2014-08-18

LastPass is a popular cloud-based password manager that has quickly become popular for those looking for an easy solution to create and keep their passwords safe. There are many software and cloud-based solutions available for managing passwords, such as RoboForm and KeePass, but for many users – myself included – LastPass is what they prefer.

Of course, as with any software that stores personal information, the question on how secure LastPass really is has come up in many discussions online. The “Trust No One” mentality has led many to believe that unless they can see the source, they won’t trust the software. This is one reason many prefer KeePass over LastPass. KeePass is open source (can be reviewed/fixed by anyone), while LastPass is closed (can only be reviewed and modified by the developers)

I endorse and use LastPass for all my passwords, but haven’t really looked into how LastPass manages my personal information, from the time I enter it into their browser add-in. I was curious at what is sent to LastPass, and the software does exactly what the developer says it does to secure my personal information. The good news is that there are ways of finding out, and in this post I will share my findings so you can make an informed decision, not just a decision based on what others say on the Internet. I am hoping that my tests will answer the question – is LastPass secure?



Looking into How LastPass Manages Your Data

The biggest concern about the security-conscious is that LastPass is closed, and that the code used to secure the data stored within the LastPass service cannot be reviewed. While the development of the software is closed, the code isn’t 100% hidden from the user.

LastPass has said many times, that the code used to secure the personal information that is stored within their service is written in JavaScript. Now, for those that aren’t Web developers, JavaScript is a scripting language that executes within the browser on your computer. The one thing about JavaScript is that it can be opened and read on your computer.

The LastPass code isn’t any different.

Anyone with knowledge of JavaScript, unfortunately I am not such a person, can easily review the JavaScript used by LastPass that secures the passwords and other information sent to the LastPass servers. Since I am not a JavaScript-knowledgeable person, I won’t review the code created by LastPass, but will instead look at the LastPass security from another perspective – what is sent from my computer to LastPass.

This is where a free tool called Fiddler comes in handy. Fiddler allows me to monitor the requests sent from my computer to the LastPass server. With the Fiddler tool I can see what is sent to LastPass in those requests, and what the LastPass server sends in response to the requests.

I have many years of experience with monitoring network traffic because of being involved in performance testing, that I feel confident in finding out what LastPass actually sends to its servers from my computer.

Before I continue, however, let me explain my testing approach:

Create a new account using a test email:

Email: testing@technicallyeasy.net

Password: Password12345678

Add a new site to the account.

Add a secure note to the account.

Add a profile to the account.

Login through the LastPass website.

Note:

The password I am using for the test account is very weak, but it is for testing purposes only, always choose a long and strong password as your master password for LastPass. The LastPass account and email address have been deleted, so they are no longer active.

Now that I have listed the scenarios I will be testing, lets look at the data to see if LastPass is secure.

Test 1: Creating a New Account

For this test I will be creating a new account from within the Web browser (Firefox) add-in. To create the account I just click the LastPass add-in icon and then click the “Create an Account” link.

I follow the instructions on their forms, filling in the information requested, with the email and password being what I described above.

1. Verify Email Does Not Exist in LastPass

When you enter your email address, LastPass sends a request to their server to verify the email address doesn’t already exist in their system. This request occurs after you leave the email field when you create the account and the request includes the following querystring:

Name

Value

check

avail

username

testing@technicallyeasy.net

lang

en-GB

mistype

1

Bascially the email is sent to their server and the system replies with a simple “ok” message if the email doesn’t exist, or “no” if the account exists.

Note:

One thing I should mention is that all requests sent to the LastPass server from within the Web browser add-in are sent over a secure SSL connection. This means all requests are encrypted when they are sent to the LastPass server.

