Jul 21, 2010

LastPass Gets the Green Light from Security Now!'s Steve Gibson

From the beginning we’ve touted LastPass as ‘secure password and data management.’ We’ve insisted that only you have access to your LastPass data, since only you hold the key that can decrypt it. We’ve maintained that we use local, government-grade encryption (256-bit AES, implemented in C++ and JavaScript) together with one-way salted hashes, so your data stays secure as you sync your passwords through the cloud.

But – what does that mean?

Well, it means that we developed the LastPass password manager so that the following three points hold true:

1. All encryption and decryption happens on your computer.

When you create your LastPass account, an encryption key is created on your computer (your Master Password, or MP, and email go through a complex, irreversible process known as hashing to form your encryption key). Any sensitive data you then save to your account is ‘locked up’ by the encryption key while still on your computer, then sent in encrypted form to LastPass’ server.

2. The sensitive data stored on our servers is always encrypted before it’s sent to us, so all we ever receive is gibberish.

Since the encryption key is locally created each time you submit your MP and email, all that we store and have access to on our servers is your encrypted data. Without your unique encryption key, your sensitive data is meaningless gibberish. Even if someone were to mandate that we provide a copy of our database, the data would still be unreadable without your encryption key.

3. We never receive the key to decrypt that data.

The unique encryption key formed by hashing your email and MP is never sent to our servers. We would never, for any reason, ask you for your MP, so the key stays safely with you.

Not satisfied?

Well, don’t just take our word for it: industry expert Steve Gibson recently reviewed us on his Security Now! podcast. After an hour-long, in-depth analysis of what LastPass is, how it works, and what it can do, Steve applauded our security measures and gave us his seal of approval.

"This thing is secure every way you can imagine. And it's simple," Steve says at one point. "I've completely switched my entire solution for managing passwords, after spending days researching it and testing it and playing with it, over to LastPass."

He goes on to declare that we've "really nailed it. I mean, I don't see a single problem with this."

Thanks Steve! We've tried to cover every security angle we can think of - and we continue to add improvements based on user feedback.

There's also a follow-up episode where a few questions from listeners regarding LastPass are addressed in detail.

We’ve embedded the video below so you can listen to the discussion of LastPass, starting around the 50th minute.

45 comments:

  1. Steve is a funny guy. I still use Spin Rite, too.

  2. Excellent to hear. I've been using LastPass for a while now and I always wondered what some of the pros thought of LastPass security.

  3. Looked into LastPass a little more. It seems like a good product, but I don't like the idea of subscription payments. I only intend to use it with my iPod and home PC, and I already have KeePass set to sync with Dropbox which MyKeePass on the iPod will download from. It took about ten minutes to set up, but it is all automated now with Keepass Triggers and Dropbox automatic syncing.

    Replies
    1. I have no idea why people would use something free for a purpose as important as guarding their most important information. You WANT these people to make money so they can stay in business and further develop the product. Besides, if somebody gives you something for free, you need to ask yourself why that is.

    2. Because it's open source.

    3. Open source is basically opening it to being cracked. For something like this I'd want it to be closed source. If you know how it works internally, you can break it.

  4. Are all data fields encrypted or just certain fields?

  5. Nice try. Will never trust anything stored online! How on earth do I know my master password is not sent to LastPass??? LastPass is indeed nice, covers all platforms, but I do not trust any private company to store my passwords. Will stay with Roboform where all my info is encrypted on my PC. Do not even use their online version.

    Replies
    1. RF has a long history of screwing its users. Do the research…

  6. Anonymous, this isn't the time or place, but did you even read this article or watch the review? Your master password is never sent to LastPass.. your passwords aren't stored online. An AES-256-bit encrypted file is synced to your different PCs. Work on your reading comprehension, or just watch the video review of the security measures. This is VERY different than storing your passwords online.

  7. LastPass stopped working in portable Chrome!
    It doesn't even go to the site!

  8. Chrome problems with recent builds can be attributed to this google bug.
    http://crbug.com/52096

    Hopefully they will fix soon.

