Saturday, March 8, 2014

Is oneself the greatest threat to LastPass security?

I wrote this letter as a Q&A submission for the Security Now! podcast. It didn't make it into the show, but I thought about sharing it here. I think there's a valid point to my argument, but who knows? Am I right? Overly exaggerating? You tell us!

Dear Steve,

I'm currently moving away from an algorithm-based password system. I have been testing out LastPass with some sites and have been more or less liking it. I'm already convinced that its technology can keep me safe from threats from without. However, I still have a cause for concern. As I see it, and as it currently stands, the greatest threat to a LastPass-based security scheme is: *myself*.

Although I use good habits and have not had a problem for the last decade, I cannot completely trust myself not to bring malware to my system: I can be served a malicious banner on a trusted site, open a file from a contact that has been previously compromised, or click a link in an e-mail message while distracted ("so-and-so sent you a message!").

So, if I happen to get malware in my system, what is there to stop it from taking advantage of my LastPass sessions? As I see it, there are at least two ways in which it could harm me. The first is taking advantage of an open LastPass session to look into my vault and grab whatever it can in one fell swoop; the second is passively detecting the presence of LastPass and recording the unencrypted passwords on their way from LastPass to each webpage; keylogging is surely not the only tool available to hackers. And, still a third one, if one wants to go over the top: what's to stop the malware from interacting concurrently with me on an open webpage? No doubt it can beat me on speed ("look! A banking site! Let's attempt a quick transaction").

The PPP option doesn't look as if it could help me here, because it would only protect the LastPass data when closed or from without, not when open and in use.

By the looks of it, LastPass is great at holding my passwords and populating fields quickly, but not much else. I still need some sort of second-factor authentication for each site, preferably a global one.

Are these causes for concern, or have the LastPass people come up with a solution for this too?
