Is LastPass vulnerable to FireSheep attacks?

Say I was at Starbucks and wanted to use LastPass... would FireSheep users be able to steal the password/cookie/session?


Solution 1:

In general, no. In addition to their servers, your passwords are stored on your local machine in an encrypted state, and when you send your password to their server, it's encrypted with 256-bit AES (i.e. really good) encryption before it leaves your machine. Likewise, when you get your password from their server, it's in its encrypted state, and only your master password can decrypt it. If you log into a website without SSL (i.e. HTTPS), then that particular password is vulnerable, but your master password will be safe. You did use a different password for your master password, right?

In addition, when logged into their site, you'll be in a secure session, meaning any information passed between you and LastPass is (theoretically) safe.

Since LastPass doesn't store any passwords in the clear (especially your master password, which I don't think they store at all), the only vulnerability would be if someone managed to get a hold of their encryption salt and at least one master password. That reduces the time it takes to crack another master password (remember that they may not have the login yet) from the age of the universe squared down to several million years, assuming that the encryption key is generated only from the master password and the salt, which for LastPass I don't believe is the case; I'm fairly certain it's tougher.

To summarize, you only have to be worried if you're logging into a site that's already insecure, and still, your master password is safe. Without LastPass, you'd probably be using the same lame password as every other site, which would mean you'd be less secure overall without it.

Solution 2:

From LastPass's technology overview, all data is encrypted and decrypted locally, and their data transfer is encrypted with AES-256. FireSheep uses a man-in-the-middle attack, which makes unencrypted connections vulnerable.

The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL.

So to answer your question, FireSheep users will be able to steal your credentials if the website you're logging in to does not use HTTPS. LastPass itself is not vulnerable.
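As an added illustration (not code from either answer, and not anything LastPass publishes), here is the check a defender would run on the point Solution 2 makes: a session cookie set by the site you log in to can be captured by a passive sniffer on open Wi-Fi whenever it travels over plain HTTP, which happens if the login itself is not over HTTPS or if the cookie lacks the Secure attribute (so the browser will still send it on any http:// request). The response headers and cookie values below are constructed samples.

```python
"""Audit a login response for Firesheep-style session-cookie exposure."""
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple


def audit_response(scheme: str, headers: List[Tuple[str, str]]) -> Dict[str, dict]:
    """Return, per cookie, whether a passive sniffer could see it in the clear.

    scheme  : "http" or "https" for the login request that got this response.
    headers : (name, value) pairs as they would appear in the HTTP response.
    Simplification (assumption): HSTS is treated as covering the cookie's host,
    i.e. the browser will never issue a plain-HTTP request there once it has seen
    the header, so a non-Secure cookie is not sent in the clear afterwards.
    """
    https = scheme.lower() == "https"
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    findings: Dict[str, dict] = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # one Set-Cookie header -> one morsel
        for cookie_name, morsel in jar.items():
            secure = bool(morsel["secure"])
            httponly = bool(morsel["httponly"])
            # In the clear if the login was plain HTTP, or if the cookie lacks
            # Secure and nothing (HSTS) stops the browser from using http:// later.
            exposed = (not https) or (not secure and not hsts)
            findings[cookie_name] = {
                "secure": secure,
                "httponly": httponly,
                "exposed_to_sniffing": exposed,
            }
    return findings


# Constructed sample responses; the cookie value is a placeholder, not real data.
HTTP_LOGIN = ("http", [("Set-Cookie", "sessionid=ab12cd; Path=/; HttpOnly")])
HTTPS_NO_SECURE = ("https", [("Set-Cookie", "sessionid=ab12cd; Path=/; HttpOnly")])
HTTPS_HARDENED = ("https", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=ab12cd; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, sample in [("http login", HTTP_LOGIN),
                          ("https, no Secure flag", HTTPS_NO_SECURE),
                          ("https + Secure + HSTS", HTTPS_HARDENED)]:
        print(label, "->", audit_response(*sample))
```

Only the last case keeps the session cookie off the wire in plaintext; the first two are exactly the situations Solution 2 describes as vulnerable.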