Last week, Lifehacker posted an article detailing how to recover your Firefox master password using a freeware password recovery tool, Firemaster. Firemaster generates password guesses on the fly, coupled with other procedures, to rapidly attempt to crack your password. If you lose your master password, you lose access to ALL of your passwords, so being able to recover it is great, right? Maybe not. If you can use Firemaster to crack your password, so can anyone who has access to your computer.
A few months ago, we took a look at three password managers, and fell in love with LastPass. How would LastPass hold up to tools like Firemaster?
One of the other tools we examined, KeePass, uses something called key transformation, which can dramatically slow a password cracker by, in essence, forcing a "pause" between each brute-force attempt, to the point of rendering the cracker useless. LastPass does not offer key transformation because it won't work in JavaScript. LastPass needs to use JavaScript in order to support mobile devices via the LastPass website. If you were to examine the LastPass bookmarklet you use on your mobile device to recall passwords, you would see a snippet of JavaScript code instead of a normal bookmark. Even with native mobile apps (as opposed to access via a mobile web browser), key transformation is a drain on battery life.
LastPass does offer some additional protections, but all with caveats. LastPass lets Premium users use a YubiKey, a USB authentication device, as a second factor in their LastPass login. If the YubiKey is not plugged in, a user can't recover his or her passwords. This can be bypassed via mobile access, though, where obviously a YubiKey cannot be used and therefore is not required. Premium LastPass users can also try out Sesame, which allows multifactor authentication via standard USB thumb drives. This is subject to the same limitation as the YubiKey, however. Both YubiKey and Sesame authentication are available to Premium users only.
LastPass also throttles password brute force attacks on the server side of things, locking out a user who guesses five times incorrectly within a certain period. This doesn’t protect your locally stored encrypted database, though.
So, none of the LastPass additional protections are perfect. But do we need perfect? If you're going to 1) use a weak password, 2) not use Sesame or a YubiKey, and 3) use a computer that isn't in a secure location, then KeePass might be the better choice for you. But as the developers of LastPass point out, even adding one more character to your master password will provide as much protection as key transformation does, since that too adds to the time a brute-force cracker needs. With a strong password, a cracker could be looking at years of work before it cracked a password. Further, mobile devices aren't good subjects for brute-force attacks, so the lack of multifactor authentication (YubiKey or Sesame) on them doesn't matter much in the real world.
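To make the key-transformation trade-off above concrete (slower per-guess derivation versus a longer password), here is an added illustration that is not from the post, LastPass or KeePass. It iterates SHA-256 as a stand-in for a key transformation (KeePass's real transform is AES-based; the round counts, the 95-character alphabet and the sample salt are assumptions), times one derivation, and compares the worst-case work for an N-character password with rounds against an (N+1)-character password without them.

```python
import hashlib
import time

ALPHABET_SIZE = 95  # printable ASCII: assumed pool for a letters/numbers/symbols password


def transform_key(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Illustrative key transformation: hash, then re-hash `rounds` times.
    Each round is work the cracker must repeat for every single guess,
    so its guess rate falls by roughly a factor of (rounds + 1)."""
    key = hashlib.sha256(salt + password).digest()
    for _ in range(rounds):
        key = hashlib.sha256(key).digest()
    return key


def seconds_per_guess(rounds: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation on this machine."""
    salt = b"constructed-sample-salt"  # constructed value, not a real database salt
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        transform_key(b"hunter2", salt, rounds)
        best = min(best, time.perf_counter() - start)
    return best


def hash_operations(length: int, rounds: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Worst-case hash operations to exhaust every `length`-character password:
    keyspace multiplied by the (rounds + 1) hashes that each guess costs."""
    return alphabet ** length * (rounds + 1)


def rounds_matching_extra_char(alphabet: int = ALPHABET_SIZE) -> int:
    """Rounds that make an N-char password cost the cracker as much as an
    untransformed (N+1)-char one: one extra character multiplies the keyspace
    by `alphabet`, so per-guess cost must grow by the same factor."""
    return alphabet - 1


if __name__ == "__main__":
    fast, slow = seconds_per_guess(0), seconds_per_guess(100_000)
    print(f"per guess: {fast:.2e}s without rounds, {slow:.2e}s with 100k rounds")
    for length in (8, 9):
        print(f"{length} chars, no rounds: {hash_operations(length, 0):.2e} hash ops worst case")
    r = rounds_matching_extra_char()
    print(f"8 chars + {r} rounds costs the same as 9 chars + 0 rounds:",
          hash_operations(8, r) == hash_operations(9, 0))
```

The measured times are machine-specific; the point is the ratio between the two, and that one extra printable character buys the same ratio without any per-login delay.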
The Bottom Line
The bottom line in all of this is twofold. First, use a strong password: pick a password with a combination of letters, numbers, and symbols, and make sure it is a long one. If you do that, a password cracker will never be able to crack your password, regardless of which password manager you use. Second, the choice also comes down to a balance of convenience versus security. As noted in our initial review, LastPass was the one program that actually worked seamlessly, autofilling passwords. Since I use a strong password, that convenience is worth the microscopic (possibly non-existent) drop-off in security to me.
In short, I plan to stick with LastPass, since the security concerns are extremely remote, to the point of being virtually nonexistent, and the program works well. How about you? Do you use a password manager? Are you concerned about programs like Firemaster?
chilyn says:
Honestly, though I use LastPass, I still do not use all of its features. I don't store my credit card numbers, I don't store my banking passwords, etc., etc. I figure, if I am going to be doing monetary transactions or things with my Social Insurance Number (social security for you yanks), I am much better off, overall, to actually be forced to do the extra steps of getting my card, manually typing in the number, etc. It gives me time to rethink whether I really want to make that purchase, etc. A little extra effort for things that truly need to be secure is usually a good thing.
September 10, 2009 — 1:33 pm
Oscar says:
I only use 1password now to generate and keep my passwords. I feel pretty secure with it, although I think the biggest risk is social engineering when we talk about passwords.
September 10, 2009 — 3:07 pm
Evan says:
I'm the same way, in that I don't put my credit card info or bank info into LastPass. I wouldn't do that with ANY password manager, just to be supersafe.
September 10, 2009 — 3:08 pm
Evan says:
I'm not too familiar with 1password (I have the iPhone version, but haven't really used it), but I imagine it is pretty similar. Social engineering is a big danger. I think that just comes down to users being aware of what they're doing.
September 10, 2009 — 3:09 pm
miscbytes says:
I haven't used a password manager yet. I'm not sure why – probably the fear that I'd forget that master password. For now I'm just doing it the old fashioned way, using long, complex passwords and changing them up now and then.
September 10, 2009 — 10:54 pm
Evan says:
I'm a fairly recent convert to password managers myself. Now that I see how easy LastPass is, I wish I had used it sooner. LastPass does allow you to set up a password hint. I set one up that would only make sense to me, to tell me what all the gibberish that makes up my password means.
September 11, 2009 — 9:48 am
Sue says:
Yubikey, and now UmiKey, has been long supported by MashedLife.com. Definitely that's the way to go!
September 14, 2009 — 2:57 pm
Quoc-Huy says:
A friend of mine suggested that I use 1password, but I fell in love with LastPass as I can use it securely on any computer, not just mine. I can set up a portable Firefox/Chrome with the LastPass add-on.
The free version allowed me to use a grid as 2nd factor auth, but I'm now using a YubiKey. All my online account passwords are now 20 characters long, and my master password is very secure but memorable; so is my main email account, just in case I need to disable the 2nd factor auth if I lose my YubiKey (should get another one).
March 26, 2010 — 7:36 pm
Evan Kline says:
That's a great way to use it. I'll have to look into the grid or the YubiKey, and keep in mind how you're doing it.
March 26, 2010 — 8:10 pm
Miguel Febres says:
You can use the following script to test the security of your truecrypt container:
http://www.q-protex.com/software/password-recovery/truecrypt-self-bruteforce
May 7, 2010 — 12:41 pm
Miguel Febres says:
You can use the following script to test the security of your keepass database:
http://www.q-protex.com/software/password-recovery/keepass-self-bruteforce
May 7, 2010 — 12:41 pm
gggirlgeek says:
I seem to be the only one in the world who actually feels more secure saving my passwords on a server INSTEAD of my computer. I came to Lastpass after using some general system info software and seeing how easily it found the passwords “hidden” on my computer. I am much more nervous about my smartphone or computer being stolen, and hacked, than worrying about whether someone can hack a remote server with 256 bit encryption.
It is sooooo easy to dump the contents of a hard drive and scan the insecure text files for passwords. Trying to crack encrypted messages over the internet, not so much.
So now, if my phone or computer is stolen, all I have to do is log on to Lastpass, change my password, and send my phone a text message to reformat everything (using F-Secure or Kaspersky). Easy as pie!
I’m a Lastpass Firefox addon fan. That’s all I use.
July 12, 2010 — 11:19 pm
Evan Kline says:
I think that is a good point in general, with information stored in the cloud. Online data (for example, in Google Docs) is probably more secure than the average user’s PC sitting in his or her home.
July 13, 2010 — 9:12 am
Slim Boom says:
Ditto. Physical computing device security is just as important as password security. I have put everything into lastpass, figuring a keylogger is much more of a problem than someone brute forcing the password. And with two factor authentication, even keyloggers will be challenged by lastpass. Some type of social engineering will have to be involved to get into lastpass (knock on wood). I don't even try to dream up passwords anymore; I just have lastpass create them for me and store them. God help me if I ever lose my ability to log into lastpass.
November 16, 2012 — 11:54 pm