2. Create the Account

Once the rest of the form is completed, LastPass sends your account information to their server so your new account can be created. This is the first request that will help prove if LastPass is secure, as it occurs after you have entered your master password that will be used by LastPass for the security of your account. Lets look at the request sent to LastPass to create your account:

Name

Value

sentms

1408151690427

username

testing@technicallyeasy.net

email

testing@technicallyeasy.net

hash

ef6513d537ecd4d328d87e1e7760bcd447022779444bc3e0950b0941e393493a

password_hint

Test password 18

improve

1

loglogins

1

timezone2

-05:00,1

iterations

5000

xml 1

language2

en-GB

amo

1

requesthash

crunknown1

requestsrc

cr

encuser

hasplugin

3.1.50

By reviewing the request above, I can see that LastPass does not encrypt my email address or password hint, which does seem unusual, but at least the request is sent over a secure SSL connection. You will notice that the password I created for the account (Password12345678) is not sent in the request, which is very interesting. I checked all requests before the account is created, and some of the requests after, and the password is not included in any of those requests, as well. The really important value in the above request, however, is the “hash” value.

As LastPass has said many times – it does not receive your master password. Instead it uses a hash value, derived from your master password. LastPass uses a function called Password-Based Key Derivation Function (PBKDF2) that uses SHA256 (a hashing algorithm). LastPass combines your email, password, and a specified number of iterations (in my case, the default 5000 iterations), with PBKDF2 to generate an encryption key (256-bit) associated with your LastPass account.

Your encryption key is not the hash you see above. The encryption is not in the above request, which means your encryption key is not sent to LastPass. This encryption key has a few purposes – it is used to encrypt your data, and it is also used to generate the hash above. The encryption key is only generated, and used on your computer.

The hash above is called your “authentication hash”, and is what is used to authenticate your credentials with LastPass. The authentication hash is generated by performing another iteration of PBKDF2 using your encryption key and your password. This is the hash you see in the request above being sent to LastPass.

Note:

At the end of this post you can download an application I created that will allow you to create an encryption key and an authentication hash for various email and password combinations. The source is included, so you can see how LastPass calculates both values using PBKDF2 and SHA256.

The most important thing about the above request is that your master password is also not sent to LastPass. This is one point that LastPass has been stating from the beginning, and I’m sure many people have questioned that statement. The fact that none of the requests that have been sent to LastPass include the master password, proves LastPass’ statement about never receiving your master password.

3. Log Into LastPass

Once your account is created, LastPass automatically logs you in with the following request:

Name

Value

sentms

1408151692871

xml

2

username

testing@technicallyeasy.net

method

ff

hash

ef6513d537ecd4d328d87e1e7760bcd447022779444bc3e0950b0941e393493a

version

3.1.50

hp

0

encrypted_username

BfU+7h76a9q+n7ggVy0bspgVPhObPoc1lKVPP5dFG0o=

uuid

YZ#USjxD^a5k&cs6k&bCDY@4ZewrRa!^

lang

en-GB

iterations

5000

lostpwotphash

otp

sesameotp

gridresponse

multifactorresponse

outofbandsupported

1

requesthash

BfU+7h76a9q+n7ggVy0bspgVPhObPoc1lKVPP5dFG0o=

requestsrc

cr

encuser

hasplugin

3.1.50

What is interesting with this request is that the username is sent as both plain text and encrypted text. I am not sure why, but LastPass must have a reason. Once again you can see that the authentication hash is sent also. Still no password is sent or the encryption key.

At this point, the account has been created and I have been logged into LastPass. Any request at this point will not have any knowledge of my master password, as it is too late to have it sent to LastPass. If you would like proof, continue reading to see what is sent in the next few requests I will be testing.

Test 2: Add a Website Login

The biggest reasons for using LastPass is to manage passwords for the many sites you visit. This is where the security of LastPass needs to be as strong as possible. For this test I am using the following information for a website (I manually added the website into LastPass).

URL: http://www.example.com/login.php

Name: Example

Username: tester

Password: Password1

Notes: This is a test login.

