A few months ago my life became easier. I used to have dozens, maybe hundreds of passwords, which I remembered with a simple phrase based system to generate unforgettable but unique passwords or phrases for all the sites and services I use. I had a password safe (I don’t use the browser pwd manager), just in case, but only had to delve into it when logging into rarely visited or always authenticated sites.
Then I discovered LastPass and decided to give it a try.
I’m not easily convinced on security matters, so I only stored the basic web page passwords to start with. But after hearing Steve Gibson’s review on Security Now, I am convinced that these guys know what they’re doing and have done it right.
So lets start with why its secure.
The problem with password storage is this: “If you save it locally, it’s not very useful. But if you store it in the cloud then someone has access to it.”
Lastpass tackles this problem by encrypting the data locally. The local client makes a key derived from your email and password by concatenating these together and hashing the result. This key is unique to you, and is not stored on the Lastpass servers. It never leaves your system. This is the key used to encrypt your passwords, and that encrypted blob is what gets stored on the lastpass servers, so all they have is a blob of text which is useless to anyone without the 256 character key. To get that key a bad guy would need your username and password and the lastpass algorithm.
However Lastpass do need to be able to authenticate you to login to the client. And for this they take the key that was generated, add your password to the end and hash it once more. Now you have another useless data blob that is unique to your user account, and since you had to use your username and password to generate this, it can be used for authentication. But Lastpass don’t just store that ID to authenticate you. When they set up your account, they generated a 256bit number, which they store, then add to the ID and hash it one more time, this is the value they store for authentication.
Lastpass now have on their server a blob of useless authentication data, a random ID number and some encrypted passwords (also useless blobs of data). This is all they ever store. They can authenticate the user, and decrypt the password blobs on the client without ever storing the username and password or sending identifiable data to the server.
If you are interested in this stuff, you should read or listen to the Security Now podcast, or read through the FAQs or the blog.
Usability
The second thing that makes this so much better than the other password managers is that it plugs in to all your browsers (except Opera for now) and works on your smart phone (for $12 a year) too. Although it works in Chrome, Safari, IE, iPad and many other browsers, Firefox is my main browser, and this is where Lastpass really shines. Installed as a add-on, it watches for known activity that it can react to. This might be a stored URL or known fields that it can fill automatically, or it could be a password change screen which will prompt you to generate a new secure password, then replace your current stored password.
If you give it enough information, it can fill just about any form – requiring re-authentication if its secure data that you want to keep under raps, and supporting multiple profiles so your work data and personal data and secure data can be kept separate and given different security levels.
After 6 months, I now couldn’t tell you most of my passwords as they are now auto-generated random strings of 12-32 characters. My LastPass vault is auto logged out after a set period of time, or if my browser closes, and I’m prompted to reauthenticate to view or edit my passwords, or to use my secure data anywhere. Life on the web has become simple again, without my security being compromised.
So this is what good security feels like.