LastPass uses AES-256 data encryption plus PBKDF2 key derivation with SHA-256 and a salt.
Product Features
Password generator
Data breach monitoring
Security dashboard
Save and autofill
Single sign-on
MFA support
Password sharing
Adaptive authentication
SIEM integration
LastPass has a responsible disclosure program.
While LastPass is considered a cloud service, there is a physical application: a browser extension, which is the most popular and works with most major browsers. There is also a mobile phone application. As these apps are just different entry points that talk to the LastPass SaaS, the most appropriate assessment method was to use the NCSC Cloud Security Principles.
There is evidence that the product, if configured appropriately with certain features disabled, is able to process and store OFFICIAL information, extending to OFFICIAL-SENSITIVE.
The main recommendation is that MFA is performed by the use of a physical key - such as a YubiKey.
This would strongly reduce the risk presented.
One of the rationales for YubiKeys is to ensure access in areas where mobile phones might not be available, such as in data centres.
Other security considerations
LastPass has a bug bounty program.
LastPass has a negative history in the news and media.
https://www.silicon.co.uk/security/cyberwar/lastpass-separates-from-parent-after-security-incidents-561688
LastPass is separating from its parent company, GoTo, following several significant security breaches. These incidents, which included the theft of encrypted customer backups and encryption keys, raised serious concerns about data security. In response to these breaches, GoTo, which had acquired LastPass in 2015, announced plans to make LastPass an independent company to focus on enhancing its security protocols and rebuilding user trust (TechCrunch).
Using a password manager comes with several security concerns, particularly with features like autofill:
Autofill Vulnerabilities: Autofill functions can sometimes be tricked by malicious websites into filling out hidden forms, leading to data leakage.
Phishing Risks: If a user is directed to a phishing site that looks legitimate, the password manager might autofill credentials, unwittingly giving them to cybercriminals.
Centralized Data: Storing all passwords in one place, despite encryption, poses a risk if the password manager itself is compromised.
Browser Extensions and Integrations: These can have vulnerabilities or security flaws that might expose data.
Master Password: If the master password is weak or compromised, all stored passwords and data are at risk.
Software Bugs: Any software may contain bugs that could be exploited by attackers to gain unauthorized access.
Syncing Risks: When passwords are synced across devices, it can increase exposure to data breaches if any of the synced devices are compromised.
Insider Threats: Employees within the password manager company might misuse their access to data or systems.
Backdoors: Software updates or integrations might inadvertently introduce vulnerabilities that could act as backdoors for cyberattacks.
Physical Security: Loss or theft of physical devices where password managers are used can pose a risk, especially if device access is not adequately secured.
Cloud Storage Breaches: If passwords are stored in the cloud, breaches to cloud infrastructure can pose risks to password integrity.
These concerns highlight the importance of using strong, unique master passwords and being cautious with settings on less secure or unfamiliar devices.
- Compliance with UK Security Standards
ISO 27001 Certification: LastPass holds ISO/IEC 27001:2013 certification, which is a comprehensive security management standard that includes controls for managing and securing sensitive information.
SOC 2 Type II Attestation: This demonstrates that LastPass has robust controls in place for security, availability, and confidentiality, which are regularly audited and validated.
- Encryption and Zero-Knowledge Architecture
LastPass uses AES-256 bit encryption for data at rest and TLS for data in transit, aligning with high security standards required for sensitive data.
The zero-knowledge architecture ensures that decryption keys are never accessible to LastPass or any third party, as decryption occurs locally on the user's device.
- Multi-Factor Authentication and Secure Access Controls
LastPass supports multiple forms of multi-factor authentication (MFA), which is crucial for securing access to sensitive information.
Policies can be configured to restrict access based on various parameters, enhancing the security posture against unauthorized access.
- Secure Sharing and Access Management
Public key cryptography allows for secure sharing of passwords and notes without exposing the actual credentials to LastPass servers.
Detailed access controls and the ability to revoke access at any time provide granular management over who can see or use the stored data.
- Audit and Incident Response
LastPass provides comprehensive logging and alerting capabilities that enable users and administrators to monitor access and activities. This is essential for compliance with government security policies.
A structured incident response protocol ensures that any potential breaches are managed promptly and effectively.
Considerations and Risks
While LastPass offers robust security features that could potentially align with the needs for storing "Official-Sensitive" information, several concerns must be addressed:
Geographic Data Storage: Data sovereignty could be a concern, as sensitive data related to UK government operations may need to be stored within the UK. LastPass stores data in various global locations, and users must ensure configurations align with data residency requirements.
Third-Party Risk: Using a third-party service like LastPass introduces a dependency on the vendor's ongoing security practices and their ability to respond to new vulnerabilities.
Regulatory Compliance: Specific government-related security frameworks or standards (such as those specified by the UK Government's National Cyber Security Centre) may have requirements that are not fully covered by LastPass's certifications.
Conclusion
While LastPass is equipped with strong security measures suitable for handling sensitive information in many sectors, the decision to use it for storing UK HMG "Official-Sensitive" passwords and notes should involve a thorough risk assessment and consultation with security experts familiar with government standards. Compliance with specific government regulations and internal security policies of the relevant UK government entities must be verified to ensure alignment with all mandatory security and operational requirements.
LastPass Cryptography Model
LastPass utilizes a zero-knowledge security model, meaning that sensitive user data is encrypted and decrypted locally on the user's device and not by LastPass servers. This model ensures that LastPass does not have the ability to access the clear text of user data.
Master Password and Encryption:
When a user creates an account, they set a master password that is used to generate a unique encryption key using a Password-Based Key Derivation Function (PBKDF2).
