Some password-manager apps that store data centrally get it right

You might be concerned from recent attacks that hosted secrets stored by 1Password and LastPass are at risk. The details say they're not.

thinkstockphotos vault safe bank door
vasilypetkov/Thinkstock

LastPass has been in the news a number of times in the last few years, and not in a good way. The firm makes password-management software for multiple platforms, synced through their central servers. In mid-2015, thieves copied its main password database, but because of good password storage design, the likelihood is that no users had any data extracted. In January 2016, a researcher found a user-interface spoofing bug, since fixed. In mid 2016, another researcher figured out how to fool LastPass with an autofill operation (fixed) and another reported a phishing vulnerability (also fixed). Then a few weeks ago, another found browser-based extension vulnerabilities (also fixed, except for one older client, being retired).

This sounds bad, right? But only in the first of those issues, the database theft, did information leak, and good design effectively mitigated it. All the rest of the vulnerabilities came from researchers reporting to LastPass, and there’s no evidence of those flaws being used in the wild, despite LastPass’s apparently large user base.

Likewise, you might think that 1Password, made by AgileBits, must be substantially stronger, because no similar research has surfaced in the last few years. But that’s not the case, either. LastPass and AgileBits have taken similar paths for products with quite different interfaces, interactions, and pricing for securing any data they host. (A problem with content-distribution network Cloudflare last month seemingly leaked some 1Password.com data, but only incidentally, and it was wrapped in additional layers of protection, as discussed in my article on the leakage.)

Security testers found problems in LastPass’s plug-ins, not in its central storage. 1Password pursues a different architecture on the browser extension side, and that’s kept it less susceptible to potential attacks. Let me break down how this all works.

Which philosophy do you want to pick?

This column arises from an email from reader Ginny, who asked about a line in an article at Ars Technica by Dan Goodin—an intrepid, veteran reporter of security flaws, who often breaks news on the topic—in which he notes, “Exploits become easier by convenience features that, for example, store encrypted password vaults in Internet-accessible locations or automatically paste passwords into websites.”

Ginny wondered if 1Password’s hosted passwords vaults had the same potential vulnerabilities as LastPass. It’s a great question, and hard for most regular users to answer, because there are so many nuances and moving pieces in security and encryption.

1Password used to be sold only as a freestanding version that could be synced locally or via a user’s cloud services. (That option still exists for $65 on macOS; iOS and Android apps are free, but have a few in-app premium upgrade features.) It launched 1Password.com in early 2016 for sharing among families and work groups, and then added an individual option in August 2016. It’s $36 a year for an individual or $60 for a family (up to 5), with options for bigger families and separate pricing for companies. All current versions of apps on all platforms are included in the subscription price. Storing items in a central vault, accessible via a website and the native apps, is optional, and local sync (via Wi-Fi and folders) and cloud sync via Dropbox and iCloud remains in place for local vaults.

privatei 1password app macos IDG

1Password’s native app integrates with browser plug-ins and allows access to optional centrally stored vaults.

LastPass is free for end users, and has a $1/month premium option that adds password sharing and support. There’s also a paid enterprise version. All versions of LastPass sync your data through its servers.

privatei lastpass web access IDG

LastPass can be used via web and mobile apps, and via browser extensions.

Goodin combines two issues that have quite different risk profiles, though I agree with him generally. Without examining all password-management apps that use or offer central storage or synchronization, it’s fair to say that Internet-accessible archives put users at greater risk than ones held or sync only across user-controlled systems and spaces. With so many out there, some are likely easy targets for crackers.

However, I’ve examined the protections employed specifically by AgileBits’ 1Password.com and LastPass and they meet several bars for protecting user data. (These are similar to my requirements for hosted backup services, in fact! You can see my criteria in a long piece comparing several hosted options.)

The basics for centralized protection are:

  • All data stored, sent, and received centrally by the hosted part of the service is wrapped in encryption set at a user’s end point.
  • The hosted service doesn’t know your password.
  • The hosted service can’t access your data, and can’t recover a lost vault or related passwords. (LastPass has some options, some of which can be disabled by a user, to recover or reset a lost master password, but none of them give it access to the password.)
  • An additional local encryption element is mixed into an account login.

