Aug 23, 2010

Another Glowing Review for LastPass

LastPass was recently the topic of discussion on WHTC's Computer Talk, as part of an episode focusing on passwords and computer security. For anyone who listened to Steve Gibson's overview of LastPass, the content and message of this show will be familiar; the hosts generally agree that LastPass is the best valued password manager currently on the market. Where this clip differs is that the CEO of LastPass, Joe Siegrist, is interviewed live and answers several common questions regarding our software and philosophy. Definitely worth a listen!

17 comments:

  1. I looked into LastPass after hearing Steve Gibson's overview on Twit TV, Security Now show. Having used it for around a month now, I can see that I am beginning to wonder how I managed before. The effect is to make my internet activities feel like a seamless part of my own internal computer usage. Thanks for producing the most useful internet facility to date.

  2. LastPass is an amazing solution to managing passwords. All the ideas and philosophies behind it are very sound and secure, but don't confuse the philosophy with the actual product. Most likely it was built right, but without actual testing by a third party you can't be sure they have actually done in their software and servers what they claim. Even the best programmers can accidentally leave bugs that will leak out your passwords. All these security interviews just say the idea is secure, they cannot tell you whether the product is actually safe to use. Then again, I personally love LastPass and I use it all the time. For me, it is worth the risk.

  3. Jon, by that logic you shouldn't use any piece of software you haven't written yourself.

  4. > Jon, by that logic you shouldn't use any piece of software you haven't written yourself.

    Not exactly. Jon's point is valid. This is about security and whether you want to store your bank password, medical site password etc. on their server. LastPass is not open source. They are probably great programmers, but at the end of the day, we just don't know whether we can trust it to that extent.

  5. If it is really secure, why does most of your marketing consist of trying to convince people that it is secure?

    How does LastPass get paid? How does LastPass pay its programmers? How does having an encrypted block of data sitting on one of LastPass's servers get LastPass paid? How does creating and maintaining a form fill plugin get LastPass paid? How does one to many computers accessing an encrypted block of data on one of LastPass's servers get LastPass paid? How does LastPass pay for that bandwidth?

  6. In truth, we have very little marketing - we simply have outstanding technology that solves a problem that every Internet user experiences on a daily basis. If you doubt the security model, we welcome you to analyze our traffic and code yourself - please search our forums as others have done exactly this. Regarding your 6 questions on how we make money: please read our FAQ: http://lastpass.com/support_faqs.php
    And yes, we are a profitable company with no debt.

  7. I've been using LastPass since June (2010) and my confidence in the product remains high. I am a Premium user, with YubiKey authentication and use the LastPass app and Dolphin HD plugin on my Android phone.

    You (LastPass guys) would do yourselves a _huge_ favour if you could get a recognized corporate security firm to do an in-depth study of the product architecture. I've watched Steve Gibson's review of LastPass on TWiT, and it's reassuring to hear his positive comments, but one person's views are not enough.

    I do intend to continue to use LastPass but, please, give us more independent verification of the security model. Thanks.

  8. Enough said :-O

    http://www.hackthissite.org/forums/viewtopic.php?f=29&t=5495&start=0

    "LastPass is a password manager where all decryption is local, but is synced to a server with AES encryption. It runs as a browser-plugin. That part is fine.

    The issue I'm having is that even though they allow Multi-Factor Authentication, such as YubiKey, you can disable YubiKey simply by clicking in an email that is sent to your main email address. Unfortunately, they refuse to allow this email to be sent to another address, and since you need to have LastPass associated with an email account that you actively use for billing reasons, it means that if you're compromised, I believe that the hacker already has everything he needs to bypass Multi-Factor Authentication, and take over your LastPass account.

    When you log into LastPass, you use an email address, which is already printed on the screen, and a password, which you type. It then prompts you for Multi-Factor Authentication (YubiKey), which is checked with the Yubikey servers.

    What I'm saying is that if you use a webmail account such as GMail, and you for whatever reason have malware running on your computer, chances are high that you've both had your email account compromised, as well as your LastPass login compromised, since a screen-capturing keylogger can easily capture your LastPass credentials, and a man-in-the-browser or some other mechanism can easily take over your email account.

    What I'm trying to make them do is either (1) do as eBay, and never print the full email address on the screen, or (2) send the reset-email to another email account than your main one, or via SMS, or via some other channel. Because again, the assumption is that if you have malware on your system, your email will also have been compromised, and then the attacker has everything he needs to disable Multi-Factor Authentication, and then log into your account using the credentials he already has captured.

    This is catastrophic, since a LastPass account is likely to hold bank logins, credit cards, server logins, social security numbers, basically your entire life. Given that this attack is untargeted, i.e. the hacker doesn't even have to be looking for LastPass in particular, it could be very devastating.

    The arguments coming back from LastPass include:

    1.) We're small, we won't be attacked.
    2.) Hackers give up after 2 minutes, they won't persevere.
    3.) It's just an unrealistic attack, it won't happen.
    4.) It's impossible to get anything installed in the browser that will capture your webmail login if the login is done by the password manager, i.e. it's impossible to capture the form submission.
    5.) Your firewall will detect the upload of the capture feed.
    6.) Your antivirus will catch the install of the malware.

    I find that each of these arguments represents enormous denial about reality.

    1.) In reality, you'll be attacked no matter what your size.
    2.) Hackers don't give up. Many of them are highly paid by organized crime to do this exact work.
    3.) It's fully realistic, and is already being done. CitiBank recently suffered great losses from this exact attack.
    4.) It seems that if you control the computer, you can install anything anywhere without the user knowing.
    5.) The firewall will not capture regular port 80 POSTs. You can easily evacuate data from the computer without triggering a firewall.
    6.) Many threats are undetectable when they're new."

  10. It seems all legitimate technical comment and criticism here is just deleted.... I was considering looking at and testing this software, but now I can't recommend this.

  11. I've got LastPass on my iPhone, iPad, and iMac. I have not been able to figure out how to sync my iMac passwords with my iPad passwords. They just don't show up on my iPad and I have to drop what I'm doing and go do data forensics on my iMac every time I travel to a well-worn site from my iMac.
    Secondly, on my iMac, I have some accounts like PayPal that have two different log-ins, where I have to choose to turn off LastPass or it will override whatever I enter for the "other" log-in. Maybe I'm missing something obvious, as I have ADHD and it wouldn't be the first time.

  12. @Anonymous --

    We didn't remove the post; it was Google's automatic spam detection. I have since re-added it.

    To address your concern, we do allow a separate email address for multifactor, etc. It is discussed here:

    http://helpdesk.lastpass.com/account-settings/security/

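The concern quoted in comment 8 (an MFA-disable link that lands in the same mailbox the attacker already controls, and a login e-mail printed in full on screen) and Joe's reply that a separate address can be used for multifactor both come down to one design question: which channel is trusted to turn the second factor off. The model below is an added illustration, not LastPass code, and assumes nothing about LastPass internals; all names (`Account`, `set_recovery_email`, `request_mfa_disable`, the sample addresses) are hypothetical. It enforces the two mitigations the comment asks for, masking the login address and refusing to deliver a disable link anywhere but a dedicated recovery address that must differ from the login address, and then checks whether an attacker holding only the login mailbox can disable MFA.

```python
"""Model of an MFA-disable flow that does not trust the login mailbox.

Added illustration for this thread; not LastPass code, and it assumes
nothing about how LastPass implements recovery. All names are hypothetical.
Two defensive properties from the comments:
  1. never print the full login e-mail on screen (mask it);
  2. deliver an MFA-disable link only to a dedicated recovery address that
     differs from the login e-mail, so a compromised login mailbox alone
     cannot turn the second factor off.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import hashlib
import secrets


@dataclass
class Account:
    login_email: str
    recovery_email: Optional[str] = None      # dedicated channel, never the login address
    mfa_enabled: bool = True
    pending: Set[str] = field(default_factory=set)  # SHA-256 digests of outstanding tokens


def mask_email(addr: str) -> str:
    """Show only the first character of the local part: alice@example.com -> a****@example.com."""
    local, _, domain = addr.partition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain


def set_recovery_email(acct: Account, addr: str) -> None:
    """Reject a recovery address that is the same mailbox as the login address."""
    if addr.strip().lower() == acct.login_email.strip().lower():
        raise ValueError("recovery address must differ from the login address")
    acct.recovery_email = addr.strip()


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_mfa_disable(acct: Account) -> Tuple[str, str]:
    """Issue a single-use token and return (delivery address, token).

    The link is only ever sent to the recovery address. Only the token's
    digest is stored, so a dump of server state does not contain a usable link.
    """
    if acct.recovery_email is None:
        raise PermissionError("no separate recovery channel; MFA cannot be disabled by e-mail")
    token = secrets.token_urlsafe(32)
    acct.pending.add(_digest(token))
    return acct.recovery_email, token


def confirm_mfa_disable(acct: Account, token: str) -> bool:
    """Consume the token; MFA is disabled only if the token was outstanding."""
    d = _digest(token)
    if d not in acct.pending:
        return False
    acct.pending.discard(d)
    acct.mfa_enabled = False
    return True


def attacker_with_mailboxes_can_disable_mfa(acct: Account, compromised: Set[str]) -> bool:
    """Simulate an attacker who already has the login credentials plus the listed mailboxes.

    The attacker triggers the disable flow, then tries every link that landed
    in a mailbox they control. Returns True only if MFA actually got disabled.
    """
    mailboxes: Dict[str, List[str]] = {}
    try:
        address, token = request_mfa_disable(acct)
    except PermissionError:
        return False
    mailboxes.setdefault(address, []).append(token)   # "deliver" the link
    for addr in compromised:
        for tok in mailboxes.get(addr, []):
            if confirm_mfa_disable(acct, tok):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample account; the addresses are made up.
    acct = Account(login_email="alice@example.com")
    set_recovery_email(acct, "alice.recovery@example.net")
    print("shown on login screen:", mask_email(acct.login_email))
    # Attacker controls the login mailbox only.
    print("disabled via login mailbox?",
          attacker_with_mailboxes_can_disable_mfa(acct, {"alice@example.com"}))
    print("mfa still on:", acct.mfa_enabled)
```

The point of the simulation is the comparison: with the recovery address in a mailbox the attacker does not hold, the disable attempt fails and `mfa_enabled` stays true; give the attacker that second mailbox as well and it succeeds, which is why comment 15's advice to keep the recovery address out of the vault itself matters.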
  13. @armpit you must use the LastPass for Premium customers application (available in the App Store) to access your passwords (and log in to your websites) on the iPad/iPhone

  14. Yubikey and sesame are good ideas. If it could be set so that the authentication via Yubikey/sesame could not be changed in settings, especially via email, like the one comment above mentions, it would be a lot more secure. I would get the premium if they added this feature.

  15. Then what do you do if you lose the YubiKey and want access? The best solution is to have it sent to a separate security email address not stored in LP itself. Which you are able to do, as Joe said.

  16. I would like YubiKey to be used on a per-site basis too! I would have become a premium member and gotten a YubiKey if I could do this. I don't want to use the YubiKey on every single one of my sites that I need to login to. I just want to use it on certain sites, like banking, etc... Please add this feature!

  17. I travel extensively in Asia and use lots of public computers in Internet cafes, hotel business centers, etc. LastPass works well on my home PC, where I've downloaded the plugin. Here's my question: In order to use LastPass on public computers in Asia, do I have to download the plugin each time I go to a new computer, or can I use LastPass by just logging into the LastPass website? If I have to install the plugin on each public computer I use, LastPass is impractical for me.
