[Cryptography] Lastpass hacked.

Theodore Ts'o tytso at mit.edu
Tue Jun 16 23:39:33 EDT 2015


On Tue, Jun 16, 2015 at 10:34:03PM -0400, Jerry Leichter wrote:
> 
> I have no problem storing encrypted data even on publicly accessible
> systems if the key never leaves systems I control.

At least in theory, LastPass can be configured so this is true.  It is
*not* the default, since apparently users forget passwords and they
get seriously pissed when all of their encrypted data suddenly becomes
worthless.  LastPass can store the password recovery information on
their servers (in which case you are trusting them, seriously), and/or
in a hidden file on your local system (how many bets NSA has a module
that will steal said recovery secret from the user's Windows?), but at
least in theory you can tell them to configure all of the password
recovery features off.

Of course, then we are left with the problem that no one has audited
the LastPass extension to show that things really do work the way they
claim, such that if configured appropriately, the encryption key never
leaves your system.  Of course, if you haven't audited every line of
FireFox, and confirmed that the FireFox package which you downloaded
from your distribution matches the sources that hopefully *someone*
has bothered to audit, you're kind of screwed anyway....

(And I don't mean just audit for backdoors, but audit for stupid-sh*t
security bugs, as well, for which we've had entirely too many examples
lately.  So you need to keep a certain amount of context here.)

Personally, I **really** don't care if a hacker finds my New York
Times password, so such passwords I'm happy to store in LastPass.  But
for a much smaller set of critical passwords, I'll either memorize
them or use a manually encrypted file which I'll refer to.

						- Ted
