Fill out forms, add checking account protection, credit card, you can also add notes- some websites like banks ask for security questions.
login vie lastpass website... not the plugin, then go to option > show advance settings > Password Iterations = 200000 (or more), and enable grid...
Yeah, fuhget about the Brooklyn bridge to sell ya... Crank that amp all the way up to P for paranoia. LastPass as a browser extension does not need to go through the aforementioned extreme measures to remain secure. Honestly, why bother otherwise. Just because somebody may be able to fiddle and tweak with the advanced settings doesn't make their advice in the least bit necessary; and in this particular case, even beneficial by a long shot.
There are couple downloads in the official site. Tried installer version. Vault shortcut was created on desktop. When I click the shortcut, browser opens. So it stores info local or cloud? Tried Firefox extension. Guess this will store info in the cloud, right? Tried Firefox portable. Does this stores info locally in the Firefox folder or USB folder or info in the cloud? If I use extension only then info will be stored in the cloud only, right?
A copy is always stored locally. When online an encrypted version is downloaded from the cloud and unencrypted locally. Cloud only deals with encrypted data (up/down). https://lastpass.com/how-it-works
I guess this needs LP to be locally installed, right? If only extension is used i.e no local install then data is stored in the cloud only, right? What about portable i.e where is the data stored for portable LP?
No, fax is right in that there is always a local copy somewhere. The cloud is used to store an up to date copy that the local copies are compared to / updated with when the user logs in.
I misunderstood the download section in the official site. I thought there is an installer & extensions too. But universal installer is just a quick way to install LP extensions in all the browser installed. And there is no seperate extension for Internet Explorer & universal installer installs IE extension. And universal installer adds an entry in add/remove & creates desktop shortcut for LP Vault. Where does on system LP stores data? If I use portable Chrome & portable LP for Chrome, where is the data stored i.e the location?
If you have a smart phone then enable two factor authentication (TFA) in LastPass using Google Authenticator. TFA is available in the free version. I would also recommend installing HitmanPro Alert (HMPA). The free version of HMPA will encrypt the data you type into the LastPass browser plugins (like KeyScrambler). FYI the Pro version of LastPass only costs $1/month.
Im not sure of the default settings for lastpass but double check that; "Country restriction" is enabled for only countries that you will use lastpass in. "Disallow Tor Networks" is checked You could increase "password Iterations" Enable 2 step authentication as mentioned previously, highly recommended.
FYI from the LastPass manual: "By default, the x number of rounds that LastPass uses is 5000. LastPass allows you to customize the number of rounds performed during the client-side encryption process. If you log in to LastPass, open your LastPass vault from the LastPass Icon, and launch Account Settings, you will see the “Password Iterations” field displaying the current number of rounds used for your account. Although 5000 is currently the default number of rounds, your number may be lower if your account is older. 5000 rounds provides a good balance between increased security and the inconvenience of longer pauses when logging in to your account. While it’s tempting to point to the number of rounds when comparing implementations of PBKDF2 across services, this is essentially an apples to oranges comparison, as other services may be using SHA-1, which is less computationally intense than SHA-256. In other words, SHA-256 is a more intensive process than SHA-1, so a lower number of rounds can still be a higher level of security against brute-force attacks. In terms of usability, the number of rounds used only affects the process of logging in to your LastPass account. Once you gain access to your account, the implementation of these changes will not affect your browsing experience. Note: LastPass supports a diverse set of platforms which vary greatly in speed. In order to utilize all of them, we recommend you do not exceed 10,000 rounds. A change from 5000 rounds to 10,000 rounds may not be perceptible to you on most platforms. However, while we permit users to increase their rounds all the way to 200,000 rounds, you may start to notice problems when logging in via certain browsers or platforms when you go above 5,000 rounds. For example, Internet Explorer 7 will be very slow with such a higher number of rounds. Logging into m.lastpass.com on a smart phone (where the rounds are done in JavaScript only) may not work at all"
Im sorry, Im not sure where you are going with this. Was this to support my suggestion to increase password iterations, or to leave it as it is? As " In terms of usability, the number of rounds used only affects the process of logging in to your LastPass account. Once you gain access to your account, the implementation of these changes will not affect your browsing experience". regards.
I posted it so people would understand what "password iterations" means. Also 5,000 is the current default but that wasn't always the case, so longtime LastPass users should check that setting and increase the number if necessary (I discovered my number was lower than 5000). Last the notes state that a number larger than 5,000 may cause the LastPass Android app to fail logon so it would be important to test after increasing iterations above 5,000. More generally though the notes don't help us decide how many iterations is enough. How long would it take to brute force a master password encrypted with 5,000 iterations? One year, ten years? I have no idea. What about 100,000 or the max 200,000 iterations? I'm all for more security, but I like to know what the numbers mean.
I don't think that a general answer is possible. It not only depends on the number of the PKBDF2 iterations but also on the quality of your master password, of course. The number of iterations chosen by you ultimately depends on your hardware and on your patience . I'm using 50,000 iterations, and it's still fast enough for my desktop computer and my iPad 4. I'm not using Lastpass on my mobile phone so I don't know if it would be overchallenged. I'm afraid that you have to experiment yourself. EDIT: Here's an interesting discussion with good links.
Thanks, this provides some perspective "Brute Force We start with a 128-bit symmetric key. Assuming the algorithm (e.g. AES) isn't yet broken, we have to look at power consumption. Assuming 100% efficient computation devices whose technology far exceeds any computer, ASIC, graphics card, or other key-cracking device you can dream up, there's a minimum energy requirement for just flipping the bits to count that high. Wikipedia has done the math for us, and it comes out to, for a 128-bit key, the minimum energy requirement demanded by physics is approximately 1018 joules, or 30 Gigawatts for one year. Obviously with "real" hardware, the requirement would be several hundred thousand times that; more than the energy production of the entire world. So that's well outside the capability of any existing terrestrial body. But if we move to a 256-bit key, the math gets more serious. Schneier did the math on this one in Applied Cryptography, and it's been discussed here before. To avoid boring you with repeated details, I'll simply cut to the conclusion: our sun does not produce enough power to accomplish this task." The whole read is here: https://security.stackexchange.com/...terations-to-pbkdf2-provide-no-extra-security
