Is Lastpass really safe?

Lastpass is a password manager/form filler that has worked great for me for the past year. But I’m wondering how safe it really is.

They claim that all encryption/decryption is done on your own system, so only encrypted data is transmitted to their website, so that sounds fine. But it occurs to me that if somebody with really good programmers and funding, like the Russian Mafia, wanted to make a really beeg killing, they could offer this for free for a couple years, and then raid everybody’s accounts.

After all, if you use it for everything it’s designed to be used for, they have all your websites, passwords, CC numbers, etc. They also encourage you to store any sensitive documents you care to “keep safe” on their website, so who knows what all they might have – bank account numbers, challenge/response sequences, etc. It really sounds too good to be true that they offer one of the best form fillers, plus cloud storage, for free.

And as far as I know, their code is not open source. I imagine it would only take a few well-hidden bytes to check for a certain date, and then upload your master password the next time you log in. They could then decrypt at least a snapshot of everybody’s data as of that login, any time they wanted.

Is there anything in principle that would prevent them from doing this?

Very strange coincidence, I was logging into lastpass and every time I do, the vault pops up which is annoying so I started debating if I should ask someone here how to stop that and the very first text I see is “lastpass” in your title. Had to been a sign, so I’ll ask here…

How can I stop the vault from popping up after logging in everytime?

I’m using Firefox, so this may only work for that, but if I click on the Lastpass icon in the toolbar, and then Preferences, there’s a checkbox in the General section that says “Show the Vault after Login” or something similar. Mine is unchecked, and the vault doesn’t open.

The only thing preventing it is the hope that one of the more popular pieces of form filling software (probably the most popular) would probably be exposed by technically savvy people if it was doing this…eventually.

LastPass of course says that it only transmits encrypted data, but you’re correct that unless someone is actually looking at what packets are being sent you can’t be 100% sure of that, I guess.

This thread at the LastPass forums is an interaction between a LastPass user and someone who works for LastPass, the user in question verifies that his connection is sending hashed (encrypted) data to LastPass and nothing in plaintext or et cetera.

If you read the full thread you will see that he confirms that all of his credit card and password information is sent to LastPass encrypted (and the master password is part of the key that does the encrypting.) Even LastPass employees looking at their database would only see encrypted text and without knowing the actual master password of the end user it would be functionally impossible for them to decrypt it.

Now, of course it is entirely possible if this was an elaborate scam LastPass put all of this stuff in place and made it look legitimate for the purposes of lulling people into a false sense of security. Unless you are always looking at the packets all the time you can’t be 100% certain that the Russian Mafia that secretly runs LastPass hasn’t changed it so they’re getting your unencrypted data.

However, from everything I’ve seen is that LastPass is at least as trust worthy as any other service which has theoretical access to your credit card information. If you’re going to trust websites like PayPal, Overstock.com, Buy.com, Half.com and various other websites I see nothing intrinsically less safe about LastPass. It’s actually safer since you never transmit in plain text credit card information to LastPass, with LastPass that is all done locally. With many online merchants you’re typing in your CC number which is then sent directly to their system (typically to run a payment gateway you have to get an SSL certificate demonstrating that your secure connection is legitimate and thus relatively protected, though.)

I appreciate the response.

I don’t see how checking packets would help. All they have to do is encrypt your master password using their own password, and send it along with the rest of your information.

And I don’t see how checking their code would help. All they have to do is use clean code for the first two years, and then slip something into the next upgrade. In fact, the reason I’m posting this today is because I just read an article saying millions of people have downloaded Firefox 4 in the first couple days it’s been out. This would be an excellent time for Lastpass to say that a new version is required for FF4.

But a silent upgrade would probably be better. I was trying to find out what version of Lastpass I had, and I couldn’t find anywhere that told me. But I did find an item in the Tools menu that said “Update available,” so I clicked that, thinking it would check for updates. Instead, I almost instantly got a message informing me that a restart was required to complete installation of the update.

So obviously, it would not be difficult for them to add something to the software without my knowledge. Maybe some security experts would find it within a week or so, and maybe they wouldn’t, but that’s plenty of time to get a lot of stuff.

As for your point about giving CC info to online retailers, I agree, but that’s just one CC. Lastpass might have all your CCs, all your bank accounts, even all your porn websites for blackmail.

Not that I use any porn sites.

No, no.
Still, who they gonna tell ? Your mother ?

Article in yesterday’s* LifeHacker* mentions a discovered & corrected flaw in LastPass:

https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details

I do use LastPass.

I don’t know very much about encryption but the encryption happens on your local machine and the code that LastPass uses to do this was apparently the code the individual was looking at in the forum thread I posted. I’m not so sure they could do this trick given the code he was looking at.

Yes, I had said this already.

The point I was making is any company you give your personal information to you have entered a relationship of trust. If you open a bank account in real life, that’s a relationship of trust. If you open an investment account in real life, that’s a relationship of trust. If you open an account at Amazon.com, that’s a relationship of trust.

If you use online banking, that is a relationship of trust.

LastPass definitely aggregates as much personal information as you give it.

The only really unique thing about LastPass and your relationship with them is that yes, someone could get “everything” if they were the Russian mafia running LastPass.

But what’s to stop ScottTrade or an equivalent from doing the same? If you open an account like that you have to give them pretty much everything (bank accounts, RL address, birth date, social etc) with that information you’re more or less as fucked as you can be.

At the end of the day, it’s a relationship of trust.

Reasons to assume the relationship of trust with LastPass is warranted:

  1. LastPass is incorporated in the United States
  2. LastPass has a physical presence in the United States
  3. LastPass lists their staff with names, pictures, and personal biographies on their website. This information could easily be used to delve into their backgrounds.
  4. LastPass has functioned and operated as a legitimate business interest for some years now.

What this means is if the Russian Mafia has set up LastPass as a front they have had to do the following things:

  1. Go through the effort of creating a company that appears entirely legitimate here in the United States. This is a lot of paper work and would involve some creative obfuscation of the company’s ownership.

  2. Again, the physical presence would require effort to setup and maintain. Not to mention cost (cost would also come into play with setting up the phony ownership.)

  3. All those staff members either had fake identities created for them (which would need to be insanely in depth given all the different previous employers listed for all of the individuals) or, these people were planted by the Russian mafia 10-20 years ago here in the United States and they then worked for over a decade in “normal” jobs before launching this operation. Either option you’re talking about a huge expense and with the fake identity one high risk of getting caught very early on.

  4. The potential return on investment would seem low to me. The Russian Mafia is engaged in lots of very high margin crimes, his would be relatively low margin. Mainly because I suspect that LastPass still has a relatively small user base, and while it seems to be growing in popularity that is a slow process. Smuggling heroin or cocaine is much faster, much greater profit versus effort I would think. For each user of LastPass, how many will actually put credit card, bank, and et cetera information into the software? How many will just use it to store password. Of those who just use it to store passwords, how many will use it to store passwords that will make it so you can steal stuff from their bank account or commit identity fraud? Of those that you can use their information to steal from them or defraud them, how many will have significant assets you can take? How many will be penniless and/or have few credit card accounts and little money in their bank accounts? How much human time is involved in going through all the data and systematically trying to steal money from each person?

Realistically you’d probably just sell the whole data set much as criminals now will sell personal information they steal. It sells for fractions of a penny on the dollar because a lot of effort goes into using it and the chance of much return on a single record is low.