
Has LastPass had a security breach?

Question:

I recently installed LastPass on my desktop PC. However, through one of my other newsletters, or Googling, I caught an article regarding a suspected security breach at LastPass fairly recently, and I started to reconsider the whole cloud storage approach, specifically for my password information. The alternative I'm considering is RoboForm. Now, I know from past newsletters you've praised both programs, and I understand it's also personal preference, but what is your take on the breach and on storing passwords away from your own system? I look forward to your response.

In this excerpt from Answercast #17, I look at the proactive nature of LastPass's security practices, including their high levels of encryption.


LastPass security breach

Well, I'll put it this way: I'm a heavy LastPass user.

There are two things going on here:

1) If it's the security breach I'm thinking of, it wasn't a breach at all.

The LastPass people saw what they considered "suspicious activity" on their network. There was never any confirmation that a breach had actually happened. They took proactive steps at that point to notify everybody, saying basically, "This probably isn't a problem, but you may want to change your master password."

In other words, they were being abundantly over-cautious, which I really appreciate.

Encrypted on their servers

Now, the thing I like about LastPass is that the information stored on their servers is encrypted. In fact:

2) It's encrypted in a way that even they cannot recover: lose your master password and you lose your LastPass data.

The only time LastPass information is decrypted is on your PC, after you've entered the correct master password to perform that decryption. Their servers only ever hold the encrypted copy. It's one of the things that really draws me to LastPass, because that's the level of security I appreciate.

Cloud storage

Now, you're thinking of replacing it with RoboForm. To be honest, it's kind of funny, because RoboForm is a cloud solution too.

RoboForm stores all of your information up in the cloud, so if it's the cloud that has you nervous, switching from LastPass to RoboForm doesn't really change anything. RoboForm, like I said, is a cloud-based solution that is really similar to LastPass.

I do not know their encryption strategy. I'm sure it's good. I don't know, for example, whether they could decrypt your data if they were faced with a court order. I really don't know. I don't think LastPass can; I honestly don't know about RoboForm.

In terms of the features and functionality of the two tools, I used RoboForm for many years. I switched to LastPass a couple of years ago because I really appreciate the openness of their security model, and the security model itself.

I don't have a problem using either of them and, like I said, I'm not aware of a true security breach at LastPass that would have me concerned at all. So I'd be comfortable using either one.

Keep using LastPass if you like it.

End of Answercast #17


9 comments on “Has LastPass had a security breach?”

  1. I converted from Roboform to LastPass and trust them implicitly. I explain why here: http://bit.ly/pcrLastPass but I recommend you listen to Steve Gibson’s in-depth analysis during his SecurityNow video podcast: http://www.youtube.com/watch?v=r9Q_anb7pwg&feature=related The coverage of LastPass starts at minute 50. He has subsequently commented on the ‘breach’ rumour and says just the same as Leo – they did exactly the right thing and, if anything, were over-cautious.
    Here is a link to Steve’s website for the audio version: http://www.grc.com/securitynow.htm {Search for ‘lastpass’}

    It was Steve Gibson's analysis of LastPass that prompted me to look into it originally. You do have to take responsibility for remembering your own password, but with that comes a great deal of security.

    Leo
    15-May-2012
    Reply
  2. My "problem" with Last Pass is this: After installing a new Verizon broadband "air card" that's 4G capable, no matter what we did, IE-9 would not give a reliable connection, and many times no internet connection at all. Reluctantly had to switch to Firefox.
    If anyone has a fix for me I'd love it. (IE-9 did work, but only if Last Pass was disabled.)

    Reply
  3. My IE9 x64 works fine with LastPass. But I don't use IE. I use Firefox. It's much, much better, and I'd be happy to hear your reluctance to switch over, especially when IE doesn't work and Firefox does work.

    Reply
  4. Since LastPass is used and recommended by Leo, Steve Gibson, and Leo LaPorte I consider it a no-brainer. Highly secure, highly effective, login available from any PC. Data is encrypted on the host machine and then transmitted to the cloud.

    I have no worries about password theft and have only one password to remember. I love it.

    Reply
  5. I love LastPass. I've been using it ever since it came out and never had any problems. It's great to remember only one password.

    Reply
  6. I use LastPass because Steve Gibson vetted it & uses it. Also love secure notes that give me a place for keeping reference notes available from anywhere you have network access. LP appears to act responsibly & is improving their product. Thanks for covering this, Leo.

    Reply
  7. I installed LastPass only to discover that the free version won’t work with their iPhone app. Sort of disappointing. I guess I’ll have to try RoboForm

    Correct – the free version of Lastpass does not include mobile device support. $12/year gets you premium and in my mind it’s worth every penny.

    Leo
    10-Aug-2012
    Reply
  8. I don't believe LastPass is that secure. I use it for Firefox and it supposedly encrypts the password locally and then stores that value on the server. HOWEVER, I then logged into my lastpass.com account in Safari and was able to see all my passwords. SO they absolutely can decrypt your data on their server; I used no plugin in Safari. I think it's totally possible they could get hacked, or be compelled to release passwords w/ a court order.

    They did NOT decrypt on the server. The encrypted information was downloaded into Safari, and decrypted there, on your PC. Lastpass remains safe.

    Leo
    19-Jan-2013
    Reply
  9. Welcome back Leo,
    I use Norton 360 as my Anti-Virus program & it has Norton Identity Safe password manager built in. They also have an app for Android Tablets & phones. Can you compare this product to Lastpass as far as encryption in the cloud. I want to know if I’m at risk to decryption in the cloud using the Norton identity safe & should I dump it for Lastpass?
    Thanks,
    Randy

    Reply
