    LastPass

    • FiyaFlyF
      FiyaFly
      last edited by

      It also got approval from Steve Gibson: http://blog.lastpass.com/2010/07/lastpass-gets-green-light-from-security.html

      LastPass is my go-to utility for management. I can't really imagine going without it nowadays.

      1 Reply Last reply Reply Quote 3
      • coliverC
        coliver
        last edited by

        I've been using LastPass for 5 or 6 years. The one time they thought they had a breach of their database they emailed everyone as soon as it was even suspected and forced a password change. That alone proved they were a customer-centric company, as most others would have tried to PR their way out of such a "breach".

        The app also encrypts your passwords with your key on the client end before it even goes to the cloud database. So even if someone managed to break in and get it they would just have the hashed values that would take a significant amount of time to figure out.

        thanksajdotcomT 1 Reply Last reply Reply Quote 1
        • NicN
          Nic
          last edited by

          We use them here at Webroot - we have a white labelled version of their service embedded in the consumer version of WSA complete. My philosophy is that my master password is only used for LastPass, so it's much less likely to be hacked than any of the other passwords I use on other sites. Two factor authentication for logins from unknown computers is pretty much the best solution you can have for this situation.

          1 Reply Last reply Reply Quote 2
          • T
            technobabble
            last edited by

            @coliver said:

            The app also encrypts your passwords with your key on the client end before it even goes to the cloud database. So even if someone managed to break in and get it they would just have the hashed values that would take a significant amount of time to figure out.

            I actually saw this "hang up" in the browser...just total gibberish and when I checked it...it was still total gibberish. I reverted the data and it hasn't happened again.

            1 Reply Last reply Reply Quote 0
            • T
              technobabble
              last edited by

              I am now checking out the Multifactor Options...thanks for the heads up @Minion-Queen

              1 Reply Last reply Reply Quote 1
              • thanksajdotcomT
                thanksajdotcom
                last edited by

                I know they have a two-factor authentication option, but the best way to do it is have one master password that is very strong, so uppers, lowers, numbers, and symbols, and then use randomly generated passwords for everything else. The only things I don't use random passwords for are my main email address, my LastPass master password, and one or two other key logins that I access from my cell a lot, so a random password would be a pain.

                1 Reply Last reply Reply Quote 0
                • thanksajdotcomT
                  thanksajdotcom
                  last edited by

                  I agree with @FiyaFly in saying I cannot deal without LastPass nowadays. I got my mother onto it and she loves it. It's true that your LastPass account is only as safe as your master password, so if you live at 123 Main Street and your dog's name is Wolfy, using Wolfy123 as your password is pretty weak. Make it something unrelated to common password triggers, like pet names, birthdays, spouse and children names, etc. Mine is 23 characters, fully complex, and not something related to anything in my life directly. It's easy to remember but pretty much impossible to guess. That's the key.

                  gjacobseG 1 Reply Last reply Reply Quote 0
                  • gjacobseG
                    gjacobse @thanksajdotcom
                    last edited by

                    @thanksaj said:

                    I agree with @FiyaFly in saying I cannot deal without LastPass nowadays. I got my mother onto it and she loves it. It's true that your LastPass account is only as safe as your master password, so if you live at 123 Main Street and your dog's name is Wolfy, using Wolfy123 as your password is pretty weak. Make it something unrelated to common password triggers, like pet names, birthdays, spouse and children names, etc. Mine is 23 characters, fully complex, and not something related to anything in my life directly. It's easy to remember but pretty much impossible to guess. That's the key.

                    Last time I did that I spent six hours trying to figure out what it was, only to give up and have the password reset. I generally do a number/letter replacement, cap, symbol. Sadly, and not related to a 'master password', some sites I have will only allow 8 characters, so to use a 16, 24, 31 character password is not possible.

                    Years ago I came across someone in Cincinnati that used the maximum character length - 264. I would have been impressed if he didn't have to start over twice to type it in.

                    thanksajdotcomT 1 Reply Last reply Reply Quote 0
                    • thanksajdotcomT
                      thanksajdotcom @gjacobse
                      last edited by

                      @g.jacobse said:

                      @thanksaj said:

                      I agree with @FiyaFly in saying I cannot deal without LastPass nowadays. I got my mother onto it and she loves it. It's true that your LastPass account is only as safe as your master password, so if you live at 123 Main Street and your dog's name is Wolfy, using Wolfy123 as your password is pretty weak. Make it something unrelated to common password triggers, like pet names, birthdays, spouse and children names, etc. Mine is 23 characters, fully complex, and not something related to anything in my life directly. It's easy to remember but pretty much impossible to guess. That's the key.

                      Last time I did that I spent six hours trying to figure out what it was, only to give up and have the password reset. I generally do a number/letter replacement, cap, symbol. Sadly, and not related to a 'master password', some sites I have will only allow 8 characters, so to use a 16, 24, 31 character password is not possible.

                      Years ago I came across someone in Cincinnati that used the maximum character length - 264. I would have been impressed if he didn't have to start over twice to type it in.

                      LastPass has no limit on their master password, and the randomly generated passwords can be tailored per site based on the criteria. Otherwise, you can have one or two passwords with maybe the first letter capital in some and not others that is your "master password" for sites. That's what I had before LastPass. I went back later and changed a ton over to random passwords.

                      1 Reply Last reply Reply Quote 0
                      • T
                        technobabble
                        last edited by

                        @Minion-Queen would you recommend Google Authenticator or Toopher?

                        1 Reply Last reply Reply Quote 0
                        • Minion QueenM
                          Minion Queen Banned
                          last edited by

                          I have used Google. But I am not as technical as some others around here. @Nic what do you suggest?

                          1 Reply Last reply Reply Quote 0
                          • thanksajdotcomT
                            thanksajdotcom @coliver
                            last edited by

                            @coliver said:

                            I've been using LastPass for 5 or 6 years. The one time they thought they had a breach of their database they emailed everyone as soon as it was even suspected and forced a password change. That alone proved they were a customer centric company, as most others would have tried to PR their way out of such a "breach"

                            The app also encrypts your passwords with your key on the client end before it even goes to the cloud database. So even if someone managed to break in and get it they would just have the hashed values that would take a significant amount of time to figure out.

                            Yup, there's this too. LastPass only decrypts your password database at the local level. It's always encrypted in-transit and on the cloud server.

                            1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller
                              last edited by

                              LastPass is extremely secure. But, as with anything, the end user is a point of risk that is very difficult to mitigate.

                              thanksajdotcomT 1 Reply Last reply Reply Quote 1
                              • DashrenderD
                                Dashrender
                                last edited by

                                To the OP - the answer is (as @scottalanmiller and others have said) LastPass is only as secure as your Master Password, and possibly a second factor authentication.

                                So first things first - use a long (16+ characters, including upper, lower, numeric and symbols) Master Password,
                                and second - use a second factor: YubiKey, Google Authenticator, Toopher, Duo Security, Transakt.

                                Additionally, you should consider printing out a few one time passwords and storing them in a safe place. Safety deposit box, safe at home - wherever you store important papers at home, etc.

                                Personally I use a 16+ character password and Google Authenticator. I trust this system very much and have had little to no problems with it.

                                I also gladly pay my $12/yr for mobile access - so I can continue to use secure passwords, even on my phone.

                                1 Reply Last reply Reply Quote 1
                                • thanksajdotcomT
                                  thanksajdotcom @scottalanmiller
                                  last edited by

                                  @scottalanmiller said:

                                  LastPass is extremely secure. But, as with anything, the end user is a point of risk that is very difficult to mitigate.

                                  A.K.A. you can't fix stupid.

                                  1 Reply Last reply Reply Quote 0
                                  • thanksajdotcomT
                                    thanksajdotcom
                                    last edited by

                                    Also, I should add, that when HeartBleed came out, and sites like Facebook and Google were compromised, LastPass was unaffected because they were on a newer version. Just something to think about.

                                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @thanksajdotcom
                                      last edited by

                                      @thanksaj said:

                                      Also, I should add, that when HeartBleed came out, and sites like Facebook and Google were compromised, LastPass was unaffected because they were on a newer version. Just something to think about.

                                      And the payload is encrypted, not the tunnel. LastPass isn't SSL.

                                      DashrenderD thanksajdotcomT 2 Replies Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender @scottalanmiller
                                        last edited by Dashrender

                                        @thanksaj said:

                                        And the payload is encrypted, not the tunnel. LastPass isn't SSL.

                                        Actually LastPass is both.

                                        @thanksaj said:

                                        Also, I should add, that when HeartBleed came out, and sites like Facebook and Google were compromised, LastPass was unaffected because they were on a newer version. Just something to think about.

                                        And I'm pretty sure they were affected, but it didn't matter since they use their own encryption on the endpoint before sending to the cloud.

                                        LastPass utilizes OpenSSL for HTTPS/TLS/SSL encryption and we were therefore “vulnerable” to this bug.
                                        http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

                                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                                        • thanksajdotcomT
                                          thanksajdotcom @scottalanmiller
                                          last edited by

                                          @scottalanmiller said:

                                          @thanksaj said:

                                          Also, I should add, that when HeartBleed came out, and sites like Facebook and Google were compromised, LastPass was unaffected because they were on a newer version. Just something to think about.

                                          And the payload is encrypted, not the tunnel. LastPass isn't SSL.

                                          True.

                                          1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @Dashrender
                                            last edited by

                                            @Dashrender said:

                                            @thanksaj said:

                                            And the payload is encrypted, not the tunnel. LastPass isn't SSL.

                                            Actually LastPass is both.

                                            @thanksaj said:

                                            Also, I should add, that when HeartBleed came out, and sites like Facebook and Google were compromised, LastPass was unaffected because they were on a newer version. Just something to think about.

                                            And I'm pretty sure they were affected, but it didn't matter since they use their own encryption on the endpoint before sending to the cloud.

                                            LastPass utilizes OpenSSL for HTTPS/TLS/SSL encryption and we were therefore “vulnerable” to this bug.
                                            http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

                                            Their website was affected, but not the application, AFAIK, which I think uses AES256.

                                            thanksajdotcomT 1 Reply Last reply Reply Quote 0
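
Added example, not part of the thread and not LastPass's own code: a minimal Node.js sketch of the client-side model the posts above describe, where the vault is encrypted with a key derived from the master password before upload, so the server (and the TLS tunnel) only ever carries ciphertext. The thread names only AES-256; PBKDF2-SHA256, the iteration count, GCM mode, the function names and the sample data are assumptions made for this illustration.

```javascript
// Added illustration of client-side vault encryption; not LastPass's code.
const nodeCrypto = require('node:crypto');

// Assumed parameters: the thread names AES-256 only; KDF, count and mode are chosen here.
const KDF_ITERATIONS = 200000;

// Stretch the master password into a 256-bit key. This runs on the client only.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Encrypt the vault locally; the returned blob is all the server ever receives.
function sealVault(masterPassword, vault) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(vault), 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ciphertext: b64(ciphertext) };
}

// Decrypt locally. A wrong master password gives a wrong key, and the GCM tag check throws.
function openVault(masterPassword, blob) {
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(masterPassword, raw(blob.salt));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw(blob.iv));
  decipher.setAuthTag(raw(blob.tag));
  const plain = Buffer.concat([decipher.update(raw(blob.ciphertext)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Whether a candidate master password opens a copy of the stored blob.
function tryGuess(guess, blob) {
  try { openVault(guess, blob); return true; } catch { return false; }
}

// Constructed sample data: a made-up master password and one made-up site entry.
const MASTER = 'constructed-Master-passphrase-23!';
const serverCopy = sealVault(MASTER, { 'example.com': 'S3cret-site-pw' });
console.log('stored server-side:', Object.keys(serverCopy));
console.log('opens with "Wolfy123":', tryGuess('Wolfy123', serverCopy));
console.log('opens with master password:', tryGuess(MASTER, serverCopy));
```

The blob is identical whether or not the transport is encrypted, which is why the strength of the master password, not the tunnel, decides what a stolen database copy is worth.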