Here is the request sent to LastPass:

Name

Value

sentms

1408154348369

ajax

1

extjs

1

name

!Ak8TxfXbwkCpOsIZNW3MeQ==|yjy/G/U1//l4ycn9C6hhCg==

url

687474703a2f2f7777772e6578616d706c652e636f6d2f6c6f67696e2e706870

grouping

username

!dyT5dybkq0HbgCYbvsd5cQ==|fgzNv6uOk//371iOtbuFGA==

password

!lEIb6jJY/3k1a8/1oPhibQ==|KFWn8nfmYsYCmIbLcYer0w==

extra

!kEjFSalzcun+n4C87UUd3g==|U2iIvu6FI4GvKjQm19sk1Gu7EFPyfsxNS721Ui9Hi+4=

aid

0

openid_url

isbookmark

0

iid

requid

52344236

wxsessid

6RVkMSsfr7pEwbmVgSZsI-JfjK9

sessonly

0

token

MTQwODE1MzQyNC4yOS1WqfhJCcJoiVK8rAzVazfsigO9bXw8CA4y9/V+1tRPow==

requesthash

BfU+7h76a9q+n7ggVy0bspgVPhObPoc1lKVPP5dFG0o=

requestsrc

cr

encuser

hasplugin

3.1.50

As you see in the above request, LastPass only receives encrypted information about the new site. Nothing about the site is sent in plain text. The values are encrypted using the encryption key that is generated using your email, password and the number of iterations you have specified in your account. Since the encryption key is not sent to LastPass – as proven in the previous section – LastPass can’t decrypt your data.

Besides saving website credentials, LastPass can also save secure notes, which I will look at next.

Test 3: Add a Secure Note

Secure notes are another important feature of LastPass that I use quite often. I usually use it for storing information that I need to get access to on a frequent basis, but isn’t related to a website. Because of this, I tested out adding a secure note to see what is sent to LastPass.

First, here is the data I saved for the note:

Name: TestNote

Folder: Secure Notes

Note Type: Generic

Notes:

This is a test note.

This is the second line of the test note.

This is yet another line.

I am hoping this is encrypted.

Here is the request when adding a secure note:

Name

Value

sentms

1408153957654

ajax

1

extjs

1

name

!MDdDJ2eLmqv1oa+mFMzcmQ==|pEMJnS3jzrGYaQiF2FhHVw==

url

687474703a2f2f736e

grouping

!ZIdYxUKi2OOJRsrQTO1zOQ==|xiJ4rdAUTEeGSjVj+6K10A==

username

password

extra

!Mq06kTvT7qP5E+sIg8KRVw==|06obw+3+Nbx0kkMDak22aK6+joe34reQUkpFbaF05LUSk7aqGrfIZ9BSFCMVmWStzIWH0AG5Vvc3xI2WHQ+u1JJ+wgsBVVrXf041n1sRfpgNHyxewdVbm/BsjBCP32JNAE2VQW33kMnKrvFhcklIE1kBwVoxopnDyUNg49k5xqo=

aid

0

openid_url

isbookmark

0

iid

requid

52344236

wxsessid

6RVkMSsfr7pEwbmVgSZsI-JfjK9

sessonly

0

token

MTQwODE1MzQyNC4yOS1WqfhJCcJoiVK8rAzVazfsigO9bXw8CA4y9/V+1tRPow==

requesthash

BfU+7h76a9q+n7ggVy0bspgVPhObPoc1lKVPP5dFG0o=

requestsrc

cr

encuser

hasplugin

3.1.50

Just as LastPass does with website information, it encrypts the values, using your encryption key, for the secure note. You may notice that secure notes have username and password values, which are blank. The reason for this is that a secure note sends the same request to the LastPass server as a website addition, but since there isn’t a username and password assigned to a note, those fields are just left blank.

One other feature I use often because it saves me time, is the ability to automatically have LastPass fill out forms. Let’s look at that feature next.

Adding a Profile

If you are like me, you get tired having to fill out forms that need personal information. LastPass provides the ability to store your personal information in different profiles, that you can then use to automatically have LastPass fill on a Web form. Of course, much like everything else that you store in LastPass, the profile information needs to be secure – especially since it can contain financial information.

