I think LastPass is a great consumer product because it allows users to conveniently utilize unique strong passwords for each site they use it with. It does encryption locally, but the fact that I can set it up on one computer/device and then use it on another computer/device seems to indicate that there must be some security trade-off for its consumer-friendliness. For example, the salt element of the password derivation algorithm presumably must reside on their server rather than on my own computer/device. Is my understanding correct? (Pardon me if anything I've said is uninformed, I'm not a cryptographer).
4 Answers
If you're looking to compare a cloud service like LastPass to a local application such as KeePass, then yes, there is a security tradeoff.
With an application such as KeePass, where you have full control over the storage of your password database (presuming you're not putting it up on DropBox or something), the only attack surface you have to worry about is your own system and the devices on which your password database is stored. Generally speaking, these are not likely to be subject to targeted attacks (or, as the media likes to call them, APTs). As long as you follow regular security best practices on your system (apply software updates, use antivirus, keep a properly configured firewall and/or router between you and the Internet, etc.), your password database is probably safe from Internet-based threats.
Note that I am not comparing local threats (involving physical access) here, because this is something that affects both options pretty much equally - you must have a local copy of your password database somewhere in order to use it, so you will be equally vulnerable to physical threats regardless of whether you use a cloud-based or local-only solution. That is not to say these systems are especially weak against local threats - protecting the database with a strong password and encryption algorithm largely mitigates this - but that one is not likely to be much better than the other in such scenarios.
In the case of LastPass and other cloud-based password managers, the attack surfaces and associated threats are much larger. Their systems are always on, and are very high-profile and high-value targets. If someone ever totally pwns LastPass, there's no telling what sort of systems they might find access to. While I'm sure they take their site security very seriously, they are likely subject to just as many attacks as any of the other user-trusted services that have been hacked recently. As the saying goes, it's not a question of if they will be hacked - just a matter of when. On top of that, you still have to worry about the security of your own system(s) which synchronize with LastPass.
Are LastPass or other cloud-based solutions a tradeoff of security for usability, compared to locally-managed options such as KeePass? Absolutely. Is it worth it? That's for you to decide.
EDIT: To clarify on the issue of what is stored on LastPass' server...
They don't just store data for hashing/salting your master password on their server. Though that is an important, key piece of information to be worried about, the real concern should be that they need to store everything that you want synchronized between your devices on their systems. That is, if someone ever does hack LastPass and cracks your master password from their database, they will be able to access all passwords and other details that you have synchronizing between your devices without ever having to actually touch your own devices.
With a locally stored database, like KeePass uses, you don't have to worry so much about such attacks. That is not to say it would be impossible for someone to break into your KeePass database over the Internet. It's just much less likely they will be trying to, and it is a much easier threat for you to mitigate yourself. (Besides, if an attacker across the Internet can crack open your KeePass database - and you use the same system to log into the things for which the database holds passwords - you're probably pwned enough already that it wouldn't matter anyway.)
Thanks. How about the specific security issue I asked about? – Dan Aug 24 '12 at 16:44
@Dan I'm not sure what part of your question is left unanswered. Could you clarify? – Iszi Aug 24 '12 at 17:40
Sorry, I guess you did in fact answer, my mistake. Thank you kindly. :) – Dan Aug 24 '12 at 17:49
Against a one-time compromise of their database, LastPass is safer than losers like LinkedIn because they use an appropriate password hash (PBKDF2). This means each password attempt has a certain cost in CPU time, e.g. 1 second on a certain CPU. (They actually let you tune this cost yourself.) It would then take roughly 5 CPU-days to guess a 20-character "fully random English" passphrase... and 1.5 CPU-years to guess a 30-character one.
If I understand their system correctly, a persistent compromise of LastPass would be no worse. Which is nice.
Source: http://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/
If the alternative is to use the same password across a large number of sites, in order to have a hope of remembering it, then LastPass is much better. At least one of those sites will be as clueless as LinkedIn or Blizzard, and can be expected to leak the password at some point.
Using LastPass across multiple devices doesn't necessarily make it weaker, although you do not have access to some two-factor authentication methods with some devices. For example, I can't (easily) use my yubikey with my phone. However, there are some countermeasures that help, such as the ability to restrict login only from certain mobile devices or trusted computers.
As for salts, they state that they use a 256-bit salt on the server as well as client-side salts that are stored locally, although they don't clearly state how those are synchronized across devices. Most likely each device has its own local salt. This could easily be verified as the client-side code is all visible in JavaScript.
Furthermore, as for PBKDF2, they perform a number of rounds locally (using PBKDF2 and SHA256) before sending the hash to the server, where more rounds are performed on the server side. You could argue that the process of splitting this up could make the encryption stronger than local-only solutions. In other words, if someone compromised either your local database or their master database, there would be elements of the hash (for example, the salt or the derived hash of the password) that would not be available. In the case of a server compromise, they would not know the salts or the number of rounds used to create the SHA256 hash sent to the server.
Looking into this a bit more, it appears that the client-side salt is actually SHA256(username+password). Here is a page that reveals quite a bit about how the client-side encryption works: https://lastpass.com/js/enc.php – Mark Burnett Aug 25 '12 at 00:49
"For example, the salt element of the password derivation algorithm presumably must reside on their server rather than on my own computer/device"
LastPass uses PBKDF2 with SHA-256 for their password hashing. Your data key is calculated as follows:
DK = sha256("foo@example.com" + password)
This is not sent directly to LastPass, it is hashed first:
key = sha256(DK + password)
and they store this value hashed with a salt on their server:
stored_value = sha256(key + 256 bit salt)
See here for further details on how LastPass secures your data.
The trade-off from a password manager that is local only, such as KeePass, is that your data is "in the cloud" rather than on your local machine only. However, many people like to have portability so they will put their KeePass database on Dropbox. However, the difference here is that when you unlock your password database you do not give your key to Dropbox.
With LastPass, you give your key to the local LastPass application that stretches and hashes it and then sends it to the LastPass server. LastPass also offer a browser extension and allow you to log into the website directly. In each case the hash is calculated in the same way. Now, if LastPass was compromised in such a way that they could push out some new client-side code to send the unhashed password to the attacker instead, this is a type of attack that would be possible on LastPass but not KeePass. The risk of such an attack is very low, assuming LastPass have a secure, monitored network with intrusion detection systems in place. This is your risk to judge when using the software, which is the price you pay for convenience.
As you say in your question, having your database synced on multiple devices increases the risk that they are subject to attack. Having a strong key for your account is critical to the security of your database. The mobile app also allows you to remain logged in, and to secure the app from access via a PIN or fingerprint. Of course this is a lower security level than that of your master password in terms of access, however there is also less chance of someone else seeing you type your master password when out in public. The fingerprint option also means that if someone steals your phone they cannot enter any PIN. They would need to execute a memory attack on the phone to read your database, and whether that is feasible or not is unknown.
Also, having the application installed on many devices increases the chance of malware compromising your password or the database itself. You can protect against any password sniffing by using a Yubikey or other two factor authentication tool, such as Google Authenticator. LastPass also allow you to protect your offline databases with the Yubikey, by encrypting the local version with the public identifier as well as your password.
In my opinion LastPass offer good security with reasonable convenience. For most end users, convenience is key (see what I did there?) when using a security product. I think there's more chance of getting regular users on board with security with the extra convenience of accessing their password from anywhere, rather than only allowing access from their main PC (or memory stick they may forget, or cloud that they may never be bothered to setup). For others, the extra risk of their vault being held by a third party is unacceptable and will go down the KeePass route.
"if LastPass was compromised in such a way that they could push out some new client-side code to send the unhashed password to the attacker instead, this is a type of attack that would be possible on LastPass but not KeePass" Unfortunately incorrect. KeePass establishes an outbound network connection to check for new versions, a compromised client could exfiltrate secrets via that connection that normally carries no secrets just as easily as a compromised LastPass could reveal secrets over a connection that normally carries only a hash of the secrets. – Ben Voigt Apr 04 '22 at 22:00
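The split derivation described in the last two answers (PBKDF2-SHA256 rounds on the device, a hash sent to the server, further salted rounds there) can be sketched as follows. This is an added example, not LastPass's code and not part of any answer; the round counts, the use of the username as the client-side salt, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5000      # assumed value; the answers say the user can tune this
SERVER_ROUNDS = 100_000   # assumed value for the extra server-side rounds

def client_derive(username: str, password: str, rounds: int = CLIENT_ROUNDS):
    """Runs on the device. Returns (vault_key, login_hash)."""
    pw = password.encode()
    # Assumption: the username acts as the client-side salt, so every device
    # derives the same key without fetching or syncing a salt.
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, username.lower().encode(), rounds)
    # A further one-way step yields the value sent for login; knowing it
    # does not reveal vault_key, which stays on the device.
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)
    return vault_key, login_hash

def server_enroll(login_hash: bytes, rounds: int = SERVER_ROUNDS) -> dict:
    """Runs on the server. Stores only a salted, stretched form of login_hash."""
    salt = os.urandom(32)  # 256-bit per-user salt, as mentioned in the answers
    stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, rounds)
    return {"salt": salt, "rounds": rounds, "stored": stored}

def server_verify(record: dict, login_hash: bytes) -> bool:
    """Recompute the stretched value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", login_hash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["stored"])

def demo() -> dict:
    # Constructed sample credentials, not real ones.
    user, pw = "foo@example.com", "correct horse battery staple"
    key_a, login_a = client_derive(user, pw)   # device A
    key_b, login_b = client_derive(user, pw)   # device B, no shared state
    record = server_enroll(login_a)
    _, wrong = client_derive(user, "wrong guess")
    return {
        "same_key_on_both_devices": key_a == key_b,
        "login_ok": server_verify(record, login_b),
        "wrong_password_rejected": not server_verify(record, wrong),
        "server_never_sees_vault_key": key_a not in (login_a, record["stored"]),
    }

if __name__ == "__main__":
    print(demo())
```

An attacker holding only the server record must pay both the server and client round counts per password guess, which is the per-guess cost the second answer refers to.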