16

According to the LastPass FAQ, employees of LastPass cannot see nor decrypt the stored passwords.

LastPass encrypts your Vault before it goes to the server using 256-bit AES encryption. Since the Vault is already encrypted before it leaves your computer and reaches the LastPass server, not even LastPass employees can see your sensitive data!

However, there is an option to use SMS Recovery in case of a lost Master Password.

One method of gaining access to your account after you forget your Master Password is to use SMS recovery to reset the password. This method, however, requires that you enable SMS account recovery in LastPass before you forget your Master Password. If you have already enabled SMS recovery for Master Password retrieval, do the following:

  1. Navigate to https://lastpass.com/recover.php, enter your email address, then click Continue.
  2. The system texts your phone a numeric code. Enter this code into your browser, and click Verify.
  3. Click Press to Recover Account.
  4. If Multifactor Authentication is enabled, authenticate yourself, but you must type the authentication numbers in your web browser for this step.
  5. When the next window appears advising that Account Recovery has been detected and that you must immediately change your password, click OK to proceed.
  6. Enter a new Master Password and a password hint (optional), then click Confirm.
  7. When prompted with a message that your password has changed and advising you to log out manually (if you are not automatically logged out), click OK to proceed.
  8. Once you have been logged off of LastPass, you can log back in again using your new Master Password.

This suggests that the stored passwords are decrypted without knowing the original master password and re-encrypted with the new master password. This all happens server side.

To me, it seems like LastPass employees could abuse this method to decrypt users' passwords.

Am I correct or am I missing something?

eKKiM
  • If an employee can break the logic flow of the SMS recovery functions and obtain the code, then the answer appears to be "yes". But that's different from "abusing" the method. – schroeder Aug 30 '18 at 08:49
  • Besides breaking the logic flow of the SMS recovery system, how can 'the system' decrypt the original passwords without knowing the original master password? – eKKiM Aug 30 '18 at 08:55
  • That's a different question. It appears that if you enable this function, your vault is encrypted with two separate keys. Either could decrypt the vault. There is not enough info here to determine how that is done or what the vulnerabilities are in its implementation. – schroeder Aug 30 '18 at 08:57
  • And this second key must be stored server side to perform this recovery. Thus accessible by LastPass employees. – eKKiM Aug 30 '18 at 09:00
  • That's why I say that there is not enough detail to come to that conclusion. We do not know what the key is or if it is "stored". – schroeder Aug 30 '18 at 09:48
  • I think what you're missing is that the recovery isn't performed server-side. It is performed in-browser, the same way the encrypt/decrypt of your Vault using the Master Password is. The SMS flow simply adds a 2nd decryption token (by re-encrypting your Vault using both the SMS token and the Master Password when you configure/enable SMS recovery). But, as the instructions indicate, you can mitigate this risk by enabling 2FA alongside, then you need the SMS recovery *plus* a valid 2nd factor. – Ruscal Jan 17 '19 at 22:37

2 Answers

16

Yes, it is a slight security risk, for the reason Conor Mancone points out. But no, it does not mean that LastPass stores your master password on their servers, and would-be hackers need to do more than just obtain the recovery SMS.

To use SMS recovery, you must have access to a computer and browser where you have previously used LastPass. LastPass generates and stores a recovery one-time password (rOTP) on your computer when you log in the first time on a new computer/browser. This rOTP essentially works like a second master password and is only stored locally on your computer, but is disabled until you request account recovery. The recovery SMS just activates the rOTP, allowing you to access and decrypt your vault using it, after which you can re-encrypt it using a new master password of your choice (the rOTP is disabled permanently after being used once).

Without access to a computer where you have previously used LastPass, SMS recovery won't work. This means that any hackers or LastPass employees that want to use it to access your vault would first have to get access to a computer where you previously logged into LastPass, and where you haven't taken steps to delete any traces it left behind.

More details are in the blog post announcing the SMS recovery feature. The LastPass help file you cite unfortunately is ambiguous and confusing on the rOTP part.

A more technical (and less ambiguous) description can be found in the LastPass Technical Whitepaper (I'm not sure that link is stable, so click "Technical White Paper" at the bottom of the Overview of LastPass Enterprise if it's broken). See page 10, under "Recovery".

korsbakken
  • This should be the accepted answer as it more directly relates to the OP's question on whether or not LastPass and its employees can decrypt the password vault (regardless of how strong their internal security measures are). However, it also raises a new point. If LastPass stores an rOTP on each browser it has been used in, then it stands to reason that someone might be able to use this rOTP independent of SMS or email. The article doesn't mention it, but I imagine that this rOTP is itself encrypted with a key that is fully or partially stored on LastPass's server, unlocked via SMS or email recovery. – BrianHVB Dec 28 '18 at 15:47
  • The rOTP doesn't necessarily need to be encrypted. The only way to use it is with the SMS or email, *or* by breaching LastPass servers. – korsbakken Dec 30 '18 at 06:13
  • LastPass servers store an AES256-encrypted copy of your vault, along with a copy of the key that has been encrypted using your master password, and additional copies encrypted with the OTPs. During recovery you get a link that allows you to download the rOTP-encrypted copy of the key. Without entering recovery, and getting the link from the recovery SMS or email, you can't download the rOTP-encrypted copy of the key. The rOTP is only stored locally on your computer, and the rOTP-encrypted key only on LastPass servers, and you need both. I have added a link to more documentation in the OP. – korsbakken Dec 30 '18 at 06:36
  • @BrianHVB agreed. Unfortunately of course only the OP can make that change. However, I did edit my answer to direct readers first and foremost to this question. – Conor Mancone Dec 31 '18 at 17:27
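To make the key layout korsbakken describes concrete, here is an added model (not LastPass code; the HMAC-SHA256 key wrap stands in for AES-256, and the PBKDF2 parameters, class and function names are assumptions): the server holds only two wrapped copies of the vault key, one under the master password and one under the rOTP that never leaves the browser, so recovery needs the SMS code, the server's rOTP-wrapped copy and the local rOTP together, and neither the server alone nor an SMS interceptor without the enrolled browser can unwrap anything.

```python
# Added illustration, not LastPass code: HMAC-SHA256 wrap stands in for AES-256 key wrapping.
import hashlib, hmac, secrets

def kdf(master_password: str, salt: bytes) -> bytes:
    """Key-encryption key from the master password (PBKDF2; iteration count is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, 32)

def wrap(kek: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC a 32-byte key: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, nonce + b"enc", "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(kek, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key (no rOTP, old password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered blob")
    stream = hmac.new(kek, nonce + b"enc", "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class Server:
    """Holds only wrapped keys: never the master password, the rOTP, or the vault key."""
    def __init__(self, salt, key_by_mp, key_by_rotp):
        self.salt, self.key_by_mp, self.key_by_rotp = salt, key_by_mp, key_by_rotp
        self.sms_code = None
    def send_sms(self) -> str:
        self.sms_code = secrets.token_hex(3)   # the numeric code texted to the phone
        return self.sms_code
    def fetch_rotp_wrapped_key(self, code: str) -> bytes:
        # Released only after SMS verification, and still useless without the local rOTP.
        if self.sms_code is None or not hmac.compare_digest(code, self.sms_code):
            raise PermissionError("SMS verification failed")
        self.sms_code = None
        return self.key_by_rotp

def enroll(master_password: str):
    """Browser side: creates the vault key and the rOTP; only wrapped copies reach the server."""
    vault_key, rotp, salt = secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(16)
    server = Server(salt, wrap(kdf(master_password, salt), vault_key), wrap(rotp, vault_key))
    return server, rotp, vault_key            # rotp stays in this browser's local storage

def recover(server: Server, local_rotp: bytes, sms_code: str, new_master_password: str) -> bytes:
    """Browser side: unwrap with the local rOTP, rewrap under the new password, rotate the rOTP."""
    vault_key = unwrap(local_rotp, server.fetch_rotp_wrapped_key(sms_code))
    server.key_by_mp = wrap(kdf(new_master_password, server.salt), vault_key)
    new_rotp = secrets.token_bytes(32)         # the used rOTP is single-use
    server.key_by_rotp = wrap(new_rotp, vault_key)
    return vault_key
```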
7

Note

This answer discusses some important caveats to keep in mind for systems like this in general, but misses relevant details about the implementation of LastPass' recovery system. For more details specific to LastPass, see @korsbakken's excellent answer.

The real risk

Yes, it is a security risk, and it doesn't have to have anything to do with how they make password recovery possible on their end. It has to do with the simple fact that SMS is not a secure channel for 2FA or account recovery, a fact that has been making a lot of waves in the news recently. Here is an article where security researchers intercept SMS travelling in the mobile networks:

https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin

But another common (and relatively easy) attack method is something called SIM swapping:

https://www.digitaltrends.com/mobile/sim-swap-fraud-explained/

There are more options I'm sure, but they all have the same effect: a determined attacker has many ways to intercept the text messages of a target for a long enough time period to intercept account recovery in cases like this. In practice if an attacker wanted access to your account, knew that you had SMS recovery on your LastPass account, and also knew your phone number then they would execute one of the above attacks against your cell phone carrier, request a reset from LastPass, and immediately reset your LastPass master password to something of their choosing. They now have full access to all your passwords. If they are feeling especially vindictive they can probably even permanently shut you out of all your accounts (by turning off account recovery and then changing your master password once again).

LastPass Employees

Of course your primary concern was LastPass employees. That question, however, is much more difficult to answer. The answer depends on what sort of access controls they have internally inside their own systems. Certainly your general suspicion is correct: if a password reset is possible then they must in some way have access to your master password file (probably only if you turn on account recovery though, since they say it only works if you turn on account recovery first). This does mean that the LastPass system can potentially decrypt your passwords. However, this does not mean that employees can abuse it. Many companies, especially those storing sensitive data for end users, have many internal access controls that stop employees from gaining direct access to data from end-users. However, I doubt anyone here can tell you whether or not that is the case for LastPass.

In practice I would be far more concerned about the risks associated with account recovery over SMS than I would be over malicious LastPass employees. Either way LastPass says that account recovery is only possible if you have enabled it, so if you turn it off you should have nothing to worry about at all (unless you don't trust LastPass to be honest, in which case you need to figure out how to run a password manager yourself). Just don't forget your master password.

Conor Mancone