  9. Steve Gibson rocks and LastPass is the BEST! I am a security freak and this certainly covers all bases.

  10. This is Steve Gibson we are talking about. Yes, he does a great service by trying to teach security concepts in layman's terms, but he really isn't a security expert. He is not respected in the security industry, and he gets things wrong all the time. He is not qualified to certify the security of a product. He simply just repeated what LastPass told him they do. It is still a great product, and I use it all the time. I am not worried about it. But if you really want to know if it's safe and acts the way it is supposed to, we still need to wait until it is verified by an independent and qualified 3rd party. Even if it was built with the best of intentions, it could still have unexpected memory leaks and improperly deployed encryption that create holes allowing hackers to steal all of your passwords. For example, look at WEP and WPA. WEP is rarely used anymore because it is vulnerable to hacks. It actually isn't because the encryption algorithm was flawed, but because it was implemented incorrectly. Getting these things correct is more difficult than it sounds, even if you are starting with trusted tools and resources.

  11. The question is not whether Steve Gibson is right about everything - none of us are.

    Most Security Now! podcasts start with an errata section where he corrects misunderstandings and errors.

    For those who are concerned about your passwords being sent out unencrypted, it's not hard to analyze the traffic being sent out of your computer. I'm pretty sure that SG did something like that; I don't believe that he simply recycled LastPass's press releases as you suggest.

  12. Hey everybody, I'm starting a new business called LastWallet. It has a big lock and key on it.. YOU control the key. Just stuff all of your money in it and I'LL hold it for you. It's a very strong wallet. I make them out of unobtainium and glue the locks in with superglue AND locktite. Oh, BTW .. you cannot use my wallets unless you let me hold them. I MUST HOLD THE WALLETS. But it's really secure.

    Replies
    1. Well, I hope that your new bank does well, since you have successfully described banks and electronic funds transfers.

  13. Good luck to your new endeavor with LastWallet! But please be sure that you offer it for free for everyone to use. Also be sure that if your superglue fails, that my money isn't at risk, and that if you or someone else happens to take my wallet and disappear that I won't have lost any money. Lastly, please have other people verify that your wallet is really as good as you say it is. Make sure it works well and that it solves a problem that nearly every Internet user faces today. If your product (and the people behind your product) are half as good as that other product LastPass, then I'm sure it will gain support and do incredibly well.

  14. Further to the discussion above, maybe they could do a hacking competition at a black hat event to test the security.

    Steve Gibson is a windows man, I'd like to see someone from the linux community test it.

    Great product though, I'm using it

  15. I totally agree with the above comment. LastPass would be a very interesting target, and a black hat competition would be the best place to find someone with the skills to crack it, and the decency to report their findings.

  16. Tekzilla (Revision 3) mentioned LastPass in last Thursday's weekly ep (23rd Sept) and are supposed to be doing a review in next Thursday's. Don't suppose they will do a full security investigation though. Like Patrick, I use an encrypted text file! Tried Roboform a while back but it crashed and I couldn't use it on W764; will have to give this one some thought, but it sounds ok.

  17. It's good to see this affirmation of LastPass security. All the same, I would like to see an in-depth and thorough report from a recognized industry body confirming the robustness of the various security features.

  18. It's a great tool.

  19. @Anonymous

    See this technical analysis of LastPass' hashing and sending functions:
    http://tinisles.blogspot.com/2010/01/should-you-trust-lastpasscom.html

    Using Fiddler (as the above blogger did), you yourself can verify exactly what is being sent (and not sent) to LastPass.com from your browser.

  20. Steve Gibson's the man; if he gives the green light then I'm on board. Well done LastPass.

  21. This comment has been removed by the author.

  22. If you enable the free multi-factor authentication in Lastpass, then even if a hacker gets a hold of your password he will not be able to enter your account.
    Unfortunately this feature is not advertised very well right now and you have to enable it in your account settings first. Using the generated table to authenticate your account and lock down logins from unauthorized computers will make your LP account extremely secure. The only way someone could get in then is if they steal your computer AND know the password. We're talking kidnapping or blackmail level of criminality here, quite unlikely for 99.9% of us... (hopefully)

  23. I've used Lastpass for Chrome and like it. However, an odd thing happened this weekend, Friday night I had no problem reaching any websites, but on Saturday every site and only those specific sites that were in my Lastpass were blocked by some type of malware on my PC in both IE and Chrome, and only on that one PC (3 others on the LAN OK). Norton and SpyBot and a anti key-logger found no problem and Chrome is set to clear itself on session close, so I don't know it was. The fix was to uninstall and reinstall Chrome, but it bugs me that what ever caused this specifically blocked me from getting to 21 specific sites only known within Lastpass. Many of the sites in Password had never been accessed from this PC, so they would not have been stored any place on the PC outside of Lastpass, yet they where still found and blocked on the PC. Not saying anything is wrong on Lastpass's side, just saying there are hackers currently interested in banging on it at the local level.

