Update: LastPass has quickly patched the vulnerability reported by Tavis Ormandy and pushed an update with a fix for all Firefox users using LastPass 4.
“The recent report only affects Firefox users. If you are a Firefox user running LastPass 4.0 or later, an update will be pushed via your browser with the fix in version 4.1.21a,” LastPass said in a blog post.
I would never trust any cloud service that I didn’t control with my passwords. Not even Google: I do trust them with certain passwords, but I don’t trust them with all of my passwords.
Ramin Honary Ditto.
If you want to save a remote backup password file, the best option is a printout in a safety deposit box (unless your biggest fear is your own government); the second-best option is to strong-encrypt the file yourself first, then upload it to a zero-knowledge cloud service.
Ramin Honary yeah, well, I suppose LastPass is going to secure that vector better now. And it’s really the only attack vector for hackers.
The passwords are encrypted and decrypted locally; what LastPass stores on their servers is a blob. They don’t have a key[citation needed] for breaking the encryption so any government agency would have to employ a key logger to get all your passwords. There’s some reverse engineering into how LastPass is *crypting the passwords here: http://blog.tinisles.com/2010/01/should-you-trust-lastpass-com/
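The property the two comments above argue about (the service holds only an opaque blob, and anything worth backing up to someone else's cloud is encrypted by the client before it leaves the machine) as an added example. This is not LastPass's code and not the scheme described in the linked tinisles post; it assumes PBKDF2-HMAC-SHA256 for key derivation and, so that it runs on the Python standard library alone, an illustrative encrypt-then-MAC stream construction built from HMAC-SHA256 in counter mode as a stand-in for AES-GCM. The function and class names, the sample vault and the credentials are all made up for the example.

```python
"""
Client-side ("zero-knowledge") vault encryption sketch.

Added example, not LastPass's code.  The client derives every secret from the
master password locally; the server only ever sees a login hash and an opaque
blob, so a server compromise (or a request to the operator) yields nothing
that decrypts the vault without the master password.

Assumptions: PBKDF2-HMAC-SHA256 as the KDF, and an illustrative
encrypt-then-MAC construction (HMAC-SHA256 in counter mode as the keystream)
so the example has no third-party dependencies.  Real code would use an AEAD
such as AES-GCM from a vetted library instead of _keystream().
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumption: a reasonable present-day cost for PBKDF2


def derive_keys(username: str, master_password: str, rounds: int = PBKDF2_ROUNDS):
    """Derive (vault_key, auth_hash) on the client, never on the server.

    The lower-cased username salts the KDF so two users with the same password
    get different keys.  auth_hash is one further PBKDF2 step over vault_key:
    the client sends it to log in, and the server cannot walk it backwards to
    recover vault_key or the master password."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    username.lower().encode(), rounds, dklen=32)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key,
                                    master_password.encode(), 1, dklen=32)
    return vault_key, auth_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF stream (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes):
    """Separate encryption and MAC keys derived from the single vault key."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC); this is the 'blob'."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault blob failed authentication (wrong master password or tampered blob)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def fails_to_decrypt(vault_key: bytes, blob: bytes) -> bool:
    """True when the blob does not authenticate under this key."""
    try:
        decrypt_vault(vault_key, blob)
        return False
    except ValueError:
        return True


class VaultServer:
    """Everything the service side stores: a salted hash of the login hash plus
    the opaque blob.  A dump of this store gives neither a usable login
    credential nor anything that decrypts the vault."""

    def __init__(self):
        self._records = {}

    def register(self, username: str, auth_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.sha256(salt + auth_hash).digest()
        self._records[username.lower()] = (salt, stored, blob)

    def login(self, username: str, auth_hash: bytes):
        """Return the blob on a correct login hash, else None."""
        rec = self._records.get(username.lower())
        if rec is None:
            return None
        salt, stored, blob = rec
        if not hmac.compare_digest(stored, hashlib.sha256(salt + auth_hash).digest()):
            return None
        return blob


if __name__ == "__main__":
    # Constructed sample: credentials and vault contents invented for the demo.
    user, master = "alice@example.com", "correct horse battery staple"
    vault = b'{"github.com": "hunter2"}'
    key, auth = derive_keys(user, master)
    server = VaultServer()
    server.register(user, auth, encrypt_vault(key, vault))
    key2, auth2 = derive_keys(user, master)  # a fresh client session
    print(decrypt_vault(key2, server.login(user, auth2)))
```

The point of the split into `vault_key` and `auth_hash` is that the value the server learns at login is downstream of the encryption key, never upstream of it; the server can verify it but cannot use it to decrypt the blob it holds. The checks a practitioner would want are the ones in the test: a wrong master password is rejected at login and, even if the blob is obtained some other way, fails the tag check rather than silently decrypting to garbage.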
Malthe Høj-Sunesen well, if your browser is doing the encrypting and LastPass is only storing the encrypted file, that is much less objectionable. Then it is only a matter of making sure the JavaScript that does the encrypting is trustworthy, which isn’t too different from what I do, which is to use the GPG binary blob that I installed from a repository I trust (Ubuntu). If I were paranoid I’d compile GPG from source code.
It could just be superstition, but the browser just seems to me an inherently less secure computing environment than the Ubuntu user land. Maybe you’re right, and once this attack vector is subverted, LastPass may be no less secure than using Ubuntu’s GPG and copying the encrypted file to Google Drive or DropBox or whatever.
Ramin Honary the browser plugin method is way less secure than much else, indeed. But LastPass I believe has done what they can, and it is for the masses. Your GPG method is more cumbersome; LastPass just works on almost all platforms.