This post is a collection of forum posts that I made on the topic of password managers and LastPass. As a developer interested in security software and encryption, I have a number of issues with LastPass, and I recommend KeePass instead. KeePass is free and open source. Download here


I don’t really trust LastPass, and I find their security to be lacking (convenience over security.)

A system (like KeePass) where you can use a master password plus a keyfile to encrypt the database is the most secure option. It should be noted that LP (and possibly other cloud services) only use the other factor as access control. That is to say, if someone grabbed your password DB from LP’s servers through some attack, all they would need is your master password.

I’ve never been cool with this. Say an (ex)employee wanted to inject some JavaScript into the login page that sent them your master password. They also grabbed the DB through some other mechanism, and you’re screwed. The access control provided by multi-factor is great and should be used more often, but it does nothing to protect the security of your actual password DB should it fall into the wrong hands. The fact that LP admitted to suspicious behavior on their network and the fact that they weren’t using key transforms to make brute-forcing harder removes any trust I may have given them.

The lack of key transforms is a standout to me. I’m a software developer that has written security/encryption code. Setting up a system that doesn’t perform these transforms is very sloppy. I’d unfortunately expect as much on commercial websites, but for a company focused on security, this is a huge failure.

For what it’s worth, I inspected the KeePass source code a few versions ago, and it passed my exam. Note, the packaged versions (for download) may have evil code added, but the developer has been at this a while and personally signs his products.


I haven’t looked at 1Password in any depth. When I looked into LastPass, I was trying to find a service that would allow other members of my business to easily use common passwords. I did a deep dive into the service, including purchasing the full version and a YubiKey. The YubiKey is very cool, but that’s a story for another day.

In the end, I use KeePass with 2 databases. One for ‘work’ and one for my personal passwords. I also use Firefox’s password manager (with a master password for encryption support) for my less sensitive passwords (forums, shopping sites that don’t have my CC info, etc.) This is a decent compromise between convenience and security for passwords that wouldn’t be disastrous if lost.


(On the YubiKey device)

The YubiKey (http://yubico.com/yubikey) is a cool little USB device that has multiple security functions. It is small and thin, and it only has one ‘button’ on the top, which is really just a gold-plated finger contact. Anyway, LastPass uses one of its modes called OATH OTP (one-time password). Using their code or your own, you can write a form entry field (textbox) on your site that expects a code. Once plugged in, the YubiKey functions as a USB keyboard that can automatically ‘type’ a string of characters into the input field when the user presses the button. Using a couple of algorithms, the server can determine that yes, you have the key in your possession. This satisfies multi-factor authentication: something you know (password) and something you have (YubiKey).

Unfortunately, this provides access control only, though more web portals should use it to increase security (Vanguard, you listening?) What would be ideal is if the YubiKey actually was used to encrypt your password database. Well…turns out you can do just that. I wrote proof of concept code to do it with the YubiKey, as it also supports a mode called ‘challenge-response’. You can actually ‘feed’ the YK a value, and it will return a value constructed from that value + a secret internal value that can’t be read (but can be reprogrammed). So, for a password database, when you’re saving the database, the software could come up with a random value, feed it to the YK, and encrypt the DB with the resultant value (crypto hash). The value initially passed to the YK would need to be stored with the database file (it’s not sensitive). Now, on next open, that value would be read, passed to the YK, and the hash used to decrypt the DB.
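As an added illustration (not the author’s proof-of-concept code, and not Yubico’s), here is a sketch of the save/open flow above combined with the key transforms complained about earlier: a stand-in object plays the YubiKey’s HMAC-SHA1 challenge-response slot, the random challenge and salt are stored in clear beside the database, and the master password is stretched with PBKDF2 before being mixed with the device response. The SimulatedYubiKey class, the header layout and the key-check field are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

KEY_TRANSFORM_ROUNDS = 100_000  # PBKDF2 iterations: each password guess pays this cost


class SimulatedYubiKey:
    """Stand-in for a YubiKey slot programmed for HMAC-SHA1 challenge-response
    (constructed simulation for this example, not Yubico's code). The host can
    only send challenges and receive responses; the secret never comes out."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def challenge_response(self, challenge: bytes) -> bytes:
        # The real device computes HMAC-SHA1 over the challenge with its stored secret
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_db_key(master_password: str, yk_response: bytes, salt: bytes,
                  rounds: int = KEY_TRANSFORM_ROUNDS) -> bytes:
    """Combine both factors into one 32-byte database key."""
    # Key transform: stretch the password so brute force costs `rounds` hashes per guess
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, rounds)
    # Mix in the device response; a stolen DB file plus the password is still not enough
    return hashlib.sha256(stretched + yk_response).digest()


def new_header(master_password: str, yk: SimulatedYubiKey) -> Tuple[dict, bytes]:
    """On save: build the non-secret header stored with the DB and the key to encrypt it with."""
    challenge = os.urandom(32)  # fresh random value per save; safe to store in clear
    salt = os.urandom(16)
    key = derive_db_key(master_password, yk.challenge_response(challenge), salt)
    # Key-check value lets the opener detect a wrong password or device before decrypting
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()[:8]
    header = {"challenge": challenge, "salt": salt,
              "rounds": KEY_TRANSFORM_ROUNDS, "check": check}
    return header, key


def open_db_key(header: dict, master_password: str, yk: SimulatedYubiKey) -> Optional[bytes]:
    """On open: replay the stored challenge to the device and rebuild the key.
    Returns None when the password or the device does not match."""
    response = yk.challenge_response(header["challenge"])
    key = derive_db_key(master_password, response, header["salt"], header["rounds"])
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()[:8]
    return key if hmac.compare_digest(check, header["check"]) else None
```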

This would be one of the most secure processes I can think of. Of course, (from LastPass’ perspective) there are downsides. Loss of the device would be problematic. A new device could be reprogrammed to function the same as the lost one, but it would require using tools offered by Yubikey. No problem for a local IT department, but hard to tell your customers when you aren’t local (LastPass.) You are also forced to use a computer/device that has drivers for the YubiKey. So, understandably (from a business perspective), LastPass made a pro/con decision to be as secure as they can given the desired functionality: convenience over security.

If you do use LastPass, I would highly recommend one of their options for multi-factor. I believe they now offer the free Google Authenticator method, which uses a small program running on your cell phone as the ‘what you have’ portion.


(On malware that can read your clipboard)

KeePass tries to get around this a number of ways (http://keepass.info/help/v2/autotype_obfuscation.html). For one, it ‘hooks’ clipboard events to try and stop other programs (malware) from knowing that the clipboard just received data. This is not totally foolproof, but it’s the best that is possible for the clipboard in Windows. Another option is to use auto-type. KeePass can ‘type’ your password using a mix of clipboard and key presses. Again, not unbeatable, but it makes it much more difficult.

In any case, many local spyware apps don’t bother with the clipboard. They can simply attach to the network stack and see your raw HTTP (web) data as it’s transmitted over the wire. It’s easier for the hacker to figure out data from the network that looks like:

POST /login.jsp HTTP/1.1
Host: www.vanguard.com
User-Agent: Mozilla/4.0
Content-Length: 27
Content-Type: application/x-www-form-urlencoded
userid=joe&password=uhoh

than massive random clipboard data:

this is just a story that I am writing in my word processor(click 35,43)(enter)(click 45,65)(enter)joe(click 45,43)uhoh