  24. I hope that the "anonymous" below who doesn't trust LastPass also doesn't have any plugins installed in his browser(s). From the fact that LastPass works at all one can deduce that any browser plugin is able to capture any ID/password you enter and do whatever it wants with it. In fact, "anonymous" shouldn't use browsers for accessing sensitive data - who knows whether Mozilla, Microsoft, or Google are collecting our data?

    I'm afraid you have to trust someone sometime.

    That said, I would still like to see another professional security review.

  25. Hi, as mentioned above I would like to have an independent 3rd party do a full review on LastPass. It's probably secure, but nothing is 100% secure; some who had their banking details stolen, accounts, cards... I don't trust this app or plugins that capture your sensitive information.

  26. @Wes...Dropbox has dropped off the face of the planet...

  27. Good! I just did a 2k "you should be ashamed" to "Windows Secrets" prompted in-part by the inherent weaknesses mentioned here. Also avoid "VLC media player" if you have midi files, "PC Decrapifier" if you're reasonably competent, and "MSE" UNLESS you're reasonably competent w/ anti-malware. And so on.

  28. LastPass has been very well built and I trust it. There are easier ways to get your personal info than hacking LastPass.. like your online banking site. From the comment made, "maybe they could do a hacking competition at a black hat event to test the security.": no hacker is going to say I will hack your site.. that is just hanging your ass out there. NOTHING IS HACKER PROOF. With LastPass you have nothing to worry about.

  29. So while your data is completely secure at LastPass, what about your data that the LastPass addin is sending to the various websites in order to log in? Doesn't the LastPass addin have to decrypt the passwords before it can do that? Can't it then just send the unencrypted data to anywhere it wants? Not just your web browser/html form? Just wondering...

  30. What is that cool stuff flickering in the background of Gibson's studio?

  31. @Anonymous -- I think it's a PDP-11

    Replies
    1. It's a couple PDP-8 clones

  32. I believe the comment by Brian Stanton hit the nail on the head. The weak point must be the LastPass browser add-in. Of course, I know the browser security for passwords really sucked, so any improvement is welcome. There have been many programs to reap your passwords from the browsers. So, I welcome any attempt to shore up the password storage department and I think LastPass makes an attempt to do that.

  33. I love LastPass. Upgraded the premium version last year after using it for a good 6+ months and finding it absolutely incredible. Enabled 2-factor authentication recently to add some extra security as well. Great product.

  34. I'll try it very soon, thank you for the post.

  35. This guy is dangerous. He makes himself sound like a security expert when all he does is analyze things from one limited perspective without any serious inspection or analysis. Look what he missed...a common cross-site scripting vulnerability (which has since been fixed):

    https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details

    The guy sounds like a paid shill.

  36. Oh -- and he missed this one too:

    http://www.informationweek.com/news/231300157

  37. I REALLY think LastPass MUST make public an audit report from a 3rd party or independent researcher, as a matter of some urgency.

    Issues like the one noted at grepular.com are very serious for a tool like this.

    In addition to the auditor selection, what they do is important. I've spent a LOT of time on the latter question while negotiating with TD Ameritrade regarding what sort of auditing they would get.
    Here's what I would find acceptable:
    Lastpass must be certified by a 3rd party auditor as having PASSED an audit. The audit should be to the Massachusetts Data Privacy Regulations that by law LastPass has to be in compliance with already (with the minor modifications I've listed on my blog). Anything less than a PUBLIC CERTIFICATION that the audit was PASSED isn't good enough. The auditor needs to be a large enough company that its certification means something. (Passing an audit means the auditor can write an unqualified opinion letter.) See my blog post, "Audit", here: https://caringaboutsecurity.wordpress.com/2010/03/29/audit/

  38. LastPass deserves an attaboy for voluntarily exposing a cross-site scripting vulnerability that potentially could have allowed someone to download a copy of my encrypted file of hashed password codes. Oh my... Maybe I'm crazy but that's not even a small security problem.
