A New Password Manager

I’ve mentioned a couple of times before that I used KeePassX, the unofficial Linux port of the highly-thought-of KeePass Password Safe. A few months ago I decided that I’d gotten tired of using it. KeePassX had only basic password management features; it lacked most of the nice features that I heard KeePass had, like automatically and intelligently logging onto web sites when asked to. It was time to move to a more modern password management system.

(I see that KeePass has an official Linux port now, as of last month. If I’d known that was coming I would have waited for it, but I had no indication they’d ever make an official port of it.)

I’d heard good things about 1Password and LastPass, and other than KeePass they seemed to be the only really popular options, so I looked into them.

1Password looked very good, but there was one huge problem: no Linux version. I spend most of my time in Linux, so that’s right out, no further evaluation needed.

LastPass looked very good too. It was compatible with all three major operating systems, and in all my research I couldn’t find any criticism of the implementation security. The only thing that gave me pause was the discovery that it stores your passwords online.

I’m of the firm opinion that trusting the security on my machines is a far better bet than trusting anyone else’s, especially anyone on the ‘net. I know what I’m doing, I have plenty of experience doing it, and I’m paranoid about security (as you must be in order to remain secure). There’s no way to judge the strength of another company’s security until someone breaks it, or until it’s both popular and has been up and running with no intrusions for a good long while. And in the latter case, there’s always the suspicion that there may have been intrusions, but they weren’t discovered or were covered up.

With that in mind, I scoured the ‘net for any hint of problems with LastPass. There weren’t any, or at least there weren’t any I could find — and if something that popular and heavily scrutinized had a problem, there would be a lot more than just a hint of it out there.

Okay, they pass that part. But I know a good bit about encryption and implementation security too — how did their security stack up to my own critical evaluation?

As it turns out, very well. The technology they use is adequate, and I might even be moved to term it impressive. They’re obviously paranoid about security, a very good sign. They’re extremely open about essentially everything, which is an absolute requirement for a security company. And unlike recent discoveries about DropBox, they really can’t decrypt your data — their code is JavaScript, which is easily examinable by anyone using it, and I’m sure lots of amateur cryptographers have given it a critical examination (and likely more than a few professionals too) — if they tried anything underhanded, it would be less than a week before someone caught them at it and raised the alarm, which would completely ruin them.

In other words, it looked like they ran it exactly the way I would. I was impressed despite myself.

The only other objection I had was that, as a ‘net-based system, what happens if they go out of business or their servers become unavailable for whatever reason? Am I locked out of my data?

As it turns out, they’ve addressed that too. Every client system has its own encrypted local copy of your passwords, which are synchronized with the server on a regular basis. Even if they go out of business and disappear tomorrow, I’ll still have all my password data, and can move it to something else (or even keep using it as-is if I wish).

Congratulations, LastPass. I’m not a fan of cloud-based computing (an understatement, I flatly refuse to use it at all for anything else), and I’m very cynical about a company’s security and honesty, but you convinced me.

I moved my passwords over and thought no more about it, until one week ago when I got an e-mail, the first I’d ever received from them:

Dear LastPass User,

On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.

As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.

Please visit http://lastpass.com/status for more information.

Thanks,
The LastPass Team

It was alarming news, but after thinking about it, I didn’t think it was much of a problem. Even if the presumed hackers managed to steal my data blob, LastPass didn’t have the passphrase to decrypt it, so there was no way they could have stolen that too. It’s a very strong passphrase, one that no dictionary attack could possibly defeat and even a brute-force attack with every possible combination of characters would have a hell of a time with, so I wasn’t worried about my data. And it turns out that only a handful of encrypted data blobs could have been taken, so it’s all but impossible that they could have gotten mine anyway.
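As an added illustration of the model described above (the client encrypts before anything leaves the machine, every device keeps its own copy, and a stolen blob is only as strong as the passphrase and key stretching behind it), here is a small standard-library Python vault. It is example code written for this page, not LastPass’s implementation; the HMAC-SHA256 counter-mode keystream standing in for a real cipher, the 100,000-round PBKDF2 work factor and the sample vault entry are all assumptions chosen for the example.

```python
# Added illustration of a client-side-encrypted vault: the server stores only the
# opaque blob built here. Standard library only; PBKDF2-HMAC-SHA256 stretches the
# master passphrase, and HMAC-SHA256 in counter mode stands in for a real cipher
# such as AES (a construction chosen for this example, not LastPass's).
import hashlib, hmac, json, os, struct

KDF_ROUNDS = 100_000  # assumed work factor: every offline guess must pay this cost

def derive_keys(passphrase, salt):
    """Stretch the master passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ROUNDS, dklen=64)
    return km[:32], km[32:]

def keystream(key, nonce, n):
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to n bytes."""
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:n]

def encrypt_vault(passphrase, vault):
    """Client side. The returned blob is all a sync server (or a thief) ever sees."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    pt = json.dumps(vault).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + ct + tag

def decrypt_vault(passphrase, blob):
    """Returns the vault, or None if the passphrase is wrong or the blob was altered."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)

def blob_exposes(blob, secret):
    """Does the stored blob reveal a secret in the clear? (What a stolen copy leaks.)"""
    return secret.encode() in blob

if __name__ == "__main__":
    vault = {"example.com": {"user": "alice", "password": "Tr0ub4dor&3"}}  # constructed sample
    blob = encrypt_vault("correct horse battery staple", vault)
    print("stolen blob reveals password:", blob_exposes(blob, "Tr0ub4dor&3"))   # False
    print("wrong passphrase decrypts:", decrypt_vault("password1", blob))        # None
    print("right passphrase decrypts:", decrypt_vault("correct horse battery staple", blob) == vault)
```

The salt makes the derived key unique per vault, so two users with the same passphrase still get unrelated blobs, and the MAC check turns any tampering with the stored copy into a clean failure rather than silently corrupted entries.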

But watching how this company handled the problem was enlightening. Honest, very open, and at the same time very security-conscious. Exactly the way I’d have done it myself, and exactly what users of the service needed.

LastPass, my hat is off to you. If you maintain that level of quality, I’m a customer for life.