Hacker News new | ask | show | jobs
by stungeye 4454 days ago
My understanding is that even with their web login process your password isn't sent to their servers in plaintext. From the comments on their heartbleed blog post: "We only use one-way salted hashes (after going through PBKDF2 rounds) to send to the server for authentication."

So their servers get a hashed version of your password, but not the password itself. Their servers likely also store a hashed version of your password so that they can authenticate you. This style of auth is also used when you use the "show me the password" feature.
1 comments
IgorPartola 4454 days ago
This cannot be. Your passwords (the ones you are trying to protect) must be encrypted using your master password. LastPass needs to decrypt them somewhere using your master password. What you are describing is how their browser extension seems to work. However, their website does not require the extension to work. So either they implement security in JavaScript that's running within the page (cannot by definition be done securely), or they store all your passwords in a way that they can decrypt them (invalidates the use case for LastPass).
link
pwman 4454 days ago
We implement everything in JavaScript on that page if you're trying to login from the website -- which is as secure as that page load -- LastPass recommends people utilize the extensions to mitigate this risk.

Our choice could be to not allow people to utilize the website but it seems like educating people of the risks and letting them decide is the best policy.

link
IgorPartola 4453 days ago
Very happy to get a reply from someone from LastPass!

So then what would prevent someone from using the Heartbleed attack to obtain your private key that use used to secure the HTTPS connection from me to your servers, then inject malicious JavaScript into the page where I enter my password? This is the attack I am worried about outside of Heartbleed as well, since any CA can issue a valid certificate for lastpass.com and I would not know that I am being MITM'ed.

From a strict security point of view, disabling website access seems like the best policy. From a usability standpoint, I understand the tradeoff you made. Perhaps an option at the account level that disabled website access might be a good idea.

Also, how are the share/give functions handled? I know what "share" is not really keeping my password from being seen by the other person (there are a variety of techniques they can use to get at it), but how is the encryption handled on your end?

Lastly, how do I know that the browser extension I download from you is secure? Is there a way for me to verify it somehow?

Having said all that, I absolutely love your product and recommend it to everyone I know. It's a huge net win in terms of security.

link
stungeye 4454 days ago
The passwords are decrypted locally on your machine using javascript not on the lastpass servers.
link