LastPass and the NSA Controversy

September 10, 2013, Security News

With news that the United States National Security Agency has deliberately inserted weaknesses into security products and attempted to modify NIST standards, questions have been raised about how these actions affect LastPass and our customers. We want to directly address whether LastPass has been or could be weakened, and whether our users’ data remains secure.

In short, we have not weakened our product or introduced a backdoor, and haven’t been asked to do so. If we were forced by law to take these actions, we’d fight it. If we were unable to successfully fight it, we would consider shutting down the service. We will not break our commitment to our customers.

Although we are not currently in the position of having to consider closing the service, it is important to note that if LastPass had to be shut down, our users would be able to export their data or continue using LastPass in “offline” mode, although online login and syncing would no longer be possible.

We have consistently said that LastPass cannot share what it cannot access. Sensitive user data is encrypted and decrypted locally, on the user’s own device, with a key that is never shared with LastPass. As always, we encourage our users to choose a strong master password, because the master password is what protects that locally encrypted data against brute-force guessing. Given this design and our lack of access to stored user data, it is more efficient for the NSA or anyone else to try to circumvent LastPass altogether and find other ways to obtain user information.
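To make the point in the paragraph above concrete, here is an added illustration of the client-side-key pattern. It was written for this edit; it is not LastPass’s own code and does not describe LastPass’s actual key-derivation or cipher parameters. It shows a vault key derived from the master password on the device, a server that receives only a further one-way hash of that key plus the encrypted vault, and what someone holding that server record can still do: guess master passwords offline. The PBKDF2 iteration count, the HMAC-SHA256 counter-mode cipher (a standard-library stand-in for AES-GCM), the username-as-salt choice and the sample vault and wordlist are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Illustrative constants (assumptions, not LastPass's actual parameters).
ITERATIONS = 100_000
NONCE_LEN, TAG_LEN = 16, 32


def vault_key(master_password: str, username: str, iterations: int = ITERATIONS) -> bytes:
    """Client-side KDF. The (lower-cased) username is the salt, so equal passwords
    on different accounts give different keys. This key never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), iterations)


def login_hash(key: bytes, master_password: str) -> bytes:
    """One more one-way step over the vault key. This, not the key, is what the
    client sends to authenticate and what the server stores."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-CTR.
    out = b""
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; encryption and MAC keys are split off the vault key via HMAC."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(username: str, master_password: str, vault_plaintext: bytes) -> dict:
    """Everything the server ends up holding for one account."""
    key = vault_key(master_password, username)
    return {
        "username": username,
        "login_hash": login_hash(key, master_password),
        "vault": encrypt_vault(key, vault_plaintext),
    }


def server_can_decrypt(record: dict) -> bool:
    """Try to open the vault using only what is stored server-side."""
    try:
        decrypt_vault(record["login_hash"], record["vault"])
        return True
    except ValueError:
        return False


def offline_guess(record: dict, candidates, iterations: int = ITERATIONS):
    """What someone holding the server record can do: guess the master password
    offline. Each guess costs a full KDF run, so the only defences are the
    iteration count and, above all, the master password's entropy."""
    for pw in candidates:
        key = vault_key(pw, record["username"], iterations)
        if hmac.compare_digest(login_hash(key, pw), record["login_hash"]):
            return pw, decrypt_vault(key, record["vault"])
    return None


# Constructed sample data for the demonstration.
VAULT = b'{"github.com": {"user": "alice", "pass": "hunter2"}}'
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "iloveyou"]

if __name__ == "__main__":
    weak = enroll("bob@example.com", "password123", VAULT)
    strong = enroll("alice@example.com", "correct horse battery staple 7", VAULT)
    print("server can decrypt:", server_can_decrypt(strong))
    print("weak account cracked:", offline_guess(weak, WORDLIST))
    print("strong account cracked:", offline_guess(strong, WORDLIST))
```

Two things the example makes visible that the paragraph only asserts. First, the server record contains nothing that opens the vault: `server_can_decrypt` fails the tag check. Second, the record is still enough for offline guessing, which is why the master password’s strength, not the server’s honesty, is the real limit: the account with a wordlist password falls in a handful of KDF runs, the passphrase account does not. The design also still depends on the client code doing what it says, which is exactly what several commenters below are asking about.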

Ultimately, when you use an online service you’re trusting the people behind that service to have your best interests at heart and to fight on your behalf. We have built a tradition of being open and honest with our community, and continue to put the security and privacy of our customers first. We will continue to monitor the situation and change course as needed, with updates to our community when necessary.

Thank you to our community for your ongoing use and support of LastPass.

132 Comments

  • Matthias says:

    Reading all the concerns about LastPass not disclosing all of their code and being a company under US legislation (with all the potential consequences), it seems that there now is a serious alternative available where, instead of complaining, you may act and prove how concerned you really are.

    Mitro, which until recently had just been a start-up company offering a service similar to LastPass, has released their entire source code (server and clients) under the GPL license on https://github.com/mitro-co/mitro at the end of July 2014.

    As it seems, they decided to close their business down and move on to work on different projects at Twitter instead. Read their announcement at http://labs.mitro.co/2014/07/31/mitro-is-joining-twitter/ and EFF’s announcement at https://www.eff.org/deeplinks/2014/07/mitro-a-new-free-password-manager.

    So if you are truly concerned about LastPass’ legal situation and their refusal to disclose the full source code, but would like to continue to use a similar service based on a fully disclosed code base that can be hosted by yourself or someone you fully trust, here is your chance to act.

    Join this open source project and help the Mitro community to audit the code, streamline server installation and maintenance, and adjust client configuration to an extent that will make it possible for average sysadmins and users to switch over to Mitro.

  • Anonymous says:

    If LastPass had received an NSL, they would be unable to talk about it. The only chance is moving to a country where freedom of speech exists.

  • Sally Oh says:

    I would love to see an update to this. Lots of new information in the past few months. I would like to know if you’ve received any security letters in the past few months. Thank you.

  • Anonymous says:

    Well, there are companies that act as independent neutral third parties, providing auditing, verification, etc. services. LastPass could ask a few such companies from abroad (not so easily influenceable by the NSA) to perform a yearly audit of their software and live systems and give a verdict on whether they think LastPass does what it claims. Of course it’s easy to just switch to a “clean” version for auditing and back to a “backdoored” one afterwards, if that’s the case. Furthermore, LastPass could allow such a third party to supervise their operations continually, making surprise checks of anything, etc. etc.

  • Anonymous says:

    Open cryptography may not be perfect, but if cryptography is not open, it’s useless.

    There is not one shred of evidence to suppose that what you write above (i.e., that there is no NSA back door to your system) is true.

    Indeed, if it was not true, that is exactly what you would write.

  • Anonymous says:

    I just downloaded last pass. Personally, I liked the sentence in this article where they claimed:

    “In short, we have not weakened our product or introduced a backdoor, and haven’t been asked to do so. If we were forced by law to take these actions, we’d fight it. If we were unable to successfully fight it, we would consider shutting down the service. We will not break our commitment to our customers.”

    I, for one, am happy to see this and hope that the company would shut down if asked for back door support.

  • Anonymous says:

    Without LastPass being open source I will have to trust the statements of a company that can be forced to comply with NSA requests and, I assume, did so in the past: why would it otherwise be necessary to start offering users the option of keeping their data on European servers?! No need to escape from NSA jurisdiction if the data were indeed secure on US servers (AFAIK the URLs are not even encrypted).
    Without LastPass being open source, the true level of LastPass security remains unknown; trust is no replacement for security.

  • The argument, “why are you using a hosted service anyway?” is flawed. If the security implementation is without flaw, it does not matter where the data resides. You can give it to your enemies and they will not be able to extract the data. LastPass would then be something like Dropbox; a bit-based diff-merge utility.

    Without open source, this requires 100% trust in what LastPass says; 100% trust in the programmers who have access to the code; 100% trust that the owner can keep the integrity of the code (preventing malicious inserts, intended or otherwise); and 100% trust that they themselves audit the code.

    With open source, you still have these issues. However, you can take advantage of crowd-sourcing. Anyone can take the code and compile it from source.

    As a non-premium user, I would absolutely pay for a minimum 10 premium accounts for life if the source code was open source. I understand this would allow copycats, but hopefully LastPass can build a development model that supports open source code.

  • Unknown says:

    Seriously…?

    All these people complaining about the code and whether it should or shouldn’t be available, and the inability to trust LastPass, etc.

    Why are you using a hosted service anyway?

    If you are truly concerned about your security then remember them and don’t store them anywhere.

    If you want an open source product then go and get it.

    Keep up the great work Lastpass.

    Nat

  • L. Simon says:

    Thank you for addressing this question directly. I am much less trusting of Google Chrome these days than in the past, and I was curious if Chrome could access my plugin information. Obviously it can, but then I was curious if there was any information out there concerning Lastpass and the Snowden leaks.

    A quick search brought me to this page. It’s quite refreshing to see a company approach issues like this in a direct and matter-of-fact way.

  • “we would consider shutting down the service” – This statement means nothing, nada zero.

    I would consider Christmas on Mars.

    Liam

  • Anonymous says:

    Total lies. First, when you start the latest version it opens a second browser window to Google. Why? Because Google browser cookies are being used to circumvent your security. Don’t believe me? Do a web search for “NSA Google Cookies”. There is no reason for that second browser window to automatically open on first run, and while you can turn it off, by then the damage is done if you opened the window once and it downloaded the Google cookie.

    Second, it has always been suspicious that when you type your LastPass master password the letter you type is not obfuscated for half a second. Both third-party hackers and the NSA use screen-grab technology through browser hacks (LastPass is now all browser oriented), and thus they have your master password by screen grabbing it as you type. Plenty of other apps do not show the letter or number you just typed before putting the * over each, so one must assume they did it intentionally to allow for screen grabs. There are several other intentionally built-in vulnerabilities which are present that all lead to one conclusion: LastPass may not have intentionally built in back doors, but there is enough evidence to make a reasonable conclusion that they left LastPass vulnerable intentionally to allow for interception of your master password.

    Adding to the suspicion: it’s not open source, the location of its HQ is next to the NSA HQ building, and the founders’ background. I am done with paying for LastPass. This last update to a complete browser base, including your refusal to hide passwords as people type, leaving a master password susceptible to screen grabbing, is way too suspicious. It’s bad enough the spying is going on, but I am not going to pay for it to be done.

    Don’t believe me? Proof is on the way but for now just watch; they will delete this post and never fix the exploit where it shows the password characters as you type. Just because they didn’t put a back door doesn’t mean they didn’t cooperate.

    Double talking. It’s what they do best: half truths.

  • Anonymous says:

    Open source is overrated. LastPass doesn’t need to be open source; it’s fine the way it is. So what if you can’t see the code, why should you? When you buy a Happy Meal at McDonald’s, do you tell them you want to see the ingredients?

    • L. Simon says:

      No one buys a Happy Meal expecting top-shelf, quality ingredients.

      Further, the nutritional information is indeed listed.

      For crypto, Open Source is essential, as it means the user need not trust the publisher. As it is, while I believe LastPass is acting in the best interests of its customers, the strength of that belief is bounded by how much I trust the company to continue to do so.

  • Anonymous says:

    As a former paying customer of both LastPass & Xmarks, just want to let you know like so many others here that this blog post is not enough to alleviate the concerns of LP customers. Not when you’re headquartered in NSA’s backyard in Virginia.

    Having access to the data in the “cloud” is the first step to decryption. Like the Unknown poster above (Nov. 5) said, LP could very well have been an NSA-decoy since Day #1. I’d like to trust you as well since the universal sync feature, especially when one’s mobile is very useful. However, until and unless you provide more guarantees I’m switching over to local and wishing well for your future endeavors.
