[kwlug-disc] Storing loads of passwords

Eric Gerlach eric+kwlug at gerlach.ca
Sat Sep 4 10:49:40 EDT 2010


On Sat, Sep 4, 2010 at 10:21 AM, Johnny Ferguson <hyperflexed at gmail.com> wrote:
> Checked out the website. Am I the only one that finds it strange they claim
> to require javascript to secure your authentication over HTTPS? I understand
> this is to make the service accessible with cell phones, but I don't really
> need this feature.

The reason they need JS to authenticate you is because of the way they
do authentication.

Your AES key is the concatenation of your username and password, run
through SHA256.

Your authentication key is your encryption key, concatenated with your
password, run through SHA256.

They don't even store that on their servers.  They hash that with a
nonce, and store that.

In order to be able to do this using a web browser, you need JS.

> It does seem decent, but it has a lot of features I'm not sure I need. The
> yubikey looks cool though (hadn't seen this gadget before). I think for now
> I'll stick to running gpass on a single machine (using remote X sessions
> from my "slave" machines), until I can verify LastPass is what I need, or I
> find a simpler tool to do what I want.

Yubikey is totally optional.  I don't use it, nor do I plan to.  I
just mentioned it for the super-paranoid out there :-)

Right now, I'm just using it to store website passwords.  Which is
what it does best.

> I don't think it'd be too hard to make some kind of yubikey authenticated
> web-based password vault. The only thing that would be tricky with that is
> clearing the clipboard after you're done with the tool (something gpass does
> quite well). With a web-based system you get portability, but you have to
> remember to copy some arbitrary text to clear your password from the
> clipboard (which is paranoid, but it can't hurt).

What I like about LastPass is it doesn't even go into the clipboard.
Since it directly fills in the password on the site using the plugin,
there's no risk of clipboard leakage.

> Is LastPass open-source? I didn't see any source on their site. I just feel
> safer knowing myself and hundreds of other people can see the code that
> we're entrusting our sensitive information to.

No, it isn't open source, but they have published code to perform all
of the things they do for encryption and authentication manually.  So
their crypto is verifiable.  Admittedly, they *could* plant some code
in there to steal all your passwords, but I trust them not to do that.

Actually.... I wonder how much of their Firefox Add-On is just JS
(thus being "open source", even if not "free software"), and how much
is native code.  It could be worth looking into.

Cheers,

Eric
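The derivation chain Eric describes (encryption key from username and password, authentication key from the encryption key and password, and only a nonce-hashed form of the authentication key kept server-side) can be modelled in a few lines. The following is an added, constructed example for this thread, not code from the post and not LastPass's own implementation. It assumes UTF-8 encoding of the strings, that the raw 32-byte digest (not a hex string) is what gets concatenated, and that "hashed with a nonce" means SHA256 over a random per-account nonce followed by the authentication key; the post does not specify any of those details.

```python
"""Model of the client/server key derivation described in the post.

Constructed example; not from the kwlug-disc thread and not LastPass code.
Scheme as the post states it:
  encryption key      = SHA256(username || password)
  authentication key  = SHA256(encryption_key || password)
  stored on server    = hash(authentication key, nonce)
Assumed details (not in the post): UTF-8 encoding, raw digests are
concatenated, server hash is SHA256(nonce || auth_key) with a 16-byte nonce.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def derive_encryption_key(username: str, password: str) -> bytes:
    """Client-side AES key: SHA256 over username || password. Never sent."""
    data = username.encode("utf-8") + password.encode("utf-8")
    return hashlib.sha256(data).digest()


def derive_auth_key(username: str, password: str) -> bytes:
    """Client-side login credential: SHA256 over encryption_key || password.

    SHA256 is one-way, so the server receiving this value cannot recover
    the encryption key and therefore cannot decrypt the vault contents.
    """
    enc_key = derive_encryption_key(username, password)
    return hashlib.sha256(enc_key + password.encode("utf-8")).digest()


def server_store(auth_key: bytes, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server side: keep a per-account nonce and SHA256(nonce || auth_key).

    The nonce construction is an assumption; the post only says the auth key
    is hashed with a nonce before storage. A database leak exposes neither
    the auth key nor the encryption key directly.
    """
    if nonce is None:
        nonce = os.urandom(16)  # assumed nonce length
    return nonce, hashlib.sha256(nonce + auth_key).digest()


def server_verify(auth_key: bytes, nonce: bytes, stored: bytes) -> bool:
    """Server side login check; constant-time comparison of the recomputed hash."""
    candidate = hashlib.sha256(nonce + auth_key).digest()
    return hmac.compare_digest(candidate, stored)


def demo(username: str, password: str) -> dict:
    """Run the whole exchange once and return the values each party holds."""
    enc_key = derive_encryption_key(username, password)      # stays on client
    auth_key = derive_auth_key(username, password)           # sent at login
    nonce, stored = server_store(auth_key)                   # server keeps these
    return {
        "client_encryption_key": enc_key.hex(),
        "client_auth_key": auth_key.hex(),
        "server_nonce": nonce.hex(),
        "server_stored": stored.hex(),
        "login_ok": server_verify(auth_key, nonce, stored),
        "wrong_password_ok": server_verify(
            derive_auth_key(username, password + "x"), nonce, stored),
    }


if __name__ == "__main__":
    # Constructed sample credentials.
    for k, v in demo("alice@example.invalid", "correct horse").items():
        print(f"{k:24} {v}")
```

Running `demo` shows why the browser needs JavaScript for this design: both SHA256 steps have to happen on the client so that the server only ever sees the authentication key, and the encryption key never leaves the machine. It also shows the usual caveat of the scheme as described: with a plain SHA256 and no iteration count, an attacker holding the stored value can test candidate passwords quickly, which is why a slow KDF would be the practitioner's preferred choice for the first step.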



