What makes LastPass so secure?

32

6

I simply can't understand how using LastPass is secure. All an attacker needs to do is compromise the single LastPass account, and then he has also compromised all the other websites.

What's so good about that compared to the traditional approach to have separate accounts per site?

Is it really better to have one strong master password and strong site-specific passwords that can be accessed via the master password than to have weaker, but different, passwords on all websites?

rFactor

Posted 2010-01-02T18:15:17.357

Reputation: 819

Exactly how are you going to remember strong passwords for several dozen sites? I'm counting 160+ credentials stored in my vault at this time. That's not even counting securely stored pin codes for cards and software license keys I'm keeping in there as well. Apart from a very few exceptions, every password in there is randomly generated, using any available character for the particular site, and of maximum length or somewhere over 20 characters. LastPass can sniff out duplicates for me and can give a report of where I'm compromising security. – G_H – 2013-05-21T08:45:36.970

Answers

47

Aside from allowing you to create unique, complex passwords for each site, we also offer free second factor authentication: Grid. So your username and password are not enough to access your data when Grid is used.

In addition, your passwords are not stored in Firefox's or IE's password managers which are generally insecure (just run our installer and watch how we can pull all of the passwords).

As for storing in the cloud, everything is encrypted locally before it is sent to the server and your key is never sent to us. You can read more about how we keep you safe on the technology page on our website.

Bob from LastPass

Posted 2010-01-02T18:15:17.357

Reputation: 486

1

@Bob Hi, I have pointed in my blog post one fundamental flaw of your service. How do you plan to address that flaw?

– Jader Dias – 2010-02-20T19:01:41.247

1

What if the browser is not secure? I mean, if somebody installed an extension that starts working when I get logged in in the browser. See my tweak on Android here

– Vikas – 2012-08-24T13:17:40.033

How is it "encrypted locally" and "key is never sent to you" if I can view my passwords from multiple computers or even the website? – Greg – 2013-04-15T13:32:41.247

@Greg They store the encrypted credentials. Encryption happens client-side, using your master password and any other authentication mechanism you've activated in addition, and the encrypted data is sent to them for storage. Even if this data were compromised, decrypting it without your master password (and additional measures) is not realistically feasible. Because it's a cloud solution, you can access your data anywhere, but decryption is still only done client-side, even when accessing your vault using the website instead of a plugin (client scripts are used in this case). – G_H – 2013-05-21T08:39:34.200

@G_H: The "key" (i.e. master password) is never sent to you, but a locally encrypted version of it is? I think I was assuming that "key is never sent to you" meant somehow you didn't store any representation of the master password, which is obviously impossible. – Greg – 2013-05-21T13:51:20.090

@Greg Your master password isn't stored, neither locally nor on their servers. It is merely used to encrypt and decrypt data, which is why you need to remember it! Suppose I've got some clever encryption scheme that requires a password for both encryption and decryption. I encrypt a file and send that to you for safekeeping. You keep it for me, but can't decrypt it. When you send it back to me, I can decrypt it with the password that only I know. This is how it works. – G_H – 2013-05-26T14:38:21.633

i do appreciate the sincere integrity of your service, yet the old paranoia dies hard. and the fact that your company is based in the US of A (not too far from Washington) doesn't help much either. if agents of Homeland Security or other less-existent agencies show up, flashing credentials and reminding you of your patriotic duty, i think your best intentions aren't worth much. i hope you don't mind that i prefer a local solution. – None – 2010-01-02T19:48:45.673

Actually, molly, it sounds like everything is encrypted and decrypted client-side - as in, they can't access anything by themselves. If that's true, I don't see why this is any less secure than having something locally. – Phoshi – 2010-01-02T21:26:30.030

Yes, everything is encrypted locally. We frankly don't want the liability of being able to access your sensitive data; it is an unnecessary risk that we do not want to take.

