Why I don’t trust LastPass with my passwords

LastPass is a popular password vault solution that encrypts and synchronizes your login data for all your various services between all your devices. Their slogan “the last password you’ll ever need” refers to how your one password for LastPass can be used to unlock all your online accounts; enabling you to have unique and random passwords on all the different services you use.

I also wonder how safe LastPass is, and I'm having a hard time trusting LastPass despite the company doing everything, as far as we know, technically correctly when it comes to storing passwords so securely that not even LastPass themselves can access them.

LastPass can’t currently see the passwords you save to their servers while using the service. Their password vault client applications, even their web interface, perform all the encryption and decryption on the client. If someone stole the LastPass database, they shouldn’t be able to do anything with the data they get from LastPass as the encrypted blobs aren’t worth anything without your account password to decrypt them.

As of now, LastPass can’t share your passwords with law enforcement, the NSA, hackers who serendipitously gained access to LastPass’ infrastructure, or anyone else. LastPass’ servers aren’t all that vulnerable as both encryption and decryption happen on the client with their servers only storing unintelligible encrypted blobs.

This security design is sometimes referred to as Trust No One (TNO). People don’t need to trust LastPass as LastPass can’t do anything bad with their data in the current scheme of things.

The illusion of perfect security falls apart as soon as you realize that LastPass can simply change their clients to do whatever they want, or whatever a government agency pressures them to do. That includes transmitting the contents of your password vault back to LastPass’ servers without encryption, or sending it directly to a third-party server.

It isn’t just LastPass themselves who’re in a position to influence the clients. Mozilla and Google could be forced by court order to distribute modified updates for the LastPass extensions to select targets among their browser users.

Under the Trust No One security model, you still have to ultimately trust the client program and those who control it. There’s nothing LastPass can do to fix this problem other than to give up control over all their browser extensions, apps, and other clients. Releasing them as open-source programs would go a long way to ensuring some community oversight over the clients.

The LastPass password-vault-as-a-service component is mostly irrelevant, and they can continue to charge for their hosting/synchronization services as they currently do. I don’t want to run them out of business nor am I calling for them to open up the server component of their proprietary synchronization service.

Online backup storage service providers like Backblaze and Carbonite make the same promise about their security technology as LastPass. These services also require their customers to trust that their clients are encrypting their data, and that they won’t change that in the future. Note that local encryption is optional and requires extra setup steps in both Backblaze and Carbonite.

I’m not currently a LastPass user, and I kind of wish there was more competition with as good of a reputation as LastPass. Among the commercial service providers, LastPass is the unchallenged king of dedicated password vault solutions.

My former employer Opera recently lost all their users’ password vaults. I’ve no insight into the matter, and can only hope the data was stored following the Trust No One model. As the clients are all proprietary, it’s very hard for anyone to verify that this is indeed the case.

Self-hosted and open-source password vaults are few and far between. There are a few options available, but they’re made by small teams with no security vetting. More troublesome, many of them are no longer receiving any updates or attention, leaving existing users at potential risk.

All this being said, I might just give in and start using LastPass in the coming weeks. Managing passwords with the Unix-centric pass is too inconvenient and inaccessible, and lately it has even gotten to be a bit stressful. I have very valuable and business-critical data stored in pass. I’m no longer certain that I want to keep up with all that’s required to keep the password vault safe, accessible on all my devices, and securely backed up.

LastPass’ convenience is looking very attractive, and even though I don’t trust them — I no longer feel like I’ve got a better alternative.