Ask HN: Given the Lavabit case should we trust LastPass? - AhtiK

Is LastPass obliged to transplant a hook for master password grabbing whenever NSA makes the request?

I find it hard to believe that there has been no such request and something tells me it's easier to install a hook into every LastPass browser plugin downloaded.
======
mcintyre1994
Lavabit had a gag order so we really don't know what we need to know in order
to accurately assess the situation. That fact's probably enough to conclude
you shouldn't trust a company you believe the NSA or allies' equivalents with
anything you'd want to believe is secure though.

------
mknits
LastPass has been compromised by hackers before; I think this incident
happened last year. Since then, I stopped using LastPass and now I use
KeePass, whose database rests on my desktop.

~~~
baconhigh
Citation needed.

There was a 'network traffic anomaly' a while back - but it wasn't a confirmed
compromise.

Not saying it wasn't.. but I think you should provide examples before blindly
calling a hack.

~~~
AhtiK
The cause for the 'network traffic anomaly' was not identified and it was big
enough to contain usernames, emails and hashed passwords (no data blobs) [1].
I find it hard to believe that a programming or devops error could result in
this kind of traffic anomaly that remained unidentified (the traffic
destination IP was likely something the LastPass guys did not expect, not just a
LastPass-owned S3 backup bucket).

The good part is that after the incident they also improved the algorithms:
PBKDF2 with a user-configurable iteration count [2].

I think LastPass handled the situation perfectly and implemented the changes
required. My only remaining concern is the risk of distributing tampered
browser plugins in order to provide the NSA the passwords whenever they ask for
them.

It's not that I'm paranoid about the NSA being interested in me. Having tampered
plugins opens up the attack vector for all hackers, rendering the encryption
layer useless.

[1] http://blog.lastpass.com/2011/05/lastpass-security-notification.html

[2] https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/

------
junto
Is 1Password also now suspect? I let my keychain be saved over Dropbox. At a
guess that is a weak link, right?

