Backdoors bundled into software and hardware products sold in the United States have always been a controversial topic.
And now, there’s a high chance they make the headlines once again following a failed law enforcement attempt to access the login details of a suspected criminal.
The Drug Enforcement Administration, or the DEA, reached out to LastPass, the maker of one of the most advanced password managers out there, asking for the details of a user called Stephan Caamano.
The man, according to official documents, was under investigation for trafficking a counterfeit drug and money laundering.
The police believed that Caamano was storing all his logins and passwords in LastPass, so they wanted to break into his accounts to look for more information that could then be used as evidence in court. But when asking LastPass to provide access to the suspect’s data, all they got was a big “nope, we can’t do it.”
Strong encryption used by password managers
This is because, as LastPass itself explained, password managers like this one do not store encryption keys on the company’s servers, as all the data is decrypted on the user’s device. In other words, the data can only be accessed from the device where the password manager is installed, and only when the master password is provided.
“User passwords stored on LogMeIn's servers are only done so in an encrypted format. The only way they get decrypted is on the user’s side, and the way that happens—the decryption key—is the user’s master password (used to log into LastPass), which is never received by or available to LogMeIn/LastPass. In other words, we have no means of decrypting user password information on our side, and thus, we are unable to provide these passwords,” a LastPass spokesperson explained as per this Forbes report.
LastPass isn’t the only password manager that’s impossible to break into. Enpass, for example, stores all data locally and can sync with cloud services for easy access from multiple devices. The data, however, is locked with a master password that’s used for decryption and which isn’t recorded or stored anywhere. Once the master password is lost, there’s no way to recover it, and the data is locked forever.
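The design described above, as an added illustration that is not LastPass’s or Enpass’s own code: the master password is turned into keys on the user’s device, the server only ever receives ciphertext, and without the password the provider has nothing it could decrypt or hand over. It assumes PBKDF2 key derivation and uses an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as a standard-library stand-in for AES; the salt and vault contents are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # illustrative work factor; real products tune this much higher
NONCE_LEN, TAG_LEN = 16, 32

def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Runs only on the user's device: master password -> (encryption key, MAC key).
    Neither the password nor these keys are ever sent to the server."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib stand-in for AES-CTR."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def seal_vault(master_password: str, salt: bytes, vault_json: bytes) -> bytes:
    """Client side: returns nonce || ciphertext || tag, the only thing uploaded to the server."""
    enc_key, mac_key = derive_keys(master_password, salt)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(vault_json, _keystream(enc_key, nonce, len(vault_json))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ciphertext + tag

def open_vault(master_password: str, salt: bytes, blob: bytes) -> Optional[bytes]:
    """Client side: the plaintext vault, or None when the password is wrong or the blob was altered."""
    enc_key, mac_key = derive_keys(master_password, salt)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time check before any decryption
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

def server_view(salt: bytes, blob: bytes) -> dict:
    """Everything the provider holds for this account: no password, no key, nothing it could hand over."""
    return {"salt": salt.hex(), "blob": blob.hex(), "master_password": None, "vault_key": None}

if __name__ == "__main__":
    salt = b"constructed-per-user-salt"                                         # constructed sample value
    vault = b'{"example.com": {"user": "alice", "password": "hunter2"}}'       # constructed sample vault
    blob = seal_vault("correct horse battery staple", salt, vault)
    print(server_view(salt, blob))
    print(open_vault("correct horse battery staple", salt, blob))
    print(open_vault("wrong guess", salt, blob))   # None: the server-held data alone is useless
```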
In this case, LastPass only provided law enforcement with the IP address of the suspect, as well as details regarding the last logins.
The man pleaded not guilty and the trial is scheduled for May.