Police Wanted to (But Couldn’t) Break into User’s Password Manager

CyberTech

Backdoors bundled into software and hardware products sold in the United States have always been a controversial topic.

And now, there’s a high chance they make the headlines once again following a failed law enforcement attempt to access the login details of a suspected criminal.

The Drug Enforcement Administration, or the DEA, reached out to LastPass, the maker of one of the most advanced password managers out there, asking for the details of a user called Stephan Caamano.

The man, according to official documents, was under investigation for trafficking a counterfeit drug and money laundering.

The police believed that Caamano was storing all his logins and passwords in LastPass, so they wanted to break into his accounts to look for more information that could then be used as evidence in court. But when asking LastPass to provide access to the suspect’s data, all they got was a big “nope, we can’t do it.”

Strong encryption used by password managers
This is because, as LastPass itself explained, password managers like this one do not store encryption keys on the company’s servers, as all the data is decrypted on the user’s device. In other words, they can only be accessed from the device where the password manager is installed and only when the master password is provided.

“User passwords stored on LogMeIn's servers are only done so in an encrypted format. The only way they get decrypted is on the user’s side, and the way that happens—the decryption key—is the user’s master password (used to log into LastPass), which is never received by or available to LogMeIn/LastPass. In other words, we have no means of decrypting user password information on our side, and thus, we are unable to provide these passwords,” a LastPass spokesperson explained as per this Forbes report.

LastPass isn’t the only password manager that’s impossible to break into. Enpass, for example, stores all data locally and can sync with cloud services for easy access from multiple devices. The data, however, is locked with a master password that’s used for decryption and which isn’t recorded and stored anywhere. Once the master password is lost, there’s no way to recover it, and the data is locked forever.

In this case, LastPass only provided law enforcement with the IP address of the suspect, as well as details regarding the last logins.

The man pleaded not guilty and the trial is scheduled for May.
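
The client-side decryption model described in the post above, as an added example that is not part of the original thread and is not LastPass's or Enpass's code. It shows why a provider holding only ciphertext can disclose login metadata but not passwords; the PBKDF2 and AES-256-GCM choices, the iteration count, and every function and field name are assumptions made for illustration.

```javascript
// Added illustration of client-side vault encryption (Node.js built-in crypto).
// KDF, cipher, parameters and all names are assumptions, not any vendor's design.
const crypto = require('crypto');

const ITERATIONS = 100000; // constructed work factor for the example

// Client side: the key is derived from the master password on the device.
function deriveKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, 32, 'sha256');
}

// Client side: encrypt the vault; only the returned record is uploaded.
function sealVault(masterPassword, entries) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() }; // no key, no password
}

// Client side: decrypt; returns null if the password is wrong or the record was altered.
function openVault(masterPassword, record) {
  const key = deriveKey(masterPassword, record.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    const pt = Buffer.concat([decipher.update(record.ct), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null; // GCM authentication failed
  }
}

// Server side: everything the provider holds and could hand over on request.
function serverDisclosure(account) {
  return {
    lastLoginIp: account.lastLoginIp,
    lastLoginAt: account.lastLoginAt,
    vault: account.record.ct.toString('base64'), // ciphertext only
  };
}

// Constructed sample data.
const record = sealVault('correct horse battery staple',
  [{ site: 'example.test', user: 'alice', password: 's3cret-constructed' }]);
console.log(serverDisclosure({ lastLoginIp: '203.0.113.7', lastLoginAt: '2018-01-01T00:00:00Z', record }));
console.log(openVault('wrong guess', record)); // null
```

With this layout the strength of the master password is the remaining control, since anyone holding the record can attempt guesses offline against the stored salt.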
 

HarborFront

Just strip that guy naked and put him inside an ice box with him sitting on a few blocks of ice.

I can guarantee he'll volunteer the password gladly........mind you without the use of physical force :)
 