7

While categorizing my accounts in LastPass, I had a dumb thought cross my mind.

Can I store my LastPass password in LastPass?

Initially I thought this would be a completely pointless thought experiment. There's no way you could actually save your LastPass details in LastPass... right?

Even if a user did try to save their own LastPass password, surely there would be some sort of error or sanity check preventing this from...

LastPass Password in LastPass

...or I can add my password without any issue.

Presumably there isn't much point to this. Doing this is the equivalent of storing a safe combination inside said combination-locked safe. What I'm curious about is the security implications.

How insecure is it to store my LastPass password in LastPass? What potential security issues could it cause?

Stevoisiak
  • 1,535
  • 1
  • 13
  • 27
  • 2
    If something is pointless and may have even the smallest impact on security the gain can only be negative. – Elias Aug 03 '17 at 08:33

3 Answers3

3

LastPass seems to store your Vault as a single encrypted blob, according to their documentation. Let's consider two attack scenarios.

First, an attacker manages to get his hands on your encrypted Vault. He needs to open the Vault to get the password. Theoretically, it is possible the attacker only recovers parts of your vault, and your master password happens to be in it. This will lead to the compromise of your entire Vault.

Second, let's say an attacker manages to get a snapshot of your unencrypted Vault. He then has your master password, which allows him to decrypt your Vault at a later time when it possibly contains more secrets.

In theory, storing your master password in your Vault weakens security somewhat. Whether it is acceptable to someone is a trade-off everyone has to decide himself.

Daniel Szpisjak
  • 1,965
  • 12
  • 20
3

It is rather useless because you first need to type the password to recover it. But IMHO this does not really weaken the overall security of the password vault by itself. Assuming LastPass encryption is correctly implemented, the only way to access the encrypted master password would be... to find it by another way. And if an attacker ever gains access to the encrypted vault, then the master password does not protect anything else, since the whole vault is in attacker's hands.

IMHO it is still a poor practice, but mainly because as it is useless, doing that could either give a false security feeling, or be an indicator of other weird usages.

Serge Ballesta
  • 26,693
  • 4
  • 44
  • 89
  • 2
    It isn't useless though. It allows you to access the LastPass website without having to reauthenticate. It's kind of a SSO option of sorts since it will auto-fill the web credentials if you have logged in to the application. This itself does have some security implications as they reprompt in part to make sure you are who you say you are before letting you make changes though, but it's a personal security level decision. – AJ Henderson Aug 03 '17 at 16:54
1

It's akin to putting a key to your safe, in your safe. While sure your key is safe in your safe, you need the key to open the safe. Since you need a key to open your safe everything you put inside the safe is safe, including your key.

LastPass is essentially a safe, but they call it a vault. It's all encrypted with your master password, which is your key. Storing your LastPass password in LastPass is exactly like storing a duplicate key in your safe.

Is this a security risk? Entirely up to you. If a person got ahold of your unprotected compter, they'd be able to see the master password and copy it, compromising your LastPass account. This is the same as you leaving the safe open for a second, and somebody comes and grabs an imprint of the key you left inside of it.

zzarzzur
  • 1,132
  • 8
  • 8