LastPass Breach -- Comments?


Comments

  • adihaya
    Community Member

    Basically what I see happening is people not understanding the difference between LastPass's and 1Password's respective ways of storing and securing data (a lot of repetitive questions are continuing in this thread!). LastPass has data servers owned by them, where they store your encrypted data. Your data usually is kept on those servers and isn't stored locally (in LastPass). This means that hackers can break into their servers and take encrypted data.

    1Password doesn't store your data in centralized servers or stations. It isn't communicated with Agilebits either. Instead with regular settings, the encrypted data is stored locally on your device. Hackers would have to specifically target your device and somehow get access to your files to reach the encrypted 1P data. But wait: this is encrypted data. It's not just plaintext. It's almost impossible for a hacker to get readable access to what you store in your 1P data without your master password.

    Another case is if you use a cloud service with 1P. This means the security of your encrypted data is put at your cloud service's disposal. This is why you should consider enabling two-step verification for Dropbox or iCloud (and 1P now has an intelligent way to manage two-step verification, making it all-the-while merrier). Even if your cloud service gets breached, your 1P data is encrypted using your master password, so they still have an incredibly low chance of getting through that. To avoid all of this, consider keeping data completely locally or using secure Wi-Fi Sync for 1P.

    All of your 1P data is securely encrypted and ciphered with your master password. Your master password, however, isn't stored anywhere and isn't transmitted to your cloud services at all.

    Lastly, hackers can't just hack "1Password" collectively. LastPass can be hacked because the data from all of their users is stored in one centralized location/repository. But 1Password stores data locally or gives the user more personalized options to sync securely. Even if hackers get to your encrypted data, knowledge of the Master Password is needed to see the actual data, which is why the security of every single thing you put into your 1P depends entirely on the security of your Master Password, being a good reason to make it hard to guess. But don't make it so hard to guess that you forget it, because if you lose your Master Password, your data is pretty much locked up without a key. There's absolutely no way to get back in, and since your Master Password doesn't get transmitted, there is no back-door to retrieve your data.

    So that's why 1Password is a great option (probably the best) to securely remember your passwords, though I don't mean to demean its competitors in any way :smile: :chuffed:
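    As an added illustration of the point above (example code written for this thread, not code from 1Password or from any poster), here is a toy vault in Go: the vault key is derived from the master password with PBKDF2-HMAC-SHA256 and a random salt, the contents are sealed with AES-GCM, only the salt is stored, and a wrong master password fails the authentication tag rather than yielding any data. The iteration count, salt size and record format are assumptions made for the example; the hand-rolled PBKDF2 is there only to stay within the standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed work factor for this toy vault; real products tune their own.
const kdfIters = 100000

// deriveKey runs PBKDF2-HMAC-SHA256 (hand-rolled; one block covers the 32-byte AES key).
// Every extra iteration makes each offline guess against a stolen blob proportionally slower.
func deriveKey(master, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key { key[j] ^= u[j] }
	}
	return key
}

func aeadFor(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey([]byte(master), salt, kdfIters))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts the vault as salt || nonce || AES-GCM ciphertext.
// Only the random salt is written out; nothing derived from the master password is stored.
func Seal(master string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, 28) // 16-byte salt + 12-byte GCM nonce
	if _, err := rand.Read(hdr); err != nil { return nil, err }
	aead, err := aeadFor(master, hdr[:16])
	if err != nil { return nil, err }
	return aead.Seal(hdr, hdr[16:], plaintext, nil), nil
}

// Open re-derives the key from the stored salt; a wrong master password fails the
// GCM tag check, so the caller gets an error and never any plaintext.
func Open(master string, blob []byte) ([]byte, error) {
	if len(blob) < 28+16 { return nil, errors.New("blob too short") }
	aead, err := aeadFor(master, blob[:16])
	if err != nil { return nil, err }
	return aead.Open(nil, blob[16:28], blob[28:], nil)
}
```

    Because there is no stored verifier and no server in the loop, the only things standing between a stolen blob and its contents are the master password's entropy and the KDF work factor, which is the trade-off the later posts in this thread debate.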

  • hawkmoth
    Community Member

    That is a really useful account, @adihaya! I hope many confused users find it.

  • AGAlumB
    1Password Alumni

    Basically what I see happening is people not understanding the difference between LastPass's and 1Password's respective ways of storing and securing data (a lot of repetitive questions are continuing in this thread!).

    @adihaya: To be fair, I think that some folks had their questions merged here from separate threads. We like to keep discussions organized so that nobody has to look all over to find what they're looking for, but unfortunately that can confuse things a bit too sometimes! And not everyone necessarily reads the entire thread anyway — which is fine, as it's gotten pretty long.

    Thank you for your comprehensive summary! We definitely don't want to demean LastPass. They did the right thing by responding to the threat and being forthright. After all, there is no such thing as perfect security, and the more ways that the user is able to access their data, the more opportunities there are for something to go wrong.

    Anyway, I was going to quote parts of your post here, but I think that anyone just joining the discussion should simply read the whole thing. Cheers! :) :+1:

  • superegophobia
    Community Member

    I was reading through the comments with people talking about the Lastpass hack:
    http://arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/?comments=1&start=0

    And a few comments talking about offline vs online caught my eye that I was hoping for some clarification regarding trojans/keyloggers:
    "Having an offline password manager is not a great idea. Without some server-side component to provide multi-factor that releases some part of the key from a third party, all the hackers have to do is (1) install a trojan on your computer, (2) search for KeePass files, (3) send them to China or Russia, (4) wait for you to type your password or (5) brute force it until they're blue in the face.

    In my opinion, a cloud based solution is much more secure than an offline password manager because you have an additional way to rate-limit attacks, that doesn't exist with an offline file. LastPass doesn't store our passwords, only the encrypted blob, and with at least the very long non-pronounceable upper/lowercase/number/symbol phrases that we use, I'm not very fearful that any brute force attack will crack our passwords in any near future."

    And:
    "That's why we have 2-factor authentication to begin with. LastPass holds part of the encryption key that's released with successful 2FA. You have heavy rate-limit and IP limit on your decryption attempts. You spread the risk over several locks that must be broken at the same time, instead of a single lock.

    Offline password managers are only safe on a machine that is absolutely, 100.00000% guaranteed to never, ever get a trojan. Once that happens, you're toast. As soon as you have two-factor auth, the trojan no longer has everything it needs to break in, even from having BOTH your encrypted database AND your encryption key."

    Still trying to understand all the pros/cons between online and offline managers so any help is appreciated regarding the posts they made. I know that using a strong Diceware password will render a brute force attack nearly impossible but so would using that on Lastpass right? So I guess it's a question about compromised local machine?

  • AGAlumB
    1Password Alumni

    Still trying to understand all the pros/cons between online and offline managers so any help is appreciated regarding the posts they made. I know that using a strong Diceware password will render a brute force attack nearly impossible but so would using that on Lastpass right? So I guess it's a question about compromised local machine?

    @superegophobia: Indeed, you're onto something here! It's absolutely crucial to note one fact that renders these arguments moot: if your machine is compromised, an attacker could just as easily capture information on the fly, regardless of whether you're using an "online" or "offline" password manager. After all, why bother trying to attack the database itself if you've already got the information the user is trying to store in it?

    Granted, this is a gross oversimplification, but then so is the "online" versus "offline" argument in the first place. In the end, it's mostly a matter of the tradeoffs you're willing to make. If you use an "offline" app, you don't need a good internet connection at all times to access your data (and many of us store plenty of non-login information!), but there's no way to authenticate; whereas if you use an "online" app, you can authenticate, but you're out of luck if you don't have an internet connection (and if you can use it offline, then authentication isn't, really).

    No brute force attack is impossible, regardless; but using a long, strong, unique Master Password will ensure that it's infeasible enough to be secure. :)

  • RichardPayne
    Community Member
    edited July 2015

    @superegophobia

    "As soon as you have two-factor auth, the trojan no longer has everything it needs to break in, even from having BOTH your encrypted database AND your encryption key."

    The trouble is that at some point you have to actually decrypt something. As soon as you do, the full encryption key is in memory and available to be stolen. If your system is compromised enough to allow a key logger to be installed then it's compromised enough to allow cross-process memory scanning.

    You could do the decryption server side but then you have the same problem but on a mass scale. If the server environment is breached then the attacker could potentially steal the encryption keys for all users and by definition they already have the data.

    LastPass don't actually do this. They make a big deal about decrypted data never leaving your system, which implies that they are decrypting locally, which would require the full decryption key to be available for malware to steal.

  • AGAlumB
    1Password Alumni

    The trouble is that at some point you have to actually decrypt something. As soon as you do, the full encryption key is in memory and available to be stolen. If your system is compromised enough to allow a key logger to be installed then it's compromised enough to allow cross-process memory scanning.

    @RichardPayne: Precisely. Thanks for saying this better than I could. ;)

This discussion has been closed.