Which one is safer - Google Password Manager vs LastPass?

Asked by AnishaDalal in SQL Server, on Apr 22, 2021

Justin Schuh defended Google's reasoning in the wake of this post detailing the "discovery" (sic) that passwords saved in the Chrome password manager can be viewed in simple plain text. Let me just directly quote him:

“I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.


Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.”


I've been using LastPass with the thought that it is better and safer than using Chrome's built-in password manager. There are two additional facts that are relevant here: LastPass has an option to stay signed in on a trusted computer. Let's assume I use it. Chrome lets you create a separate password for Google's synced data (read: stored passwords). Let's assume I do this as well.


With those givens, all other things being equal, which is safer: Google Password Manager or LastPass? It seems like once malicious software gets on my system, or a bad guy has access, regardless of the theoretical perspective, my security is definitely compromised. Is that true?


Also, from a practical perspective, between Google Password Manager and LastPass, is one or the other more likely to be hacked in real life? Are there certain attack vectors which are more common or more successful that would work on one of these but not the other?


Justin's point was the same as your observation that even LastPass passwords would be 100% vulnerable to malware present on your machine. Your machine is where the ultimate security lies.

The Elliot Kember post claims that your overall safety of the password is increased if you require a master password to view other passwords. And he has a valid point. There is definitely an advantage to reducing your attack surface, and his claim is that Google's not even trying in that regard. Elliot also claims that Justin's "false sense of security" ignores the human element, which is that 95% of the people you might loan your machine to are incapable of exploiting it. However, if you loan your machine to your worthless brother-in-law, he might do something foolish that exposes you to a virus -- your brother-in-law isn't deliberately exploiting you, but he's a potential vector for infection. All in all, Justin's argument also exploits human behavior. If Chrome lets other people easily see your passwords, you'd be stupid to let someone else use it without close supervision. Both sides have valid points.

The problem with Chrome is that unless you click an obscure advanced sync option, your sync password is the same as your Google password. When we compare Google Password Manager vs LastPass, by default Google has the ability to decrypt your sync file and access your passwords. You've now spread your attack surface to include completely trusting Google to protect all your passwords. Is Google trustworthy? The simple answer is to ask why Google would ever snoop on your passwords and risk damaging the trust people have for them anyway. But do they turn them over to the authorities when presented with a warrant and a National Security Letter? Those questions have unknowable answers, yet they're dealing with your personal security.

You can go one step further, though, and actually improve your security through trusted hardware. You can link your LastPass account to use a YubiKey for dual-factor authentication. It's basically a USB key that acts like a keyboard, but you keep it on your keyring next to your house key. It provides a seemingly random string to LastPass that LastPass can then use an algorithm to verify, granting you access to your account. Even on a totally pwned machine where malware can intercept the passwords in active use, as long as it doesn't have clipboard access or you're using the LastPass browser plugin, your passwords are safe.

Another perspective when comparing Google Password Manager vs LastPass is that Google stores your passwords in your account, and that is basically cloud storage. So if your Gmail or Google account was compromised in some way, the attacker would have access to everything you have stored in your Chrome password manager. Ergo, to safely use this service, you will need to create a highly secure password for your Google account and preferably turn on two-factor authentication for added protection. This platform is integrated with the Chrome browser on both PC as well as mobile, allowing users to generate passwords when registering and store them in an encrypted locker for access across devices.
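The answer's central point about sync is that whoever can derive the vault key can read the vault: if the key comes from the account password, the provider (which receives that password at sign-in) can decrypt; if it comes from a separate passphrase that never leaves your devices, the provider cannot, although malware on your own machine that captures the passphrase still can. The script below is an added illustration of that model and is not code from this post, from Google or from LastPass. Its vault format (PBKDF2 key stretching, an HMAC-SHA256 counter-mode stream cipher, and an encrypt-then-MAC tag) is a constructed toy standing in for whatever the real products use, and every function name, password and vault entry in it is made up for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed toy vault format for illustration only; it is NOT Chrome's or
# LastPass's real sync format. Layout: salt(16) || nonce(16) || ciphertext || tag(32).
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000


def derive_keys(secret: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the user's secret into a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a simple stream cipher (toy construction)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal_vault(plaintext: bytes, secret: str) -> bytes:
    """Encrypt-then-MAC the vault under keys derived from `secret` with a fresh salt and nonce."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(secret, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_vault(blob: bytes, secret: str) -> Optional[bytes]:
    """Return the plaintext, or None if the secret is wrong or the blob was tampered with."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(secret, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # check integrity before decrypting
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper(blob: bytes) -> bytes:
    """Flip one ciphertext bit, as a stored-data corruption or bit-flip would; the tag must catch it."""
    i = SALT_LEN + NONCE_LEN
    return blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]


def provider_can_read(blob: bytes, secrets_provider_holds: List[str]) -> bool:
    """Model of the sync provider: it can open the vault only with a secret it actually holds."""
    return any(open_vault(blob, s) is not None for s in secrets_provider_holds)


def compare_sync_setups() -> dict:
    """Contrast the default (account-password-keyed) setup with a separate sync passphrase."""
    vault = b"example.com: alice / correct-horse-battery\n"  # constructed sample entry
    account_password = "account-password-typed-at-sign-in"   # constructed
    separate_passphrase = "separate-sync-passphrase"          # constructed

    # Default setup as the answer describes it: the vault key is derived from the
    # account password, which the provider receives whenever the user signs in.
    default_blob = seal_vault(vault, account_password)
    # Advanced-sync setup: a distinct passphrase entered only on the user's own devices.
    separate_blob = seal_vault(vault, separate_passphrase)

    return {
        "default_provider_can_read": provider_can_read(default_blob, [account_password]),
        "separate_provider_can_read": provider_can_read(separate_blob, [account_password]),
        "owner_can_read": open_vault(separate_blob, separate_passphrase) == vault,
    }


if __name__ == "__main__":
    for name, result in compare_sync_setups().items():
        print(f"{name}: {result}")
```

The three results are the whole argument in miniature: the provider opens the default vault because it holds the only secret the key depends on, cannot open the passphrase vault because that secret never reaches it, and the owner opens it either way. Note that `owner_can_read` is exactly what malware on the owner's machine also gets once it has captured the passphrase, which is Justin's point about the OS user account being the real boundary; the separate passphrase narrows who else can read the sync copy, not what a compromised endpoint can do.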