On August 14 2011 07:54 deek wrote:
Your post shows the exact reason why Lastpass cant work, even if they only got 20 passwords.. Its 20 passwords to paypal/banks/battlenetaccounts etc, Last pass will store the info in their database with an ecryption key, but the problem is anyone else can get the encryption key as its in their program. Its like having a shop with everyones information for free if u can break into the shop, history has shown us even those in Internet Security have lax security
To attempt it with KeePass would require the hacker to break into your computer first, and thats very unlikely to happen unless you were personally targeted, because developing a worm that searched for users who ran KeePass and had an exploit available for them to access is too much time, when they could break into Lastpass and steal thousands of important user names and passwords
Your post shows the exact reason why Lastpass cant work, even if they only got 20 passwords.. Its 20 passwords to paypal/banks/battlenetaccounts etc, Last pass will store the info in their database with an ecryption key, but the problem is anyone else can get the encryption key as its in their program. Its like having a shop with everyones information for free if u can break into the shop, history has shown us even those in Internet Security have lax security
To attempt it with KeePass would require the hacker to break into your computer first, and thats very unlikely to happen unless you were personally targeted, because developing a worm that searched for users who ran KeePass and had an exploit available for them to access is too much time, when they could break into Lastpass and steal thousands of important user names and passwords
20 secure passwords that potentially could've been stolen. There was no evidence that anything was stolen, only that there was an unusual amount of bandwith at a weird hour.
I don't know much about the encryption algorithm they use at lastpass, but let's put it this way. This is not a college student project. They do not reuse the same exact encryption key on every user. I suspect the use something like rainbow encryption tables http://en.wikipedia.org/wiki/Rainbow_table. The hackers were not able to get the encryption key... and they can not get the encryption keys.
Lastpass can not access your passwords so hackers can't either.
Your Security Is Our Priority
LastPass is an evolved Host Proof hosted solution, which avoids the stated weakness of vulnerability to XSS as long as you're using the add-on. LastPass strongly believes in using local encryption, and locally created one way salted hashes to provide you with the best of both worlds for your sensitive information: Complete security, while still providing online accessibility and syncing capabilities. We've accomplished this by using 256-bit AES implemented in C++ and JavaScript (for the website) and exclusively encrypting and decrypting on your local PC. No one at LastPass can ever access your sensitive data. We've taken every step we can think of to ensure your security and privacy.
Availability
You need to always have access to your data, we've accomplished this in multiple ways, first we have 2 data-centers in production service, second we store your encrypted data on your local PC when you login, so that if LastPass.com can't be reached, you can still login to the add-on and get to your accounts. The website is usable without the add-on installed (the Encryption and Decryption happens in JavaScript which you can see happen on some forms), but we take advantage of faster encryption available in the add-ons if they're available. We also have a mobile site m.lastpass.com if you're on your phone.
Security
On Windows, LastPass helps find insecure passwords stored on your computer so you can store them securely in LastPass and remove the easy access by malicious software. LastPass uses SSL exclusively for data transfer even though the vast majority of data you're sending is already encrypted with 256-bit AES and unusable to both LastPass and any party listening in to the network traffic -- the amount of data is trivial so the extra encryption doesn't hurt. Our policy of never receiving private data that you haven't already locked down with your LastPass master password (which we never receive and will never ask for) radically reduces attack vectors. We use firewalls and best practices to protect the servers and service, but our best line of defense is simply not having access to data even if someone got in. If LastPass can't access it, hackers can't either.
https://lastpass.com/whylastpass_technology.php?fromwebsite=1
I think what the bolded part means is that lastpass uses private decryption keys on the client side. Like when the developer at lastpass looks at the passwords in their tables, they are all encrypted passwords. The developer doesn't know how to decrypt the passwords, only you have the decryption key.
In other words, if the passwords were secure enough (not a dictionary word), the encryption would've saved the users even if they were stolen. If they weren't, well then it'd be easier to just hack paypal or your bank account and these idiots should stop using "password" as their primary password for everything.
The passwords are all stored in huge gigabyte large files filled with garbage, and when 20 of them are transferred, the server automatically detects the hack and shuts down.
In addition, lastpass doesn't normally store information on banking accounts or paypal accounts because the paypal and banks sites tell lastpass not to.
I'll end my long post like this:
Lastpass probably isn't infinitely secure. The worst thing that could happen is that the primary developer is really evil. But it is more secure than just about anything else out there including your banks sites and paypal.
Keepass is open source. There are many concerns about open source being unsecure. http://www.internetnews.com/skerner/2010/03/is-open-source-software-more-s.html
You made the claim that someone could potentially create a worm to take passwords from keepass. Well someone could (and you say they wouldn't), but it'd be significantly easier to create keylogger malware or something similar. If someone gets access to your computer through a virus, your computer is no longer yours, so I seriously doubt keepass is any safer than lastpass in that respect.