With this in mind, a malicious party who obtained 100 percent of the information stored on behalf of users by either company would find it effectively impossible to recover any user data, even if they also intercepted 100 percent of the traffic to and from the services’ websites. The worst they might be able to do in capturing web interactions is see listings of passwords and other stored information by name and with some metadata.

The contents would remain uncrackable, because both services encrypt and decrypt data only at the user endpoints, whether in a native app, browser plug-in, or browser. (iCloud Keychain works the same, except there’s no web interface and it’s integrated only with Safari.)

The key difference between 1Password.com and LastPass, as far as I can tell, is that 1Password’s local element is a separate “secret key” that’s only shared among native software and used in the Web app. It considers this a second factor, because it’s generated locally and never transmitted. LastPass relies on a user name and password plus a uniquely generated local factor that identifies the device, and prevents the same login from being by another device if captured. 1Password lets you chain validation from device to device, by having, say, an iPhone scan the secret key’s QR code from a copy of 1Password in iOS. LastPass uses email-based verification to ensure a new machine logging in using your master password has been approved. It also supports many kinds of two-factor authentication for enhanced security.

The rest is cryptographic detail about implementation and choices, and to my eye, both companies have made good choices.

If you choose to use 1Password without any centrally stored passwords, only local vaults, it’s not clear whether that’s per se any safer than data stored at 1Password.com or LastPass. Even if you sync via Dropbox or iCloud and another person was able to gain access to those accounts and acquire your 1Password vault, they would still need to your vault password.

Effectively, the only clear way to crack either a local 1Password vault, 1Password.com, or LastPass is through malware installed on your computer that can access keystrokes. In that case, it’s already game over for any password you enter or store.

But what about phishing and browser plug-ins?

The second half of Goodin’s sentence is where 1Password and LastPass diverge: pasting passwords into web pages. LastPass’s method of interacting with a browser has allowed it be more vulnerable to researchers’ testing, because it relies on JavaScript injected into a loaded page to handle password fill-ins and other behavior. That means that phishing (luring someone to a malicious page) or a page someone happens upon that’s set up to attack LastPass users could render their data vulnerable.

The attacks discovered in the past would allow a malicious web page to probe for passwords for particular domains, download the entire set of passwords, or, in the most recent attack with a small number of LastPass users, install malicious software on the computer itself. (LastPass also used to rely on some interface elements that could be spoofed on a malicious web page.)

AgileBits has engineered 1Password’s desktop extensions differently for some time, using a kind of proxy that talks via a conduit to the standalone 1Password native app. This arm’s-length approach has provided fewer surfaces for researchers to probe, and attacks against it rely on having access via malware or an administrative password to a machine, which, again, means game over. (LastPass and 1Password have embedded browsers in their iOS versions, where there’s no risk of extension behavior, and Apple controls the functions of the Safari or WebKit browser.)

LastPass said in a blog entry that it was relying on a form of JavaScript sandboxing in browsers to prevent malicious code from slopping over and affecting its software. That’s proven not fully effective, and it’s added a kind of proxy to its approach that prevents these exploits.

As safe as a safe in your house

What’s the use of having a safe in your house that anyone can spin the dial and open? You’re better off having a safe that thieves might steal, but resists all attempts to break into, no matter how much time (and explosives) they have.

That’s the situation with these two providers at least, which are two of the biggest firms offering password management. The choices made for central security and end-point encryption, if implemented well, seem to me to mitigate risk almost entirely, leaving the problem up to you to prevent malware from running on your computer. LastPass needs to invest more in having outside security people test their plug-ins, but they seem to have gotten that message.

The fact is that the greatest threat to your passwords is the combination of you using the same password at two or more sites and sites both having weak security allowing exfiltration of their account databases and using weak encryption techniques to prevent brute-force attacks cracking those stored passwords. A password manager lets you set a strong password, which is more resistent to cracking even when bad techniques mask your password, and set a unique password for every site and account, eliminating the threat of the weakest link in the chain.

Related:
Shop Tech Products at Amazon