lastpass – the last password you will need to remember

22 07 2010

So, that's the tagline, but does it really work? I was pretty skeptical.

I had previously used a combination of (for the cloud) – secured by a YubiKey USB one-time-password token. This was great: I could log into mashedlife using my OTP token, then when I needed to log into a secure website, I would just click on a bookmarklet – and the username & password would automagically be transferred via SSL into the page. This works great, but I always wondered about security etc. It was secured by my one-time password & a PIN, so there was really no option for replaying if I logged on via a net cafe with a keylogger – but in my ever-increasing need for change & "projects" – I wanted something else.

Enter lastpass. I was having a poke around on their site, being pretty impressed with what I saw – but without knowing all the details, was reluctant to try it out. I then found a review by Steve Gibson aka Security Now Podcast aka here. Some of the highlights for me were:

“At no point does LastPass receive anything other than what looks like a block of pseudorandom noise. We’ve talked about how, when you take so-called plaintext, the normal readable, human readable, your username as an email address and your actual password, and you encrypt it with a good cipher, it turns it into, under the influence of a key, which is the key to the whole process, under the influence of the key, it turns it into noise, absolute pseudorandom bits that mean nothing.”

“So the idea is that when you log in, when you give your system your LastPass username and password, the first thing it does is it runs it through this SHA – it lowercases the email address, removes the white space, adds the password, and then it does this hash to it, turning it into a 256-bit blob which tells the blob holder nothing about your username and password. It’s just like it’s been digested into this thing. In fact, hashes are called “digests,” also, for that reason.

What that is, is that is your cryptographic key. That’s the key which your system will use, both to encrypt your data which is being shared with LastPass Corporate, and also to decrypt it when LastPass Corporate sends this back to you. They’re holding the encrypted results of your own personal database, just because that’s what they do. That’s the service they provide, essentially, that and creating all these amazing plug-ins for everything anyone’s ever heard of. So but what they’re holding, they have no ability to decrypt. They never get the key. That never leaves your system.”

“So the whole concept here is that we establish a database of domains that we’re logging into, and usernames and passwords for those domains. And this is our personal database. And the beauty of this, and I’ve been playing with this now for about a week, is that, for example, I did change a couple passwords because I’d been a little lazy, too. And I thought, okay, now’s the time. So I changed those passwords here at home on my system in Firefox, and changed them in the website. And LastPass watched me change them. I said, okay, remember this. And LastPass remembered it.”
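As an added illustration of the scheme Gibson describes (this is not LastPass's code; the cipher is a constructed HMAC-based stream cipher standing in for whatever "good cipher" the real client used), the block below derives the key from the lowercased, whitespace-stripped email plus the password, encrypts a constructed sample vault with it, and shows that the stored blob only opens with that key:

```python
import hashlib
import hmac
import json
import os

def derive_key(email: str, password: str) -> bytes:
    """Key derivation as described above: lowercase the email, strip
    whitespace, append the password, SHA-256 the result (32 bytes)."""
    material = "".join(email.lower().split()) + password
    return hashlib.sha256(material.encode("utf-8")).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in cipher: keystream block i = HMAC-SHA256(key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the single vault key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt_vault(key: bytes, vault: dict, nonce=None) -> bytes:
    """Return nonce || ciphertext || tag: the only thing the server ever holds."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce if nonce is not None else os.urandom(16)
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt_vault(key: bytes, blob: bytes) -> dict:
    """Client-side decryption; a wrong key fails the MAC check instead of
    silently returning garbage."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))

# Constructed sample vault for the demonstration.
SAMPLE_VAULT = {"example.com": {"user": "alice", "password": "s3cret"}}
```

A single unsalted SHA-256 pass is fast, so anyone who obtains the blob can test password guesses against it at high speed; a deliberately slow, salted KDF such as PBKDF2 (`hashlib.pbkdf2_hmac`) is the usual mitigation.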

After digesting Steve's review, I gave it a go. I had previously been using keepass, but keeping it synced was beginning to be a PITA – which version of my keepass database was correct: the one on my USB stick, the one I had copied to Google Docs, the one I had in Dropbox or the one on my laptop? If I wanted to change a password, which database did I change it in, and then I had to scratch my head about which one to copy over the other one... messy.

I create my lastpass account, upload the accounts from my keepass database & start to play. It allows me to do a security check, checking out how secure my passwords are, multiple uses etc. It works on Firefox / IE / Safari on either my Mac or Windows or work PC (generic Windows browser plugins installed), all seamlessly.

For the sites where I usually have to bust out my keepass database or mashedlife account from the cloud – I just log into the lastpass browser plugin, it downloads & decrypts the account database, and for the rest of my browsing session – whenever I open a page that requires logging in, lastpass just enters the username & password automagically for me – kind of like browser password remembering – except it's not stored in clear text like the browsers do.

So back to the whole cyber cafe in the back streets of some dingy city – you need to log into a site but are worried about keyloggers. Lastpass has you covered for this – for starters, you have an on-screen keyboard; this way the malware-infected machine you are on cannot capture the keystrokes. Not for you? Then how about single-use passwords – without a dongle. You log in in advance, go to their one-time password section & print out a list of them. Or maybe you prefer a second factor on your standard login – you can use their grid system, where you log in & then it prompts you for 4 characters from a printed grid sheet (think Battleship).
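An added sketch (not LastPass's implementation) of the two keylogger defences described above: a printed list of single-use passwords that are consumed on first use, and a printed grid card where the server draws a fresh random set of four cells for each login, so a response captured once is useless for the next login. Grid size, alphabet and list length are assumptions for the illustration:

```python
import hmac
import secrets
import string

ROWS = "ABCDEFGHIJ"          # row labels printed on the card (assumed 10x10 grid)
COLS = range(10)             # column labels 0-9
ALPHABET = string.ascii_uppercase + string.digits

class OneTimePasswords:
    """Printed list of single-use passwords; each one is spent on first use."""
    def __init__(self, count: int = 10):
        self.unused = {secrets.token_hex(4) for _ in range(count)}

    def redeem(self, otp: str) -> bool:
        # A replayed (already spent) or unknown password is rejected.
        if otp in self.unused:
            self.unused.remove(otp)
            return True
        return False

def make_grid() -> dict:
    """Generate a grid card: one random character per (row, column) cell."""
    return {(r, c): secrets.choice(ALPHABET) for r in ROWS for c in COLS}

def render_grid(grid: dict) -> str:
    """Text layout of the card the user would print and carry."""
    header = "   " + " ".join(str(c) for c in COLS)
    body = [r + "  " + " ".join(grid[(r, c)] for c in COLS) for r in ROWS]
    return "\n".join([header] + body)

def new_challenge() -> list:
    """Server side: pick four distinct cells at random for this login."""
    cells = [(r, c) for r in ROWS for c in COLS]
    return secrets.SystemRandom().sample(cells, 4)

def expected_response(grid: dict, challenge: list) -> str:
    """What the user reads off the card for the challenged cells, in order."""
    return "".join(grid[cell] for cell in challenge)

def verify(grid: dict, challenge: list, response: str) -> bool:
    """Constant-time check of the four characters the user typed."""
    want = expected_response(grid, challenge).encode()
    return hmac.compare_digest(want, response.strip().upper().encode())
```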

Anyway – I'm sold on it. It's secure, it is truly cloud based & accessible from any platform at any time. If you use keepass or one of those, do yourself a favour & check out lastpass.