“Trust LastPass at your own risk!” would be our answer. An answer based on both:
- this password manager's own “beefy” record of critical security vulnerabilities, cross-site scripting bugs, breaches and major architectural issues
- our bad experience with LastPass, as a client
And before we dig into the heavy load of evidence that we base our “case” on, allow us to share some of their former clients' testimonials:
“I lost all my LastPass passwords in March 2017. It was a disaster for me. I have had LastPass since the beginning, can you imagine all the passwords saved over the years?
I think you should do some research on LastPass and the changes, the bad changes that have happened with LastPass” (Barbara's comment, 5 Best LastPass Alternatives to Manage Your Passwords)
“About a month ago when I tried to log in to LastPass I got the message that I had entered the wrong vault password - but I can assure you that neither I nor my cat has changed it... When I contacted LastPass, they rudely "taught" me that I hadn't experienced what I had in fact experienced, since it is "impossible", and their "help" consisted in giving me the clue to the main password to LastPass - i.e. the password which, as I explained to them, isn't valid anymore...” (Robert's comment, You Should Probably Stop Using LastPass Temporarily)
“Around a month ago I switched from LastPass to Bitwarden as my password manager. To make sure my passwords were protected I deleted my LastPass account, now I get an email asking me to renew my subscription for my DELETED LastPass account. I wonder what else they stored about me...” (user/dumah310, LastPass storing email from deleted account)
1. But First: How Does LastPass Work?
In plain language:
LastPass stores your encrypted passwords (and secure notes) in the cloud and secures them via a master password.
And the “master password” is both the strength and the main vulnerability of this password management service.
Now before I back up the above statement with our own experience with LastPass, here's an excerpt of an “enlightening” HackerNews post:
“Users must also devise a “master password” to retrieve the encrypted passwords stored by the password management software. This “master password” is a weak point. If the “master password” is exposed, or there is a slight possibility of potential exposure, confidence in the passwords is lost.”
2. 5 Security Vulnerabilities Over the Last 7 Years... and Still Counting
“How secure is LastPass from being hacked?”
I'll leave it to you to evaluate that while going through its “impressive” record of security flaws and vulnerabilities accumulated over the last few years:
In February 2011 Mike Cardwell, a security researcher, tracked down an XSS bug on the company's website.
Once “exploited”, this vulnerability could basically enable attackers to steal:
- hashed passwords
- the list of websites that users log into (along with the IP addresses, time and dates of their logins)
- their email addresses
- underlying cryptographic salts
LastPass fixed that bug within hours.
Later on that year, in May, the company's team spotted a new “anomaly” in both their incoming and outgoing network traffic. Therefore, suspicions arose that a hacker might have accessed their servers.
What kind of risks did this “abnormal activity” entail?
Well, the attacker could check thousands of passwords in a short period of time, using a combination of user emails, guesses on their master password and the salt.
As the LastPass CEO himself confirmed back then, in an interview for PCWorld.com:
“You can combine the user's e-mail, a guess on their master password, and the salt and do various rounds of one-way mathematics against it. When you do all of that, what you're potentially left with is the ability to see from that data whether a guess on a master password is correct without having to hit our servers directly through the website.”
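To make the CEO's description concrete, here is an added example (not LastPass code; the PBKDF2-HMAC-SHA256 function, the e-mail-plus-password input and the stored check value are assumptions standing in for the unspecified “rounds of one-way mathematics”). It shows that whoever holds the salt and the check value can test a master-password guess locally, and that the round count is what sets the price of each such test.

```python
import hashlib
import hmac
import os
import time

# Constructed illustration of the scheme the quote describes: the vault key is
# derived from the master password, the user's e-mail and a salt through many
# rounds of a one-way function. PBKDF2-HMAC-SHA256 is an assumption here; the
# page only says "various rounds of one-way mathematics".
def derive_key(email: str, master_password: str, salt: bytes, rounds: int) -> bytes:
    material = (email.lower() + master_password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, rounds, dklen=32)

def make_check_value(email: str, master_password: str, salt: bytes, rounds: int) -> bytes:
    # Constructed server-side check value: a hash of the derived key, so the
    # server can verify a login without ever holding the vault key itself.
    return hashlib.sha256(derive_key(email, master_password, salt, rounds)).digest()

def check_guess(email: str, guess: str, salt: bytes, rounds: int, check: bytes) -> bool:
    # This is exactly what someone holding a stolen salt and check value can do
    # offline: learn whether a guess is right without contacting the service.
    return hmac.compare_digest(make_check_value(email, guess, salt, rounds), check)

def seconds_per_guess(email: str, salt: bytes, rounds: int, samples: int = 3) -> float:
    # How long one offline test costs at a given round count; the defender's
    # only lever on the server side is making this number large.
    start = time.perf_counter()
    for i in range(samples):
        make_check_value(email, f"guess-{i}", salt, rounds)
    return (time.perf_counter() - start) / samples

if __name__ == "__main__":
    email = "alice@example.com"   # constructed sample user
    salt = os.urandom(16)         # constructed per-user random salt
    for rounds in (1, 5000, 100_000):
        check = make_check_value(email, "correct horse battery", salt, rounds)
        assert check_guess(email, "correct horse battery", salt, rounds, check)
        assert not check_guess(email, "password123", salt, rounds, check)
        cost = seconds_per_guess(email, salt, rounds)
        print(f"{rounds:>7} rounds: {cost:.6f} s per offline guess")
```

Run it and compare the three timings: every extra round multiplies the attacker's cost per guess, while the user's login cost grows only once.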
Here's another answer to your “Can we trust LastPass?” question:
In June 2015 a post on the company's blog announced that their team had detected suspicious behavior on their network.
The result? LastPass servers got hacked and the cryptographically protected content compromised. And we're talking here about:
- user passwords
- password reminders
- cryptographic salts
- email addresses
Within a year, in July 2016, a new security vulnerability in the autofill functionality was identified and then detailed by a representative of Detectify, an independent online security firm.
Basically, the article raised new suspicions about whether one could trust LastPass with their passwords:
The URL-parsing code of the LastPass browser extension — the HTML piece of code that was added to every page that the “victim” would visit — was poorly written. Sloppy enough to enable a potential attacker to read plaintext passwords once the user landed on a malicious website.
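As an added illustration of that bug class (constructed; not the extension's actual code, and the vault entries and URLs are made up), the snippet below puts a hand-rolled host extractor next to the standard-library parser an autofill component should use, and shows that the sloppy one can hand a page on one host the login saved for another.

```python
import re
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed sample vault: saved host -> username (not real data).
VAULT = {"bank.example": "alice", "mail.example": "alice@mail.example"}

# Sloppy: take the first dotted name after the scheme and call it the host.
# RFC 3986 allows "userinfo@" before the host, so this can grab the wrong part.
_SLOPPY = re.compile(r"^[a-z][a-z0-9+.-]*://[^/]*?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def sloppy_host(url: str) -> Optional[str]:
    m = _SLOPPY.match(url)
    return m.group(1).lower() if m else None

def strict_host(url: str) -> Optional[str]:
    # Hardened: a real parser isolates the authority, drops userinfo and port,
    # and lowercases the host; anything that is not http(s) gets no login.
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname

def login_for(url: str, host_of: Callable[[str], Optional[str]]) -> Optional[str]:
    # Autofill decision: offer a saved login only for an exact host match.
    host = host_of(url)
    return VAULT.get(host) if host else None

if __name__ == "__main__":
    for url in ("https://bank.example/login",
                "https://bank.example@evil.example/",   # userinfo before the real host
                "https://evil.example/bank.example/"):
        print(url, "->", login_for(url, sloppy_host), "|", login_for(url, strict_host))
```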
In June 2017 Google's security researcher Tavis Ormandy made a new discovery:
A security vulnerability in the LastPass Chrome extension (that applied to Firefox and Edge, as well), which, once exploited, could enable a hacker to steal passwords or engage in remote code execution.
He described it as a “major architectural problem” to point out that this time we weren't facing some... signs of carelessness, but a hole in LastPass' security shield instead.
“How safe is LastPass?” Users started to ask themselves again and many even started looking for alternatives.
3. About Our Own Unexpectedly Bad Experience as a LastPass Client
Let us share with you some glimpses of our rough experience as LastPass users.
I would start by saying that:
Yes, the worst-possible scenario did happen to us. We've apparently lost all the passwords “safely” stored in our LastPass account.
There are zero chances to retrieve them, to export them to another password manager and/or to get a refund, considering that we had paid for one year in advance.
How did it all begin?
With us trying to log into our account, as usual. But, we got this “welcome” message instead:
We next tried to reset our master password, using their reset password form. With no success, though:
“LastPass account recovery failed for... Your current web browser did not save account recovery data on this computer. Please try account recovery again with every browser and on every computer you...”
And then the “dialogue of the deaf” began, with:
Us stating that we did NOT reset our password, for it was not possible, and the LastPass support team claiming that we did reset it.
And telling us that there's no option but to:
- create a whole new account
- say goodbye to all our passwords "safely" stored there for good; there's no chance to export that user sensitive data to another password manager service
- lose all hope of getting a refund for the money we had paid in advance, due to their “No refund policy”
In short: if for some mysterious reasons, one day LastPass doesn't recognize your current master password anymore and you're not allowed to reset it either... you're doomed.
Now, can you guess what our answer is to this question:
“Can we trust LastPass?”
4. Bottom Line: Should You Trust LastPass?
“Trust this service at your own risk!”
For one day, no matter whether you've:
- disabled the auto-fill functionality
- enabled a two-factor authentication (for both LastPass and your other critical accounts)
- chosen an “invincible” master password for your LastPass account
- kept both your software and your machine “spotless clean” and up-to-date
- used one different password per account
… you still run the risk to find yourself locked out!
Just talking from experience...