Ask LH: Is LastPass Secure? What Happens If It Gets Hacked?

Dear Lifehacker, You recommend LastPass to avoid problems when services get hacked, but what happens if (or when) LastPass gets hacked? Wouldn't that just give hackers access to all of my accounts? Is LastPass safe to use? Thanks, Password Protector

Dear PP,

Your worry is a common one: if LastPass stores all your passwords in the cloud, what's to stop someone from hacking them and then getting into all your other accounts? Thankfully, it's not so simple. Nothing is 100 per cent secure, but we think you can feel safe with LastPass.

First of all, let's remember that LastPass — as a security-focused app — is dedicated to security in a way many services are not. Even when LastPass thought it might have been hacked back in 2011, it notified users immediately, and forced a master password change if you tried to access it from a new computer.

Furthermore, as with any other service, you should be using two-factor authentication with LastPass. If you do, someone who has your master password still will not be able to access your account, even in the event of a breach. If you want to take it to the next level, you can put together this awesome thumb drive-based system and enable these features for extra two-factor security.

Lastly, remember that the only secure password is one you can't remember. If you can remember it, it's probably more easily hacked and more easily reused on your other accounts. Using a password manager is still the most secure way to use your accounts, and it makes it very easy to audit and update your passwords when someone does get hacked (which sadly is a common occurrence these days).

If you don't like the idea of storing your passwords in the cloud, there are alternatives, like the awesome KeePass. These keep your data out of the cloud, but make it more difficult to access your passwords on anything but your main computer — which is a huge blow to convenience. Unless, of course, you sync them with Dropbox, which defeats the whole purpose of using a local password manager (though you could encrypt the database with something like TrueCrypt first). And remember, if someone has physical access to your computer, they can still get your password database that way.

At the end of the day, it's up to you to use what makes you feel safe. But remember: nothing is 100 per cent secure. We still think LastPass is the best option around, as long as you use it correctly.

Cheers, Lifehacker


Comments

    LastPass only receives and stores encrypted data, ever. They never receive your master password, they never receive unencrypted data, and they don't store anything that isn't encrypted. They use multiple-pass AES256 encryption which makes it extremely difficult to break - the fastest option to break a single encryption requires 3.8e+76 cycles, which is about 4 trillion trillion trillion trillion cycles.

    Basically, even if LastPass gets hacked and all their data is captured, it takes a prohibitively huge amount of processing time to break just one AES256 encryption pass on just one account.

      You're right, unless someone is able to hack LastPass and deploy a hacked browser plugin/app which incorporates password capture.
      (Note: not saying this incredibly marginal risk 'problem' is limited to LastPass. An equivalent problem would occur if someone hacked the KeePass hosting and swapped out hacked versions of the binaries).

      "Basically, even if LastPass gets hacked and all their data is captured, it takes a prohibitively huge amount of processing time to break just one AES256 encryption pass on just one account."
      Correct - remember the point of encryption is to make it so that by the time the protection has been broken, the data being protected is redundant.

    "... there are alternatives, like the awesome KeePass. ... Unless, of course, you sync them with Dropbox, which defeats the whole purpose of using a local password manager (though you could encrypt the database with something like TrueCrypt first). And remember, if someone has physical access to your computer, they can still get your password database that way."
    KeePass encrypts the password database anyway, so even if they got hold of the *.kdbx file, they'd still have to crack it open to get at your data.

    EDIT: http://keepass.info/help/base/security.html

    Last edited 02/04/14 12:00 pm
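The model the first comment describes (the service stores only encrypted data and a login verifier, never the master password) as an added example in Python; this is illustrative code, not LastPass's or KeePass's own design. Assumptions: PBKDF2-HMAC-SHA256 with an illustrative iteration count and the e-mail address as per-user salt, an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as a standard-library stand-in for AES-256, and constructed sample credentials.

```python
import hashlib, hmac, json, os
KDF_ITERS = 100_000  # assumed value; production managers use far higher counts today

def derive_keys(master_password: str, email: str) -> dict:
    """Client side only: stretch the master password into separate keys; only 'login' leaves the device."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERS)  # email as per-user salt (assumed)
    return {
        "enc": hmac.new(root, b"vault-encryption", hashlib.sha256).digest(),
        "mac": hmac.new(root, b"vault-integrity", hashlib.sha256).digest(),
        # One extra stretching round so the server never holds the root key itself.
        "login": hashlib.pbkdf2_hmac("sha256", root, master_password.encode(), 1),
    }

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-256, which hashlib lacks.
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def encrypt_vault(keys: dict, entries: dict) -> dict:
    plaintext, nonce = json.dumps(entries).encode(), os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).hexdigest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}

def decrypt_vault(keys: dict, blob: dict) -> dict:
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(keys["enc"], nonce, len(ct)))))

def server_record(master_password: str, email: str, entries: dict) -> dict:
    """Everything the service stores, i.e. everything a breach of it could expose."""
    keys = derive_keys(master_password, email)
    return {"email": email, "login_hash": keys["login"].hex(), "vault": encrypt_vault(keys, entries)}

def record_leaks(record: dict, secrets: list) -> bool:
    return any(s in json.dumps(record) for s in secrets)  # True if a secret is stored verbatim

def opens_with(master_password: str, email: str, record: dict) -> bool:
    try:  # what a stolen record yields for a given master-password guess: nothing unless it is right
        decrypt_vault(derive_keys(master_password, email), record["vault"])
        return True
    except ValueError:
        return False
# Constructed sample data, not real credentials
ENTRIES = {"bank.example": "hunter2-long-random-8f3k", "mail.example": "correct horse battery staple"}
RECORD = server_record("My M@ster Pa55phrase", "pp@example.com", ENTRIES)
```

Every offline guess against the stolen record costs the attacker a full KDF run, which is why the iteration count and the strength of the master password, not the AES key length, decide how a breach plays out.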