FWIW, we were ranked in PCMag's top 100 products of 2009, ranked in PCWorld's best security products of 2009 and are currently being featured on Google Chrome's extension site as one of their top picks. – Bob from LastPass – 2010-01-02T22:08:17.997

fair enough (although Google may not be my preference to rate privacy-related products given their track record), but the fact remains that my passwords are ultimately no longer exclusively accessible by myself when they are stored online, regardless of the sophistication of protective measures. – None – 2010-01-02T23:28:23.530

It's nice to hear from a first party. +1 for your "Grid" technology, that's a really smart idea. :) – Sasha Chedygov – 2010-01-03T00:28:13.943

19

I don't consider LastPass particularly safe (like anything that is stored 'in the cloud'), I much prefer a local solution (for example, KeePass). The convenience of having online access to login information comes at an unacceptable price (at least for paranoid old me).

Molly7244

Posted 2010-01-02T18:15:17.357

There are also Android and Windows Mobile versions of KeePass, and probably others. – TREE – 2011-01-24T17:23:28.830

I'm using it, but the trick is to keep the key store file up to date and backed up. This is the tradeoff with the online password keepers. – Maarten Bodewes – 2011-12-31T01:42:32.257

I used to use KeePass. Thinking it is more secure than LastPass AND reaping the same benefits is an illusion. How are you gonna back up your KeePass database and keep all copies up to date? Either manually, with the risk of a carrier (like an HDD, USB stick or smartphone) being stolen or breaking, or you keep it on something like Dropbox. And guess what, then you're right back to keeping stuff in the cloud, minus the advantages of LastPass' features. – G_H – 2013-05-21T08:47:24.803

@G_H, not necessarily. What I do is use KeePass to create a database and key file + password. I set up the app so that it stores the database in a local store of an ownCloud instance, and the key file in another ownCloud instance (or a USB key). The password of course would be a 35+ bit secure one known only to me. The ownCloud files are stored encrypted on my own VPS/dedicated server. Granted, an agency can have a warrant against the DC that provides me the server. But they will need, in addition, my key file and my password. Being in the cloud does not necessarily mean it's unsafe. – Joel G Mathew – 2013-08-02T02:24:44.687

KeePass has Unix (KeePassX) and Windows versions, and works from a USB drive (perfect for passwords for sites like Super User). – None – 2010-01-02T19:04:33.170

@Molly - nicely put. – Rook – 2010-01-02T19:15:42.383

@Molly It appears that the LastPass info is encrypted locally, not "in the cloud". – phoebus – 2010-01-02T23:19:24.140

quite so, yet the information is no longer exclusively accessible by myself when stored on an external server. it's a trade-off, convenience for exclusiveness, a risk i'm not willing to take. – None – 2010-01-02T23:49:01.163

16

What makes it secure is simply that they cannot tell anyone what your passwords are, even with a gun to their head. Even when using the web interface, your passwords are encrypted locally before being transmitted.

Yes, it is true that it provides a "single point of failure" unless Grid is used. However, you could have a ridiculously strong master password - who cares if you have to type a 100 character password if you only do it once a day? And because it saves your "sub passwords", you can have them a lot stronger than you normally might.

Another advantage is that most people won't have different passwords for every website (or will have a pattern), and LastPass lets you ditch this. So whereas before every single site you were on was a potential entry point to all other sites you were on, now only your LastPass account is. Cracking any "sub password" yields no extra information to an attacker.

This is useful because you have no idea whether sites you are on are encrypting your password, or salting it. I could name a website with 11 million users that stores passwords unencrypted in their database.

Finally, LastPass offers features like one-time passwords for accessing your passwords in untrustworthy locations, which keeps your account secure from even the most advanced keyloggers.

ZoFreX

Posted 2010-01-02T18:15:17.357

Reputation: 655

That's a good point... most people reuse their password... or have two or three that cover all bases – jsj – 2011-10-18T12:02:01.020

4

Just had a quick look at their site - I think your points are correct... If someone cracks your password there, they have all your passwords - it simply bundles a few features from a few programs into one program.