For this test, lets look at the data I will be using:

Profile Name: Testing

Personal Information

First Name: Paul

Last Name: Salmon

Username: TechnicallyEasy

Credit Card Information

Name on Card: Paul Salmon

Credit Card Number: 9999999999999999

Expiration Date: August 2014

Security Code: 999

The request sent to the LastPass server from my computer can be seen below:

Name

Value

sentms

1408238380403

ffid

0

profiletype

0

profilename

!jgETje+aOXsWl4V+xL+aeA==|VE6as6ydWnZ3Ph3AtYcPEg==

profilelanguage

!78URLBm/sr+jGrIJyiFDbA==|c0zvRiWWU0c0ERYkrxeQaw==

firstname

!wdwkZK7F1L2AKj6WF7SVjg==|aF4aAbenFmrTOggxIFRUFg==

middlename

lastname

!8/cJ0j8z87OcTJcg1EiByA==|Ahx5TthD4ZOsPtlZVvhpqw==

lastname2

firstname2

firstname3

lastname3

email

mobileemail

company

ssn

birthday

gender

title

address1

address2

address3

city

county

state_name

state

zip

country

!palH/g7LShVer319Hwu47Q==|SnsIPRliQksoFiVV2Voo4g==

country_cc3l

!f+9sdzrY0maeU17LNAP4uw==|0YcKjmHEDQX979/bDg6HVQ==

country_name

!B0xxqYuFYAfdUSk3Th6wVA==|/W6iFMz9fKb35Gu8Q3g7vA==

phone3lcc

evephone3lcc

fax3lcc

mobilephone3lcc

phone

evephone

fax

mobilephone

phoneext

eveext

faxext

mobileext

ccname

!UsUa3+4CDFNRNJFunjeowg==|jlgOqtFhYzXKvxdFgA27IQ==

ccnum

!hxYY9X5tcfTr7m8tUZ8CqQ==|4cvtvCMh4Uovdgl/Ni2rhyMdeFiO3XUdKhVobkJ4Jbc=

ccstart

ccexp

!hD3ybkU5QotaDK3z/meMpQ==|7k0Pe8b/X6BYDLElzYdIWg==

cccsc

!ss+APFgus+LpMMFuvTrIuA==|gQ8dndrv1rJ6ynmw05pH+g==

ccissuenum

username

!dTqlKzFD22WUs9PsRDNpxw==|w1qvEtkQCsL6QL3P2fvY2A==

timezone

!mh1a8jVcn6dOGsJSB+xUEA==|7GlcCa9ZL//iRGmL4e1tfQ==

bankname

bankacctnum

bankroutingnum

customfield1cfid

0

customfield1text

customfield1value

customfield1alttext

customfield2cfid

0

customfield2text

customfield2value

customfield2alttext

customfield3cfid

0

customfield3text

customfield3value

customfield3alttext

notes

iid

requid

52344236

wxsessid

m8PIodTsIw8qge6wGEGURoWtvYd

sessonly

0

requesthash

BfU+7h76a9q+n7ggVy0bspgVPhObPoc1lKVPP5dFG0o=

requestsrc

cr

encuser

hasplugin

3.1.50

As you can see the request for adding a new profile is larger than for adding a website or secure note. This is because there are many more fields that you can fill out for a profile. While there are many more fields, one thing is the same: LastPass encrypts all the values (including the values that were filled in by default) before sending the request to the LastPass server. This means, that even your credit card information is encrypted so you don’t have to worry about storing such information with LastPass.

Before I concluded about the security of LastPass, there was one more test that I wanted to try. All the previous tests were performed against the LastPass browser plugin, which is what I use 99% of the time. The last test I wanted to run would be logging into my account from the LastPass website.

Test 5: Logging Into the LastPass Website

While most of the time I log into LastPass from the browser plugin, there are times I do need to log into the actual LastPass website. I mainly log into the website when I need to change a security setting, as that is the only place where it can be done. Since I do use the website, I wanted to verify that the login is as secure as the browser plugin.

The data I use is the same as the previous requests – with my testing account. After clicking the “Sign In” button on the LastPass website, which uses SSL, my computer sent several requests to the LastPass server:

1. Get the Iterations Number

While I am not entirely sure what all the requests do, I have performed a guess based on analyzing the requests. The first request seems to retrieve the iteration count for the username. The request sent was:

Name

Value

email

testing@technicallyeasy.net

The response to this request was simply the number of iterations – in my case “5000″.

