Trust Lastpass with internet banking password?

Please note this sub-forum does not provide professional finance advice. You should seek advice from a licensed financial advisor.

To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification.

If investing please consider our affiliate link for new accounts: Sharesies.

Forums › Finance and wealth management › Trust Lastpass with internet banking password?

1 | 2

surfisup1000

5288 posts

Uber Geek

#1438643 1-Dec-2015 14:51

I use lastpass for my banking passwords . I have 4 bank accounts and use the most complex passwords possible - i think all of my banks use 2-factor authentication too.

If I did not use lastpass, they would be weaker passwords and more easily compromised.

The risk of using lastpass is lower than the risk of using weak passwords. To date, noone has been able to steal AND decrypt user passwords.

I wonder if the banks have official policies on password managers. I reckon they'd probably be against them in theory but for them in practice. Fewer password1234 passwords that way

SumnerBoy

2074 posts

Uber Geek

ID Verified

Lifetime subscriber

#1438644 1-Dec-2015 14:54

UHD:
SumnerBoy: +1 for local (I use KeyPass) and then ownCloud for private syncing between devices.

Surely this is just LastPass with a less secure online distribution method (a personal cloud service).

All depends on how secure your personal cloud service is I guess. And whether you trust *it* more than you trust someone like LastPass or Dropbox to store your password database.

But yeah - I guess anything that is *online* is vulnerable, to some degree.

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#1438840 1-Dec-2015 20:12

UHD:
You are right about the password database being stolen at least once. This was four years ago and to date not a single report (even unverified) of passwords being decrypted exists.

You're missing the point. The point is that this is true now. We cannot guarantee that computational ability in the future will always be insufficiently powerful to decrypt the data.

UHD:
I'm not sure what you mean about storing the passwords on the servers in a reversible manner. If you take a quick look at the LastPass design you will see that even if LastPass wanted to decrypt user passwords they would not be able to do so. All encryption is done locally, meaning LastPass only ever see hashes which are then randomly salted and PBKDF2-SHA256'd.

We don't actually know that the decryption is only local given that it's proprietary. Even if that is the case, the fact that they do not secure their infrastructure and their databases have been compromised no less than once would raise the risk that anyone compromising them would be doing so not to steal information, but to replace it (i.e. compromise the downloaded executables to introduce backdoor code). Given the visibility of LastPass and the value of the data they hold, it's not impossible.

And last but not least, LastPass has recently been acquired by LogMeIn, a company with a bad customer service record and a questionable track record of converting previously free services to subscriptions, and even spitting in the face of customers that paid for their premium app. I wouldn't touch anything from LogMeIn.

UHD

655 posts

Ultimate Geek
Inactive user

#1438962 1-Dec-2015 23:06

Kyanar:
UHD:
You are right about the password database being stolen at least once. This was four years ago and to date not a single report (even unverified) of passwords being decrypted exists.

You're missing the point. The point is that this is true now. We cannot guarantee that computational ability in the future will always be insufficiently powerful to decrypt the data.

UHD:
I'm not sure what you mean about storing the passwords on the servers in a reversible manner. If you take a quick look at the LastPass design you will see that even if LastPass wanted to decrypt user passwords they would not be able to do so. All encryption is done locally, meaning LastPass only ever see hashes which are then randomly salted and PBKDF2-SHA256'd.

We don't actually know that the decryption is only local given that it's proprietary. Even if that is the case, the fact that they do not secure their infrastructure and their databases have been compromised no less than once would raise the risk that anyone compromising them would be doing so not to steal information, but to replace it (i.e. compromise the downloaded executables to introduce backdoor code). Given the visibility of LastPass and the value of the data they hold, it's not impossible.

And last but not least, LastPass has recently been acquired by LogMeIn, a company with a bad customer service record and a questionable track record of converting previously free services to subscriptions, and even spitting in the face of customers that paid for their premium app. I wouldn't touch anything from LogMeIn.

I'm missing no point. Take a look at the computational complexity of the hashing algorithms used by LastPass right now and you will see that even being generous with regard to computing hardware the hashes will take thousands of years to crack. Given that every member is aware that the database has possibly been stolen, all a customer needs to do is to update their passwords and that stolen database is worthless to the hackers. Computational power in the future means nothing at all when the current database has been updated.

