LogMeIn adds emergency break-in feature to LastPass

LogMeIn is launching its first revamp of the LastPass password management app, three months after its controversial purchase of the popular utility back in October. LastPass 4.0 features a modernised user interface as well as features designed to promote secure, simple password management for individuals, teams and companies …

  1. This post has been deleted by its author

  2. Martin
    FAIL

    Emergency access to the whole damn vault?

    No-one will EVER get that from me until I am dead or incapacitated.

    And my LastPass password and spare Yubikey is squirreled away somewhere in case that happens.

    Beyond that - no way, not never, not for any reason.

    1. Angus Ireland
      Meh

      Re: Emergency access to the whole damn vault?

      I thought the vault key was derived from your password - That's how LastPass can claim they don't have access and can't reset passwords?

      If this is the case, how does a vault get decrypted for Emergency Access? Is the key stored somewhere? Or is the vault duplicated encrypted with a different key?

    2. big_D Silver badge

      Re: Emergency access to the whole damn vault?

      I would like to know how they do that, because, before the LogMeIn takeover, they proudly boasted that the key was never on the server and it was decrypted at the client... If that is so, how can they give emergency access?

      Do they create an OTP for access, which is then stored centrally? Still not a good idea.

    3. Robert Moore

      Re: Emergency access to the whole damn vault?

      > No-one will EVER get that from me until I am dead or incapacitated.

      Your porn collection is not that interesting. :)

    4. Dan 55 Silver badge
      Alert

      Re: Emergency access to the whole damn vault?

      I would imagine the magic is done with the help of the new client which uploads something to LogMeIn after logging in successfully, so if you're going to close your account then don't upgrade your client beforehand.

    5. joejack
      Thumb Up

      Re: Emergency access to the whole damn vault?

      LogMeIn/LastPass still never lays eyes on your password. The recipient has to create an account in order to be designated (free account is fine, and 2FA is now free on the free accounts as well). A public/private keypair is generated based on the master passwords.

      Full details: https://helpdesk.lastpass.com/emergency-access/

  3. Anonymous Coward
    Anonymous Coward

    I want to know how exactly “Emergency Access” works. LastPass is holding my passwords, and as I understand, it does not hold a master key to decrypt them. Thus it cannot offer such a feature, without me doing something first, to allow it to decrypt my passwords (without my master key?). I wonder what that "something" is, and what its security implications are.

    AC because I'm paranoid, occasionally.

    1. big_D Silver badge

      The only thing I can think of, is that you generate a new one time password, which can be used to gain access if you forget your password or are in a location which "isn't safe" to enter your proper password, and that password is stored along with personal information about an emergency contact...

      Not very well described in the story and how it is described is very worrying for anyone who is a long term LastPass user.

    2. Keith Langmead

      Hopefully it requires you to have designated your "trusted family, friends or colleagues" as being authorised in advance, at which point the relevant passwords are encrypted not only with your key but also theirs as well, but they're not allowed access to their copy of the encrypted passwords from your vault. Then when the Emergency Access feature is used, if you fail to deny the request then LMI makes those details available, and they can be accessed by the requester using their own login.

      That way LMI still don't have access to the original passwords, they're simply controlling which encrypted details are visible in your account.

      1. Keith Langmead

        In fact yes, the documentation mentions "After the waiting period passes, your vault will sync to their LastPass account automatically.", so those trusted contacts do need to be existing users.

      2. Rimpel

        That wouldn't work tho, if your passwords were encrypted using both your key AND their key then you would always need both keys to read any password.

        1. Anonymous Coward
          Anonymous Coward

          Think like how PGP works. The secret data can be encoded with a session key unique to that data, and the key to decrypt that data is then encrypted using the actual user key. Done that way, all you need is a second copy of the decryption key, this time encrypted by the designee's key. It can also be flagged as a one-time-use-only key, which when successfully decrypted can be destroyed.

  4. JimmyPage Silver badge

    Seems sensible ...

    setting up MrsJPs Facebook over Xmas, I was impressed* with the ability to designate a trusted contact to help a user out, plus the feature to nominate a legacy contact to take control of your account when you join the choir invisible.

    *despite actively hating Facebook for years, having dabbled now for a few months, I realise it was Facebookers I disliked with a vengeance. Being objective, FB is a very well written and designed site.

    There's a saying about not discarding tools because you don't like the colour. Has anyone found anything to replace Lastpass ? I've tried a few (all suggested by El Reggers), and they haven't come close.

    1. circusmole

      Re: Seems sensible ...

      I've spent many an hour trying to find a replacement for FastPass. None I have tried have the functionality of FastPass, in fact most are an absolute pain to use.

      1. noj

        Re: Seems sensible ...

        FWIW I use 1Password by AgileBits. Not open source, so if that's a deal breaker read no further. It also isn't free but I think its worth every penny.

        Lots of nice features, easy to use. Allows select cloud syncing but also my preference, which is syncing via wifi.

        Active forum, constant CPI, responsive support. Spent a lot of time emailing their support with questions, always received great answers and sometimes a warm reception for a recommended change. If you're still searching for a replacement to FastPass, consider taking a look at AgileBits and 1Password.

        Disclaimer: None. I have no affiliation with AgileBits except being a very satisfied customer.

        1. JimmyPage Silver badge

          Re: AgileBits

          (btw, I *up*voted you, for a sensible reply)

          Just curious, if AgileBits isn't

          - open source

          or

          - free

          then what's the difference between it and LastPass ?

          I'm not thrilled about the LMI takeover of LP, but I can't find another tool that does the job the way I like it - irrespective of price.

          1. RachelG

            Re: AgileBits

            @JimmyPage then what's the difference between [1Password] and LastPass?

            Well the one that clinched it for me was not having the vault stored on their servers. So removing the "emergency access" questions above (although also not having that feature of course). I'd ideally have it in my owncloud but make do with it in dropbox for the sake of syncing to my iOS devices.

            No Linux support in 1Password. I use macs now but this is one reason I've lost being able to say I stick to platform-agnostic software. (The other being Ulysses.)

          2. noj

            Re: AgileBits

            @JimmyPage: Thanks for the upvote. I can't speak to the difference between LastPass and 1Password. Any knowledge of other password managers I have is dated; I started using 1Password a couple of years ago and have been satisfied since. When I hear someone dissatisfied with their password manager I suggest taking a look at 1Password because I'm happy with it and maybe that person would be too.

            Also, unlike some of the people I've seen posting here, I'm not super technical. So I can't promote my choice based on 1Password's technical superiority over any other password manager. What drew me to 1Password was the fact that it's AgileBits' flagship product; my experience with customer service has been well above average. AgileBits is continually improving 1Password in ways I approve of. Within days of Heartbleed OpenSSL AgileBits had implemented an upgrade to warn of sites that had not yet patched. When I communicate with product support I receive answers I understand and in a timely manner. In the 1Password forums I see the same help for others in addition to those with more technical background being pleased with the answers they receive as well. For someone like me these are features that sell a person on a product.

            In spite of all that, again, I'm not super technical. I don't try to sell 1Password. I just suggest that when people are looking to select a password manager that they take a look at 1Password too.

            1. Graham Cobb Silver badge

              PwSafe

              Personally I use a PwSafe format file and various different PwSafe-compatible programs to access it on different devices (Password Gorilla on my main desktop). The file is automatically synced to a location in the web so I can easily access it from elsewhere when needed.

      2. Pen-y-gors

        Re: Seems sensible ...

        Alternatives: I notice that /. are plugging an offer of 75% off a lifetime sub for Sticky Password (i.e. down to $25) - no idea if it's any good, but possibly worth a look.

  5. Magani
    Black Helicopters

    Why does it need 'improving'?

    ...“large website icons, simpler navigation, and bolder colours”

    Just what I don't need in a program that currently is unobtrusive and works well in the background, are large icons and bright colours.

    "Simpler Navigation"?? Can't say I've ever had any navigation problems.

    Is this a case of LogMeIn 'improving' a product to the point of losing clients?

    I'll wait and see, but as a LastPass Premium user for the last few years (and given LogMeIn's previous antics), I suspect a replacement password manager may be looming on my horizon.

    Any ideas for a replacement??

    Black chopper because I too have problems with their 'Emergency Access'.

    1. Ambivalous Crowboard

      Re: Why does it need 'improving'?

      > Just what I don't need...

      Agreed. All of this. I hate to be a naysayer but there's nothing wrong with it; I type in the site I'm looking for and press enter or click it. I don't need extra bandwidth-hitting of logo fetching (and where do the logos come from? Embedded? No, fetched live, which means some webserver somewhere knows I have a login in my lastpass for that site), and...

      blah, blah. I'm out of energy. I'm going to look for alternatives. Fuck you, Loggyminge.

    2. Stuart Halliday

      Re: Why does it need 'improving'?

      Cause a bunch of sales reps think that buying a company needs to justify their wage packets by offering useless addons and features.

      I fully expect other useless features to be added as time progresses. Norton software all over again.

      My Lastpass password is in a sealed envelope in a locked filing cabinet in a lower floor, with the bulb removed. (You get the idea).

  6. YetAnotherLocksmith Silver badge

    Dodgy

    As others have said, how can LastPass decrypt with no backdoor?

    I'm out. Sub is up in 5 days, so I'll be going to something else.

    At this rate it'll be an encrypted text doc in Dropbox!

    1. Dan 55 Silver badge

      Re: Dodgy

      This is more-or-less what KeePass is, with a GUI on top. You may like it.

    2. phuzz Silver badge

      Re: Dodgy

      As others have replied, they use the sharing feature. If you don't share your passwords with anyone then there's no way for Lastpass to decrypt them.

      1. Adam 52 Silver badge

        Re: Dodgy

        Still doesn't make sense. If you share then the recipient can decrypt from the moment you share, because they have to be reencrypted with the recipient's key but the article says that there's a time delay.

        If they're shared after the delay then someone or something needs to have stored the decryption key.

        1. joed

          Re: Dodgy

          maybe it's like so:

          your password is the base of the encryption key to your LP key. It never gets out of your possession. When you grant emergency access to it you request a public key matching the other side's private key (from the LP dashboard they have to accept the request and reply with the key; this key does not even have to correspond to their LP encryption key, they just have to store it in case it's needed). You receive the public key, encrypt your encryption key with it, store it on the LP server (LP can't decrypt the content) so the emergency contact has no access to it until conditions are met (and you did not block it within the grace period). Then they get the blob, decrypt it using their private key and recover your key in the process. It can be done correctly (but making sure there's no mitm is the key).

          I'm not a LP user as I distrust solutions I can't completely verify (no access and no skills).

          1. Anonymous Coward
            Anonymous Coward

            Re: Dodgy

            I agree with the above, that presumably, the correct way to do it would be with a form of public key.

            https://www.youtube.com/watch?v=GSIDS_lvRv4

            So both you and the trusted other need to generate keys and encrypt the passwords. You have a private master key, that decrypts by itself. You also have a public key.

            Your trusted other has their own private key. You also give them your public key. Via some clever maths, the vault can be locked with your two keys, and unlocked with their two keys. They only ever have their private and your public key, and always need those two (so MitM attacks are harder).

            Though they will have complete access to your passwords/vault as the only thing preventing their keys from working every time is the service provider checking back with you. Generally when you give someone access to something using private/public keys it's because you want them to access it. :P

  7. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: Never trusted

      "Here, why don't you just keep an eye on my wallet, as well, kind stranger."

      You mean like a bank?

  8. JimmyPage Silver badge
    Mushroom

    Of course at $12/year

    (that's less than £10) ... for the *premium* LP (base version is free) you have to consider value for money ....

  9. adnim
    Meh

    why trust a third party?

    Serious question... I don't trust anyone, including myself.

    What's wrong with using a Libre Office spreadsheet protected (AES encrypted) using a sentence (upper case lower case and symbols) that one memorises? Locally stored and backed up on changes (multiple back ups), and also uploaded to a private FTP server again protected by a strong password?

    Perhaps I am missing something? Please enlighten me.

    1. John Robson Silver badge

      Re: why trust a third party?

      That server - it ought to be Sftp ;)

    2. This post has been deleted by its author

    3. Anonymous Coward
      Anonymous Coward

      Re: why trust a third party?

      "What's wrong with using a Libre Office spreadsheet protected (AES encrypted) using a sentence (upper case lower case and symbols) that one memorises? Locally stored and backed up on changes (multiple back ups), and also uploaded to a private FTP server again protected by a strong password?

      Perhaps I am missing something? Please enlighten me."

      1. All your passwords are visible on screen (depending on the screen size), easy work for a trojan.

      2. Copy paste does not clear itself

      3. no validation of password complexity

      4. no way to securely share info via a central server

      5. no version control

      6. does windows still index the text of open files I can't remember - could have sworn I found the contents of an encrypted word doc from search some time back.

      7. I'm sure there is more but I don't want to spend more than a minute thinking about it and you got upvotes so I'm probably trying to convince the wrong people.

      1. adnim
        Happy

        @Powernumpty Re: why trust a third party?

        1. Point taken... Although the last virus/trojan I had (that I was aware of) was the Saddam virus on my Amiga.

        2. Only me accesses my devices, with the exception of see point 1.

        3. don't need one... I know a strong password from a weak one.

        4. I don't share passwords.

        5. My memory is my version control... see point 4.

        6. Possibly I hadn't thought of that, although I don't index my files with Windows search.. I don't trust it. I know where my sensitive data is stored.

        7. I think you have covered most possibilities.. I do have a software firewall that informs me of ALL egress. Yes, some applications and services are allowed without confirmation so there is a weakness there.

        Still so far so good.

        I presume LastPass/LogMeIn will only ever employ perfect, intractable human beings, perfect encryption, perfect security and will mitigate every mitm attack. Elsewise why would anyone trust them?

    4. phuzz Silver badge

      Re: why trust a third party?

      For exactly the same reason people use a hosted webmail rather than running a mailserver themselves: Convenience.

      (You don't trust yourself? I hope you don't know your password then ;)

    5. Happy_Jack

      Re: why trust a third party?

      What's wrong with using a Libre Office spreadsheet protected (AES encrypted) using a sentence (upper case lower case and symbols) that one memorises?

      1) It's potentially vulnerable to key logging.

      2) It's inconvenient.

      I do use locally encrypted files for more sensitive stuff, but it doesn't come close to the convenience of LastPass for logging onto less sensitive websites (like this one). For example you can search your LastPass vault by keyword to find a website if you can't remember the URL and it will go straight to it and log you in; your spreadsheet can't do that. Really important passwords, like online banking, I won't write down anywhere.

  10. zero2dash

    So glad I switched to KeePass years ago

    Free desktop apps, free mobile apps, synching where I want, security the way I want it.

    LogMeIn has great pay products but I fear history will repeat itself with LP Free before too long when they inevitably kill it just like they neutered and then killed LMI Free.

    1. Anonymous Coward
      Anonymous Coward

      Re: KeePass

      Is *not* a replacement for LastPass by a long chalk.

      1) No *easy* way to import passwords from LastPass (I did it, no way could a non-techie)

      2) Lacks equivalent features for payment cards (you need to have a template and stuff)

      3) Is local, not cloud based (which, if you like that sort of thing is a deal breaker).

      KeePass does what it says it does. However what it says it does is not "replace LastPass"

      1. tom dial Silver badge

        Re: KeePass

        Yet Keepass does provide me the functions I think essential for password management:

        - generation of non-memorable complex passwords

        - password storage in an encrypted file

        - easy password retrieval and use

        as well as some I consider desirable:

        - portability to all the operating systems I use (with required .net or mono)

        - local-only database storage, optionally on removable/portable media

        - open source and free license (GPL2 or later).

        Not as convenient, maybe as LastPass (which I have not used), but better suited to my preferences.

      2. Charles 9

        Re: KeePass

        1) If you use KeePass from the go, this is a non-issue as you're not importing. Indeed, a lack of easy export out of LastPass has to be taken into consideration, as it may swing your decision to take up LastPass in the first place.

        2) Perhaps this is for the best. One of the best ways to manage credit is to limit it. If you're down to one or two cards, you can just memorize them.

        3) Want to cloud your password safe? Drop it in an OwnCloud or Dropbox. The safe is encrypted with encryption similar to what governments use, so if they can break it, they'll be in trouble themselves.

      3. Dan 55 Silver badge

        Re: KeePass

        1) Apparently it can import passwords from LastPass and many other sources...

        http://keepass.info/help/base/importexport.html

        3) Cloud save via DropBox sync folder or DropBox plugin.

        http://keepass.info/plugins.html#kpdatasave

        1. Anonymous Coward
          Anonymous Coward

          Re: Apparently it can import passwords from LastPass

          Yes, that's what you think. Until you *try* it. It misses some fields and can't cope with LP's "FormFill" entries. It's a best guess approach, which took as long to correct as I would have to re-enter by hand. Non-trivial for 300+ sites ....

  11. Mr Humbug

    Available for all browsers ...

    But the download page only has versions for Chrome and Safari. Whose definition of 'all' is that?

    1. Crazy Operations Guy

      Re: Available for all browsers ...

      Web 2.0 Hipsters. The same kind of people that believe that icons need to be massive two-tone monstrosities.

  12. Adam 52 Silver badge

    "Fans of the older interface"

    Is anyone a fan of the old interface? It must be one of the most ugly, space wasting unergonomic UI ever made. As if someone decided to ship the developers' test harness.

    1. Ambivalous Crowboard

      Re: "Fans of the older interface"

      > be 2016

      > be trolling

      Okay, I'll bite. Here is just one example of how the new interface blows.

      When I search for text in my vault now I can see 16 items on my 1920x1080 monitor. And loads of HUGE pictures which I don't have any apparent control over.

      In the old vault I simply got a nice and elegant list of the text results, immediately, without the people standing behind me being able to see which sites I frequented at a glance.

  13. Stuart Halliday

    So quit moaning and ask the company?

  14. Anonymous Coward
    Anonymous Coward

    F*** this

    Anyone know how I close my account?!

    1. Bluto Nash
      Trollface

      Re: F*** this

      Sure thing - give me your password and I'll be happy to take care of that for you.

  15. Deadlock Victim

    Their explanation of the process

    LastPass uses public-private key cryptography with RSA-2048 to allow users to share the key to their vault with trusted parties, without ever passing that information in an unencrypted format to LastPass. When Emergency Access is activated, each user has a pair of cryptographic keys - a public key to allow others to encrypt data for the user, and a private key that allows the user to decrypt the data that others have encrypted for them.

    The key used to encrypt and decrypt your vault data is encrypted with the Emergency Access contact’s public key, and can be decrypted only with their corresponding private key. When setting up Emergency Access, you are using the recipient’s public key, encrypting your vault key with that public key, and then LastPass stores that RSA-2048 encrypted data until it’s released after the waiting period you specify. Only the recipient can decrypt the data, so no one else can decrypt it without access to the private key of the recipient you’re sharing it with, which is encrypted with their master password key. This process is completely automated, with no action required by the end user, and ensures that the data is inaccessible by LastPass or outside parties.

    (https://helpdesk.lastpass.com/emergency-access/)
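    The scheme joed sketches above and the LastPass description quoted here, as an added illustration in Go (not LastPass's own code; the names, the single-SHA-256 key derivation standing in for a real password KDF, and the salts are constructed assumptions): the owner encrypts the vault key to the contact's RSA-2048 public key, the server stores only ciphertext plus the waiting-period policy, and the contact unwraps with a private key kept under their own master password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"time"
)

// deriveKey stands in for "a key derived from your master password"; a real
// product uses PBKDF2/Argon2 with a random per-user salt, not a single SHA-256.
func deriveKey(masterPassword, salt string) []byte {
	sum := sha256.Sum256([]byte(salt + ":" + masterPassword))
	return sum[:]
}

// sealWith / openSealed: AES-256-GCM with the random nonce prepended.
func sealWith(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func openSealed(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:n], sealed[n:], nil) // a wrong key fails the tag check
}

// Escrow is all the server holds for one grant: ciphertext plus the release policy.
type Escrow struct {
	SealedVault     []byte // vault, AES-GCM under the owner's vault key
	WrappedVaultKey []byte // vault key, RSA-OAEP under the contact's public key
	WaitingPeriod   time.Duration
	requestedAt     *time.Time
	denied          bool
}

func (e *Escrow) Request(now time.Time) { e.requestedAt = &now }
func (e *Escrow) Deny()                 { e.denied = true }

// Release decides only *when* to hand the blobs over; the server never reads them.
func (e *Escrow) Release(now time.Time) (sealedVault, wrappedKey []byte, err error) {
	if e.requestedAt == nil || e.denied { return nil, nil, errors.New("no open request") }
	if now.Sub(*e.requestedAt) < e.WaitingPeriod { return nil, nil, errors.New("waiting period not over") }
	return e.SealedVault, e.WrappedVaultKey, nil
}

// Contact is the emergency contact's account: an RSA-2048 pair whose private half
// is stored wrapped under a key derived from the contact's own master password.
type Contact struct {
	Public            *rsa.PublicKey
	WrappedPrivateKey []byte
	salt              string
}

func NewContact(masterPassword string) (*Contact, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	salt := "contact-salt" // constructed; random per user in practice
	wrapped := sealWith(deriveKey(masterPassword, salt), x509.MarshalPKCS1PrivateKey(priv))
	return &Contact{Public: &priv.PublicKey, WrappedPrivateKey: wrapped, salt: salt}, nil
}

// Grant runs on the owner's client: the server receives only what it cannot open.
func Grant(vault, vaultKey []byte, c *Contact, wait time.Duration) (*Escrow, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.Public, vaultKey, nil)
	if err != nil { return nil, err }
	return &Escrow{SealedVault: sealWith(vaultKey, vault), WrappedVaultKey: wrapped, WaitingPeriod: wait}, nil
}

// Recover runs on the contact's client after release: own private key, then vault key, then vault.
func (c *Contact) Recover(masterPassword string, sealedVault, wrappedKey []byte) ([]byte, error) {
	der, err := openSealed(deriveKey(masterPassword, c.salt), c.WrappedPrivateKey)
	if err != nil { return nil, err }
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil { return nil, err }
	vaultKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil { return nil, err }
	return openSealed(vaultKey, sealedVault)
}
```

    Note that the owner's denial within the waiting period is a server-side policy check, which is exactly the "service provider checking back with you" point made above: the cryptography keeps the server out, but the timing is under the server's control.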

  16. Jan Hargreaves

    "A microsite explaining the changes is here or, for those who prefer it, there’s a short video on YouTube below."

    I would have called it a web page.... what makes it a "microsite"?

    1. Graham Cobb Silver badge

      Does anyone need it? After all, apparently the whole advertisement has been reproduced as an article by a formerly reputable, interesting and independent IT news site.

  17. AustinTX

    Secure passwords or SHARE them?

    Seems like LastPass is now a password SHARING app with many options and methods to do so. That can't open the door for exploits, heh.

    Also, if the corp can hand our passwords over to our bereaved wives, it seems obvious they can decrypt the file supposedly only held in escrow on their servers.

  18. Anonymous Coward
    Anonymous Coward

    no need to have an emergency key. my missus knows my vault password, I know hers. we trust each other. if we both go together, we have no family to speak of so who gives one? we won't be in a position to worry about it. simples.

    1. The Boojum

      In your use case, as you say, simples.

      In other use cases with other family structures, not so simples. I will actually find this functionality rather useful, whereas your solution, to me, would be an absolute #fail.

      And on a more practical note, if you keep bank login credentials in Lastpass, your bank would treat your approach as having disclosed your PIN to someone else if you are the victim of fraud. The fact that it's your significant other and that you trust her will matter not one whit to them.

      1. Anonymous Coward
        Anonymous Coward

        bank login details aren't in LastPass - that's one thing we do NOT store there - but we also share various bank accounts, and know each other's PINs (and do at times use each others cards)

        BUT - I have to agree in that our solution only really works for our personal circumstances, whereas it may not work for others with families to manage

  19. JimmyPage Silver badge
    Mushroom

    Of course any password manager

    is just a link in a chain of security.

    Not that you'd think that from some of the more hysterical tinfoil-hattery being exhibited here.

    If you make the assumption that *any* form of credentials caching - regardless of implementation - is susceptible to being read by 3rd parties, you take appropriate preventive measures.

    In my case, even though my card details are stored in LastPass, an attacker with full access to my vault (which would require going through a 2FA challenge, so already they'd need to crack the Google authenticator mechanism) would not be able to use them, since my bank *also* demands 2FA. And all my saved payment details require the CVV number from the card. Which is *not* stored anywhere - not even on the card (use a soldering iron, the digits are embossed).

    Anyone who criticises LastPass for "not being secure enough" is clearly stupid enough to think their security needs are capable of being met by a single application. And that person is - at best - "naive", and at worst, a moron. Especially if after lambasting LastPass for "not being secure enough" it turns out they have a safe inside the locked doors of their house.

    1. Charles 9

      Re: Of course any password manager

      "And all my saved payment details require the CVV number from the card. Which is *not* stored anywhere - not even on the card (use a soldering iron, the digits are embossed)."

      But what happens when you FORGET the CVV numbers or get them mixed up and can't recall which is which?

      1. Anonymous Coward
        Anonymous Coward

        Re: forgetting CVV

        not something I've experienced. But if it's a possibility, I'm sure there are plenty of ways to have it noted for oneself, but not available to anyone else. From a bogus phone number in your contacts, to sewing a label into your jacket.

        Remember: in person, there is never a reason for someone to know/see the CVV number. And anyone who comments on its absence is worthy of investigation.

  20. Ken 16 Silver badge
    Paris Hilton

    Active Directory integration?

    Anyone had good experiences with LastPass Enterprise alternatives having AD integration?

    Main requirement doesn't accept the usual tokens so MS solution is out.

    1. Anonymous Coward
      Anonymous Coward

      Re: Active Directory integration?

      Imprivata ?

  21. Reliance

    Re: LastPass Security

    My online banking doesn't let me move funds around, only to view my balance and transactions.

    The only exception is PayPal, and they offer 2-Factor Authorization.
