Monday, April 13, 2009

LastPass - Answering Security Questions The Right Way

I was recently asked to take a look at LastPass. LastPass is an interesting solution to portable secure passwords - it works as a browser plugin, and works with IE and Firefox on MacOS, Linux, and Windows. It supports one time passwords, central synchronization, and a host of other features.

What impressed me the most, however, was the level of detail that the developers provide in their forum. These former eStara staffers give some great responses, as seen in this forum discussion which is a great example of how to answer questions about a password safe program effectively.

A user asks:

"You say you never receive and you never ask but when I access to your website I do send my password...
This is even more true when I don't have the lastpass plugin installed in FF and I just log to your site."
And Joe Siegrist, one of the founding developers responds:
You don't send your master password in either case, you may want to try it yourself to convince yourself: https://lastpass.com/faq.php#howcanilook

What's done is that password field is blanked out and the value is used to make a SHA-256 hash along with your email using JavaScript, locally on your computer.
As the discussion continues, further internal technical detail is explained:
We understand your concern and would like to help you verify. The data is base64'd AES encrypted data with the 256-bit key being made up by a SHA256(username+password) username is lowecased and has whitespace removed, password is untouched. m.lastpass.com is by far the simplest version to follow this logic. I can probably make an extremely simple page that just takes username+password and encrypts and decrypts data in JavaScript if needed.
I'll continue to look at LastPass for a while, but it looks like it may well be on my list of regular recommendations in the near future.

6 comments:

Siegfried said...

I would love to read more about lastpass - quite interesting IMHO.
Regards

David said...

Siegfried, I've got LastPass on my long term review pile right now, and I'm working on a followup article. Stay tuned...

Jason said...

http://www.ez-login.com seems to work even better with all confidential data kept within the bookmarklet.

Jonno said...

Any follow-up, now that it's 2010?

David said...

Jonno,

Good question. LastPass has continued to be a reliable way to store passwords for a number of people I work with. I myself returned to Password Safe, largely because I use it offline frequently, and had a large password file to convert over if I moved.

I'm comfortable recommending LastPass, and think that they're doing a good job.

3v said...

What I am concerned about isn't really if some Lastpass guy might or might not discover py password(s), as much as about what happens when lastpass website goes down for a definite or (even worse) indefinite time. Losing all of my passwords might be a disaster, and keeping a local backup woud render all the lastpass system, well... Just worthless.

I'm not that confident with this remotely-store-your-passwords thing: are you?