementation and the system could be broken only by trying all combinations of possible passwords.

On top of making sure a brute-force attack is the only possibility, it should also be made difficult to perform.

In the case of LastPass' database (an offline, encrypted file) the countermeasures are limited, but both the system design and the user have influence over the effectiveness of an attack.

First: the database is protected with a key derived from a password using PBKDF with a specified number of iterations, which increases the time required for confirming each guess attempt.

Users need to set the number of iterations of PBKDF high to the point they can bear the time required for opening the database on their devices (this can vary for PCs and mobile devices).

Second: users must use strong passwords to make the brute-force attack harder (possibly to the point of infeasibility).


Two-Factor Authentication in LastPass does not protect the password database, but access to the online service which provides the user's encrypted password database.

Once the database is downloaded it is a static encrypted file and second-factor authentication is not necessary to decrypt it.

techraf
  • 9,141
  • 11
  • 44
  • 62