LastPass

Discussion in 'other software & services' started by khanyash, May 20, 2015.

  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    At the moment what concerns me is not the functionality of LogMeIn, which seems about as good as any other remote access software I've used, but the fact that LogMeIn is often the scammer's choice for accessing and compromising the systems of unsuspecting users. The LogMeIn folks do business with these people. Do they have no responsibility for how their product is misused? See here:

    http://www.troyhunt.com/2012/06/how-logmein-is-enabling-scammers-to.html
     
  2. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    They don't. The only way to decrypt the password was to attack the users' storing it locally. The martinvigo.com report details this (a good read).
    Any password stored locally is vulnerable.
     
  3. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Yes, it can be found here:

    http://www.martinvigo.com/a-look-into-lastpass/
     
  4. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    That's the report I was referring to. Where in it does it say a user's LastPass password can be obtained from LastPass?
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    And how can any company prevent that without making their software too restrictive for the general public? Sure let's blame the tool, not the user.

    And please don't make nonsensical claims devoid of proof like LogMeIn actually doing business with scammers.
     
  6. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    And Linux is the OS of choice. Ban Linux!
    And Windows is typically the target. Let's ban Windows! :eek:

    We'll all be like that author who uses DOS still.
     
  7. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I keep my master & Google passwords on a USB drive that I plug in when I need it.
     
  8. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    The point of LastPass is that you can remember one password and therefore don't have to store it. My LastPass password is in my head and in my fireproof double-locked safe in case something goes wrong with my head.
     
  9. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Joe Siegrist has updated the original blog post mentioned by WSFfan in post #47:

     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Did you read the article that I linked to? The article implies that LogMeIn is complicit with the scammers. The article is making that claim, not me. Perhaps you could comment on what the article states?
     
  11. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    Because you inferred does not mean he implied.

    It is one guy's opinion, based on his complaints not causing an immediate, visible fix in his admittedly narrow view. He's only complained that they must 'do something'.

    He hasn't pointed to a problem anyone can fix. You can't fix the social engineering attack surface with technical means. LogMeIn isn't 'complicit' in anything to do with regards to persons letting a total stranger connect to their computer and the author hasn't suggested such.
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Like @Rolo42 said, the article did not conclusively prove anything other than it is the author's opinion. And even he did not state LogMeIn is doing business with scammers.
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    The usual FUD on LastPass based on opinion and old articles (2014) :thumbd:
     
  14. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    As I understand it I am very secure even if some hacker knows my master password, since I use two factor authentication (Transact) and only allow two physical computers to even log in to LastPass without the second verification. My home and my work computer are the only ones that are allowed to log in without the second authentication. I even have the option in my browser plugin in my main browser at home to remember the password so I am always logged in to LastPass when the browser starts.

    As I see it the only way for someone to use my LastPass, even if he knows my master password, is to sit at some of my desktops that I have allowed. As I see it I can even log in with the two factor authentication on a random internet café and let eventual keyloggers steal my master password and I will be safe after I have logged out from the internet café computer. Am I right?
     
  15. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Not if that hacker is also able to steal your blob from the LastPass servers. 2FA no longer plays a role then...
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    That translated means, if they have physically your database of passwords then they can decrypt it locally with the master password.

    So if a hacker has your master password, first it needs to crack the 2FA to be able to access the second server where your database is stored and hack this one. Ah, I forgot that they may need to spoof your location and/or the unique ID of your registered devices as, since some months, LastPass will reject calls if not from your devices/location.

    Paradoxically it's easier to hack a typical password software that stores all the information locally.
     
    Last edited: Oct 10, 2015
  17. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    As the article stated, that was fixed (they were able to get your QR code to add your account to their 2FA device...which would lock you out of your account if you didn't already have 2FA enabled).
    Until such time, that was a vulnerability. 2FA, like any security mechanism, isn't 100% 100% of the time.
     
  18. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    We need another poll. I would love to know how many users will move away from LastPass or stay as a result of this acquisition. I have no clue about the LogMeIn debacle etc, and after reading all the comments on the LastPass blogs, 99% are against this buyout. So I'm at a loss as to what to do. Stay with LastPass or move onto KeePass or Sticky Passwords. Either way, I think it's best to explore other options nonetheless.
     
  19. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    Why is it even a concern? LastPass is working great today as it did yesterday...
     
  20. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Never said it was not working great. However will it be the case tomorrow, is to me a cause for concern and for a lot of people.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    I also wonder why they decided to buy this service.
     
  22. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I have never heard of this "logmein" before, but reading about it on the net doesn't give good vibes. If this purchase of LastPass has any consequences that I don't like, or that people's worries show to be true and not FUD, I won't hesitate to end my Premium account and look for something else. Before LastPass, back in 2009, I was a Roboform user and might try that again if necessary. I don't mind paying for a good software.
     
    Last edited: Oct 11, 2015
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "I also wonder why they decided to buy this service"

    Their YTD gains and the internet of things group.

    Senior Executives From Under Armour and Symmons Industries Join LogMeIn's Xively IOT Advisory Board

    http://markets.ask.com/ask/quote?Symbol=537:3695053
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Almost blind herd-like behaviour seen here of all places... Guess we should prove LogMeIn is innocent instead of the other way around.
     
  25. Rigz

    Rigz Registered Member

    Joined:
    Jun 28, 2015
    Posts:
    65
    Location:
    Earth
    In the event that I suddenly need to completely get rid of LastPass I have an export of all data locked away in a safe. If my info is that important that someone is going to break in with the equipment to remove an old iron safe from my house then have at it (I must be more important than I had originally thought). In the meantime I'll keep using LastPass until I see how everything plays out.

    Maybe we should pool our money, find a secure data center, hire the LastPass employees when LogMeIn fires them, and create our own company.
     