Rich Freeman on 5 Jan 2016 09:35:55 -0800 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: [PLUG] password safe |
On Tue, Jan 5, 2016 at 11:56 AM, Keith C. Perry <kperry@daotechnologies.com> wrote: > Wait... if passwords can be "skimmed" then are you saying that the communication between the the lastpass client and their servers is NOT encrypted? > No. The server stores an encrypted password database. The client authenticates to the server (I'm not sure what the details of this are - it is based on your master password but I'm pretty sure the master password itself isn't sent). The server sends the client the encrypted password database over SSL or such (so, double-encrypted at that point). Then the client uses your password to decrypt the database and use it. Their server never sees the plaintext passwords. However, this all depends on the client behaving as advertised. The client is just a browser extension. I'm not sure what if any code is loaded from the server at runtime. Presumably if the servers are compromises they could just update your client to not behave in a secure fashion, such as having it transmit your master password to the server, allowing the server to decrypt your local password database. It is no different than sticking a cracked package on Debian's servers that transmits your Keepass database in plaintext to some random server when you use it. If you compromise the client and the client has access to the plaintext, then you can get the plaintext. However, if the chrome extension doesn't download any code at runtime but instead relies on the Chrome Store for updates then it would be harder to crack, since the company could keep their credentials for the chrome store offline so that the clients are not easy to compromise. I don't know exactly how they do things. For the most part my sense is that Lastpass is doing things the right way, but as with any service outside your control there is really no way to be certain. The fact is that when they have had compromises in the past they've been limited in scope which suggests that they compartmentalize their systems, which is a good way to protect against attacks. As long as the client isn't tampered with somebody can in theory have full access to all of Lastpass's servers and not be able to get your passwords, short of brute forcing your master password. I don't know how many rounds they use either, and how easy it would be to brute force as a result. But, they'd have to brute force everybody's keys independently most likely. On this front the biggest question I'd have is how they authenticate since the client only prompts for a single password which is used both to authenticate to their servers and encrypt local keys. Depending on how this is implemented it might make it easier to brute-force the password if you had all the server-side data. With proper salting/etc it might not be any easier. And on a side note as you might guess from my email address on my posts, I also use distinct email addresses for every service. Useful for filtering, and also to see who is selling addresses to who. -- Rich ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug