* Posts by cappelli

2 publicly visible posts • joined 12 Aug 2014

Password manager LastPass goes titsup: Users locked out

cappelli

News Flash: Your passwords were available to you during the outage

I had no problems accessing my LastPass passwords during their datacenter glitch today, so I have to disagree with these postings. I disagree with the original Register article too, as it fails to mention the multitude of ways that LastPass users can recover their passwords during a network outage.

First thing to know: LastPass does not store your unencrypted passwords in the cloud. Your passwords are encrypted in a datafile, sometimes called a "blob" that is local on your device (e.g. laptop), with a copy of that encrypted blob periodically backed up to the LastPass server. They go into more detail at the link below but here's how LP describes this:

"All encryption/decryption occurs on your computer, not on our servers. This means that your sensitive data does not travel over the Internet and it never touches our servers, only the encrypted data does."

https://helpdesk.lastpass.com/getting-started/introduction/why-is-lastpass-safe/

2nd thing to know: If you were set up with multi-factor authentication using something like the 3rd-party 'Yubikey' product discussed on LastPass' site, then you'd have had full access to your cyphers (encrypted passwords). That's why many of the premium users were unencumbered by their network outage today.

Multi-factor authentication is one of the features of their premium service ($12/yr) but even the people using LastPass for free have a solution. LastPass offers 'Pocket' detailed here at the link below and this allows you to decrypt your password blob locally. Everyone should keep a copy of Pocket on their computers and on a USB key for backup.

https://helpdesk.lastpass.com/lastpass-on-the-go-2/lastpass-pocket/

It should also be said that LastPass doesn't have your MASTER password on their server either. Once again, there's no reliance on their datacenter to unlock your passwords. They store a one-way cryptographic "hash" of your master password only. Your passwords are local on your device and are unlocked using that hash. They can be unlocked in other ways too, though. They explain the "salted hash" concept that they use, where passwords never actually reside in their datacenter, at this link: https://lastpass.com/how-it-works/

An even better explanation of the specifics outlined above is on the Security Now! podcast from a few years ago: https://www.grc.com/sn/sn-256.htm <-- fantastic detail on this one.

Thoughts?

--Athonia
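As an added example (editor's illustration, not code from the post above or from LastPass), here is the general shape of the client/server split the post describes: the master password is stretched on the client into a vault key that never leaves the device and a separate one-way login hash that is all the server stores alongside the encrypted blob. Because the blob is cached locally, the vault still opens when the server is unreachable. The concrete choices (PBKDF2-HMAC-SHA256 with the e-mail as salt, 100,000 rounds, the HMAC-based stream cipher standing in for AES) are assumptions made for this example, not a description of LastPass's actual parameters.

```python
import hashlib
import hmac
import json
import os

# Assumed parameters for illustration only; a real client would use AES-GCM
# (or similar) for the blob and its own tuned PBKDF2/Argon2 settings.
ROUNDS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client-side only: the key that encrypts/decrypts the local blob."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ROUNDS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Sent to the server for login. One extra one-way round keyed with the
    password, so possession of this value does not yield the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the vault key.
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (illustration only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_blob(vault_key: bytes, vault: dict) -> bytes:
    """Encrypt-then-MAC the vault on the client; only ciphertext ever leaves."""
    plaintext = json.dumps(vault).encode()
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_blob(vault_key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt. Raises ValueError on wrong key or tampering."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob tampered with or wrong vault key")
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


class Server:
    """Holds only the encrypted blob and a salted hash of the login hash:
    neither the master password nor the vault key is ever seen here."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ROUNDS)
        self.accounts[email] = {"salt": salt, "stored": stored, "blob": blob}

    def login(self, email: str, login_hash: bytes):
        """Returns the latest blob backup on success, None on failure."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        check = hashlib.pbkdf2_hmac("sha256", login_hash, acct["salt"], ROUNDS)
        return acct["blob"] if hmac.compare_digest(check, acct["stored"]) else None


def offline_unlock(email: str, master_password: str, cached_blob: bytes) -> dict:
    """What a local client does when the server is down: no network needed."""
    return decrypt_blob(derive_vault_key(email, master_password), cached_blob)
```

The point to take from the example is which values cross the wire: `encrypt_blob`'s output and `derive_login_hash`'s output go to the server, while `derive_vault_key`'s output and the plaintext vault stay on the device, so `offline_unlock` works against a cached blob with the server entirely absent.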

cappelli

Re: It's even less secure than an unencrypted passwords.txt file

That may be true of some password managers but not for LastPass. Peep this: https://helpdesk.lastpass.com/getting-started/introduction/why-is-lastpass-safe/