2. Perform the Log In

Next, LastPass appears to perform the log in, as it is a similar request to the previous log in request that I have seen. Here is the request:

Name

Value

method

web

hash

ef6513d537ecd4d328d87e1e7760bcd447022779444bc3e0950b0941e393493a

xml

1

adlogin

username

testing@technicallyeasy.net

fullusername

encrypted_username

BfU+7h76a9q+n7ggVy0bspgVPhObPoc1lKVPP5dFG0o=

otp

gridresponse

multifactorresponse

trustlabel

uuid

YZ#USjxD^a5k&cs6k&bCDY@4ZewrRa!^

sesameotp

lcid

lcidhash

domain

iterations

5000

origusername

outofbandsupported

1

outofbandrequest

0

outofbandretry

0

outofbandretryid

email

testing@technicallyeasy.net

password

Once again, the email address is sent as both a plain text and encrypted text, but the master password, or encryption, is not sent to LastPass. The authentication hash that we have seen previously, has been calculated and sent during this request.

3. Display the Vault Template

The following request was puzzling to me, mainly because of the response I received. First, here is the request:

Name

Value

fromindex

1

ac

1

lpnorefresh

1

fromwebsite

1

newvault

1

xmlerr

1

hasplugin

3.1.50

hasplugin

1

wxsessid

lMuaygznLKy0OToiRvZSve59vE6

username

testing@technicallyeasy.net

_dc

1408232242995

The reason this request is puzzling is because the response that was returned was the actual HTML for the vault webpage. There was no account information on the webpage, so it looked more like the template. The next request, though made me think that LastPass sent the template of the vault webpage, and then that page sent the following request to the server.

4. Perform Log In Check

It seems that once the vault page is sent from LastPass, it makes a request to the server to perform a log in check, because the response was similar to what I received from previous logins. Anyway, here is the request:

Name

Value

sentms

1408232243105

version

3.1.50

method

ff

hp

0

uuid

YZ#USjxD^a5k&cs6k&bCDY@4ZewrRa!^

wxsessid

lMuaygznLKy0OToiRvZSve59vE6

requesthash

crunknown1

requestsrc

cr

encuser

hasplugin

3.1.50

Once again, the request doesn’t include either the master password or encryption key to do the check.

Summary

The security implemented by LastPass has been questioned many times online, mainly because of the closed-development approach for the service. As I mentioned earlier, most of what LastPass generates is done by JavaScript, so it can be reviewed by anyone with JavaScript knowledge.

However, since I am not very familiar with JavaScript, I took a different approach by monitoring and reviewing the requests sent by LastPass from my computer to the LastPass server. With that I can conclude a few things:

All requests sent to LastPass are sent over a secured, SSL connection.

The master password is never sent to LastPass.

The encryption key used to encrypt the data stored by LastPass is only generated on the local computer, and is never sent to LastPass.

Since LastPass doesn’t know the master password, an authentication hash is used to authenticate your account.

All website information is encrypted locally and then sent to LastPass.

All secure notes are encrypted locally and then sent to LastPass.

All profile information is encrypted locally and then sent to LastPass.

The LastPass website doesn’t send the master password to the LastPass.

All the testing that I have done has confirmed all the above statements as you can see in what I have presented in this post with a capture of the requests to LastPass from both the Web browser add-in and the LastPass website.

Knowing this, I feel confident that LastPass can keep my personal data safe and secure, especially when I also specific security settings within LastPass. Knowing this I will continue to use their service.

Application To Generate LastPass Encryption Key and Hash

I have created a small application that can generate both the encryption key and hash using an email, password and iteration number. You simply provide those three inputs and the encryption key and hash will be generated. The source files for the application are included.

Download LastPass Test.



About Paul Salmon

Paul Salmon is the founder of Technically Easy. He is a an experienced PC user, and enjoys solving computer-related problems that he encounters on a regular basis.

Facebook | Twitter | Google+

The post Is LastPass Secure? appeared first on Technically Easy.

Show more