As a software engineer and long time LastPass user, I’ve always been an advocate of password managers. With data breaches becoming more and more common these days, it’s critical that we take steps to protect ourselves online. However, over the past year LastPass has made some decisions that have made me question their motives and ultimately has recently caused them to lose my business.
Last year LastPass introduced a new redesign of their vault in which they added nice pretty logos of all the sites in your vault.
This got me wondering, if LastPass is encrypting all of my data before it goes to their servers (like they claim) how are they able to show these logos to me when rendering the vault webpage? I turned to my browser’s developer tools to find out.
Here is the data being sent to LastPass when I save a site in my vault for Google.com:
As we can see name, grouping (the folder), username, and password all contain AES encrypted data in the form of:
However, that URL property doesn’t look like an encrypted string to me.
Whenever I save a site on a different LastPass account for Google.com, we see this:
As you can see, all accounts are saving the same unprotected, hexadecimal encoded string for Google.com:
Which when decoded is:
LastPass then uses this encoded string to render a logo for all sites in your vault for Google. I reached out to LastPass support inquiring about this and received the same canned response that’s repeated all over their website:
LastPass encrypts your Vault before it goes to the server using 256-bit AES encryption. Since the Vault is already encrypted before it leaves your computer and reaches the LastPass server, not even LastPass employees can see your sensitive data.
Read more here https://lastpass.com/support.php?cmd=showfaq&id=6926
This is concerning for a few reasons:
- LastPass claims that they are a “zero knowledge” platform and that no unencrypted, readable site data is ever sent to their servers. This is obviously not true. Hex strings are basically the same as plaintext in this case.
- Worst of all, URLs can (and often do) contain sensitive data. For example, an HTTP basic auth URL might look like this: https://username:firstname.lastname@example.org. Or you might unknowingly store a URL that contains a password reset token in it (which isn’t hard to do with LastPass’s features that assist you in automatically onboarding new sites in your vault). It’s important that you audit your sites’ URLs in LastPass for any such data.
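A small audit script for exactly this concern, added here as an example rather than anything from the post or from LastPass: it takes vault entries whose `url` field is the hex-encoded string shown above, decodes it, and flags URLs that carry basic-auth userinfo or query parameters that look like one-time secrets. The entry layout, the `SENSITIVE_PARAMS` list and the sample entries are all assumptions constructed for the example.

```python
import binascii
from urllib.parse import urlsplit, parse_qs

# Query-parameter names that commonly carry one-time secrets (assumed list, extend as needed).
SENSITIVE_PARAMS = {"token", "reset_token", "password", "pwd", "code", "otp", "session"}


def decode_hex_url(hex_url: str) -> str:
    """Decode the hex-encoded URL field as it appears in the saved-site request."""
    return binascii.unhexlify(hex_url).decode("utf-8", errors="replace")


def url_findings(url: str) -> list[str]:
    """Return reasons this URL is sensitive if stored in cleartext (empty list if none)."""
    parts = urlsplit(url)
    findings = []
    if parts.username or parts.password:
        findings.append("userinfo (basic-auth credentials) embedded in URL")
    for name in parse_qs(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"query parameter '{name}' looks like a secret")
    return findings


def audit_vault(entries: list[dict]) -> dict[str, list[str]]:
    """Audit vault entries; each entry has a 'name' and a hex-encoded 'url' (assumed layout)."""
    report = {}
    for entry in entries:
        reasons = url_findings(decode_hex_url(entry["url"]))
        if reasons:
            report[entry["name"]] = reasons
    return report


# Constructed sample entries (hex-encoded with bytes.hex(); not real vault data).
SAMPLE_ENTRIES = [
    {"name": "google", "url": "https://google.com".encode().hex()},
    {"name": "intranet", "url": "https://alice:s3cret@intranet.example.org/".encode().hex()},
    {"name": "mail-reset", "url": "https://mail.example.org/reset?token=abc123".encode().hex()},
]

if __name__ == "__main__":
    for name, reasons in audit_vault(SAMPLE_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Only the `google` entry passes clean; the other two are reported so you can rotate or strip the embedded secret before the URL sits unencrypted on someone else's server.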
Some people may not really care about this information being sent to LastPass unencrypted, since their usernames and passwords are still protected properly (with the exception of the case pointed out in #3 above). However, I think that LastPass is deceiving its users when they make the claims that they currently do. Some users may be more conscious of their privacy and are unknowingly submitting their identifying private data to LastPass. Who knows what they are doing with the data that they have?
I’ve since moved to a more transparent, open source password manager that I can trust and I haven’t regretted it. Check out https://bitwarden.com for a comparable free alternative to LastPass.