

LastPass - What are your thoughts?


tomos:
Interesting comment to an ArsTechnica article about Lavabit -
http://arstechnica.com/security/2013/11/op-ed-a-critique-of-lavabit/?comments=1&post=25632941

Lachlan Hunt
BrianB_NY wrote:
mudlock wrote:
"Despite what anyone tells you, end to end encrypted e-mail is not possible in a webmail world."

Sure it is. Anything a stand-alone client can do, a browser can do....
--- End quote ---

Exactly. The author either doesn't understand that you can implement stuff client side (Javascript for example) or he is making the leap that because doing so could potentially be too slow (in execution cycles) to be usable equates to "not possible"
--- End quote ---


If you start doing the decryption with javascript, then there are a number of issues that make it impractical and not totally secure. The question of where the private key is stored still exists. For practical and usability reasons, it's most convenient for the service to maintain the keys on their servers. It's possible that those keys can be password protected to provide limited protection against snooping, but users are notoriously bad at picking good passwords. Alternatively, you have to find some way to let the user store the private key themselves, leaving them wholly responsible for keeping it secure and backed up.

But assuming you have a workable solution for private key storage, you also need a way for the browser to perform the decryption of the email content, which is separate from normal decryption performed as part of the SSL/TLS connection. If, as you suggest, this is done by some JavaScript in the page. Then that exposes a huge security hole.

If you give the JavaScript access to the key and the user's password for decrypting the key, then it is also possible for that script to send a copy of the password and/or decrypted key back to the server. You have to have a certain level of trust in the service provider that they won't do this. But, that is exactly what HushMail did, and they were forced to snoop the credentials of some specific users in order to turn over unencrypted emails to the authorities.

It's also, unfortunately, the approach taken by services like LastPass when you log in via the website, rather than the extension, or use their security check tool. Users have to trust that LastPass is never going to send any javascript for the purpose of stealing their credentials. But they could certainly do so if they were ordered to. They could theoretically even direct this malicious version of the script to a specific IP address or user account, so no-one else could possibly notice it.

[...]
--- End quote ---

(my emphasis)

Deozaan:
The latest LastPass extension version has an annoying feature enabled out of the gate, where it shows matching sites in the extension as if it were a number of notifications. Thankfully this is easily disabled from the options.

Unfortunately, the latest mobile app version of LastPass has a similarly annoying feature which isn't so easily disabled. In the past, you were able to disable the built-in LastPass browser so that you could continue to use your device's preferred/default browser. The latest version has re-enabled the LastPass browser and adopted a "Tabbed" view. Interestingly, the tabbed view can be disabled on my phone, but not on my tablet. But the browser itself cannot be disabled. This results in annoying "what do you want to open this link in?" prompts. Even after selecting "Always" use my default browser, I still get prompted which one to use occasionally. But I think that's because of the way Android parses the links.

Overall I have been really happy with my LastPass experience and the service itself. That said, I don't want them to try to provide me with a browser on my mobile devices. I just want access to my password vault. That's all.

cyberdiva:
This results in annoying "what do you want to open this link in?" prompts. Even after selecting "Always" use my default browser, I still get prompted which one to use occasionally.
-Deozaan (November 07, 2013, 02:47 PM)
--- End quote ---
You've just solved a mystery for me.  I've never understood why LastPass appears along with my tablet's 3 browsers when I'm asked "What do you want to open this link in?"  I had no idea that LastPass had a browser.  Many thanks for clueing me in.

Like you, I'm quite pleased with LastPass, which I have used on my computers for five years or so and which I'm now also starting to use on my Nexus 7 tablet.  I do wish, though, that the LastPass folks had done more thinking and testing before they released the most recent update.  I suspect they now wish they had as well.

J-Mac:
My biggest annoyance with LastPass on an iPad is actually not their fault, but Apple's. On my Android phone I use the Dolphin browser and it allows extensions not unlike Firefox in Windows. Install the LastPass extension and it fills login fields automatically or by clicking on the LP icon. Very convenient. On the iPad though extensions aren't permitted and so LastPass is not allowed to fill login credentials in any browser other than its own. So I must copy and paste my usernames and passwords manually. Of course since you can't show multiple windows at once this means opening one over the other and then vice versa. Just a PITA!

Jim

lotra:
Just another thanks to IainB for the info, :up: I'm usually thorough about stuff like this, but this one I overlooked. I've been using LastPass without any problems since 2010, and my number of "Password Iterations" was only 1. When I changed it to 5000 I noticed that the Firefox LastPass addon is a little slower to log in now, but I can live with that. :)

LastPass also performs a large number of rounds of PBKDF2 server-side. This implementation of PBKDF2 client-side and server-side ensures that the two pieces of your data - the part that's stored offline locally and the part that's stored online on LastPass servers- are thoroughly protected:
     (screen capture image, not copied)

By default, the x number of rounds that LastPass uses is 5000. LastPass allows you to customize the number of rounds performed during the client-side encryption process. If you log in to LastPass, open your LastPass vault from the LastPass Icon, and launch Account Settings, you will see the "Password Iterations" field displaying the current number of rounds used for your account. Although 5000 is currently the default number of rounds, your number may be lower if your account is older.
-IainB (October 02, 2013, 05:39 PM)
--- End quote ---
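A worked model of the two-stage stretching described in IainB's quote, added here as an illustration and not LastPass's own code: a client-side PBKDF2 stage whose round count is the account's "Password Iterations" setting, one extra round to form a login token, and a server-side stage over that token. The e-mail-as-salt choice, the single extra round and the server round count are assumptions of this model, not details taken from the thread.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credentials for the demo; not real account data.
EMAIL = "user@example.com"
MASTER_PASSWORD = "correct horse battery staple"

def client_side_key(email: str, master_password: str, iterations: int) -> bytes:
    """Client-side stage (assumed model): PBKDF2-HMAC-SHA256 over the master
    password, lower-cased e-mail as salt, the account's "Password Iterations"
    setting as round count. The result is the local vault key, never sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)

def login_token(vault_key: bytes, master_password: str) -> bytes:
    """One extra client-side round so the value sent to the server is derived
    from, but is not, the vault key (assumed design)."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)

def server_side_verifier(token: bytes, server_salt: bytes, rounds: int) -> bytes:
    """Server-side stage: the token is stretched again with the server's own
    random salt and round count, so a stolen database still costs an attacker
    `rounds` more PBKDF2 rounds per guess on top of the client-side work."""
    return hashlib.pbkdf2_hmac("sha256", token, server_salt, rounds, dklen=32)

def enroll(email: str, password: str, client_iters: int, server_rounds: int) -> dict:
    """What the server stores: its salt, its round count and the verifier."""
    salt = os.urandom(16)
    token = login_token(client_side_key(email, password, client_iters), password)
    return {"salt": salt, "rounds": server_rounds,
            "verifier": server_side_verifier(token, salt, server_rounds)}

def check_login(record: dict, email: str, password: str, client_iters: int) -> bool:
    """Re-derive from the supplied password and compare in constant time."""
    token = login_token(client_side_key(email, password, client_iters), password)
    candidate = server_side_verifier(token, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["verifier"])

def seconds_per_guess(client_iters: int, samples: int = 3) -> float:
    """Wall-clock cost of one client-side derivation; linear in the iteration
    count. The slower login lotra noticed is the same extra work an offline
    attacker must pay for every master-password guess."""
    t0 = time.perf_counter()
    for _ in range(samples):
        client_side_key(EMAIL, MASTER_PASSWORD, client_iters)
    return (time.perf_counter() - t0) / samples
```

Raising "Password Iterations" changes the derived vault key, which is why the setting cannot be changed without re-encrypting the vault, and why an account still on 1 iteration gives an offline attacker thousands of guesses for the price of one at 5000.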
