Thoughts on Systems

Emil Sit

Dec 20, 2008 - 1 minute read - Technology clipperz lastpass mashedlife passpack password security

Considering MashedLife and LastPass

After my review of Clipperz and PassPack, I received comments and e-mails suggesting that I consider Mashed Life and LastPass as well.

The most interesting feature of Mashed Life is that it supports logins with a YubiKey, a USB dongle that Mashed Life uses as part of either one- or two-factor authentication. This is a very cool feature, as two-factor authentication is even harder to beat than PassPack’s (now potentially weaker) packing key: an attacker must literally have your YubiKey to log in as you. But the downside of the Mashed Life architecture is that it relies on the security of their servers, which, as far as I can tell, have an unencrypted version of all your authentication data. Despite any secret splitting they talk about in their FAQ (Q6), it must be programmatically possible to extract your password, since the login action retrieves your password from their server over SSL. Of course, this is probably what enables them to provide an API for synchronization with KeePass and Password Safe, but for me, this is a show stopper.