In the past few weeks I’ve had a bit of an epiphany. I’ve become incredibly security and privacy conscious. I’ve closed my Facebook account, started moving away from Google and begun using far stronger, unique passwords. In the past, for websites, I’ve had one strong password which would be impossible to guess and then used that on every website (except my bank, which doesn’t allow special characters in a password). I know, shoot me. That’s the worst thing you can do in terms of passwords next to having 123456 as your password. Every website had the same password and email and (normally) username. If you got the password to one website, you had it to all of them. I’ve realised this security flaw and over the past couple of weeks, changed all of my passwords so that they are unique to each website and totally unintelligible to humans. 30 characters of random, well, characters. How the hell was I meant to remember them? I used a password manager. In the past, I’d been using 1Password to “manage” my passwords. I’d really been using 1Password, not because I couldn’t remember my passwords, but rather to reduce the number of keystrokes needed when entering a password.

Now that I was using impossible to remember passwords, a password manager was no longer a convenience, it was a necessity. After updating all my passwords in 1Password, everything was fine for a few days. 1Password is an excellent piece of software and is incredibly simple to use. Three days after changing all my passwords though, I hit a roadblock. I was on a public computer and needed to login to a website. Normally I’d just use 1Password but this wasn’t any computer. a) It didn’t have 1Password installed & b) It ran Linux. 1Password doesn’t run on Linux. It’s Mac & Windows only. I had a problem. To be fair to the 1Password developers, I could actually access my 1Password database from the computer via Dropbox. The 1Password data file includes a small web application that allows you to view your 1Password data from any web browser, without the main application being installed. The problem is, this requires my Dropbox account to have a memorable, and therefore insecure password, something I wasn’t comfortable doing. When I was back on my own computer, I started looking into a cross platform solution (since I use non Mac computers a lot) and came across the famous LastPass. Reading through the feature list, the free version seemed to cover most of my needs and the incredibly cheap premium version would cover the rest (mobile support). Best of all, LastPass was cross platform, since it is only a web service and browser extension.

I signed up to LastPass and installed its extension to my (at the time) browser of choice, Chrome (now Firefox). I was initially quite impressed. Setup was simple. LastPass offered to import my passwords from 1Password (though this did require me to export the passwords to a plaintext format) and even scanned them to tell me if there were any duplicate passwords or other potential security risks. Functionality wise, LastPass was incredibly impressive. It wasn’t anywhere near as aesthetically pleasing as 1Password but it had far more functions. After installing LastPass on my Mac and Linux boxes I carried on as normal, with the intention of replacing 1Password and purchasing a premium subscription to it after a few days. Within a few hours though, I began to become concerned about my security with the service though.

Typically, peoples concern with LastPass’ security comes from the fact that the service stores all their passwords on a server (for synchronisation). This wasn’t my concern as, before signing up, I’d done extensive research into the service’s security. LastPass’ password storage is very secure. LastPass can’t access your passwords, they can only see the encrypted file. The passwords themselves are only decrypted on your computer. I wasn’t concerned about somebody accessing my passwords remotely. I was concerned about someone getting them from my computer.

The LastPass extension works like this. You login to your LastPass account and all of your passwords are synchronised to your computer. When you visit a site, the extension offers to autofill the password for you. If you allow it to, it will continue to do so in the future. 1Password has a similar extension. With 1Password, you visit a site and press a key combination. Up pops a window asking you to unlock your password with a master password. The extension then fills in the username & password and will optionally submit the login for you. When you revisit the website again, you must do the same action. At first glance, 1Password’s method of autofilling logins seems to be slow(er), requiring several steps. LastPass is far more simple, automatically filling in the form when you visit a site. You don’t need to log back in or unlock your passwords. LastPass just assumes that it’s you using the computer and not, say, someone who’s just stolen your computer. That’s my security concern with LastPass. By default, you’re never logged out of the extension. That’s one hell of a major security flaw. Even worse is the fact that it automatically fills in passwords for you. With 1Password, even if your password vault is still unlocked (it doesn’t actually lock until after 5 minutes; you tell it; or some event happens like closing the laptop’s lid), you have a small layer of security in terms of a key combination to fill in the password. Your common laptop thief isn’t going to know what buttons to press to activate the 1Password extension. With LastPass, they don’t need to know any buttons. It’ll do it for them.

Again, in the interest of fairness, LastPass does provide two options in its settings menu to

1. Automatically logoff when all browsers are closed for x minutes.
2. Automatically logoff when idle for x minutes.

The option’s there but I’m extremely concerned by the fact that these two options aren’t enabled by default. Enabling these options then throws up an annoying usability problem. When the LastPass extension logs you out automatically and you visit a site, the extension doesn’t prompt you to login to autofill the password. This can result in a bit of head scratching as you try and work out why the extension isn’t filling in your passwords. 1Password has this problem too, but it’s alleviated slightly by the fact that the key combination to autofill passwords becomes a reflex action and so you ultimately end up being prompted for your password anyway.

