
Would LastPass Stand Up to a Password Cracker?

Last week, Lifehacker posted an article detailing how to recover your Firefox master password using a freeware password recovery tool, Firemaster.  Firemaster generates password guesses on the fly, coupled with other procedures, to rapidly attempt to crack your password.  If you lose your master password, you lose access to ALL of your passwords, so being able to recover it is great, right?  Maybe not.  If you can use Firemaster to crack your password, so can anyone who has access to your computer.

A few months ago, we took a look at three password managers, and fell in love with LastPass.  How would LastPass hold up to tools like Firemaster?

One of the other tools we examined, KeePass, uses something called key transformation, which can dramatically slow a password cracker by in essence forcing “pauses” between each brute force attempt, to the point of rendering the cracker useless.  LastPass does not offer key transformation because it won’t work with JavaScript.  LastPass needs to use JavaScript in order to be able to support mobile devices via the LastPass website.  If you were to examine the LastPass bookmarklet you use on your mobile device to recall passwords, you would see a snippet of JavaScript code instead of a normal bookmark.  Even with native mobile apps (as opposed to access via a mobile web browser), key transformation is a drain on battery life.

LastPass does offer some additional protections, but all with some caveats.  LastPass allows premium users to use a YubiKey, a USB authentication device, as a second factor in their LastPass login.  If the YubiKey is not plugged in, a user can’t recover his or her passwords.  This can be bypassed via mobile access, though, where obviously a YubiKey cannot be used and therefore is not required.  Premium LastPass users can also try out Sesame, which allows multifactor authentication via standard USB thumb drives.  This is subject to the same limitations as YubiKey, however.  Both YubiKey and Sesame authentication are available to premium users only.

LastPass also throttles password brute force attacks on the server side of things, locking out a user who guesses five times incorrectly within a certain period.  This doesn’t protect your locally stored encrypted database, though.

So, none of the LastPass additional protections are perfect.  But do we need perfect?  If you’re going to 1) use a weak password, 2) not use Sesame or YubiKey, and 3) use a computer that isn’t in a secure location, then KeePass might be the better choice for you.  But as the developers of LastPass point out, even adding one more character to your master password will provide as much protection as key transformation does, as that will add to the time it takes for a brute force cracker to work.  With a strong password, a cracker could be looking at years of work before it cracked a password.  Further, mobile devices aren’t good subjects of brute force attacks, so the lack of multifactor authentication (YubiKey or Sesame) on them doesn’t matter much in the real world.
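The comparison above (key transformation in KeePass versus simply adding one more character to the master password) can be put in numbers. The following is an added example, not code from the original post or from LastPass or KeePass: it models worst-case brute-force work as keyspace times per-guess rounds, and stands in PBKDF2-HMAC-SHA256 for the iterated hashing that key transformation performs. The 94-character alphabet, the salt and the password bytes are constructed assumptions.

```python
import hashlib
import time
from math import log2

# Constructed assumption: master passwords drawn from the 94 printable ASCII
# characters (letters, digits and symbols), as the post recommends.
ALPHABET_SIZE = 94

def keyspace(alphabet_size: int, length: int) -> int:
    """Candidate passwords a brute-force cracker must be able to cover."""
    return alphabet_size ** length

def worst_case_work(alphabet_size: int, length: int, rounds: int) -> int:
    """Hash operations to exhaust the keyspace when each guess costs `rounds`
    iterations; rounds=1 models a manager with no key transformation."""
    return keyspace(alphabet_size, length) * rounds

def security_bits(alphabet_size: int, length: int, rounds: int) -> float:
    """Work factor in bits, so the two defences can be compared directly."""
    return log2(worst_case_work(alphabet_size, length, rounds))

def rounds_matched_by_extra_char(alphabet_size: int) -> int:
    """Rounds of key transformation that equal one more character: an extra
    position multiplies the keyspace by alphabet_size."""
    return alphabet_size

def seconds_to_exhaust(alphabet_size: int, length: int, rounds: int,
                       hashes_per_second: float) -> float:
    """Worst-case cracking time for a given hash rate (the rate is the
    caller's assumption, not a measured figure)."""
    return worst_case_work(alphabet_size, length, rounds) / hashes_per_second

def derive_key(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Key transformation modelled as PBKDF2-HMAC-SHA256 (assumption: not
    KeePass's or LastPass's exact construction). Every round is work the
    cracker must repeat for each guess."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds)

def time_derivation(rounds: int) -> float:
    """Seconds one derivation takes here; per-guess cost grows with rounds."""
    start = time.perf_counter()
    derive_key(b"constructed-master-password", b"constructed-salt", rounds)
    return time.perf_counter() - start

if __name__ == "__main__":
    for length, rounds in ((8, 1), (8, ALPHABET_SIZE), (9, 1)):
        print(f"len={length} rounds={rounds}: "
              f"{security_bits(ALPHABET_SIZE, length, rounds):.1f} bits")
    for rounds in (1_000, 100_000):
        print(f"{rounds} rounds: {time_derivation(rounds):.4f} s per guess")
```

Running it shows that an 8-character password with 94 rounds of key transformation and a 9-character password with none carry the same work factor, which is the developers' point; the timing loop shows the same multiplier being paid per guess on the defender's side, including on a battery-powered device.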

The Bottom Line

The bottom line in all of this is twofold.  First, use a strong password: pick a password with a combination of letters, numbers, and symbols, and make sure it is a long one.  If you do that, a password cracker will never be able to crack your password, regardless of which password manager you use.  Second, the choice also comes down to a balance of convenience versus security.  As noted in our initial review, LastPass was the one program that actually worked seamlessly, autofilling passwords.  Since I use a strong password, that convenience is worth the microscopic (possibly non-existent) drop-off in security to me.

In short, I plan to stick with LastPass, since the security concerns are extremely remote, to the point of being virtually nonexistent, and the program works well.  How about you?  Do you use a password manager?  Are you concerned about programs like Firemaster?