Jun 7, 2019 - LastPass Password Manager utilizes AES 256-bit encryption implemented with salted hashing, along with PBKDF2 encryption keys. LastPass is an online password manager and form filler that makes web browsing easier and more secure.
It must be noted that the author of this article has a competing project, and in an article so deeply critical of LastPass, it seems like a disclaimer should be prominent. Wladimir does disclose this on the previous article:

As a fairly happy LastPass user, I would certainly like to know what ongoing threats there are here, and what the real-world likelihood is that I might be exposed to those threats. Would anyone care to summarize? The linked issues have been fixed, even in Firefox, and the claim that vulnerabilities still exist is unsourced.

EDIT: disclaimer has been added! My comment is now out of date.

Thank you for the reminder, I added the disclaimer noting that I develop Easy Passwords.

The claim that vulnerabilities still exist was unsourced six months ago - now you have proof that they do.
It would be naive to assume that this was the last of them. As I explained several times already, the issue is a structural one. LastPass keeps the attack surface unnecessarily large and they are pretty bad at securing it.

The recent vulnerability reported was particularly bad, launching an arbitrary external application is really as bad as it goes - this could have resulted in a malware infestation. But the typical threat is 'merely' losing all your LastPass data to a random website you are visiting (or a hacked ad script running on it).

How likely is it that bad guys will actually try to target LastPass?
They seem to have at least 10 million users judging by AMO and Chrome Web Store numbers. I can clearly see that on some websites trying to exploit LastPass users can actually be lucrative. Whether it will happen to you personally, nobody can tell of course. Here's a question you should ask yourself: do you want malicious webpages or malvertising to have direct API access to your password manager?

This is the case with all password manager browser extensions. A desktop-based password manager without the browser extension does not have this risk vector.
And, as we've seen with the dozens of extremely critical LastPass bugs, they're not even particularly good at securing said API. Other products may be less bug-ridden, but they share the same risk vector.

I use pass [1], and I recommend it if you can stand copying and pasting.
It's really not much of an inconvenience for the dramatic increase in security you get.

[1]

Here's another question to ask: 'Is everyone really going to open a separate application, unlock the vault every time they want to use it (due to timeout), Ctrl+F for the URL, and then Ctrl+C out the username and password every time they want to visit a site? Also, is everyone going to create a correlated entry every time they make a new account?' Good security is hard in practice because people are always going to default to the most convenient/simple way to accomplish their goal, and at this point, most of our security measures require someone to expend extra energy.
That means it's going to be very hard to get people to do it. We have decades of experience with this just with regard to one layer of passwords.

'Is everyone really going to open a separate application, unlock the vault every time they want to use it (due to timeout), Ctrl+F for the URL, and then Ctrl+C out the username and password every time they want to visit a site? Also, is everyone going to create a correlated entry every time they make a new account?'

This is not how pass or KeePass work. I recommend you try them out and see if they're really that hard to use (hint: they're not). If you really like browser integration, I also sometimes recommend using the built-in Chrome or Firefox password managers with good master passwords.
They're actually easier to use than LastPass and its insecure ilk.

Totally agree with you on the convenience factor. Still doesn't mean I'm going to use a browser extension to securely manage my passwords. Or something proprietary. And lets me decide how and where to store/sync the encrypted blob of my password DB.

So I use KeepassX for Linux (and Keepass2Android on my mobile), which I frankly don't understand why it's not recommended way more often. It's open source, doesn't have those problems, nor does it have a company ego attached to it that has incentives to downplay security issues to save face/profit.
Ego is a potential attack surface. Every time the password-manager discussion comes up, I scan the thread and check what possible problems any of them have. And all of the other ones have at least some of those issues that I care about, even if only that the encrypted blob is stored somewhere out of your control. Except for KeepassX, for which the only 'serious' downside I've read is that some big security names on Twitter seem to really dislike the GUI for some reason.
Which is a fine opinion, but not one where I'd consider their expertise to hold much value over anyone else's (and personally, I disagree with it).

'Is everyone really going to open a separate application, unlock the vault every time they want to use it (due to timeout), Ctrl+F for the URL, and then Ctrl+C out the username and password every time they want to visit a site? Also, is everyone going to create a correlated entry every time they make a new account?'
Okay, so here's how I use KeepassX for Linux:

The application is small and lightweight and therefore already open (but locked) as an icon in my systray. I have to unlock the vault due to timeout [0].
To find the entry, type a few characters in the search box, or select it from the appropriate category/folder; I put the few ones I use most in the default/top folder for even quicker access. Then I right-click the entry and select 'perform autotype'. 'Perform autotype' seems to basically send a bunch of keyboard events:, username, password,. This sequence works on every login form I use.
There's probably exceptions, but iirc you can configure the autotype sequence. Otherwise for that one login form that is weird and annoying you can always right-click and use 'copy username/password to clipboard' (which is auto-cleared after X seconds). Finally if the login form won't let you autotype AND doesn't let you paste, it becomes even easier: right-click, 'delete entry' and never use that service again because COME ON, really.

Edit to add: the Android app, Keepass2Android, is slightly more cumbersome to use, but that's mainly because I find touch-screen typing my master password a bit of a pain. After that it's actually easier: when you've selected the entry, you select Keepass2Android as keyboard app, which only has these buttons: User, Pass, Next field, Submit.
At entering the master password there's also a checkbox 'allow quick unlock', which allows you to unlock using only the last 3 chars of your master password (for the duration of a second, longer + configurable, timeout).

[0] Do other password managers get around this? I really don't see how, without getting the same exposure as I would get by disabling the timeout in KeepassX?

Anecdotal and personal opinion, but I believe that it has. I've been a LastPass user since February 2014. I used to pay for the annual subscription because it was required to use their phone apps, but now that it isn't I find no benefit to the paid subscription, especially given how poorly some things seem to be working.

The user experience with extensions for different browsers (Chrome, Firefox, Safari) is inconsistent.
Menus look and behave differently. Some options are present (and turned on by default) in one browser's extension and absent in another. For example, Firefox's extension opens the vault every time you log in unless you uncheck a box, so if you're at a password field ready to login, LastPass decides to just get in your way.

But by far the most infuriating part for me has been the iOS app.
I've always considered LastPass to provide convenience at the cost of security, and as such am not concerned.

To me, the point is managing the dozens of separate logins you have to manage to use the web. I often can't be bothered to remember which sites I've signed up for, let alone what the usernames and passwords are.

For critical accounts (email, financial stuff, etc.) I'll always take the effort to memorize some high-quality and unique usernames and passwords. I find this to be the best trade-off.
'Altogether it looks like LastPass is a lot better at PR than they are at security. Yes, that's harsh but this is what I've seen so far.'

No, it's not harsh enough for a program that knows the right password, shows it to you, but then inputs the wrong one in the password field. Of course, compared to these security issues, such UI issues are almost irrelevant. With such a simple UI to program, you'd think they'd at least get that right or fix it.
And if they don't, it's likely they have much bigger problems under the hood. Over and over.

Unfortunately, all the reviews of LastPass I read gave it 4-5 stars and it was often a recommended or editor's choice pick.
Clearly, those reviewers and their publications are just a bunch of shit words to attract advertising (that includes pretty much every article on password managers I managed to read). This is a pretty important part of security. If it takes someone with expert skills in computers almost a year to find a good password manager program, not to mention days' worth of work importing into and testing various solutions, what chance does your everyday computer user stand?

The way things stand with password managers right now, I'm not sure we're advising ordinary computer users correctly in telling them to use one.

'If it takes someone with expert skills in computers almost a year to find a good password manager program, not to mention days' worth of work importing into and testing various solutions, what chance does your everyday computer user stand?'

The reason why I hate these kinds of threads in IT communities is that we usually don't seem to talk about the issue(s) the article is referring to. Take this one for example.
There's much more discussion about what works for whom than the actual content of the article. And then I followed an article linked in the comments here about getting 1Password to run on Linux. And at the bottom of the article there was a link to the HackerNews thread about that article. And the situation is exactly the same.

Out of 57 comments in that thread, only four are actually related to running 1Password on Linux, and none of them is actually related to someone actually trying the method from the article and sharing his/her experience.
53/57 comments are basically 'I use X because of Y'.

I would like to know this as well. I tried setting up KeePass on iOS, but was never able to get it to work so it seamlessly kept things in sync between all my devices (two desktop computers, three laptops, two tablets and an iPhone). I then tried LastPass and so far it has worked flawlessly for me across all devices. Now I read this and I'm not sure what to do.
Prior to LastPass I used the same six-character password for everything. Now many of my passwords are 30+ characters long. That seems more secure, but if someone can just grab my passwords while I'm browsing then maybe it's time to go back to the same 6-character password that I can remember.

Passwordstore.org is good if you're a nerd.
It's built on standard Linux tools: pwgen, gnupg, git. QtPass is a Qt-based multi-platform desktop GUI version. That helps if you're not in the mood to be a nerd today. Android Password Store is the mobile version and integrates with Android Chrome/Chromium.
Thanks to gnupg, pass also works in conjunction with smartcards like Yubikeys. OpenKeychain on Android allows you to use a Yubikey Neo with Android Password Store. PassFF is the Firefox plugin.

Usage: It's a git repo with passwords stored in encrypted text files. Syncing is done by push/pull of the git repo. Since it is git, you have a record of every password you ever generated. Unlocking a password with a Yubikey requires a PIN entry and a physical touch.
Once entered, the key is available for further passwords without PIN, but a Yubikey 4 can be configured to require a touch every time if you're worried about compromised hardware stealing your entire password database.

There's no import from other managers that I'm aware of, but it might exist. Googling stuff about 'pass' is tedious.
Google for 'zx2c4 pass' and you'll have better results.

Keepass imports from LastPass [0]. Not that it meets the rest of your requirements, but Keepass + KeepassHttp + PassIFox work beautifully for me.

Autofills my logins and fully integrates with Firefox's password manager so that you don't get conflicts between the browser and your password manager trying to save the same password. Also doesn't add the stupid CSS hacking that LastPass does to add their logo into the password fields, breaking various sites' styles.

[0]: http://keepass.info/help/base/importexport.html
Keepass has lots of red flags for me:
- No https on site
- Update file hosted via http (not https)
- Downloads via SourceForge, which has injected adware in downloads before
- FAQ downplays lack of constant-time comparison instead of using constant-time comparisons and being extra safe
- You have to cobble together multiple apps from multiple developers to get a full working solution; means you have to trust lots of individual entities

That being said I can hardly defend staying on LastPass anymore. I just wish 1Pass was cross-platform so there was a clear universal winner!

Got a link to that FAQ thing?
I find downplaying of potential security issues a rather important red flag. The https thing is unfortunate and should be fixed, but I've always got my KeepassX from a signed repo. The cobbling together is also an important part of its strengths. In particular I want the sync of the encrypted DB to be decoupled from the app that decrypts and manages the password entry into forms (the latter being yet another entity, btw).

I'm really curious to see that FAQ entry! Because I can't imagine a scenario where timing side-channel attacks would be relevant to a password manager app (provided the sync is decoupled, which is one reason why that's so important). If you're gonna brute-force the master key, you'll use an external program anyway, so constant-time comparisons in Keepass's routines shouldn't matter? Also it's not like you could remotely trigger Keepass to decrypt 1000s of times in order to glean info from timing data, because it's not a browser plugin.
Which is one of the reasons why we don't want our password manager to be a browser plugin. Again, decoupling is a strength.

- No https: agree, it's a very old site, but it's not sensitive material that you're submitting. You can check the integrity of the download [0]
- SourceForge: again not ideal, but again it has very old beginnings from when SourceForge was as respected as GitHub is. You can't blame the developer for the environment changing. Perhaps they're just a stickler for loyalty. I've never had any crapware with Keepass
- FAQ: I couldn't find your reference in the FAQ page [1]
- You have one app + plugin with a browser extension from two developers, hardly a mishmash.
You know directly who those two developers are. You've no idea who was working on LastPass. I'd say it was more in the bazaar philosophy vs the LastPass cathedral.

[0]: http://keepass.info/help/base/faqtech.html

LastPass is a cloud password program + browser plugin. So the extra layer is the plugin that is written by the same developer as the browser plugin. Which is a drop-in plugin. It's all open source so it's much easier for people to check the vulnerabilities.
It's also easier to raise issues and for other people to help fix them.

Separately, Keepass is an offline database, so you have total control over access to it. The overhead of course is using something like Dropbox, plus probably Boxcryptor to ensure it's encrypted before it gets to Dropbox.

I've commented elsewhere here - it's similar to the Keepass bazaar vs the LastPass cathedral. Keepass might look uglier, but I trust it more.
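The sub-thread above argues about whether a timing side-channel in the master-key comparison matters for an offline vault, and a later comment recommends raising PBKDF2 rounds; this added Python example (not KeePass, LastPass or any commenter's code) models that local check: PBKDF2-HMAC-SHA256 stretching with a configurable round count, an early-exit comparison that leaks the first mismatching byte beside a constant-time one, and a helper that measures how the round count scales the cost of every offline guess. The salt, round count and passwords are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed sample vault parameters; a real vault uses a random per-vault
# salt and a far higher round count than this demo value.
SALT = bytes.fromhex("a3f1c0de0badcafe1122334455667788")
ROUNDS = 20_000


def derive_key(master_password: str, salt: bytes = SALT, rounds: int = ROUNDS) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256.

    `rounds` is the knob the thread calls 'PBKDF2 rounds': every guess made
    against a stolen vault costs this many HMAC iterations.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, rounds, dklen=32)


def naive_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined).

    The second value is what a timing observer could learn: the index of the
    first mismatch, which would let a prefix be confirmed one byte at a time
    if the observer could repeatedly trigger and time the comparison.
    """
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Comparison whose running time does not depend on where the inputs differ."""
    return hmac.compare_digest(a, b)


def verify_master(candidate: str, stored_key: bytes, salt: bytes = SALT, rounds: int = ROUNDS) -> bool:
    """Local master-password check: derive, then compare in constant time.

    The guesser never chooses the bytes being compared; they choose a password
    and PBKDF2 turns it into a key, so even a leaky comparison only reveals how
    many leading bytes of PBKDF2(guess) match, which does not help pick the
    next guess. Constant-time comparison is free anyway, so use it.
    """
    return constant_time_equal(derive_key(candidate, salt, rounds), stored_key)


def guesses_per_second(rounds: int, samples: int = 5) -> float:
    """Measure how many derivations per second this machine manages at `rounds`.

    The offline guess rate against a stolen vault scales down roughly linearly
    with the round count, which is why raising rounds is worthwhile.
    """
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"sample-guess-{i}", rounds=rounds)
    elapsed = time.perf_counter() - start
    return samples / elapsed


def years_to_exhaust(keyspace: int, rate_per_second: float) -> float:
    """Time to try the whole keyspace at the measured rate, in years."""
    return keyspace / rate_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    stored = derive_key("correct horse battery staple")
    print("verify correct:", verify_master("correct horse battery staple", stored))
    print("verify wrong:  ", verify_master("Tr0ub4dor&3", stored))

    # Byte-level view of the leak, using constructed keys rather than PBKDF2
    # output so the mismatch position is known in advance.
    a = bytes(range(32))
    b = bytearray(a)
    b[5] ^= 0xFF
    print("naive_equal leaks mismatch index:", naive_equal(a, bytes(b)))
    print("constant_time_equal:", constant_time_equal(a, bytes(b)))

    # Work-factor scaling: doubling the rounds roughly halves the guess rate.
    for r in (ROUNDS, ROUNDS * 2):
        rate = guesses_per_second(r)
        # Keyspace of an 8-character password over 62 symbols, for illustration.
        print(f"rounds={r}: {rate:,.0f} guesses/s on this machine, "
              f"~{years_to_exhaust(62 ** 8, rate):,.0f} years for 62^8 on one core")
```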
Yeah, the two weak points pointed out have always been weak points. It's unfortunate, but disabling autofill has always been my recommendation.

'Altogether it looks like LastPass is a lot better at PR than they are at security. Yes, that's harsh but this is what I've seen so far. In particular, security vulnerabilities have been addressed punctually, only the exact scenario reported has been tested by the developers.'

This seems unfair. LastPass fixes the initial vulnerability punctually - we do not know what they will do in the future.
Is it better for them to wait, come out with a defense-in-depth approach, and then patch? Seems silly. Of course, how long do we wait? Historically, I would argue, LastPass has done defense in depth fairly well - when there was a breach they were quick to not only address the vulnerabilities immediately but soon after they rolled out Content Security Policy and HSTS, two technologies that were rarely deployed in the wild at the time (and are still sadly too rare).

My suggestion to LastPass users is to:
1) Enable 2FA
2) Up your PBKDF2 rounds
3) Disable as many browser integration features as possible

I don't recommend dropping LastPass and trying to roll your own key-sync store with KeePass/Dropbox as some have done. I don't know of any other browser-based password manager that isn't equally weak to attacks based on browser integration.

Alternatively, don't use a browser-based solution.
This is less convenient but you'll avoid by far the largest area of attack surface.

'whereas the 1Password extension merely communicates with the app.'

Wait. The communication goes what way?? You make it sound like the 1Password extension (that doesn't handle encryption, therefore is not authenticated) can request password and credential data from the 1Password app, like it's pulling data from it? How does the 1Password app know that whatever process is making that request is in fact made by that particular browser extension, prompted by user action on the extension that is the same user as the one that unlocked the encrypted password vault in the app? And if it doesn't, why are you storing your passwords in it :)

Are we all clear on what a password manager is? Maybe we should start with a good definition, such as:

A password manager is an application that manages an encrypted database, that when unlocked by the user, can be prompted by the user, to decrypt an entry from the database, and send one or more fields of that entry to a specified receiving application's input/login field(s).
Communication only flows from the user prompting, to the password manager, to the receiving application. Not the other way around.

Ok that's not a full definition yet, it also needs a bit about how to store the encrypted database, how not to sync it, not keeping any keys or plaintext in memory any longer than strictly necessary, etc etc. But it's good if we'd have a definition like that, something that is waterproof by definition.

I would love to switch to a different password manager, but nothing else I've tried has quite managed to nail the usability aspect. Specifically, LastPass's app fill functionality on Android is a huge benefit that I haven't seen in others.
It also has a browser extension that works without a separate program running on your computer; I didn't even realize that was a plus until I started trying to use other apps that did that. I guess for now I'll just turn off all of the automatic features like this I can find.

Why wouldn't the average user? The entire idea is that you'll just have to remember two passwords: your computer account, and your password manager. At least for most users, the idea that some password shouldn't be stored just opens the door to bad practices and password reuse.

For someone working on a password manager, I think the default assumption has to be that a screwup on your part will - literally - impact pretty much every aspect of a user's life. You can't assume that some passwords won't be stored. My email accounts' passwords are far more important than that of my bank account, and there's no way I could put up with typing them in every 15 minutes.

On top of that, chances are that a bank login saved in a password database, which has 2FA and other sensible precautions, is probably kept safer for any one individual than the bank's systems themselves, what with the huge legacy cruft they suffer from.
No-one would be able to walk into my computer, or call it, with some faked documents and social engineer themselves into my password database.

I've been using LastPass for a few months and have loved it, but maybe I'll consider switching to 1Password. However, can I just rant for a second about how these security assessments and blog posts fold out? The beginning of my career was spent thinking I was going to go into this field (one of my degrees is in Information Assurance) and the #1 thing that persuaded me to switch to building software instead was the attitude and approach of the security field.

If it's not 100% secure and we all agree that it's the 100% best way to do something, it's the end of the world and anyone using LastPass is an idiot who will have all of their passwords hacked and their life ruined. (Remember when the draft for client-side storage was announced? You would have thought armageddon was upon us based on the reaction of the security industry.)

Big picture here - most people re-use a short, simple password on all of their sites. Using a password manager, even one with a few things that it can and should improve, is a HUGE step in consumer behavior. Bickering amongst ourselves and boasting for crapping on someone's company is not the right approach to increasing our entire society's security stance.

Want to actually help?

1. Create more resources to help consumers pick, use, and adopt a password manager with a super simple setup process. Even the current methods that all password managers use of generating, saving, and autofilling passwords are too complex and cumbersome for the average consumer. Heck, even MFA is seen as a huge waste of time and barrier to logging into people's accounts by the majority of people right now.
2. Create more resources to educate developers of these services, helping them to see what they should do and how they should do it, not bragging about your ability to tear down a service they spent hours slaving over. Get over yourself and actually help society. ( is a great example of this)

Looking for an example? Apple's iTouch.
Yes - it's not the most secure option. People leave their fingerprints all over the place and they can be lifted and used to unlock a phone. But look at the other option - using no passcode, or a 4-digit passcode that's easy to guess or look over a shoulder. Is it the most secure option? Does it raise the level of security for our society as a whole by providing a realistic security barrier that the average consumer can use?

I've used 1Password on Mac / iPhone / iPad for years and it's one of my few must-have apps.
It's been great, other than a few annoyances with mobile app and upgrade pricing (sorted now, in a logical way). Syncing has always been solid and I've never had any corruption issues.

I've been tempted to do away with the extra clicks and just use iCloud Keychain and encrypted Notes, but 1Password feels like less of a black box at this point (maybe just because I've been using it longer). It also seems smarter about filling out forms than the browser-native options in Chrome and Safari - not perfect, but better.
I don't use their subscription service, just the desktop and mobile app.

Not sure how people like online password managers. The consequence will be far worse than selling your online attitude to Google by using their online services in case of a security breach. It pretty much gives your online self up to hackers.

With that said, I only use offline managers and this is only for Mac but Locko by Binarynights is clean and easy to use. The downside is that its browser extension can't remember basic auth credentials but other than that I like it. I can also back up the encrypted database easily with a script. (Seems the link is gone from their site with the release of ForkLift 3 but the page still exists.)

Here is how I think about it: It is a spectrum. You can have high accessibility / ease of use or you can have high security. You can't have both. By storing your info on a remote server, you are trusting they will protect your data.
Maybe they will, maybe they won't. It is just a matter of finding a balance you feel comfortable with. Personally, I don't store my passwords on any cloud service, carry them on a thumb drive and don't use services that expose them to the browser. Could I lose a thumb drive? I rate the chances of someone picking it up and knowing how to exploit it as very low.

I've been a LastPass user for a few years and I use the browser extension every day. As an admin of several websites, the extension has been a time saver. I thought I had no illusions about the inherent insecurity in using LastPass, but I guess I was wrong. I use Yubikey and disabled autofill long ago, but I was still vulnerable.
Their response to these exploits is maddening. 'Our investigation to date has not indicated that any sensitive user data was lost or compromised.' This when they can't verify if passwords were compromised as LastPass servers weren't involved in this exploit.

So I guess I need to switch to a different service. Any suggestions?
I've struggled with this too. I love how I can share passwords with a team using LastPass (share just access, share ability to view, share ability to edit). It's more about getting the team using the right tool than individuals. There are probably better individual solutions than LastPass, but I don't know of any that are better for teams. I know that having a tool that lets you share passwords is inherently risky. But I still think LastPass is less risky than people sharing via Post-It, or sharing via emails. Or less risky than not sharing passwords in that 'hit by a bus' scenario we always talk about.

I tried Enpass, 1Password, and KeePass for individual use. None of them were horrible (I liked 1Password the most).
Enpass lets you sync your vault with the storage option of your choice. So you could sort of do team passwords that way. Typically I don't want to share all my passwords, just a few. And like I would want to share different subsets with different people. So that 'share your vault' option wasn't ideal for me.

Usability-wise, I love how LastPass fills in my credit card info and address on forms I tell it to. And how LastPass can automatically update passwords for many common sites.
And gives me a report of passwords that are weak, old, and duplicate - the 'global rank' on LastPass is a game and I want to get a high score. (Full disclosure, I tried each casually for less than a week. There may have been things I missed.)

Been on LastPass for a long time, generally happy with them and haven't found anything that better fit my needs, but clearly these reports that they aren't taking security as seriously as they should be are troubling.

EDIT: Going to look at in the next week or so. I don't think this option existed last time I looked at 1Password.

From a strict security standpoint, maybe all of this is true.
But I see strong PR as a feature, not a bug. At least until password manager market penetration is closer to 100% than it is to 0%.

Once you've adopted a password manager, you've limited the scope of potential abuse, and you've decreased the pain of recovering from abuse that does happen. Being forced to change passwords used to be a stressful problem for me, and now it is not. Before, I would procrastinate changing passwords after a breach, because I knew how hard it would be. With LastPass, I literally changed every password in my vault in less than half an hour.

The PR matters because it's too easy to hear some bad news and give up on trying to be secure. If the PR prevents people from giving up, I'm all for it.

My black hat method is much easier than that, and it doesn't even require a black hat skillset.
1) Download two datasets from different massive breaches. You can find plenty of them with plaintext passwords on any torrent tracker.
2) Correlate email and password combos across datasets. Don't worry, you'll find 10s of millions of people who don't use password managers and reuse passwords.
3) Profit

If you have reason to believe you're being targeted, any breach is a problem. But until my method no longer produces results, there's no reason to believe black hats will go through any additional effort to obtain the average person's creds.

I am almost ready to file a lawsuit.

Context: What I am after is a password manager that has the option to NOT store anything in the cloud at all. I want encrypted storage to be stored locally. No exposure outside my network.
Inter-device synchronization done manually or automatically within the confines of said private network. I would also like to store data beyond uid's and pwd's. For example: secret questions and their answers, account and PIN numbers, company tax id's, bank account numbers, passport numbers, etc. In other words, data you might need handy that should be encrypted.

I've been using a program for a number of years. The program started exactly as I described above: network-only synchronization. Over the years they have mutated the program to cloud-based storage.
And, over the years, they have done this without warning to users or seeking any kind of authorization. Imagine if you are using software that only stores data locally and syncs over your network, only to wake up one day to discover that the latest update uploaded all of your secret data to their cloud-based system WITHOUT your permission. And, to make things even worse, they progressively eliminated the network sync option. The current version doesn't even ask, the minute you edit a record or create a new one it shoots it up to the cloud. Unbelievable.

Years ago I asked about this. I have an email from the support assuring me the data would never be stored on the cloud. Time to file a lawsuit?

Anyhow. Is there a tool fitting my description above? I don't care if it's free or paid.
I simply want my data to never move outside my network unless I want it to.