
Why I don’t trust LastPass with my passwords

LastPass is a popular password vault solution that encrypts and synchronizes your login data for all your various services between all your devices. Their slogan “the last password you’ll ever need” refers to how your one password for LastPass can be used to unlock all your online accounts, enabling you to have unique and random passwords on all the different services you use.

I’m having a hard time trusting LastPass even though the company, as far as we know, does everything technically right when it comes to storing passwords in a form that not even LastPass themselves can access.

LastPass can’t currently see the passwords you save to their servers while using the service. Their password vault client applications, even their web interface, perform all the encryption and decryption on the client side. If someone stole the LastPass database, they shouldn’t really be able to do anything with the data they get from LastPass, as the encrypted blobs aren’t worth anything without your account password to decrypt them.

As of now, LastPass can’t share your passwords with law enforcement, the NSA, hackers who serendipitously gained access to LastPass’ infrastructure, or anyone else. LastPass’ servers aren’t really all that vulnerable as both encryption and decryption happens in the client with their servers only storing unintelligible encrypted blobs.

This security design is sometimes referred to as Trust No One (TNO). People don’t need to trust LastPass as LastPass can’t do anything bad with their data in the current scheme of things.


The illusion of perfect security falls apart as soon as you realize that LastPass can simply change their clients to do whatever they want, or whatever a government agency pressures them to do, including transmitting the contents of your password vault back to LastPass’ servers in plain text without the encryption, or sending it directly to a third party’s servers.

It isn’t just LastPass themselves who are in a position to influence the clients. Mozilla and Google could be forced by court order to distribute modified updates for the LastPass extensions to select targets among their browser users.

Under the Trust No One security model you still ultimately have to trust the client program and those who control it. There is nothing LastPass can do to fix this problem other than to give up control over all their browser extensions, apps, and other clients. Releasing them as open source programs would go a long way toward ensuring some community oversight over the clients. The LastPass password-vault-as-a-service component is actually mostly irrelevant, and they can continue to charge for their hosting/synchronization services as they currently do. I don’t want to run them out of business, nor am I calling for them to open up the server component of their proprietary synchronization service.

Online backup storage service providers like Backblaze and Carbonite make the same promise about their security technology as LastPass. These services also require their customers to trust that their clients are performing encryption as promised, and that they won’t change that in the future. Note that local encryption is optional and requires extra setup steps in Backblaze and Carbonite alike.


I’m not currently a LastPass user, and I kind of wish there were more competition with as good a reputation as LastPass. Among the commercial service providers, LastPass really is the unchallenged king of dedicated password vault solutions.

My former employer Opera recently lost all their users’ password vaults. I have no insight in the matter, and can only hope the data was stored following the Trust No One model. As the clients are all proprietary, it’s very hard for anyone to verify that this is indeed the case.

Self-hosted and open source password vaults are few and far between. There are a few options available, but they’re made by small teams with no security vetting. More troublesome, many of them are no longer receiving any updates or attention, leaving existing users at potential risk.

All this being said, I might just give in and start using LastPass in the coming weeks. Managing passwords with the Unix-centric pass is too inconvenient, inaccessible, and lately it has even gotten to be a bit stressful. I have very valuable and business critical data stored in pass. I’m no longer certain that I want to keep up with all that is required to keep the password vault safe, accessible on all my devices, and securely backed up.

LastPass’ convenience is looking very attractive, and even though I don’t trust them — I no longer feel like I have a better alternative.

3 thoughts on “Why I don’t trust LastPass with my passwords”

  1. Can you provide any insight on keepassx? It runs on most operating systems including android and is open source.

    1. Keepass[x] isn’t built to be run on multiple devices at the same time with the same database. You can use sync tools to share the database on multiple systems. However, database corruption and being subtly out of sync on the various devices lie down that path. You can’t really retrofit a decentralized sync structure on top of their current database structure.

      If you only have one device, or you have good routines about opening and closing the app when you’re done using it – you can make it work. However, I don’t even consider it as an option for the modern multi-device environment we all live in.