We do know that encryption is done locally because it is possible to review the source code of the non-binary browser extension which is Javascript. The LastPass infrastructure is incredibly secure but it also has the world's largest target painted on its back. The fact that only two real intrusions have occurred in all the time the company has been running is, frankly, incredible.

Once again, it would be trivial to review the Javascript on any new browser extensions that are downloaded to ensure a hacker hasn't managed to introduce a backdoor. Not to mention that the LastPass team would probably nuke any affected machines and rebuild from a known good code version in the case of an attack like that..

jdmatt

28 posts

Geek

#1439231 2-Dec-2015 12:47

I use lastpass, and have the same dilemma when it comes to trusting my bank details with it. Currenlty have not stored my back account login details in there. I have stored my Credit card details though so can auto-fill out payments sites.

Absolutely love lastpass though makes it so easy to login into sites, plus I don't have to remember 150 different logins for different sites.

Rikkitic

Awrrr
18663 posts

Uber Geek

Lifetime subscriber

#1439261 2-Dec-2015 13:34

I think an important principle is being left out of the discussion here. As soon as you delegate your password protection to any other service, the integrity of your password protection becomes dependent on that service, which may deteriorate over time, be compromised by inferior management, be taken over by another company, be the target of a rogue employee with insider information, be the victim of new decryption techniques, be subject to any number of future vagaries that can undermine it. All of this is an acceptable risk for your social media logins, but I would never entrust it with my money.

Plesse igmore amd axxept applogies in adbance fir anu typos

Hammerer

2476 posts

Uber Geek

Lifetime subscriber

#1439265 2-Dec-2015 13:51

I would happily store my bank password in LastPass if I was happy with my password database being stored on their servers. If I wasn't happy with that situation then I would not use LastPass at all or I would use continue to use LastPass but add another product for my bank password only.

Anyway, my bank password is not a big concern because the financial risk is quite small and their are other security checks. At most the password gets access to thousands and perhaps tens of thousands of money. If my bank password could get access to millions of dollars then the risk-benefit goes up a thousand times which would make me consider my options more carefully. But even then my actual financial risk would still be very small.

My bank's other security which could help if my password is revealed include the following: transaction size limits; warnings for password changes, account changes and transactions over $x; checking of IP addresses; etc.

I consider a bigger risk for banking to be the actions of bank staff members or someone else in a position of responsibility such as my legal firm.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

mattwnz

20164 posts

Uber Geek

#1439268 2-Dec-2015 13:57

Rikkitic: I think an important principle is being left out of the discussion here. As soon as you delegate your password protection to any other service, the integrity of your password protection becomes dependent on that service, which may deteriorate over time, be compromised by inferior management, be taken over by another company, be the target of a rogue employee with insider information, be the victim of new decryption techniques, be subject to any number of future vagaries that can undermine it. All of this is an acceptable risk for your social media logins, but I would never entrust it with my money.

You would expect thy would use third party auditing to check things in real time, which would overcome all this. Also isn't have online access to banking details already, and bigger risk. I mean how good are banks online security? The fact that at least one major NZ bank still use windows XP and an old version of IE, to loginto online banking I think is more of a worry. I mean isn't windows xp less secure than windows 10?

UHD

655 posts

Ultimate Geek
Inactive user

#1439450 2-Dec-2015 18:25

Rikkitic: I think an important principle is being left out of the discussion here. As soon as you delegate your password protection to any other service, the integrity of your password protection becomes dependent on that service, which may deteriorate over time, be compromised by inferior management, be taken over by another company, be the target of a rogue employee with insider information, be the victim of new decryption techniques, be subject to any number of future vagaries that can undermine it. All of this is an acceptable risk for your social media logins, but I would never entrust it with my money.

1) Service deterioration: database is always stored locally and may be exported at any time.
2) Inferior management: see above.
3) Another company takes over: already happened, see above.
4) Rogue employee: LastPass cannot decrypt your data. 2FA, etc...
5) New decryption techniques: mathematically infeasible.
6) Any number of future vagaries: lol.

All things considered, the risks are statistically negligible when compared to the risk of a weak password or the other insecurities already present with banking online.

1 | 2