Is password usage and management secure enough?

  • 10 January 2013

As a LastPass user I have noticed that WRSA Complete version's password manager is based on LastPass. What I understand about LastPass is that the main password, and decrypting of passwords viewed / edited on my PC, is done locally. What I can see when trying the same in the Password section of my online account of WRSA is that basically it's open to any administrator at Webroot who has access to my account, am I correct? For the sake of clarity, I do not have the issue that someone else raised earlier that their password page is not encrypted in their Opera browser, and my question is more concerned with the design of the WRSA security product / integration of LastPass into the product. I also have a potential concern that if the password is caught / hacked to the Webroot product itself, upon installing / registering each install of it across several devices, then of course that provides the hacker instant access to the database of passwords on the account. I think that there should be some kind of "firewall" between the two parts of the account and using the Webroot password plugin on a browser, i.e. using a separate key password for password management and usage. Put another way, it seems to me as a LastPass user that potentially the level of security has been lowered in order to get it integrated into WRSA, but I am happy to be proven wrong by someone who can explain the situation.

Best answer by JimM 10 January 2013, 20:15

If your Webroot master password was somehow obtained by a hacker, and assuming the hacker also knew your email address, he could attempt to sign into your online account. However, the online account would be inaccessible to them because they still don't have your PIN, which is the second, two-factor method of getting into the online console.

Regarding any ability to see your passwords, I know I don't have that myself, and I know support doesn't have that either. Further, I'm not aware of any reason even development would ever need to see that. When you enter your password, the software converts it into an encrypted, salted hash, sends it up to Webroot, and Webroot uses that to facilitate the transfer of more salted, hashed, encrypted data which is then transported to your computer and only then decrypted locally. At no point does the master password or the stored data ever need to exist as a human-readable value during that process. The hash alone isn't useful without the salt. Plus it's encrypted with 256-bit AES encryption.

Speaking for LastPass, they also state they can't access your passwords on their own page here, and they are pretty proud of the solution being "Host Proof."
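The host-proof split JimM describes (master password stretched locally, only a login hash and ciphertext ever reaching the server, decryption on the client) as an added example, not code from this thread, Webroot or LastPass: the email-as-salt choice, the iteration counts and the HMAC-based stand-in for AES-256 are assumptions of the example, not the products' real parameters.

```python
import hashlib, hmac, secrets

# Both secrets are derived on the client: the vault key never leaves the device, and the login
# hash (one extra round over the key) is all the server gets. Email-as-salt and the iteration
# counts are assumptions of this example, not Webroot's or LastPass's actual values.
def derive_keys(master_password: str, email: str, iterations: int = 100_000):
    pw = master_password.encode()
    enc_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode(), iterations, 32)
    auth_hash = hashlib.pbkdf2_hmac("sha256", enc_key, pw, 1, 32)
    return enc_key, auth_hash

# Stand-in for the AES-256 the answer mentions, so this runs on the standard library alone:
# an HMAC-SHA256 keystream XORed over the data, then an HMAC tag (encrypt-then-MAC).
def _subkeys(key: bytes):
    return tuple(hmac.new(key, label, "sha256").digest() for label in (b"enc", b"mac"))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    k_enc, k_mac = _subkeys(enc_key)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + body + hmac.new(k_mac, nonce + body, "sha256").digest()

def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    k_enc, k_mac = _subkeys(enc_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + body, "sha256").digest()):
        raise ValueError("wrong key or tampered vault")  # checked before any decryption
    return bytes(a ^ b for a, b in zip(body, _keystream(k_enc, nonce, len(body))))

class HostProofServer:
    """Stores a salted hash of the login hash plus the ciphertext; nothing it holds decrypts."""
    def __init__(self):
        self.accounts = {}
    def register(self, email: str, auth_hash: bytes, vault_blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = (salt, hashlib.sha256(salt + auth_hash).digest(), vault_blob)
    def fetch_vault(self, email: str, auth_hash: bytes):
        salt, verifier, vault_blob = self.accounts.get(email, (b"", b"", b""))
        if not hmac.compare_digest(verifier, hashlib.sha256(salt + auth_hash).digest()):
            return None  # wrong login hash: the ciphertext is not even handed out
        return vault_blob

def demo(password: str = "correct horse", email: str = "user@example.com"):
    vault = b'{"site": "example.com", "user": "alice", "pw": "hunter2"}'  # constructed sample
    server = HostProofServer()
    enc_key, auth_hash = derive_keys(password, email)
    server.register(email, auth_hash, encrypt_vault(enc_key, vault))
    # Correct login gets the ciphertext back and decrypts it locally; a wrong one gets nothing.
    return (decrypt_vault(enc_key, server.fetch_vault(email, auth_hash)),
            server.fetch_vault(email, derive_keys("wrong pass", email)[1]) is None)
```

The login hash the server holds cannot unlock the vault (decrypt_vault with it fails the tag check), which is the property the answer calls "Host Proof".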