
SoylentNews is people

posted by on Tuesday January 24 2017, @05:03AM
from the 1000-words-is-worth-a-picture dept.

As a software engineer and long time LastPass user, I've always been an advocate of password managers. With data breaches becoming more and more common these days, it's critical that we take steps to protect ourselves online. However, over the past year LastPass has made some decisions that have made me question their motives and ultimately has recently caused them to lose my business.

Last year LastPass introduced a new redesign of their vault in which they added nice pretty logos of all the sites in your vault.

This got me wondering, if LastPass is encrypting all of my data before it goes to their servers (like they claim) how are they able to show these logos to me when rendering the vault webpage? I turned to my browser's developer tools to find out.

The rest of the story relies fairly heavily on graphics to show what the author is doing. Worth a read to see the process in tracking down the problem.


  • (Score: 4, Interesting) by zeigerpuppy on Tuesday January 24 2017, @07:13AM

    by zeigerpuppy (1298) on Tuesday January 24 2017, @07:13AM (#457987)

    An alternative is to store a keepass repository on a cloud service (I use the GreenAnt nextcloud service for this, they call it "Nest" for some inexplicable reason!).
    This works quite well; the passwords are available across multiple devices. It doesn't input passwords automatically, but I've always been a bit suspicious of how secure that mechanism can be anyway!

  • (Score: 3, Interesting) by esperto123 on Tuesday January 24 2017, @10:48AM

    by esperto123 (4303) on Tuesday January 24 2017, @10:48AM (#458041)

    I also use keepass with the .kbd file in a cloud service (spideroak in this case) and a .key file on the local device; this way, even if someone can access my cloud account, it would be extremely hard to break the encryption.
    Another alternative is spideroak password manager encrypter, which according to them is zero-knowledge and easier to use than the keepass/cloud service combination.

    • (Score: 0) by Anonymous Coward on Tuesday January 24 2017, @11:25PM

      by Anonymous Coward on Tuesday January 24 2017, @11:25PM (#458319)

      You can also use a counter based (OATH HOTP standard) authenticator with the otpkeyprov plugin in keepass. Then keep the recovery key on a couple thumb drives in a safe somewhere just in case something goes wrong with the setup.

  • (Score: 2) by CoolHand on Tuesday January 24 2017, @12:15PM

    by CoolHand (438) on Tuesday January 24 2017, @12:15PM (#458065) Journal
    I've been doing the same methodology, sharing my keepass across Linux/Windoze/Android. Sometimes I have to watch that I don't have replication issues b/c things can't get out of sync. But Keepass does a nice job of merging the databases when I do have issues.
    --
    Anyone who is capable of getting themselves made President should on no account be allowed to do the job-Douglas Adams
  • (Score: 2, Interesting) by Anonymous Coward on Tuesday January 24 2017, @02:48PM

    by Anonymous Coward on Tuesday January 24 2017, @02:48PM (#458099)

    That's what I do. Right now, I'm using Google Drive to store it, but as soon as the makers of Titanium Backup release their cloud service in the next couple of months, I'll be moving all my synced files there.

    It's a shame that companies feel that it's OK to lie about major selling points. I stopped using LastPass quite a while ago for other reasons, but it's rather disturbing that they're apparently lying about what they're doing.