Dear Lifehacker, You recommend LastPass to avoid problems when services get hacked, but what happens if (or when) LastPass gets hacked? Wouldn’t that just give hackers access to all of my accounts? Is LastPass safe to use? Thanks, Password Protector
Dear PP,
Your worry is a common one: if LastPass stores all your passwords in the cloud, what’s to stop someone from hacking them and then getting into all your other accounts? Thankfully, it’s not so simple. Nothing is 100 per cent secure, but we think you can feel safe with LastPass.
First of all, let’s remember that LastPass — as a security-focused app — is dedicated to security in a way many services are not. Even when LastPass thought it might have been hacked back in 2011, it notified users immediately, and forced a master password change if you tried to access it from a new computer.
Furthermore, as with any other service that offers it, you should be using two-factor authentication with LastPass. If you do, someone who has your master password still will not be able to access your account, even in the event of a breach. If you want to take it to the next level, you can put together this awesome thumb drive-based system and enable these features for extra two-factor security.
Lastly, remember that the only secure password is one you can’t remember. If you can remember it, it’s probably more easily cracked and more easily reused across your other accounts. Using a password manager is still the most secure way to use your accounts, and it makes it very easy to audit and update your passwords when a service does get hacked (which sadly is a common occurrence these days).
If you don’t like the idea of storing your passwords in the cloud, there are alternatives, like the awesome KeePass. These keep your data out of the cloud, but make it more difficult to access your passwords on anything but your main computer — which is a huge blow to convenience. Unless, of course, you sync them with Dropbox, which defeats the whole purpose of using a local password manager (though you could encrypt the database with something like TrueCrypt first). And remember, if someone has physical access to your computer, they can still get your password database that way.
At the end of the day, it’s up to you to use what makes you feel safe. But remember: nothing is 100 per cent secure. We still think LastPass is the best option around, as long as you use it correctly.
Cheers
Lifehacker
Got your own question you want to put to Lifehacker? Send it using our contact form.
Comments
2 responses to “Ask LH: Is LastPass Secure? What Happens If It Gets Hacked?”
LastPass only receives and stores encrypted data, ever. They never receive your master password, they never receive unencrypted data, and they don’t store anything that isn’t encrypted. They use multiple-pass AES256 encryption which makes it extremely difficult to break – the fastest option to break a single encryption requires 3.8e+76 cycles, which is about 4 trillion trillion trillion trillion cycles.
Basically, even if LastPass gets hacked and all their data is captured, it takes a prohibitively huge amount of processing time to break just one AES256 encryption pass on just one account.
You’re right, unless someone is able to hack LastPass and deploy a hacked browser plugin/app which incorporates password capture.
(Note: not saying this incredibly marginal risk ‘problem’ is limited to LastPass. An equivalent problem would occur if someone hacked the KeePass hosting and swapped out hacked versions of the binaries).
“Basically, even if LastPass gets hacked and all their data is captured, it takes a prohibitively huge amount of processing time to break just one AES256 encryption pass on just one account.”
Correct – remember the point of encryption is to make it so that by the time the protection has been broken, the data being protected is redundant.
“… there are alternatives, like the awesome KeePass. … Unless, of course, you sync them with Dropbox, which defeats the whole purpose of using a local password manager (though you could encrypt the database with something like TrueCrypt first). And remember, if someone has physical access to your computer, they can still get your password database that way.”
KeePass encrypts the password database anyway, so even if they got hold of the *.kdbx file, they’d still have to crack it open to get at your data.
EDIT: http://keepass.info/help/base/security.html
The main vulnerability of LastPass (and similar services) is a rogue attack from within. That is, a disgruntled employee, or an employee looking to make extra money on the black market, or someone that gets employment with the intention of hijacking the client, or remote attackers that gain access to the internal source-code systems. Anyone with this level of access may be able to sneak in some vulnerability in the client code that a remote attacker can then carefully exploit.
For example, push an update to the Chrome Extension or the Android client, which leaves a back-door open, so that anyone who then visits a particular website, has the local unencrypted vault from local memory exposed to that site.
This type of attack requires a bit of engineering to pull off, but it’s not impossible. And given that LastPass is the most popular password vault, the value from an attacker cracking these vaults is immense… that is, I’m more than certain it’s already a prime target.
The thing is, you will never know if and when it gets compromised in this way. And if it does, depending on how much you store in your vault… you could be really super screwed.
I think all services of a similar nature suffer from this same exploit angle. Your risk is much bigger if you enable all the mobile advanced features (like accessibility access so it can auto-fill all forms on mobile apps, or Chrome Extension that requires access to all websites to do the same).
There is no truly safe method to put all your eggs in one basket. Even something like KeePass, if the device which you open it from is infected, you’re still screwed.
With this in mind, another alternative is to create a separate gmail.com account, which you will only use to store your sensitive information (e.g. in a trix). Put a strong password on this and enable 2FA. Then make sure to only log in to this account from a trusted clean device in incognito mode. Log in only when you need to access a password, and log out immediately after. The weakness here is that your information is stored in the cloud unencrypted. So a rogue Google employee with sufficient access could in theory destroy you. The counter to this is that perhaps it would be harder for a Google employee to gain this level of access, and find your account out of billions of accounts. Otherwise, from a client-side perspective, this approach is probably safest.