LastPass has great password management functionality. But would a better name have been “LostPass”? This article takes a quick look.
The previous article in this series discussed Two-Factor Authentication (“2FA”) with mobile Push: what it is and why this technology has generated interest recently. Google’s new mobile Push AuthN was quickly reviewed.
This article has an overview of the LastPass Password Manager (“LP”) application: what it is, why LP is interesting, “Suggestions for Use”, and “Gotchas”.
What and Why
LastPass is the granddaddy of the online password managers. It is a screen scraper, automated form filler, and password manager rolled into one.
Best of all LastPass supports “Two-Factor Authentication” with mobile Push. This makes LastPass a good candidate for helping to mitigate the new hacking threats discussed in the previous article.
Here are some features that make LastPass interesting:
- LastPass is the oldest of the online password manager apps.
- Has lots of functional goodness as well as loads of SaaS customization knobs and levers
- Is one of the cheapest apps
- Supports 2FA Push AuthN (“Authentication”)
- Has wide cross-platform support to enable password synchronization between platforms
- Supports a wide range of 2FA technologies including Yubikey tokens.
Danger! Danger Will Robinson! Possible Security Breach!
Unfortunately LastPass has had a long and checkered history of security problems: a security breach in 2011, an XSS vulnerability in 2012, and another security breach in 2015. The Wikipedia article on LP has more details.
The first and most important recommendation:
Do not use LastPass for important credentials.
A less risky alternative would be to store the passwords locally using KeePass or similar software.
LastPass (“LP”) was tested on both Win 7 and Win 10 systems using Chrome and Firefox browsers.
The LP browser plug-in components were installed along with LP’s so-called “binary component”. (The binary component is required in order to benefit from full functionality.)
The LP mobile Authenticator was installed on an Android test phone.
Documentation is here: https://helpdesk.lastpass.com/
Installation instructions are here : https://helpdesk.lastpass.com/downloading-and-installing/
What the tests showed
Based on the quick “hands-on” testing, here are some findings / comments. (No particular order)
LastPass works better on Firefox than Chrome
Surprisingly, LP on Firefox seemed to work better than on Chrome:
- The Chrome user interface had a “clunky” look and feel to it (IMHO). The LP Firefox UI was slick and clean.
- The LP “Import” function (tested with KeePass XML data) was broken (!) on Chrome but worked cleanly with FF.
Chrome “Incognito” not supported
Not surprisingly, LP does not support Chrome “Incognito”.
This of course means that the LP browser plug-in runs in the normal browser environment along with the rest of the “motley crew”: the other browser extensions in use and the web applications being surfed to. This is not a comforting thought.
Mobile Push does not always work
Sad to say, the LP mobile AuthN application crashed from time to time. Once a situation even occurred where the mobile app proudly announced “You’re In!” but nothing happened browser-side.
Both LastPass and Duo Push AuthN apparently can get confused. This has a greater chance of happening if the mobile phone has complex connectivity: e.g.
- The mobile phone has both WiFi and cellular data channels open to the Internet.
- The phone is running a mobile VPN.
The confusion most likely comes from the backend “plumbing” of mobile Push: the approval travels from browser to vendor backend to push service to phone and back again, and if the phone’s network path changes mid-transaction (WiFi to cellular, or in and out of the VPN) one end can lose the result.
All things considered, throughout the testing 2FA Push “mostly” worked.
Mobile Push AuthN resulted in a significant improvement in end-user UI experience.
Suggestions for use
Here are some suggestions for better use of LastPass:
Let Google handle Google
Use native Google 2FA Push notification for Google 2FA. Don’t use LP.
Google sites change URLs frequently, which makes it tough for a third-party app like LastPass. Also, Google push AuthN works in Chrome Incognito (which LP doesn’t).
Why are we not surprised?
Supplement with KeePass
Since LP holds all the credentials, it is probably a good idea to do the initial (2FA!) login to LastPass using a master password kept in another, local credential store (e.g. KeePass).
Also use KeePass for anything important, e.g. Google account, LinkedIn, Facebook, MS Live, and any account that has a credit card attached (e.g. cell provider, Amazon AWS).
LP should only be trusted with low-value web site credentials.
Use LP on Chrome only / “Man in the Browser” attacks
Chrome *is* your main browser, right?
LP is first and foremost a browser plug-in component. The browser’s plug-in security model is therefore vital for LP security (or lack thereof!).
FF’s security model for extensions is minimalist: every extension runs with full browser privileges and can access any other extension’s data and every web page. (This describes Firefox’s legacy add-on model. The newer WebExtensions API, the only kind Firefox 57 and later will load, has a Chrome-style permission model.)
Running LP in the FF “Wild West” environment is a risky proposition.
For more information on Firefox’s extension permission model see:
Chrome in comparison does have a permission model for extensions.
To protect the LP plug-in’s data, any other Chrome extension that has been granted access to your data on all websites (check each extension’s permissions on chrome://extensions) should be disabled.
It should be understood clearly that *anything* that could give rise to a “Man-In-the-Browser” (MITB) or “Trojan Web Proxy” attack could result in all LastPass passwords being exposed.
SSL/TLS encryption and 2FA do not protect against MITB attacks: the malicious code runs inside the browser, after TLS has been terminated and after the user has already authenticated, so it sees the same decrypted pages and filled-in forms the user does.
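One way to find the extensions that need reviewing, as an added example (not code from this article or from LastPass): the Python script below walks a Chrome profile’s Extensions directory, reads each manifest.json and reports every extension that requests host access to all sites, whether through `<all_urls>`, an all-hosts match pattern in `permissions`/`host_permissions`, or a content script whose `matches` covers every site. The profile layout (Extensions/<id>/<version>/manifest.json) and the default profile paths are assumptions taken from standard Chrome installs; the three sample manifests are constructed for the offline demo.

```python
"""Report Chrome extensions that can read every site (added example).

Assumed profile layout: <profile>/Extensions/<extension id>/<version>/manifest.json.
The manifests in _SAMPLES are constructed for the offline demo, not real extensions.
"""
import json
import os
import re
import sys
import tempfile

# Chrome match patterns are <scheme>://<host>/<path>; a host of "*" means every site.
_ALL_HOSTS = re.compile(r"^(\*|https?|file|ftp)://\*/")

# Default profile directory per platform (standard Chrome install paths).
DEFAULT_PROFILE = {
    "win32": r"%LOCALAPPDATA%\Google\Chrome\User Data\Default",
    "darwin": "~/Library/Application Support/Google/Chrome/Default",
    "linux": "~/.config/google-chrome/Default",
}


def is_all_sites(pattern):
    """True if a permission or content-script match pattern covers every host."""
    return pattern == "<all_urls>" or bool(_ALL_HOSTS.match(pattern))


def broad_host_permissions(manifest):
    """Sorted list of the all-sites patterns a manifest asks for.

    Checks 'permissions' (MV2 mixes host patterns in with API names),
    'optional_permissions', 'host_permissions' (MV3) and each content
    script's 'matches' list.
    """
    found = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        found.update(p for p in manifest.get(key, [])
                     if isinstance(p, str) and is_all_sites(p))
    for script in manifest.get("content_scripts", []):
        found.update(p for p in script.get("matches", []) if is_all_sites(p))
    return sorted(found)


def scan_extensions_dir(root):
    """Return (extension id, version dir, name, patterns) for every installed
    extension under root whose manifest requests all-sites access."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8-sig") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        patterns = broad_host_permissions(manifest)
        if patterns:
            version_dir = os.path.basename(dirpath)
            ext_id = os.path.basename(os.path.dirname(dirpath))
            hits.append((ext_id, version_dir, manifest.get("name", "?"), patterns))
    return sorted(hits)


# Constructed sample manifests (not real extensions).
_SAMPLES = {
    "aaaa_password_manager": {"name": "Sample Password Manager", "version": "4.1.0",
                              "permissions": ["tabs", "storage", "<all_urls>"]},
    "bbbb_ad_blocker": {"name": "Sample Ad Blocker", "version": "1.2",
                        "content_scripts": [{"matches": ["http://*/*", "https://*/*"],
                                             "js": ["cs.js"]}]},
    "cccc_weather": {"name": "Sample Weather", "version": "0.9",
                     "permissions": ["storage"],
                     "host_permissions": ["https://api.weather.example/*"]},
}


def demo():
    """Write the sample manifests into a temporary profile and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in _SAMPLES.items():
            d = os.path.join(root, "Extensions", ext_id, manifest["version"] + "_0")
            os.makedirs(d)
            with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        return scan_extensions_dir(os.path.join(root, "Extensions"))


def main(argv):
    if len(argv) > 1:
        profile = os.path.expandvars(os.path.expanduser(argv[1]))
        hits = scan_extensions_dir(os.path.join(profile, "Extensions"))
    else:
        print("no profile given, auditing constructed samples "
              f"(default profile: {DEFAULT_PROFILE.get(sys.platform, '?')})")
        hits = demo()
    for ext_id, version, name, patterns in hits:
        print(f"{ext_id} {version} {name!r}: {', '.join(patterns)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the profile directory as the argument (on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default); with no argument it audits the constructed samples. The password manager itself will always be in the report, since filling forms on every site needs exactly that access; the finding is everything else on the list. Optional permissions are reported whether or not they have been granted yet, so cross-check against chrome://extensions before disabling anything.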
Most of LP’s recovery functions should be turned off.
This will improve app security. It will be more difficult for an attacker to abuse a recovery function to gain unauthorized access.
However doing this means that it is important to back up the LP data regularly.
Export the LP data to a CSV “flat file” backup on a regular basis. Note that the export is a plaintext file containing every password in the vault.
Store this data securely in a password-protected (encrypted) archive, and delete the plaintext CSV once it has been archived.
If the need arises, the backup data can be re-imported into LP to accomplish simple, robust recovery.
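Before the export goes into the archive it is worth checking what is in it. The script below is an added example, not the article’s or LastPass’s own code: it parses the CSV export and reports entries on the high-value domains named under “Supplement with KeePass” (which, by the article’s own rule, belong in KeePass rather than in LP), passwords reused across entries, and logins over plain HTTP. It assumes the export has a header row with url, username, password and name columns (LastPass exports url,username,password,extra,name,grouping,fav; newer exports add a totp column) and that secure notes carry the placeholder URL http://sn; the sample export is constructed.

```python
"""Audit a LastPass CSV export before archiving it (added example).

Assumes a header row naming at least url, username, password and name, and
that secure notes use the placeholder URL http://sn. SAMPLE_CSV is constructed.
"""
import csv
import io
import sys
from collections import OrderedDict
from urllib.parse import urlsplit

# Domains the article says belong in a local store (KeePass), not in LP.
# Matching is on the registrable domain and any of its subdomains.
HIGH_VALUE_DOMAINS = ("google.com", "linkedin.com", "facebook.com",
                      "live.com", "amazon.com")

SECURE_NOTE_URL = "http://sn"  # assumed placeholder LP uses for secure notes

# Constructed sample export (not real credentials).
SAMPLE_CSV = """url,username,password,extra,name,grouping,fav
https://accounts.google.com/,alice@gmail.com,Hunter2!,,Google,Personal,0
https://www.linkedin.com/login,alice,Hunter2!,,LinkedIn,Work,0
https://forum.example.org/login,alice,correct-horse,,Example Forum,Hobby,0
http://blog.example.net/wp-login.php,alice,correct-horse,,Blog,Hobby,0
https://aws.amazon.com/console,alice,QwErTy99,,AWS console,Work,1
http://sn,,,router admin pin 0000,Home router,Notes,0
"""


def parse_export(text):
    """Parse export text into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_high_value(url, domains=HIGH_VALUE_DOMAINS):
    """True if the URL's host is one of the high-value domains or a subdomain."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in domains)


def audit(rows):
    """Return findings: entries to move to a local store, groups of entries
    sharing a password, and logins over plain HTTP. Passwords are never output."""
    move_to_local, plain_http = [], []
    by_password = OrderedDict()  # preserves first-seen order of each password
    for row in rows:
        url = row.get("url", "")
        name = row.get("name", "")
        if url == SECURE_NOTE_URL:
            continue  # notes have no login URL to judge
        if is_high_value(url):
            move_to_local.append(name)
        if urlsplit(url).scheme == "http":
            plain_http.append(name)
        if row.get("password"):
            by_password.setdefault(row["password"], []).append(name)
    reused = [names for names in by_password.values() if len(names) > 1]
    return {"move_to_local": move_to_local, "reused": reused, "plain_http": plain_http}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8-sig", newline="") as fh:
            rows = parse_export(fh.read())
    else:
        rows = parse_export(SAMPLE_CSV)
    report = audit(rows)
    print("move to a local store:", ", ".join(report["move_to_local"]) or "none")
    for group in report["reused"]:
        print("same password shared by:", ", ".join(group))
    print("login over plain http:", ", ".join(report["plain_http"]) or "none")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python lp_export_audit.py lastpass_export.csv`; only entry names are printed, never passwords. The export file itself is plaintext, so create it on an encrypted volume, archive it with something that actually encrypts (gpg --symmetric, or 7-Zip’s 7z format with AES-256 and header encryption), and delete the plaintext CSV afterwards.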
The following are things to note concerning LastPass.
LP’s “Autopwd” function
The LP “Autopwd” password change automation function only works on a limited number of sites. Approximately 75 sites are supported. Most of these are high-value sites whose credentials should not normally be stored in LP in any case.
Do a manual “logoff” regardless
During testing, the automated “logoff” of the LP browser plugin worked some of the time, at least.
However, it is better not to trust the browser plug-in to automatically log off from LP.
Do a manual “logoff” before closing the browser.
Browser “native” synchronization
Attention is likely needed concerning native browser synchronization.
During testing, the LP plug-in configuration kept resetting itself back to default values. This was possibly due to other copies of the LP plugin being installed (with default values) on other instances of the browser.
Some bugs still – after all these years
There are some bugs (still!) in LP. During the short testing done:
- Mobile Authenticator crashed from time to time.
- Browser sync did not appear to be working properly.
LP recovery: Everything depends on the security of the user’s email acct
If 2FA authentication is broken, LP provides a “break-glass” recovery option (https://helpdesk.lastpass.com/multifactor-authentication-options/):
Whenever you login with Multifactor Authentication enabled, you are prompted to use your authentication code to login. Underneath the entry field for your code, there is a link entitled:
“If you lost your device, click here to disable authentication.”
“I’ve lost my device.”
Clicking this link will send an e-mail to your LastPass account e-mail address (or security e-mail address if you have set one), that will contain a link that will temporarily disable your Authenticator.
Bottom line: LP’s security depends on the security of the user’s email account!
LP accounts can also be recovered by the following methods:
- An OTP (“one-time password”) sent via email (but this can, and should, be turned off)
- An SMS text message (but this requires the local recovery password to be saved in the browser; this should be turned off)
There is also provision to fall back to an old version of the Master Password. (This should also be turned off.)
For the details concerning recovery, see:
Like we said at the start, “Do not use LP for high-value credentials.”
Like any mature SaaS, LastPass has a multitude of configuration knobs and buttons. This section documents some recommended configuration values:
Preferences / Security
- Automatically log out when all browsers are closed and Chrome has been closed for 1 min
- Automatically log out after 180 min idle
- Automatically Fill Login information
- Show my LP Vault after login
Preferences / Advanced
- Warn before filling insecure forms
- Clear filled fields on log out.
LP Vault Account Settings
General / Advanced
- Reprompt for LP master pwd before you access an identity
- (Consider specifying a different protected email account as “Security Email” for recovery purposes.)
- (Consider restricting to certain countries only.)
- Disable logins from TOR networks
- (Consider disabling Master Password fallback.)
- Automatically log off other devices when logging in from a different device.
- Track History
- (Specify at least 2 distinct 2FA methods including the LP Mobile Authenticator. Other methods could be Google Authenticator, Duo, YubiKey).
Trusted Devices / Mobile Devices
- (Don’t have any Trusted Devices.)
- (Do not sync to a mobile device which is also being used for 2FA.)
When properly implemented and used, LastPass is a great tool for automating robust password management. The online synchronization and the mobile Push AuthN are powerful, convenient functions.
LP should only be used for websites with low-medium value credentials. Also attention needs to be given to configuration and backups.
The next article looks at Duo. Duo is a SaaS which pioneered mobile 2FA Push notification.