Sep 10, 2013

LastPass and the NSA Controversy

With news that the United States National Security Agency has deliberately inserted weaknesses into security products and attempted to modify NIST standards, questions have been raised about how these actions affect LastPass and our customers. We want to directly address whether LastPass has been or could be weakened, and whether our users’ data remains secure.

In short, we have not weakened our product or introduced a backdoor, and haven’t been asked to do so. If we were forced by law to take these actions, we’d fight it. If we were unable to successfully fight it, we would consider shutting down the service. We will not break our commitment to our customers.

Although we are not currently in the position of having to consider closing the service, it is important to note that if LastPass had to be shut down, our users would be able to export their data or continue using LastPass in “offline” mode, although online login and syncing would no longer be possible.

We have consistently reiterated that LastPass cannot share what we cannot access. Sensitive user data is encrypted and decrypted locally with a key that is never shared with LastPass. As always, we encourage our users to create a strong master password to better protect themselves from brute-force attacks. Given our technology and our lack of access to stored user data, it is more efficient for the NSA or others to try to circumvent LastPass and find other ways to obtain user information.
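To make the two claims in that paragraph concrete (the vault key never leaves the client, and a strong master password is what stands between a stolen server record and the vault), here is an added illustration. It is not LastPass's code, and the page does not state LastPass's parameters: the PBKDF2-HMAC-SHA256 derivation, the 5,000-iteration work factor, the use of the username as salt, the "one extra PBKDF2 pass" login verifier, and the HMAC-in-counter-mode stand-in for the real cipher are all assumptions made for the demo. It goes one step beyond the text by modelling the cost of guessing after a server breach, showing that the work factor and the password's guessability set the attacker's price.

```python
"""Client-side vault protection sketch (added illustration, not LastPass's code).
Assumed, not from the page: PBKDF2-HMAC-SHA256, a 5,000-iteration work factor,
the username as salt, and HMAC-SHA256 in counter mode with encrypt-then-MAC
standing in for the real cipher."""
import hashlib
import hmac
import secrets

ITERATIONS = 5000   # assumed client-side work factor
KEY_LEN = 32        # 256-bit vault key


def derive_vault_key(master_password: str, username: str,
                     iterations: int = ITERATIONS) -> bytes:
    """Client only: the key is computed on the user's device and never sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.encode(), iterations, KEY_LEN)


def login_verifier(vault_key: bytes, master_password: str) -> bytes:
    """Sent to the server instead of the key: one further PBKDF2 pass, which
    the server can compare but cannot invert to recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(),
                               1, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in PRF for a real cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; only this opaque blob reaches the server."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + body, "sha256").digest()   # encrypt-then-MAC
    return nonce + body + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Checks the tag first, so a wrong key or a modified blob is rejected."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(vault_key, nonce + body, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault blob rejected: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(body, _keystream(vault_key, nonce, len(body))))


class Server:
    """Holds nothing but the verifier and the encrypted blob per account."""
    def __init__(self):
        self.accounts = {}

    def register(self, username: str, verifier: bytes, blob: bytes) -> None:
        self.accounts[username] = (verifier, blob)

    def fetch_vault(self, username: str, verifier: bytes) -> bytes:
        stored, blob = self.accounts[username]
        if not hmac.compare_digest(stored, verifier):
            raise PermissionError("login rejected")
        return blob   # still encrypted; decryption happens on the client


# Constructed sample wordlist for the cost model below (not real user data).
SAMPLE_WORDLIST = ["password", "letmein", "correct horse"]


def guessing_cost(stolen_verifier: bytes, username: str, wordlist,
                  iterations: int = ITERATIONS):
    """Models what a breach of the server record buys: every candidate master
    password costs a full PBKDF2 run, so the work factor and the size of the
    candidate space set the price. Returns (match or None, iterations spent)."""
    work = 0
    for candidate in wordlist:
        work += iterations
        key = derive_vault_key(candidate, username, iterations)
        if hmac.compare_digest(login_verifier(key, candidate), stolen_verifier):
            return candidate, work
    return None, work


def demo():
    """Round trip: register, log in, fetch, decrypt; then the cost model."""
    user, pw = "alice@example.com", "correct horse"          # constructed
    key = derive_vault_key(pw, user)
    server = Server()
    server.register(user, login_verifier(key, pw),
                    encrypt_vault(key, b"site=example.com;pw=s3cr3t"))
    blob = server.fetch_vault(user, login_verifier(key, pw))
    matched, work = guessing_cost(login_verifier(key, pw), user, SAMPLE_WORDLIST)
    return decrypt_vault(key, blob), matched, work


if __name__ == "__main__":
    print(demo())
```

The design point is the split of roles: the server only ever sees the verifier and the blob, so a breach yields material that still has to be attacked one PBKDF2 run per guess. Doubling `ITERATIONS` doubles that cost for every guess, which is the "work factor" lever; the master password's unguessability is the other lever, and the one the paragraph asks users to pull.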

Ultimately, when you use an online service you’re trusting the people behind that service to have your best interests at heart and to fight on your behalf. We have built a tradition of being open and honest with our community, and continue to put the security and privacy of our customers first. We will continue to monitor the situation and change course as needed, with updates to our community when necessary.

Thank you to our community for your ongoing use and support of LastPass.

129 comments:

  1. "We have built a tradition of being open and honest with our community"

    So why isn't the binary component open source? I want to trust you guys, but this entire post is a moot point when you refuse to let us audit the code.

    Replies
    1. There's something there. I love the service and I'm sure about your intentions and I trust you, LastPass but I would actually like it open source. Would be the ultimate expression of mutual trust.

    2. I don't see why they should have to make their software open source. It's kind of like coke not releasing their ingredients. They are here to make money remember and spent a lot of it designing this software

    3. Well, even if it were Open Source (as it ought to be!), the question would remain: can one trust that the binaries offered are actually built from the Source code that is made available? People actually ask that correct question, for instance, regarding TrueCrypt. This means that such a concern is real - and also quite valid IMO.

      But, don't get me wrong - I also would like to have the Source to be (theoretically, in my case,...) able to audit it.

    4. Alexander brings up valid points - there are still problems with an open source approach. Currently, our website and some plugins can be audited as they're javascript-based. We appreciate the comments, we don't currently have plans to change our model but may revisit.

    5. Open source is the gold standard for crypto. The principle is: If an enemy knew everything but the password, your system should still be just as secure. This principle, however, conflicts with business models sometimes, because these tend to prefer closed source. Since LastPass sells a service rather than a product, they could still make money if they made their product open source. But there would be the risk of copycat services using their code and making their own service to sell.

    6. Thanks John, we appreciate this perspective.

    7. Have you considered that releasing the source code might actually compromise LastPass, thus leaving your data unsecure?

    8. Open source is ok, like TrueCrypt and AxCrypt: its source code is available for you to see and test if there are flaws etc. in its coding, and it will still remain secure to use. But like John said, if you put your source code out there it's up for the copycats to grab it and make it their own thing, and since LastPass uses their code for business, it's not a really good idea to release it. (Sometimes you just need to trust them, and if you can actually prove someday that there are backdoors in it you can sue them.)

    9. @5iN Security through obscurity is no security at all.

    10. This is crypto. There is only open source when it comes to crypto, everything else is missing the point.

      Kerckhoffs's principle isn't new, guys. Catch up to the 1800s security revolution; people realized a LONG time ago that cryptography had to be open.

      Knowledge of a system does not degrade the security of said system.

      Open up your binary if you want to make claims about backdoors. Want me to trust you? Let me see what's under the hood.

    11. But they do use open crypto. That's the important part, isn't it? Besides, being open doesn't guarantee a thing. There was a critical vulnerability in the Linux kernel for 8 years before it was found. Not exactly obscure code.

    12. The algorithms are open, the implementation (in the binary) is not. You are far more likely to find errors in crypto in the implementation as opposed to the algorithm.

      The implementation is also the part accused (by some) of being backdoored in various applications.

      The Linux Kernel vuln isn't really relevant. Because Linux is open source it's allowed people to go in and discover vulnerabilities like that, improve security, etc.

    13. To Amber, and other LastPass employees who may be reading, I think there is absolutely a discussion to be had here:

      You should reach out to the security community and ask them how to approach this. There are many people who have taken the open source route, there are many people who would love to help you make the transition to an open system.

      I'm not even super FLOSS-y, I'm fine with closed code. But this is one of those programs that really should be open.

    14. Stop lecturing. It works and it's free, unless you upgrade to premium. In an ideal world Last Pass would have created an individualized program that meets everyone's specific needs and is everything to everyone.

      It works, and there is no such thing as an absolute guarantee in life. The internet only has as much information as you allow it to have. Put less out there, and you'll have less to worry about.

    15. Open source would create back doors. Nothing wrong with the software as it is.

    16. I agree that having the binary components (and maybe the whole LP platform) open source would be great, most companies aren't happy to just dump source code for public viewing - it becomes a responsibility, someone has to check bug reports, maybe look over pull requests, and of course it would be a significant target if there were any vulnerabilities because of the nature of LastPass. I did audit the Linux binary component and did not find any unusual behavior from it, and indeed LP works fine without it, but I'm not an expert.

    17. Open Source != Licence to copy. They could make the source open *and* at the same time not allow copies to be used for any commercial or competing purposes

    18. If you must have open source, go to a service that is! LastPass is doing a great job and I'm not just happy with it, I trust the people providing the service. Go get your own sandbox if you want to play that way.

    19. I'd love to open source all that is LastPass - I'd just need a way to ensure I wasn't destroying jobs and much of the value we've created in the process. The only viable way I could come with was doing a record breaking kickstarter where if it's reached we'll commit to open source forever. If nothing else it would let people put money behind their desire for this to be fully open source.

      It seems highly unlikely that we could reach such a goal without millions of people committing money to it, so I'll cover the reasons why I see it as unnecessary:

      1) LastPass is open source primarily -- Firefox, Chrome, Safari, Opera and Maxthon extensions can all be utilized 'binary free' and are open source. If you wanted you can utilize these exclusively and only log-in from them. Disable updates and you're using _only_ open source and you could audit it and continue to use it forever, safely.

      2) We use only open source crypto which you could audit separately. In our binaries we utilize Crypto++ (http://www.cryptopp.com/) or OpenSSL in some phone binaries. Attacking us for not utilizing open source encryption doesn't make sense.

      3) Open source doesn't mean you can stop trusting people -- are you reading every patch, are you auditing the source, are you compiling the source? Are you packaging the binaries, are you signing your own binaries? If you said no to any of those you're trusting people involved with doing those things for you, just like you're trusting LastPass.

      4) Open sourcing everything has issues for us as a viable business. I don't want to send the 27 people who work for LastPass home because we've open sourced our product. Our competitors have utilized all that is open against us; opening more source will only increase the copying we've seen.

      - Joe Siegrist CEO LastPass

    20. Hey Joe,

      I really really appreciate this response. Thank you. I'm going to respond to each point individually.

      1)
      Yes, users are open to using the open source / JavaScript version. Unfortunately they lose out on certain security features, and, very significantly, speed.

      The speed is such an issue because you have to cut your PBKDF2 rounds to 1/5th when moving to the extension from the binary plugin. Essentially a brute-force attack is going to be 5x faster.

      2) I didn't. And I am not attacking LastPass. I love LastPass, and use it myself.

      What I'm saying is that the implementation of LastPass (the use of those libraries, etc) is closed. That's the issue.

      3) It definitely is not a silver bullet. And in the end there has to be some trust of LastPass. But I think as much should be done to remove the necessity of that trust as possible, and having some independent researcher go "Hey, I reviewed this, here are snippets of the code I saw, here are the issues, here's what's awesome" etc. is great.

      4) Definitely. And that's an issue that I get and something you need to consider. And to that I would say you should try to ask as many people in the security community as possible to help LastPass make that transition. Even if you don't end up transitioning just letting them know that you're working on it would make a lot of people take you guys seriously.

    21. I'm confused why some people think Last Pass "should be" open source. Why? It's a private initiative and if it's a quality product that deserves to make an income (which it is), isn't it the owner's prerogative to make the code private if he/she wishes to do so? There's some merit in arguing for the code to be audited, I guess, but that doesn't mean going open source is the solution.

    22. Greg,

      It is of course LastPass's decision whether to go open or not. But when it comes to crypto most people want open, because, for the last 200 years or so we've realized that it's for the best to do so.

      What other solution would you propose to allow auditing of the code?

      If they submitted their code to be audited by various organizations and they made it open and public that they were audited I think that would help many people.

    23. Even if LastPass makes it opensource, 99.999% of all users wouldn't be able to analyze it anyways, but would instead have to rely on some "expert" to do the heavy lifting. So instead of trusting LastPass, you're now trusting the "expert".
      In regards to "experts" - they all come in various degrees of expertise - and there are some I don't trust one bit.. (no one mentioned, none forgotten)

    24. "If they submitted their code to be audited by various organizations and they made it open and public that they were audited I think that would help many people."

      Just what I was thinking.
      The code could be audited by various reputable organizations with NDAs. A bit of compromise on both ends.

    25. Open Source is just one way of establishing trust in the code (bugs and backdoors). More important to me -- and I would become a paying premium customer if Lastpass did so -- are independent audits on the code AND the build process.

      Both, however, increase just the trust. They do not prove security for every release generally.....

    26. Hello Joe,
      You need a way to know that opening your source code wouldn't destroy the jobs and value you have created? No problem!
      1) You have the first mover advantage! And you've had it for a looong time. This is one of the economic truths of capitalism: the first one to (sell a product in the) market usually wins. This is one of those big barriers to (market) entry preventing you from taking over someone else's, like say Amazon.com's, business.
      2) You have name recognition, a sterling reputation, an affordable working product, and even more importantly a customer base. Another economic truth about capitalism is that people like to go from the known to the known. And once there they don't like to leave without a good reason. Meaning more people are coming to you and using Lastpass because a lot of people already have come to you and are using Lastpass. This is another one of those big barriers to entry that support and protect you while simultaneously preventing you from taking over someone else's, say Apple's, business.
      And 3) Anyone able to take over your business by sucking your customers away *after* you open the source code could do it *now*. Google for example. Your code is not *that* complex. I am sure there are any number of programmers at Google who could hack a working prototype of Google Lastpass in the space of an afternoon. Or, if you are really unlucky, in a few minutes. After that, they roll out a full alternative to Lastpass in two weeks as a Beta and poof your business is gone.
      Having the sources closed is not what protects you from the giants in the playground like Google. It is their disinterest in being the world's secure crypto provider doing that.
      In fact the only economic business reason not to have the code open sourced would be if you had an exit plan of selling Lastpass to one of the big guys like Microsoft, Apple, or Google someday.
      Barring such an exit plan, economically you are better off opening the source as that will add to your already sterling reputation during a time of increased worry about security. And that will add to your revenues, not subtract from them.

    27. Hi there, it's nice that the company CEO took the time to actively participate in this discussion.

      I love LastPass and it has already saved me a lot of headaches. Maybe hire the top 3 auditing companies, sign an NDA and get their nice "certification" badge :)

      This should give some peace of mind to several undecided users ;)

      Just an idea :)

    28. Joe, I'd like to engage with you a bit more about the benefits of open-sourcing the client bits (while maintaining a closed service environment). I'm a security engineer working for Red Hat and The Fedora Project and I believe I can help you understand where a certain amount of *controlled* opening of the source can enable you to actually reach a wider audience in two ways:

      1) You gain the ability to approach distributions such as Fedora, Red Hat Enterprise Linux and Ubuntu about distributing your solution directly as part of their comprehensive system, thereby increasing your user base and potential paid account upgrades.

      2) As an extension of 1), packages that are distributed in such distributions benefit from a peer-review and discrete bug-reporting policy, so if and when a weakness is discovered in the implementation, you will not be alone in trying to identify and resolve it. This will increase trust among potential users and who will therefore be more likely to recommend your solution over others.

      Additionally, by opening the client, you reduce the maintenance costs on it, since you will begin to receive patches from the wider community to help you fix bugs and add new features. This need not impact the structure of your core team, but it means in the future you may be able to redirect cash that would have been spent expanding your workforce into other areas, such as infrastructure. With an open-source community helping keep the bugs down (and therefore reducing disruptive fire-drills), you can also focus your team of experts on new features (on both the client and service) that will result in greater value for the company.

      If you would be interested in continuing this discussion more directly, I can be contacted directly by email at sgallagh [at] redhat (dot) com. I would be very pleased to work with you to deliver the LastPass client as an offering in Fedora and Red Hat Enterprise Linux.

  2. So very glad to hear this, well done LastPass :)

  3. As much as I am happy to hear this, I too think like Colin above me - as long as the binary is closed source one cannot entirely put his trust in it.

    Replies
    1. The key here is trust. You always *have* to trust them. What would open source get you? How would you make sure that the binary is built from that source?

  4. Being closed source only protects lastpass interests and not the users'.

    If you are truly open you would enable the community to audit the code. Unless your business model is not software as a service and is something else.

  5. I am a long term (paid) LastPass user and trust LastPass and Steve Gibson's thorough technical review of LastPass. I trust no other. I use it on many platforms, PC, Mac, Android (phone and tablet), iPad, iPod and, in the past, Blackberry and Palm. It can be frustrating at times (bugs/quirks) but I hope LastPass lasts (pun intended) a long time!

    Replies
    1. Where is the "Like" button...

    2. Well said, Unknown. I'd trust Steve Gibson with my life.

    3. What will open source mean to those of us who simply stumble along every day with no more knowledge than how to run our programs?

  6. Ditto to Colin's above comment. I love LastPass, and I *want* to trust LastPass, but at this point, I can't. Without the ability for third parties to independently and publicly audit your client side code, it's nearly impossible to trust LastPass. Note that I'm not actually interested in open sourcing your clients, but just that the code is publicly auditable.

    Like I said, I *want* to trust LastPass, but I currently have no reason to. It's gotten to the point that although I love the service, I'm seriously considering other options.

    Replies
    1. Thanks Joel - we appreciate the comments. There are challenges to open source, but we do agree with the points regarding security audits and will continue to take action to earn and maintain our community's trust.

    2. This comment has been removed by the author.

    3. Even if LastPass makes it opensource, 99.999% of all users wouldn't be able to analyze it anyways, but would instead have to rely on some "expert" to do the heavy lifting. So instead of trusting LastPass, you're now trusting the "expert".
      In regards to "experts" - they all come in various degrees of expertise - and there are some I don't trust one bit.. (no one mentioned, none forgotten)

    4. @Lars: What you'd be trusting is a community of experts to compile, audit, and submit patches to improve the code. Unless you're suggesting a concerted conspiracy among a faction of the experts to submit poor and insecure code, which really doesn't sound practical or realistic from the conspirator's standpoint when they'd be called out by their peers and just generate controversy and profile that they wouldn't want. Incompetent 'experts' would be easily weeded out as well. Code is not so solipsistic that poor 'experts' could just decide to advocate it and have it incorporated without peer review. So maybe I'm not understanding you and you could better explain what you mean by not trusting 'experts'?

  7. Dear LastPass team.

    You have no idea how glad I am to read this statement. Keep it up guys and girls.

    I love Your product. I would love it more if it was open-sourced but I give You my trust even in its current form. When I finally get some cash flow running, the donation will definitely be sent to support the project.

    Keep us posted. Keep the good stuff coming.

    Andrzej

    Replies
    1. Thanks Andrzej, we appreciate the positive support.

    2. Hi Amber.

      It would be hard not to support what You guys created for us. Thank You LastPass team for a great product.

      Regards.

      Andrzej

  8. then don't use it.

    if you're asking for it to be open source, I assume you're using the free version, no? if you want something open source, build it yourself, and then figure out a way to run a profitable (or even floatable) business around it.

    Replies
    1. Go be a troll somewhere else...

    2. I work for a company that gives its core product out for free, and we're traded on NYCE, and a billion dollar company. In S&P500. It is possible.

      I pay for LastPass, but I really wish it was open source. I would still pay for the service: I am not paying for the code.

    3. Thanks for the comments - it'd be very interesting to hear more about your experience with your company if you're willing to reach out to marketing[at]lastpass[dot]com.

    4. I too pay for LastPass. I appreciate the apps and Yubikey support. I would love LastPass all the more if it were open source.

  9. I absolutely love Lastpass and I appreciate your openness about what you will and will not do. I am a paid subscriber and have been since day 1. I am not sure I understand those who clamor for "open source" products. Unless you compile it yourself you are trusting whomever supposedly vetted the code. So although I follow and love Steve Gibson it is impossible to trust "no one" and be on the internet. And even Steve himself doesn't adhere to that policy 100% as he is a Lastpass user and proponent.

    Replies
    1. Hi there Jeff.

      First of all - be nice. It's nice to be nice. The word clamor has a negative bell attached to it and we (people that clamor about the open source...) are not trying to be negative. Open code is easier to maintain and inspect for weaknesses - the community could help with that. Why is that very often met with negative response or even aggression? I have no idea... I agree it is easier to find a weakness in an open source code and by opening it LastPass would allow people with a moral compass pointed in the wrong direction to study the code without the need to reverse engineer it - but at the same time it would allow security oriented white hats to do the same thing...

      Second of all, as a Linux user I am well aware of the compilation process. As a person who is not fluent in any of the programming languages I can still inspect very basic code for errors. Now think about what an experienced programmer could do... I love this project. I use this project on a daily basis. Even though I trust not very many people I still want to believe in LastPass developers' skills and intentions. As I wrote - I give them my trust. I would trust them even more if they were open sourced. I didn't say one negative thing about the project. I always defend it when being told that storing passwords by sharing them with a third party is a bad idea. I tried to memorize / understand what Steve Gibson was saying about how LastPass crypto works and I try to use that whenever there is a doubt about LastPass security / intentions (damn I just realized how geeky and nerdy that sounds...).

      Third - I am not trying to steal the LastPass code. Period. Actually... I would make 100% sure I would pay for their service (I will do that in the future anyway) and I would feel good about it. I am with them since Steve Gibson analyzed their crypto in one of the Security Now episodes (256, nice number). I have advertised LastPass to many friends and family members. I got them a few users in the past.

      Like I said. Best regards to LastPass dev team.

      Cheers.

      Andrzej

    2. Hi Andrzej,

      I didn't mean to send a flame. You could not "see" my inflection - I was smiling a friendly smile. Change the word clamor to pine. I stand by my remarks about open source however, as 99% of the populace would not be able to compile the source code even if it was vetted by someone they trusted. I trust the authors of Lastpass until they give me a reason not to.

      Jeff

    3. I also bought the full Lastpass version and give this company my trust. I trust Steve Gibson. I trust this LP. I don't trust the NSA. This is an acceptable risk.

    4. As far as trustworthiness goes (on a scale from 1 to 10, 10 being ultimate trust), I give the NSA a 1, Steve Gibson a 5, Bruce Schneier an 8 and Joe Siegrist a 9.
      I absolutely love a company that takes its time to talk to the users, as much as LastPass do. They are very responsive indeed and open to most suggestions, but most importantly, they won't compromise security!!!

  10. Awesome Lastpass!! I trust you and your motives! Lastpass does me a great great service for $12 per Year! so I am good...

  11. sounds great, you tell us that the NSA doesn't have a backdoor, but can that truly be verified? :p

    Replies
    1. Well when they can one day neither confirm nor deny the existence of a back door or their receipt of information requests or court gag orders, then we'll know that they were compromised =P

  12. LastPass is my greatest software find years ago that has my vote for years to come.

  13. Would it not be easier and safer to move the servers and even the company (but not the people) out of the US and into somewhere with stronger privacy laws like in Europe?

  15. Open source does not equal secure. Very few people have the technical acumen to audit code for weaknesses. Most simply trust that if there were weaknesses someone else would find and report them. We know today that even well known open standards (like NIST's special publications) are vulnerable to subversive influence, and unlikely to be detected.

    Replies
    1. At the very least open source software can be scrutinized. As opposed to closed-source where you must be a professional and have to sign non-disclosure agreements to even read some of the code. I am more secure knowing that I can read GPG source code (and I'm hardly a programmer) than Symantec's PGP.

      And I have already abandoned Lastpass because of trust issues, both because of closed-source issues and because of possible (but improbable) NSA tampering.

    2. Open source does not equal secure. Open source does lend itself to the verification and validation process, which is critical for cryptography above all other types of software.

  16. LastPass should consider putting a "Dead Man Switch" on their homepage and at the top of the LastPass Vault. They're not allowed to tell people if the FBI/NSA/ETC serves a national security letter on them, but they can stop telling people that they've never been asked to divulge information!
    http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch

  17. Yeah man... Lastpass is like our last line of defense for our password security, so if you break that trust... Geez, I'm sure I'd be one of the people to sue you guys. I've been paying for the security, not for the insecurity. So if they ask you to put in a backdoor, please close or shut down your business or at least move to a country where you can still do your business right. Just saying.

  18. Love your service, LastPass, and was very proud to be one of your users after seeing how openly you handled the last breach of our encrypted data, well done, thank you! Now, this is different; it's not you whom I distrust, it's your government and your laws. It's not your fault, it's your geography. Opening your binary could not even be enough at this stage (where NIST is compromised and its overly complex standards are a feature, not a bug), but could be a start.

    Regarding your assurances of closure before selling us out, have you signed the Privacy Seppuku pledge yet? ( seppuku.cryptostorm.org )

    Replies
    1. That's the most crucial point. Hosting data in one of the big militarist security States (China, the US, Russia) is a huge risk. I'd prefer LastPass offers hosting in a country where the rule of law is taken more seriously.

    2. I feel the same. I'm cutting down on most US based services, because of NSA/privacy issues. I used to be a paid/premium user of Evernote, Dropbox and LastPass. Now I'm reverting to local or self-hosted solutions.

  19. Has LastPass ever publicly responded to this? http://tobtu.com/lastpass.php

    I would like to know if the vulnerability that site documents is still a concern.

    Thank you.

    Replies
    1. I would also be interested to hear a reply from LastPass to the points raised in the article you linked to on tobtu.com.

    2. The team has recently been in contact directly. We hope the page will be updated to reflect recent conversations and changes.

    3. Thanks for the response to my request. I was rather hoping to see something public from LastPass on LastPass' web presence rather than waiting for the tobtu.com page to potentially (and maybe never) be updated. Can we have that info directly from LastPass?

    4. The issue has been fixed and he's confirmed he'll update the post to reflect our latest changes. We don't currently have plans to post, but we're certainly happy to address further comments or concerns: security[at]lastpass[dot]com

  20. "If you repeat a lie often enough, people will believe it, and you will even come to believe it yourself."

    "That is of course rather painful for those involved. One should not as a rule reveal one's secrets, since one does not know if and when one may need them again. The essential English leadership secret does not depend on particular intelligence. Rather, it depends on a remarkably stupid thick-headedness. The English follow the principle that when one lies, one should lie big, and stick to it. They keep up their lies, even at the risk of looking ridiculous."

  21. Hello, I understand that LastPass hasn't been asked to weaken their service by external parties, however part of the NSA approach was to weaken commonly used encryption protocols via NIST standards.

    Has LastPass established that the crypto they are using has in itself not been weakened?

    Replies
    1. Could you provide a link to where you "heard" this?

    2. To the best of our knowledge it has not been, but we certainly welcome any sources / tips: security[at]lastpass[dot]com

    3. @Anon, sorry for the lateness of the reply (also, not who you asked), but I've been busy and not kept up with my RSS feeds. Only now do I see your questions, to which I have an answer: all over the Guardian, the New York Times, ProPublica, and subsequently most major news outlets and tech journalism blogs/publications. Here's a relevant link: http://www.propublica.org/article/standards-agency-strongly-suggests-dropping-its-own-encryption-standard

      It was part of the Snowden leaks.

  22. LastPass, if you ever close down, please inform us in advance so that we can retrieve the passwords.

  23. Nice to hear from LastPass about this. I know nothing about programming, so even if LastPass were open source I would still have to trust others. I choose to trust LastPass until I feel I have no reason to.

    /Pentti

  24. This is why Open Source would work for LastPass:

    1. Copycats:
    LastPass was first, on a proven platform, trusted by millions. Sure, there will be copies; there will be a few hundred or maybe a thousand that create their own version. Let them, I doubt anyone would trust them over LastPass.

    2. Bugs & New features:
    The community could help you in a large way to make LastPass much better - and trust me, there are really skilled security experts out there who can't help but lend a hand, just for the sport of squashing bugs.

    3. Users and new versions:
    Related to #2 is the fact that people don't trust anyone else to release 0-day fixes for bugs in the software, updates with new _reliable_ features that don't compromise security. People would feel obligated to continue to use the BEST service - and that is LastPass.

    4. The FLOSS effect:
    People love transparency; it would be such a strong selling argument that you would attract a LARGE new crowd of users.

    Please consider these points, as I know they hold true.

    Replies
    1. Your 1st point is not exactly accurate. There were/are other online password management systems that existed before LastPass.

  25. Besides having the ability to independently verify the integrity of our clients, I also want LastPass to voice their current situation to the legislature.

    How heartbreaking it must be for LastPass to either be forced to implement backdoors or be accused of such because the government made people overly paranoid.
    LastPass is one of many such businesses that can be/is financially hurt by the current atmosphere of mistrust created by the government spying on innocent people.

    Voice your concerns to elected officials!

  26. Do you have a canary,
    like http://www.rsync.net/resources/notices/canary.txt

  27. "Sensitive user data is encrypted and decrypted locally with a key that is never shared with LastPass"

    Does this mean you hold some user data you don't consider sensitive and that isn't encrypted in such a way, or, as I would hope, is everything you hold about me considered sensitive?

  28. I really like LastPass and have been using it as a paying customer for a while. I've also recommended it to a lot of my friends.

    However, reading your blog post I feel like there is a lot missing here. [citation needed] is what comes to mind. If you do not provide positive proof for your words then you cannot expect us to trust you completely.

    You write "we have not weakened our product or introduced a backdoor" - as others before me have pointed out, if you do not allow independent review of your code (like providing source) these are just words.

    I think you really need to strongly consider (in light of recent revelations with the NSA) what ACTIONS you will take to reassure your paying customers.

    Words on a blog are sadly not enough.

    Replies
    1. Thanks for the comments, these are great points and ones we anticipate addressing in the months ahead.

  29. Well, regardless of the NSA having a backdoor at LastPass or not, one can adjust the risk level by choosing where to use LastPass. I have never put my most important passwords in LastPass (email, ecommerce sites, banking). Still, LastPass helps my daily life by simplifying a number of less mission-critical logins.

    Paranoids can check KeePass + Dropbox

    Replies
    1. KeePass + Dropbox is no more secure. KeePass alone is my default. While I am comfortable with LastPass's security protections, at the end of the day the data is in the cloud. If the NSA were to capture data it would not be via warrant but by setting up a prism outside LastPass servers. Backdoors are so yesterday. I assume my encrypted LastPass data is being captured by the NSA, and I act accordingly by not putting any website-identifiable information in LastPass.

  30. Those of you who don't want to trust LastPass can write their own code and share it with the world if they like.

  31. Everyone seems to have missed the big picture. Lastpass MIGHT SHUT DOWN? NOOOOOOOOOOOOO. I can pay more if it will help.

  32. Hi, I wondered if you could answer a follow-up question: If LastPass were forced to shut down suddenly rather than violate this ethical stance, would export still be a viable option?

  33. If you're online, you're not secure. Security is relative. Deal with it!

  34. Thank you for the statement. Quite comforting.

  36. Hello,

    first and foremost, thank you for officially making a statement regarding the recent revelations. It shows that you are dedicated to your customers & users. This is reassuring in troubling tech-times.

    I too would be interested in an open-source route, but I wholeheartedly understand some possible worries in regard to going this route.

    http://opensource.org/licenses/gpl-license

    Most people associate freedom with cost, but on the contrary, you can sell a binary under the GPL. You need to equally recognize that under the GPL, people who have paid for your binary are free to modify the code and re-distribute it under the GPL, even for free.

    You could still offer the LastPass service with a fee, which is almost mutually exclusive to the binary itself, as you can use LastPass in offline mode. In fact, you could probably even double your fee and people would still happily pay for your service, ESPECIALLY if it was open source. Most people, especially those who are savvy enough in tech-related fields, understand the costs, resources, and hard work associated with such products and services. I know that I, for one, would be more than happy to pay double the fee for LastPass Premium, especially if it were open source.

    Making the binary open source would allow you to expand your business model and offer "reseller" plans with an API to expand your profits and user base. Offering affiliations to smaller businesses who wish to use the open source model could potentially boost profits and traffic.

    Because LastPass would be open and other people could theoretically mimic the service, the NSA may be less inclined to specifically target LastPass as a company. The NSA can partner up with big tech companies and the ISPs, but they can't partner up with everybody.

    In conclusion, I believe that it is in the best interest of LastPass and its community to make the software open source. As cloud companies based in the United States are projected to lose over $35 billion dollars due to privacy/security concerns, privacy and security are going to play a big role in the future. LastPass could very well be the face of the "AIO-Password solution", especially in the future, if its next step were an open source route.

    Kind regards,
    --cwade12c

  37. "Given our technology and lack of access to stored user data, it is more efficient for the NSA or others to try to circumnavigate LastPass and find other ways to obtain user information."

    This is the key point to me. The NSA already has access to the information you are trying to protect in LastPass. This is why I continue to use LastPass; it is better than anything else I can do and remain reasonable in the number of hoops I must jump through to use the logins.

    However, I still see a need for the NSA to get into LastPass. LastPass can be used as a sort of chat/email channel. Two users sharing the same LP account could share communications via Secure Notes. Or, users could share a secure note between LP accounts and when the note is updated the other users will receive notification that a new communication is available.

    I would hate to see LastPass shut down, but I appreciate the stance by the company toward the NSA, and others like them. My remaining concern is how the NSA appears to be going after the owner of Lavabit because they did shut down. That is a scary amount of pressure to remain open and lie.

    Again, I love LastPass and the LP Team and wish you all the success you deserve. I will continue to use LP because the NSA probably already knows my secrets that I keep in LP.

    It's a sad day when we see our own government as the enemy. They have become the terrorists they claim to fight. They are terrorizing our right to privacy.

  38. What bothers me about people that profess to like Open Source, and I know several, is that they have patented what they have and kept what they have profited from closed source. Sort of like they are saying do as I say, not as I do! I can't accept that!

    Replies
    1. The original intent of patents was to provide innovators with a limited time during which no copycats could profit from their invention, giving them time to recuperate the heavy investment that usually goes into R&D. -- This is not at all at odds with open source: patents are not closed source by definition, you just are not allowed to profit off the invention. And they are (supposed to be) effective only for a limited time, before they enter the public domain, at which point the technology is open for anyone to use.

      The current perversion of patent laws that has taken over the tech industry is a different topic... but patents as they were originally intended are not antithetical to open source principles.

  39. This is bs, we live in what is called a "free" country; you should be able to run your company without government harassment. This focus on terrorism is 1984.

  40. Your service, and your adherence to putting the customer first, are EXACTLY why I would pay ten times the price you currently charge for LastPass.
    Thanks for a great product!

  41. Is LastPass an American company? I actually pay for the product and really don't have anything I'd worry about the NSA seeing, but I don't like the idea of them having access in the first place.

  42. Sadly! There's no way to validate this statement by LastPass. They could very well have been hit with a non-disclosure agreement, facing jail time if they disclosed whether there was a back door in its software or not. :(

    BUT! Even if there isn't a backdoor in its software, there is in Windows and Mac, so that point is moot.

  43. I’m not so worried about specific OS back-doors. At that point I would be under specific investigation. It’s the complete indexing / profiling program that scares me. I think of mass-profiling as filling cups on everyone. More content could result in a higher ‘hit-rate’. I plan to keep my cup as empty as possible and thereby hopefully never be a suspect for further investigation on whatever imaginary grounds.

    Regarding LastPass: I am worried about the disclosure of my personal and complete directory listing of every BBS, forum, website, shop, service, etc. I have a registered account with. Perhaps even more than losing a password.

    So.. perhaps I'm wearing an aluminum foil hat on this topic, and in the end I don't really have anything to hide; I'm just an average Joe. But I do like to keep the door closed when going to the restroom, just like anyone else.

  44. IMO it should not be open source. LastPass should rather provide a parallel testing platform to allow broad testing for vulnerabilities and back doors and whatever may compromise security.
    This could be used as a good base for "lessons learned" for future release management.
    Of course, upon the first hack of this "test platform" the production environment would have to be shut down for security reasons.

  45. "Sensitive user data is encrypted and decrypted locally with a key that is never shared with LastPass."

    Which encryption does it use?

    Replies
    1. Seriously?? It's all over their website.

  46. Thank you for the good job Lastpass.
    As a non US resident, paying, satisfied customer I have to say goodbye and good luck.
    A closed source US service for my security? Today? Are you kidding?

  47. I appreciate the note as this is something that has worried me. Saying you would rather shut down shows your commitment and I am comfortable with that commitment. I will stay a loyal customer!

    I have nothing to hide but hate the fact that the NSA is looking over your shoulder. It's a shame that civil liberties and rights are gone for Americans and now other nations too! I don't think I could have had the guts to show the world the wrongdoing.

    Losing rights as a free country via the Patriot Act is one thing, but having Big Brother watching over your shoulder is another.
    I have greater trust for China and Russia providers than US ones, it seems.

    Kudos to Snowden, Google, LastPass and others for fighting for true freedom!

  48. Unfortunately this is not going to make me stop looking for a non-US based alternative.

    Can't trust anything an American company says anymore, because of the way your legal system works, it seems.

  49. I just want to share that +lastpass 2.5.2(1571) is compromised. To get access to all the passwords of the premium Android app, just install version 3.00.2(3002) and you will have access to all the unencrypted passwords WITHOUT entering the master password the first time you run the app.

    What is really disturbing in this story is that this means that LastPass is lying when saying that the user is the only one who can decrypt the encrypted passwords.

    If this were true then there is no way whatsoever that someone could decrypt your encrypted passwords without entering your master password. Well, this shows that somehow, even though I have never and would never store my master password, LastPass has used either a cached version of it to decrypt my files, or they have direct access to my unencrypted master password.

    With all the news hitting our papers that the NSA is pouring millions into companies to spy on everyone, it is hard to shake the feeling of LastPass being the brainchild of the NSA.
    -Why not? That's how I would go about fooling people into giving my passwords away. Just show some white papers detailing that this decryption by LastPass is impossible and then sit back and deliver a cheap service for security-minded people.
    Of course no one can verify their lies because LastPass uses a proprietary software license.

    I have saved the versions of the Android app and have verified this. If you want the app versions to verify this, email me and I will post them.

  50. As a former paying customer of both LastPass & Xmarks, just want to let you know like so many others here that this blog post is not enough to alleviate the concerns of LP customers. Not when you're headquartered in NSA's backyard in Virginia.

    Having access to the data in the "cloud" is the first step to decryption. Like the Unknown poster above (Nov. 5) said, LP could very well have been an NSA decoy since Day #1. I'd like to trust you as well, since the universal sync feature, especially when on one's mobile, is very useful. However, until and unless you provide more guarantees I'm switching over to local and wishing well for your future endeavors.

  51. Open Source is overrated. LastPass doesn't need to be open source; it's fine the way it is. So what if you can't see the code, why should you? When you buy a Happy Meal at McDonald's, do you tell them you want to see the ingredients?

    Replies
    1. No one buys a Happy Meal expecting top-shelf, quality ingredients.

      Further, the nutritional information is indeed listed.

      For crypto, Open Source is essential, as it means the user need not trust the publisher. As it is, while I believe LastPass is acting in the best interests of its customers, the strength of that belief is bounded by how much I trust the company to continue to do so.

  52. Total lies. First, when you start the latest version it opens a second browser window to Google. Why? Because Google browser cookies are being used to circumvent your security. Don't believe me? Do a web search for "NSA Google Cookies". There is no reason for that second browser window to automatically open on first run, and while you can turn it off, by then the damage is done if you opened the window once and it downloaded the Google cookie.

    Second, it has always been suspicious that when you type your LastPass master password the letter you type is not obfuscated for half a second. Both 3rd party hackers and the NSA use screen grab technology through browser hacks (LastPass is now all browser oriented) and thus they have your master password by screen grabbing it as you type. Plenty of other apps do not show the letter or number you just typed before putting the * over each, so one must assume they did it intentionally to allow for screen grabs. There are several other intentionally built-in vulnerabilities which are present that all lead to one conclusion: LastPass may not have intentionally built in back doors, but there is enough evidence to make a reasonable conclusion they left LastPass vulnerable intentionally to allow for interception of your master password.

    Adding to the suspicion: it's not open source, the location of its HQ is next to the NSA HQ building, and the founders' background. I am done with paying for LastPass. This last update to a complete browser base, including your refusal to hide passwords as people type, leaving a master password susceptible to screen grabbing, is way too suspicious. It's bad enough the spying is going on, but I am not going to pay for it to be done.

    Don't believe me? Proof is on the way, but for now just watch; they will delete this post and never fix the exploit where it shows the password characters as you type. Just because they didn't put in a back door doesn't mean they didn't cooperate.

    Double talking. It's what they're best at: half-truths.

  53. "we would consider shutting down the service" - This statement means nothing, nada, zero.

    I would consider Christmas on Mars.

    Liam

  54. Thank you for addressing this question directly. I am much less trusting of Google Chrome these days than in the past, and I was curious if Chrome could access my plugin information. Obviously it can, but then I was curious if there was any information out there concerning Lastpass and the Snowden leaks.

    A quick search brought me to this page. It's quite refreshing to see a company approach issues like this in a direct and matter-of-fact way.

  55. Seriously...?

    All these people complaining about the code and whether it should or shouldn't be available and the inability to trust LastPass etc.

    Why are you using a hosted service anyway?

    If you are truly concerned about your security, then remember them and don't store them anywhere.

    If you want an open source product then go and get it.

    Keep up the great work LastPass.

    Nat

  56. The argument, "why are you using a hosted service anyway?" is flawed. If the security implementation is without flaw, it does not matter where the data resides. You can give it to your enemies and they will not be able to extract the data. LastPass would then be something like Dropbox; a bit-based diff-merge utility.

    Without open source, this requires 100% trust of what LastPass says; 100% trust of programmers who have access to the code; 100% trust that the owner can keep the integrity of the code (preventing malicious, intended or otherwise, inserts); and 100% trust that they themselves audit the code.

    With open source, you still have these issues. However, you can take advantage of crowd-sourcing. Anyone can take the code and compile it from source.

    As a non-premium user, I would absolutely pay for a minimum of 10 premium accounts for life if the source code was open source. I understand this would allow copycats, but hopefully LastPass can build a development model that supports open source code.

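The property that comments 27, 45 and 56 are arguing over (data encrypted locally with a key the service never holds, so "you can give it to your enemies") can be sketched concretely. This is an added example, not LastPass's code and not a description of its actual scheme: the PBKDF2 key split, the HMAC-based stand-in for AES, the iteration count and the server's storage layout are all assumptions made here, chosen to show what a server-side database dump can and cannot yield, and that a locally cached vault still decrypts after the service is gone (comment 32's export question).

```python
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 100_000  # assumed iteration count for this example, not a product value


def derive_keys(email, master_password):
    """Client side only: vault_key never leaves the device; login_hash is a further
    one-way derivation and is the only credential the server ever receives."""
    salt = email.strip().lower().encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS)
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, login_hash


def _subkey(vault_key, label):  # separate keystream and tag keys from one vault_key
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for AES-CTR so the example needs only stdlib
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key, entries):
    """Encrypt-then-MAC on the client; returns nonce || ciphertext || tag."""
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key, blob):
    """Runs wherever the blob and the master password are, with or without the service."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(ct))
    return json.loads(bytes(c ^ k for c, k in zip(ct, stream)))


class Server:
    """All the service holds per account: a re-hashed login verifier and an opaque blob."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, login_hash, blob):
        # hashed once more here, so a database dump holds neither login_hash nor vault_key
        self.accounts[email] = {"verifier": hashlib.sha256(login_hash).digest(), "blob": blob}

    def fetch(self, email, login_hash):
        acct = self.accounts[email]
        if not hmac.compare_digest(acct["verifier"], hashlib.sha256(login_hash).digest()):
            raise PermissionError("login rejected")
        return acct["blob"]


def can_decrypt(key, blob):
    try:
        return decrypt_vault(key, blob) is not None
    except ValueError:
        return False


def run_scenario():
    """Constructed walk-through returning what each party can and cannot do."""
    email, password = "alice@example.com", "correct horse battery staple"  # constructed
    entries = {"forum.example": "hunter2", "shop.example": "s3cret"}  # constructed
    vault_key, login_hash = derive_keys(email, password)
    server = Server()
    server.register(email, login_hash, encrypt_vault(vault_key, entries))
    dump = server.accounts[email]  # what a server-side breach or compelled access yields
    return {
        # normal sync: log in, fetch the blob, decrypt locally with a key the server never saw
        "synced": decrypt_vault(vault_key, server.fetch(email, login_hash)) == entries,
        # the server's own stored data is useless as a key
        "server_can_decrypt": can_decrypt(dump["verifier"], dump["blob"]),
        # a wrong master password fails closed instead of yielding silent garbage
        "wrong_pw_decrypts": can_decrypt(derive_keys(email, "wrong")[0], dump["blob"]),
        # service gone: a locally cached blob plus the master password still exports the vault
        "offline_export": decrypt_vault(vault_key, dump["blob"]) == entries,
    }
```

The model says nothing about a client that has been modified or replaced, which is why the thread's open-source and verifiable-build arguments are a separate question from where the data is hosted.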
  57. Without LastPass being open source I will have to trust the statements of a company that can be forced to comply with NSA requests and, I assume, did so in the past: why would it otherwise be necessary to start offering users the option of keeping their data on European servers?! No need to escape from NSA jurisdiction if the data were indeed secure on US servers (AFAIK the URLs are not even encrypted).
    Without LastPass being open source, the true level of LastPass security remains unknown - trust is no replacement for security.

  58. I just downloaded LastPass. Personally, I liked the sentence in this article where they claimed:

    "In short, we have not weakened our product or introduced a backdoor, and haven’t been asked to do so. If we were forced by law to take these actions, we’d fight it. If we were unable to successfully fight it, we would consider shutting down the service. We will not break our commitment to our customers."

    I, for one, am happy to see this and hope that the company would shut down if asked for back door support.

  59. Open cryptography may not be perfect, but if cryptography is not open, it's useless.

    There is not one shred of evidence to suppose that what you write above (i.e., that there is no NSA back door to your system) is true.

    Indeed, if it was not true, that is exactly what you would write.
