Saturday 27 May 2017

LastPass Password Manager

LastPass was founded in April of 2008. The name is based on their slogan, “The last password you have to remember.” The program is available for download at the LastPass website. It is available in free and premium versions. The premium version is $1 per month with no minimum required. A premium subscription adds the following features:

  • remove ads
  • access to faster support
  • use of all of the mobile clients from one account
  • additional multifactor authentication options
  • LastPass for Applications: allows logging in to non-web applications such as Skype
  • IE anywhere: use with Internet Explorer from a USB drive on any computer, no install to that computer needed

Extra sharing features: manage and synchronize sharing with up to 5 other LastPass users.

An enterprise version of LastPass is also available.

The Windows version downloaded and installed to a Vista 64-bit computer very easily. The installer puts browser extensions into Firefox, Chrome, and Internet Explorer. On the next run of each browser, one click got the extension activated. During the account creation an option was given to keep a history of logins and form fills. The location where this history is kept was not specified.

On Mac OS X, taking a browser to the LastPass site will offer an install of the extension for that browser. Firefox and Chrome had one click activations. Safari required a download. Clicking on “show all downloads for this platform” shows a universal OS X installer that installs for Safari, Chrome, Firefox, and Opera. All were activated with one click.

LastPass is cross-platform and multi-browser. Windows, Mac OS X, and Linux are all supported. Mobile apps are available for iOS, Android, Blackberry, Windows Phone, and Windows Surface. Internet Explorer, Firefox, Safari, and Google Chrome are fully supported with browser plugins; Opera and Konqueror use “bookmarklets,” with reduced functionality. The database is stored encrypted on the LastPass server, so data is available from any device with an internet connection.

A checkbox option to “replace password manager” for Firefox, Chrome, and Internet Explorer was given during the install. If this is deselected, later an option is given to “detect insecure items,” meaning the passwords in the browsers. There is an option to import them from the browser and a separate option to erase them from the browser.

LastPass imports from other password managers. This was incorrectly reported as a premium-only feature in one review. The process involves exporting from the other manager into a supported format. Support for 24 other managers is listed, as well as generic CSV files. The import from Roboform has been complicated by changes to Roboform 7; a prior version must be installed to fully transfer the logins. Import of a database from KeePass worked flawlessly. Note that exported databases from any program are not encrypted. The file should be securely erased after being used for an export-import operation.

When LastPass is installed in a browser, it can be accessed through a small icon in the address bar. Once you are signed in, any site in the database will have the same icon in its username or password field. A simple click on this icon is all it takes to populate the field and get you into the site.

If the site is not in the database, a small window appears with the login, with the option to save that site. You will have to enter your credentials one last time. LastPass will capture them and remember them from then on.

LastPass can fill forms online. You can create profiles for each type of form you are likely to encounter. LastPass also features encrypted storage of notes and attachments.

LastPass has multi-user capabilities. There can be multiple users on the same machine, each with their own database. More significantly, it is possible to share one or more passwords with other LastPass users. There is an option to send the recipient only the encrypted version and not let it be shown in plain text: this is the “share” option, as opposed to the “give” option, where the recipient can see the actual password. LastPass does warn that an adept recipient can use the capture techniques in LastPass and possibly be able to see a “shared” password.

The premium version allows sharing and syncing of passwords with up to 5 others with a shared family folder. Only the creator of the folder has to be a premium member. It is not specified how the syncing is done, whether it is record-level or not.

The LastPass website states that encryption is AES 256-bit with increased PBKDF2 iterations. The data is encrypted and decrypted locally before leaving the device to sync with the LastPass server. The encryption key never leaves the device. LastPass warns you that there is no way they can recover your data for you if you lose your master password.

Several multifactor authentication options are available. The free version supports Google Authenticator, Microsoft Authenticator App, Toopher, Duo Security, or Transakt. It also supports a custom method called Grid Multifactor Authentication. This is a wallet-sized card with a grid of random numbers. LastPass will ask for numbers from certain positions of the card during the login. The premium version adds fingerprint, Sesame, smart card, and Yubikey multifactor authentication methods.

Other security features include automatic logoffs, virtual keyboards to thwart keyloggers, the ability to disable logins by country, the ability to disable logins from Tor networks, and a feature that notifies you of changes to your credit status. There is a security check that evaluates your existing passwords and can check online to see if there have been breaches where your passwords are used.

LastPass has a secure password generator so that a unique random password can be given for each site. It includes a security challenge that evaluates existing passwords both by strength and whether they are reused. The master password is evaluated by a bar display as you enter it. A 14 character password with one uppercase letter, 4 numbers, one special character, and one letter repeated 3 times was given a full bar display and rated as extremely secure.

The website has details about the encryption methods, but they are buried in the online user manual. AES 256 is an open-standard encryption method, and PBKDF2 is a well-known key derivation function from RSA technologies. LastPass was given a highly favorable review by Steve Gibson in 2010. The process he described is summarized as follows:

“The goal for LastPass is to store an identifier on their server that is derived from your master password, but has arrived at their server in an unrecoverable state. First, on your device, the cryptographic key is derived from your master password. It combines your username, email address, and password and runs that through a one-way hashing function, creating the 256-bit key. This stays on your device. The key is then (still on your device) combined again with your password and again sent through the one-way hashing function, so the key is now not recoverable from this new hashed blob.” At the time of Gibson’s review the hashing function was SHA-256. The LastPass site does not specify the hashing function used now. Gibson does not explain how he determined all of these details.

It is this hashed blob that goes to the LastPass server. At the server, output from a random number generator is hashed into a 256-bit token that is saved with your account. This token is then combined with the hashed blob that came from your device, hashed again, and stored. Every time you log in, a disguised token is generated from the password you enter and sent to the server, where it is re-combined with the random token; the result is re-computed and compared with what is on file. If you got the password correct, the results will match. Your key and password cannot be recovered on the server, because what is stored there is the result of three one-way hashing operations.
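The following is an added model of the exchange summarized above, not code from LastPass or from Gibson’s review. It models step 1 with PBKDF2 (the LastPass site cites PBKDF2 with increased iterations; Gibson described plain SHA-256) using username and email as the salt, and the later steps with SHA-256. The iteration count, the sample account, and the use of the username and email as the salt are assumptions.

```python
import hashlib
import hmac
import os


# Client, step 1: one-way derivation of the 256-bit vault key from username,
# email and master password. This key stays on the device. Modelled here with
# PBKDF2-HMAC-SHA256 (assumed salt: username + email; assumed iteration count).
def derive_vault_key(username: str, email: str, master_password: str, iterations: int = 5000) -> bytes:
    salt = (username + email).encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


# Client, step 2: hash the key together with the password once more. Only this
# blob is sent to the server; the vault key cannot be recovered from it.
def derive_login_blob(vault_key: bytes, master_password: str) -> bytes:
    return hashlib.sha256(vault_key + master_password.encode()).digest()


# Server, account creation: hash random bytes into a 256-bit token, then store
# the token and hash(token || blob). The blob itself is never stored.
def server_enroll(login_blob: bytes):
    token = hashlib.sha256(os.urandom(32)).digest()
    record = hashlib.sha256(token + login_blob).digest()
    return token, record


# Server, login: recompute hash(token || submitted blob) and compare it with the
# stored record in constant time.
def server_verify(token: bytes, record: bytes, login_blob: bytes) -> bool:
    candidate = hashlib.sha256(token + login_blob).digest()
    return hmac.compare_digest(candidate, record)


# Whole exchange: enrol with one master password, then attempt a login with
# another. Returns True only when the attempted password matches.
def run_exchange(username: str, email: str, enrolled_pw: str, attempted_pw: str) -> bool:
    enrolled_blob = derive_login_blob(derive_vault_key(username, email, enrolled_pw), enrolled_pw)
    token, record = server_enroll(enrolled_blob)
    attempt_blob = derive_login_blob(derive_vault_key(username, email, attempted_pw), attempted_pw)
    return server_verify(token, record, attempt_blob)


if __name__ == "__main__":
    # Constructed sample account, not a real LastPass user.
    user, mail, pw = "alice", "alice@example.com", "correct horse battery staple"
    print("correct password accepted:", run_exchange(user, mail, pw, pw))
    print("wrong password accepted:", run_exchange(user, mail, pw, pw + "!"))
```

Someone holding the stored token and record must still guess the master password and repeat all three hashing steps per guess, which is why the strength of the master password, rather than anything on the server, decides how long a stolen record stays useless.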

This was put to the test in an incident in early May of 2011. LastPass noticed anomalous traffic on one of their servers, and after they could not explain the traffic they assumed that data could have been stolen. They alerted users in a blog post. In an interview with PCWorld, LastPass CEO Joe Siegrist reported that the amount of data that was potentially lost would amount to a few hundred accounts. The company forced some users to change passwords, but advised anyone who used non-dictionary passwords that their data was safe. They enacted precautions such as requiring email verification if the user was logging in from a previously unused IP address. They never determined that data definitely was stolen, but acted as if it were since the network traffic was unexplained.

Other commentators, such as Steve Gibson in his follow-up comments and Robert L. Mitchell at Computerworld, agreed with the assessment that strong passwords were safe. The data, if it was indeed stolen, would need to be attacked with brute-force guessing methods, which would be impractical on strong passwords. The reporting by the company seems fairly open; they initially reported the problem themselves, and their blog post describes several areas where they judged themselves in need of improvement.

This incident shows the risk of having important data stored at a remote server. It also shows that individuals must take responsibility for fundamentals of secure practices, such as using secure passwords. Each individual must weigh the potential risks and the convenience of online storage when considering this product.

Sean Comeau is a computer security and cryptography enthusiast based in Vancouver, BC, Canada.