Until recently, I’ve been using Firefox Master Password to manage my passwords. This is reasonably convenient and secure. It falls down when you wish to use a different browser or a different computer. It is also limited to its stated purpose: Protecting saved Firefox passwords. Recently, I’ve started using the feature-rich LastPass instead. It has been praised by a wide range of security experts, it is free, and it is amazingly convenient.
A good introduction is their set of screencasts. LastPass is available for all the major browsers (Opera support is coming). Smartphones require the premium version of LastPass, which is 1$ per month.
LastPass lets you authenticate ONCE. and then gives access to all your websites and data. When you create an account at a new website, it will optionally generate a very secure password for you, use it to complete the site registration and remember it for you. It encrypts this new password, saves the encrypted version locally and saves the encrypted version to a LastPass server. Now that you have that new password, all your instances of LastPass will know about it so you will not have to remember that password. You will not have to write it down. You will not have to type it into a form ever again.
You do, however, have to remember your LastPass password.
While there is a stored hint to help you remember it, You can never “recover” your password or tell LastPass to issue a new one through your email. That said, in its initial versions, LastPass found that too many users where forgetting their LastPass master password. As a concession to human failings, LastPass has a one time password feature turned on by default. You can use the one-time password embedded in your installation to log in once and change your Master Password. For a truly secure LastPass, if you are sure you won’t forget your Master Password, you would disable this feature.
Let’s up the paranoia a bit. If you are concerned about a key logger, you can tell LastPass to give you a screen keyboard.
For the next level of paranoia, assume that somehow, someone has stolen your LastPass password. This would allow them to log into ALL your sites. To combat this threat, organizations often issue a second form of identification, usually an object that you carry around to prove that you are you. LastPass can issue a printable grid of characters. If you enable this feature, LastPass asks you to look at the grid and tell it the characters at certain coordinates. Watch the grid authentication screencast. You may then convert the computer itself into the second factor so that on that trusted computer, you will not be forced to use the grid each time you log in. In LastPass premium, 3rd party devices such as Yubikey can be used as the second factor of authentication.
Lets get more paranoid. What if there is a bad guy employed at LastPass? Host-Proof Hosting means that even if the host itself is compromised, your LastPass information is safe. LastPass has no way to recover your password or any of your other information from their servers because it is hashed and encrypted before it ever gets to their servers. When you log into their service, they never receive your actual password. Instead, their client uses the password and username to create a SHA-256 hash. It uses that hash as the cryptographic key to encrypt all communication with LastPass. I turned on Tamper Data in Firefox to watch this happen. The value that gets passed for my password is a hashed blob of nonsense. This is then sent out over SSL so that a Man in The Middle could not grab it. Then, when it gets to the LastPass servers, a “rogue” employee could perhaps look at the hashed, encrypted password, but could do nothing with it except retrieve the encrypted data that was going to be sent back to me.
As far as trusting LastPass, this forum thread does a pretty thorough job of showing you how to test that LastPass is doing what it says it is.
One concern everyone should have about a service like this is: What if LastPass vanishes as a company or their service crashes? No worries! LastPass Pocket is a small program that allows access to a local version of your LastPass “vault”. This allows export of all data. In addition, an option in the browser extension allows you, for kicks, to export the encrypted data to your hard drive.
In summary, if you do any of the following, then you should consider Last Pass:
- Use the same password on lots of web sites
- Use really simple passwords like the name of the site, your name, or “secret”
- Let your browser remember your passwords.
- constantly rely on the “forgot my password” links on your favorite web sites
- Avoid doing stuff online because you know it will be a pain to remember/recover/enter the passwords you need
- Worry that someone will guess or record your password or that your password will be stolen by a hacker
- Have multiple computers and/or browsers and have trouble managing passwords for all your websites between them.
- Wish you could use public computers but consider them a hostile environment
- Get sick of registering for websites
One interesting side effect of using LastPass is that LastPass becomes a player in handling your sessions. If your session times out but the LastPass session does not, it will log you in again immediately, overriding the session time-out settings for the web site you are visiting. I have to study this more.
Obviously, LastPass isn’t a magic bullet that will solve all of your security problems. If your system has been compromised, then, as they say, it is “game over”.
Consider the following scenario:
- Pre-existing malware programmed to recognize LastPass.
- User downloads LastPass.
- Malware replaces LastPass.exe with its own LastPass.exe which then eats your passwords.
This post was a result of listening to Security Now, reading the LastPass forums and using the service myself for a few weeks.