From looking there, there is nothing that makes me think it is "more secure" than having separate passwords for different sites - as you will have anyway... LastPass simply makes it easier to manage.

William Hilsum

Posted 2010-01-02T18:15:17.357

Reputation: 111 572

The LastPass service doesn't work like that, as explained in Bob's comment. What people seem to be missing nowadays is that the most insecure way to store your sensitive data and passwords is on the PC side. Many people use the insecure password features of Firefox, Chrome etc., while that is a wrong feeling of security. A good hacker, smart thief or trojan only needs a minute to get all your passwords and access your mail and other data. LastPass doesn't have any information other than encrypted rubbish on their side. How can a security agency compromise that? The key is on the PC side. – Rick Steven – 2010-01-03T02:12:09.683

If you run the LastPass Windows installer, we pull all of your passwords from IE, FF and Chrome (btw... if we can do it, any program can) and then offer you the ability to delete them. We definitely feel we are much more secure than this status quo way of remembering your passwords in the browser, and we are much more convenient as well. – Bob from LastPass – 2010-01-03T04:13:55.830

3

It might be helpful to know Steve Gibson (of Security Now! fame) referred to LastPass in a podcast:

... what I have to say is, I think, the best solution possible.

In his over 600 episodes of Security Now!, Gibson often reminds listeners that the best passwords are gibberish and long. In this particular podcast he says:

... the longer your password is, the stronger it is

kizzx2

Posted 2010-01-02T18:15:17.357

Reputation: 889

0

No online password storage tool can assure you of security. They claim that the host-proof password storage mechanism hides the passwords from the host, and that only the client side knows the key and the decrypted form.

But the following blog post shows a flaw in that assertion:

One reason why we can't trust online password storage

Jader Dias

Posted 2010-01-02T18:15:17.357

Reputation: 13 660

0

Using LastPass with the Chrome plugin I was able to pull a password by navigating to a login page, filling in the password and entering the following in the console (press F12).

document.querySelectorAll("[type=password]")[0].value

This is with two-factor authentication and with the "require master-password to show/copy password"-option enabled. I'm guessing it would not be hard to automate this, meaning that passwords can be pulled easily from LastPass just like other password storage, contradicting what "Bob from LastPass" seems to be claiming.

I guess LastPass is considered better than manual password management by security experts like Steve Gibson simply because the risk of compromise from a weak/reused password or by a generic keylogger is bigger than the risk from malware that's specifically attacking LastPass. Still, I would only use it for sites that I can afford to lose, and never for banking/primary email/Dropbox, etc.

A password manager requiring two-factor authentication for every password that is downloaded from the server (LastPass only requires it on first login) would limit the damage to only the passwords that were used on the infected computer, but I have not found a password manager with that option yet.

dschlyter

Posted 2010-01-02T18:15:17.357

Reputation: 126

You seem to be trying to show why LastPass is not secure by showing that Javascript code running in a web page can see passwords entered into forms on that page. This is true, but it is still true even without LastPass running. And it does not allow the page to get passwords out of LastPass for other sites, so you're no worse off than without it. – Kevin Panko – 2014-09-22T19:02:48.517

You are right, and I probably wasn't clear enough.

I was not trying to claim that any webpage you visit can steal your passwords with JavaScript. I was trying to claim that someone with access to your computer (i.e. an evil friend or malware on a public computer) can pull your saved passwords from LastPass, even with 2-factor and password protection on viewing passwords.

The javascript example was just one easy way of demonstrating that. – dschlyter – 2014-09-24T14:26:11.917

@dschlyter I'm not sure what you're saying here. LastPass gives you the option to either automatically fill in a password, or require you to re-authenticate yourself before filling it in. The autofill option is always opt-in, and I never select it for sites that provide financial, email, or cloud storage services. This means that someone who tried to use the JS trick you show would at most only get my passwords for Stack Exchange, etc. And I'm not sure your trick is as easy to pull off as you seem to think. – samwyse – 2015-03-24T17:47:12.347