After the 2015 potential security breach at LastPass many people became paranoid about lastpass. Even some deleted their accounts and moved to alternate solutions or pen and paper.
Truly speaking even I was scared about my data beig secured and for sometime went back to a small pocket notebook and a pen. using a small pocket notebook, a password generator on phone and a pen was all I needed for sometime until “I lost my pocketbook“.
Ofcourse my passwords were not all in plain text, somehow I had a random text after all my passwords which only I knew so someone logging to my sites using that notebook was not much of a concern but loosing all my accesses was. Kept wondering how did all this hassle of writing down passwords helped me as I have to begin all over again. If I would have used a password manager, atleast I could have taken a backup of some sort.
So finally it was time to move back to a decent password manager. Choices were many. Lastpass, 1Password, Dashlane, Enpass etc. For weeks I went through reviews, tech articles, blogs etc. after which became all the more puzzled. But then I found out that 1Password released their 6 months account free for new users. I jumped on it, created a new account; installed 1Password on all my devices and was extremely happy with the service.
Everything was magically getting synced to all my devices. All about 6 months my trial was over, now it was time to pay for the service. Ofcourse they also need to make money, I can’t expect something like this for free (there’s no free lunch). Their desktop app (without account) was extremely expensive. I switched to iOS app version and used that for sometime. But everytime on my Mac I had to manually type those long passwords. So I decided to give a shot to lastPass or Dashlane.
I checked the prices, and LastPass was cheapest among them. Dashlane was a solid product but was expensive and it didn’t have a file upload feature which Lastpass premium and 1Password has. So lastpass became the no brainer choice. It was even free for personal use and with premium you get some extra benefits like family sharing, priority tech support and 1GB of file storage. Went with Lastpass finally. The migration was a breeze with import utility.
The plugins were all installed on all my browsers and I started using Lastpass inspite of all the paranoid articles. Ofcourse I am no security expert and no knowledge of server side code, but since last pass had web access I decided to give it a shot and see the API calls.
I tried some random email/passwords combinations, and found that the Master Password, as claimed by them is NOT transmitted to them. Only the user Email and some device keys, encrypted userId and some Hash gets transmitted.
Here is a screenshot:
Though something made me uncomfortable. When I tried a random test Id (but with valid domain like firstname.lastname@example.org which may have been someone’s actual id on LP- (apologise if someone has similar id and got a notification for failed login try – I was just typing random id which was something like this) I saw that the error message was “Invalid Password”. I couldn’t understand as I had typed gibberish and that email should be invalid. So I tried my test email with wrong password, and same message of Invalid Password was given. But when some complete junk email was provided ( email@example.com ), Lastpass gave a popup asking whether I want to create an account. Now I am not sure if its because of the valid domain or lastpass validates the email in their database and provided the error message.
This doesn’t look right to me. I think LastPass should not give any hints whether an email id valid or not. If someone tries my email id even without knowing my master password, he/she will know atleast that I have an account with Lastpass even without asking me (they can’t login to my account without knowing my Master Password though). But this may result to phishing attacks.
But other than this small concern, the Network calls looks pretty ok. Everything is done on the device and personally speaking I liked what I saw or atleast what I understood. They really have made a solid,secure product and probably I will soon sign up for their premium version.
Thanks to lastPass for keeping us safe and taking a lot of burden for us.