
How are services like LastPass or password generator apps/things secure?

Rosss

So I did absolutely no research on this and haven't ever used one of these services/even looked at the features, so this probably belongs in off-topic.

 

But how is a service like LastPass more secure? They preach not having the same password for multiple accounts, but if someone happens to get your LastPass account, don't they have access to everything?

 

Is the idea just that you only have one hub account to secure/worry about?


This is why I prefer a self-hosted solution and not an online one. While I'm sure LastPass has a ton of security in place to protect a user's data, it's still an online service, which makes it vulnerable to hackers. Technically self-hosted solutions like KeePass are also vulnerable to hackers, but if you look at it from a hacker's perspective, would you rather spend the time trying to hack the passwords for a single user and hope they don't do anything crazy like have an offline token or some other 2FA, or would you rather target potentially millions of users and spend your time focusing on a public service like LastPass? If you're being targeted then you're out of luck either way, but in a breach like with Marriott I doubt the hackers were after 1 single person when they took the time to dump their databases.

 

Services like LastPass are convenient, but I always say that security shouldn't be convenient.

 

EDIT: So it looks like LastPass was breached in 2015. The hackers didn't get actual passwords, but they still got some information, which is more than they'd get if you used an offline solution. https://www.pcworld.com/article/2936621/the-lastpass-security-breach-what-you-need-to-know-do-and-watch-out-for.html

Edited by KuJoe
Added article.

-KuJoe


3 hours ago, KuJoe said:

This is why I prefer a self-hosted solution and not an online one. While I'm sure LastPass has a ton of security in place to protect a user's data, it's still an online service, which makes it vulnerable to hackers. Technically self-hosted solutions like KeePass are also vulnerable to hackers, but if you look at it from a hacker's perspective, would you rather spend the time trying to hack the passwords for a single user and hope they don't do anything crazy like have an offline token or some other 2FA, or would you rather target potentially millions of users and spend your time focusing on a public service like LastPass? If you're being targeted then you're out of luck either way, but in a breach like with Marriott I doubt the hackers were after 1 single person when they took the time to dump their databases.

 

Services like LastPass are convenient, but I always say that security shouldn't be convenient.

 

EDIT: So it looks like LastPass was breached in 2015. The hackers didn't get actual passwords, but they still got some information, which is more than they'd get if you used an offline solution. https://www.pcworld.com/article/2936621/the-lastpass-security-breach-what-you-need-to-know-do-and-watch-out-for.html

That's interesting. LastPass being breached isn't even what I was necessarily talking about either. If that happened then that would just be chaos. I was thinking of if they just social engineered your LastPass, or if you briefly encountered a general RAT/keylogger/"your computer is a botnet" type of thing and they got it then.

 

Offline sounds pretty kewl, but really inconvenient! I would be really annoyed if I forgot my USB and wanted to log in to something somewhere where I didn't bring my computer. Although maybe you can have it offline on your phone?


2 hours ago, Rosss said:

That's interesting. LastPass being breached isn't even what I was necessarily talking about either. If that happened then that would just be chaos. I was thinking of if they just social engineered your LastPass, or if you briefly encountered a general RAT/keylogger/"your computer is a botnet" type of thing and they got it then.

 

Offline sounds pretty kewl, but really inconvenient! I would be really annoyed if I forgot my USB and wanted to log in to something somewhere where I didn't bring my computer. Although maybe you can have it offline on your phone?

That's why I use KeePass because they have Android and iOS apps.

-KuJoe


According to LastPass

Quote

We’ve implemented AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to ensure complete security in the cloud.

Your data is encrypted and decrypted at the device level. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass.

 
