Lastpass vs Chrome - Which is safer?
Justin Schuh defended Google's reasoning in the wake of this post detailing the "discovery" (sic) that passwords saved in the Chrome password manager can be viewed in plaintext. Let me just directly quote him:
> I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theatre.
>
> Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install a malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
>
> We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behaviour. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.
I've been using LastPass under the assumption that it is better and safer than using Chrome's built-in password manager. There are two additional facts that are relevant here:
LastPass has an option to stay signed in on a trusted computer. Let's assume I use it. Chrome lets you create a separate password for Google's synced data (read: stored passwords). Let's assume I do this as well. With those givens, all other things being equal, is LastPass any safer than Chrome? It seems like once malicious software gets on my system, or a bad guy has access, it doesn't matter from a theoretical perspective, I'm 100% compromised. Is that true?
Also, from a practical perspective, is one or the other more likely to be hacked in real life? Are there certain attack vectors which are more common or more successful that would work on one of these but not the other?
**Lastpass vs Chrome**

First of all, Chrome does encrypt your passwords and other secret data. But there are different aspects to this depending on the setting, plus a few details that you should keep in mind.

**On your Computer, In your OS**

When passwords are saved locally on your computer, Google will attempt to use whatever local password vault might exist. So for example, if you're on OSX, that's the system's Keychain. If you're on Windows, it's the Windows Data Protection API (Microsoft has a peculiar skill for naming products); if you're on KDE, it's the Wallet; in GNOME it's Gnome Keyring.
Each of these products has its own implications that are worth noting. For example, if you ever sync your passwords on an OSX device, those passwords go into the Keychain (as mentioned) which has been rebranded the iCloud Keychain -- the implications of which are exactly what they sound like: now Apple knows your saved passwords too, and will sync them to your iPhone, your iPad and any other Apple devices. That may be precisely what you wanted. And maybe not. Just be aware. The Windows Exciting Names And Data Protection API Professional Edition boasts no such features. Your passwords are on your computer, and there they stay until further notice. Call it old-fashioned or call it safe. But bear in mind that Microsoft has a history of chasing Apple, and may decide to do so here as well.

**In the Cloud**

In addition to any unintentional iCloud syncing as mentioned above, Chrome will also sync your passwords between Chrome instances. This means sending your data to Google. Yes, it's encrypted.
How is it encrypted? That's up to you. You can either use your Google Account (the default), or you can set a special "sync passphrase". While I have no special knowledge of the internals of these two options, the implications appear pretty straightforward. If you use your Google Account password, then the passwords are encrypted with no further intervention on your part. Note that the actual password is in fact required; access to the Google Account alone isn't sufficient. I've seen situations where Chrome had successfully managed to log in and fetch its sync data through external authorization but was not able to decrypt it until I typed in the original Gmail password. The advantage, therefore, of using a separate "sync passphrase" is to make sure that anyone who has your Gmail password (presumably Google could, for example) will not have your sync password.
**Remembering autocomplete=off Passwords**

The geek.com article mentioned brings up an interesting point, but that point is traditionally argued from a position of... unenlightenment. It's a common position held by "privacy advocates" (particularly the kind for whom I'd put that term in quotes) but the security implications are very, very, very clear, and very definitely, squarely on the side Google takes. I've written about this already. Go read that other answer and then come back. I'll wait.
Go on. OK, back? OK, here are the critical points while they're fresh in your mind: autocomplete=off was an intervention added to turn off a very dangerous feature. That feature is not the password saving we've been talking about. The feature we've been talking about helps users. That other one was a misguided attempt at being useful by filling in forms using things you typed on other websites. So imagine an autocomplete assistant like Clippy, but with worse social skills: "I see you're trying to log in to Ebay; I'll just fill in your login from Yahoo and we can see if that works." Yeah, we had funny ideas about security back in the 90s. You can see why putting autocomplete=off into everything even remotely security-related quickly became a bullet-point in site audits. By comparison, the autocomplete that we've been talking about is a very carefully-controlled security-enhancing solution. And if you use it for anything at all, you'll want to use it for your most secure passwords. Why? Phishing.
Phishing is literally the single most dangerous online attack facing you. It's super-effective and super-devastating. It doesn't get nearly the attention it should because we always just point a finger at the stupid user who gave the Syrian Electronic Army his password. But defending against phishing is really, really hard, and exploiting it is therefore really, really easy. Furthermore, a successful phishing exploit has unlimited damage potential, all the way up to shutdown-the-whole-bloody-company sort of disasters. And in protecting against phishing, your single greatest weapon is a browser-integrated password manager. It knows where your passwords should be used, and locks you out from using them unless you're actually looking at the right site. It's not fooled by look-alike domains or "site seal" graphics, and it knows how to check the SSL certificate. It keeps your passwords locked up until you're ready to use them and staring at the correct login prompt.
- Should the Chrome password manager ignore the autocomplete=off message? MOST DEFINITELY YES.
- Should you use it? If you're using LastPass then you're fine sticking with that. But this should be considered a reasonable alternative if the caveats mentioned above don't bother you.
- If you're not using any password manager, then start using this one right now. It's safe by any reasonable measure, and in particular, far safer than not using it.
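The phishing point in the answer above (the manager knows where a password belongs and refuses to offer it anywhere else) is easy to see in code. What follows is an added example written for this page; it is not code from the answer, from Chrome or from LastPass. It models the fill decision as a strict match on the page's origin (scheme, host and port) using the WHATWG `URL` class that Node.js and browsers both provide. The vault entries, usernames and hostnames are constructed sample data.

```javascript
// Added example, not part of the original answer: a simplified model of how a
// browser-integrated password manager decides whether to fill a saved
// credential. Credentials are bound to the exact origin (scheme + host + port)
// they were saved on. Vault contents and hostnames below are constructed
// placeholders.

// Constructed vault: each entry remembers the origin it was saved from.
const sampleVault = [
  { origin: 'https://www.example-bank.com', username: 'alice', password: 'hunter2' },
  { origin: 'https://accounts.example.com', username: 'alice@example.com', password: 'correct-horse' },
];

// Normalise a page URL to its origin. The URL parser lower-cases the host,
// drops a default port, and converts internationalised hosts to punycode
// (xn--), so a homograph of "example-bank" becomes a different ASCII string
// rather than something that merely looks the same on screen.
function originOf(pageUrl) {
  return new URL(pageUrl).origin;
}

// Decide whether any saved credential may be filled on pageUrl.
// There is deliberately no fuzzy matching: "www.example-bank.com.evil.test"
// shares nothing with the saved origin, which is exactly the property that
// defeats look-alike phishing domains.
function fillDecision(vault, pageUrl) {
  let origin;
  try {
    origin = originOf(pageUrl);
  } catch (err) {
    return { fill: false, reason: 'unparseable URL' };
  }
  // A credential saved over HTTPS is never offered to a plain-HTTP page, even
  // on the right host: a network attacker could be serving that page.
  if (!origin.startsWith('https://')) {
    return { fill: false, reason: `refusing to fill on non-HTTPS origin ${origin}` };
  }
  const matches = vault.filter((entry) => entry.origin === origin);
  if (matches.length === 0) {
    return { fill: false, reason: `no credential saved for ${origin}` };
  }
  return { fill: true, credentials: matches };
}

// Exercise the decision against constructed page URLs: the genuine login page
// (with and without an explicit default port), an HTTP downgrade, a look-alike
// subdomain under an attacker's host, and an IDN homograph.
function demo() {
  const pages = [
    'https://www.example-bank.com/login',
    'https://www.example-bank.com:443/login',
    'http://www.example-bank.com/login',
    'https://www.example-bank.com.evil.test/login',
    'https://www.exаmple-bank.com/login', // Cyrillic 'а' (U+0430) in place of Latin 'a'
  ];
  return pages.map((url) => ({ url, decision: fillDecision(sampleVault, url) }));
}

for (const { url, decision } of demo()) {
  console.log(url, '=>', decision.fill ? 'FILL' : `no fill (${decision.reason})`);
}
```

Only the first two URLs get a fill; the downgrade, the look-alike and the homograph are all refused without any attempt at visual comparison. Real browser managers may relax the strict-origin rule slightly (for example, offering credentials on other subdomains of the same registrable domain), but that is an explicit, bounded rule, not similarity matching, so the phishing property the answer describes still holds.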