That’s my main problem with the LastPass extension. While this was annoying, it was fixable and so I continued using the service and, ultimately, ended up signing up for the premium service solely for the ability to access my passwords on mobile devices, in my case, an iPhone. This is where the service became sickeningly bad.

A years subscription to LastPass premium cost £7.49 ($12) which, in terms of coffee pay is maybe 3 and a bit coffees? Either way, it’s not going to break the bank. I downloaded the iPhone(/iPad) app and went through the setup. As expected, the UI was pretty rough. I’d come to expect this, given LastPass’ track record with the browser extensions. After logging in, you’re presented with a list of your sites according to their groups. If you haven’t set up any groups, you’ll just get a list of sites under a group called “none”. Tapping on a site presents a modal list of options including the ability to copy a password or username to the clipboard. Counter intuitively, the button to cancel the list is at the top, whereas it’s normally at the bottom in iOS. This is just one of the many user interface and design flaws in the application. The most frustrating of these flaws is the option (or lack thereof) to logout on close.

The mobile application, like its desktop counterpart, likes to keep you logged in for as long as it can. If you close the app so that it enters the background, you stay logged in until the application is killed full stop. As soon as the application is killed, everything’s nice and secure. Digging around in the settings, there’s an option called “log out on close”. Logic foretells that enabling this will log you out of the application when you close the application, even if it’s still running in the background. Oh no. It does nothing. At all. At least, as far as I can tell it does nothing. The app continues to keep you logged in until you kill the application. This is a major security flaw, especially on a mobile device. Having to remember to logout of a mobile application is just stupid, especially one with as sensitive data as this. Mr iThief could happily take my phone and, even if I haven’t launched LastPass in a while, it could still be running in the background and Mr iThief could easily get my passwords.

Again, In the interest of fairness, 1Password (Touch) does a similar thing and can stay logged in indefinitely as long as it’s running in the background. Whether it does this by default I can’t remember but it does provide some fairly extensive options to configure auto locking. Currently, my copy of 1Password requires a pin as soon as it is enters the background, requiring the master password after 5 minutes of inactivity. I think this is pretty secure and works nicely.

Thanks largely to the terrible iOS application (it has so many problems), I’ve stopped using LastPass for now and switched back over to 1Password. I’ve also sent a message to LastPass asking for a refund, I should get one. It’s going to be annoying on my Linux machines trying to use 1Password but, in terms of design and local security, 1Password feels a lot safer since it doesn’t leave me logged in for indefinite periods of time. LastPass is an excellent product assuming you only use the browser extensions with automatic log out enabled. Otherwise, despite the excellent security LastPass takes in storing your passwords, it fails miserably at keeping your passwords safe on your devices, especially mobile ones.

Update Within minutes of writing this post and a few hours of requesting a refund, I’ve received an email from LastPass confirming a refund for the premium service. Ultimately, no harm done.

Update 2 The other night (14/02/12), I got two emails from Joe at LastPass in response to the issues I raised in this post. Here’s what he had to say:

Email 1

For windows we force you to choose if you want to be logged out or stay logged in, the fact that we don’t have this option on OS X / Linux prompting you by default is something we’ll rectify.

For iOS, we have the option to logout on close, and to pin prompt if you’ve left LastPass logged in the background  – did you miss this in the ‘more’ menu?

Best,

Joe

Email 2

I should also mention that you might want to try LastPass Icon -> Preferences -> whatever 1password key combo for fill in next site to get that behavior.

Joe

Nice to see a response from someone at LastPass! So it would seem I missed a setting in the iOS application. Apparently, enabling pin prompt in LastPass (along with logout on close) will solve my security concern on the iOS app. I didn’t realise that both of these settings had to be enabled, the app didn’t (but should) point this out. I can’t actually verify that this would solve my security concern since I don’t have a premium subscription (and hence access to the mobile application) anymore but I trust the guys and girls at LastPass and don’t see why they’d lie.

I’m pleased to see that LastPass are aware of the issue of remaining logged in indefinitely to the browser extension on Mac OS X (and, it would seem, Linux). Judging by the email, the Windows version asks the user if they should remain logged in during setup, which I think is a pretty good implementation as I know it would annoy some users if they where being logged out of the extension all the time.

Finally, in response to using a keyboard combination to fill in site login info, while using a custom keyboard combo is handy, LastPass continues to offer to autofill passwords after enabling the keyboard shortcuts (as expected). After experimenting a bit, I’ve found that, in order to get the extra layer of “security through obscurity” that the 1Password extension offers, it’s necessary to change a few other preferences. You must also disable the “Automatically Fill Login Information” preference (LastPass Prefs > General) and the “Show Fill Notifications” preference (LastPass Prefs > Notifications). This way, LastPass wont throw up an alert telling you that it can autofill a login form and it wont attempt to automatically fill a login form either. The only way that the form can be filled is by you explicitly telling the extension to do so, hopefully via a slightly obscure shortcut that someone couldn’t guess.

In light of this information, I’m going to reconsider using LastPass since it really is a fantastic service and cross platform compatibility is so useful to me. It would just seem that LastPass requires some tweaking in order to get its local security to levels which I feel comfortable with.