PBKDF2 applies several rounds (specifically, 600,000 rounds in LastPass's case) of hashing to the master password, combined with the user's email as the salt, to produce a derived encryption key. This key is used to encrypt the user's password vault.
The derived key is never transmitted to LastPass servers. The authentication hash generated from the master password is sent to LastPass for login purposes but cannot be reversed to obtain the original key or password.
Data Encryption and Storage:
User data such as passwords and notes are encrypted locally on the user's device using AES-256 encryption before being sent to LastPass servers for storage.
The decryption of this data only occurs locally when needed, and the decryption keys are only accessible to the user, provided they enter the correct master password.
Authentication and Account Access
Passwordless and Federated Login: LastPass supports passwordless logins on trusted devices and federated login options using identity providers like Microsoft, Google, and Okta. This allows authentication without the traditional master password, leveraging instead the security mechanisms of these platforms.
New Device Verification: If a login attempt is made from a new device, LastPass requires additional verification, typically through email, to authorize the new device.
Secure Sharing
LastPass uses public key cryptography to facilitate secure password sharing among users. Each user has a pair of keys:
Public Key: Used to encrypt data before sharing with another user.
Private Key: Stored securely in the user's vault and used to decrypt any data that has been shared with them.
Multifactor Authentication (MFA)
LastPass supports various MFA methods, including the LastPass Authenticator app, which provides a time-based one-time password (TOTP), and hardware tokens like YubiKey. MFA adds an additional layer of security by requiring a second form of verification in addition to the master password.
Infrastructure and Network Security
Data Centers: LastPass data is stored in secure, geographically distributed data centers that are monitored 24/7.
Network Security: Utilizes TLS for secure data transmission, and infrastructure is protected with DDoS mitigation techniques, firewalls, and intrusion detection systems.
Compliance and Audits
LastPass adheres to several industry standards and undergoes regular audits to maintain certifications such as SOC 2 Type II and ISO 27001, ensuring compliance with rigorous data protection and security standards.
Incident Response
LastPass has a structured incident response protocol to handle potential security breaches, including timely investigations, mitigation measures, and communication with affected users.
This technical framework ensures that LastPass can provide robust security features while maintaining a user-friendly experience for managing passwords and other sensitive information securely.
The LastPass Authenticator app does not store user credentials, such as a user's password or biometrics, on its authentication server or any centralized database. Many users rely on biometric authentication like face recognition or fingerprint ID to enable secure, effortless access to the LastPass Authenticator app. To maximize security, the LastPass Authenticator app never gains access to any of the underlying authentication data (
LastPass typically categorizes its users into different classes or types based on the level of access, functionality, and management capabilities they require. These classes are primarily structured around personal use and enterprise (or business) use, each with specific features tailored to meet the needs of different user groups:
- Personal Users
Free Users: These users have access to the core features of LastPass, such as password storage, autofill, and generation of passwords. Free users can sync their data across all devices, which is a significant feature for individual users without any cost.
Premium Users: Premium accounts offer enhanced features over the free version, including advanced multi-factor authentication options, emergency access, priority tech support, and 1GB of encrypted file storage.
Families Users: Designed for family use, this plan allows up to 6 individual premium accounts under one subscription. It includes a family manager dashboard and shared folders for managing family passwords and notes securely.
- Business Users
Teams: This plan is tailored for smaller teams or businesses, providing essential password management features plus shared folders, standard security policies, and basic reporting. It supports up to 50 users and is focused on small to medium-sized businesses.
Business: Suitable for larger organizations, this tier includes all features in the Teams plan plus single sign-on (SSO) integration, advanced reporting and security policies, automated user provisioning, and more. It also provides a dedicated customer success manager for enterprise support.
Enterprise: The most comprehensive plan, catering to large organizations needing maximum security and scalability. This plan includes all features of the Business tier, along with more sophisticated security measures, full API access, and personalized onboarding experiences.
- Admin Roles
Admins: In business and enterprise plans, admins have capabilities to manage users, enforce security policies, access reports, and configure integrations. They can also handle user provisioning and de-provisioning.
Super Admins: Typically found in enterprise environments, super admins have higher privileges than standard admins, including the ability to reset passwords, manage admin roles, and configure advanced security policies.
- Special Cases
MSP (Managed Service Provider) Accounts: LastPass offers specific functionality for MSPs, allowing them to manage password security for multiple clients. This includes multi-tenancy capabilities and centralized management features.
Each user class in LastPass is designed with specific features and security measures to fit the varied needs of individual users, families, teams, and organizations of different sizes. This stratification ensures that every type of user has access to the tools and controls appropriate for their security and management requirements.
At LastPass, the security of our customers' credentials and sensitive information has always been our top priority. We achieve this by continuous improvement of our product and clear communication to our community.
Our key security measures include:
Security and encryption best practices: LastPass is designed to ensure that only the user (or their admin) can access their sensitive data. Sensitive data is encrypted using a key (never known to LastPass) locally, in a 'vault' that is stored on the end user's device and on our servers in world-class hosting facilities. LastPass offers recognized cryptography methods within its product that defend against brute-force attacks.
Industry-tested compliance standards: LastPass holds third-party security certifications including ISO 27001, SOC2 Type II, SOC3, BSI C5, and TRUSTe. Completing and maintaining these standards is just one way we demonstrate our commitment to data security, safeguarding of information, and service availability.
Timely incident response: Our team responds quickly to investigate, verify, and resolve or mitigate reports of bugs or vulnerabilities. We incentivize responsible disclosure and improvements to our service through BugCrowd and offer a similar disclosure program directly through LastPass. Our product and customers benefit from the positive relationship we maintain with top security researchers.
Regular audits and penetration tests: We engage trusted, world-class, third-party security firms to conduct routine audits and annual testing of the LastPass service and infrastructure.