LastPass

Discussion in 'other software & services' started by khanyash, May 20, 2015.

  1. TS4H

    TS4H Registered Member

    Yes, thanks for that, I should have been more clear. If I remember correctly, the default once upon a time was 2000 iterations, before I increased it to 10000. If you have a long complex master password, the number of iterations IMO can be left at default. Having said that, I have never seen any issues if the number was increased to 10000, even on a smartphone.

    The real problem that we face one day is quantum computing. I remember an article a while ago, maybe 2010, stating that a quantum computer may perform 1 million computations at once while a PC can only perform one at a time. That somehow for a 30 qubit quantum computer equals 10 teraflops (trillion) of computations per second while a current PC can compute 10 gigaflops (billion) of computations per second. There are even plans for a petaflop or exaflop supercomputer. That's trillion x trillion x million computations per second. Absolutely incredible.

    It will be a serious password cracker. But it will be a long time before general consumers have this availability, possibly never, as the energy requirements are extremely large. Unfortunately governments will have this before we do, posing a serious threat to anything password protected.
     
  2. khanyash

    khanyash Registered Member

    When I visit the website, username & password are filled but login is not automatic & I like this behavior.

    On one site, I selected autologin from the LP context menu & now when I visit that site it logs in automatically. How do I revert it to the previous behavior, i.e. username & password filled but not automatic login?

    Is it safe to use LP for banking & online shopping?
     
  3. Victek

    Victek Registered Member

    Open the LastPass vault and click the "edit" button for the specific site. You will see a checkbox where Auto-logon can be toggled. There is also an option to toggle "auto fill".

    I use LastPass for online banking/shopping. I use HitmanPro.Alert to encrypt keystrokes when entering data into websites. It also protects the LastPass plugin. When available, two-factor authentication is advisable too, and the free version of LastPass supports many types (I use Google Authenticator).
     
  4. khanyash

    khanyash Registered Member

    Thanks for the info.

    Autologin is not selected under edit.

    Anyway, I deleted the site & resaved it & it's fine now.

    How do I save the router page?
    The router page doesn't have a username, only a password. I tried saving it, but after login it says invalid password.
     
  5. Victek

    Victek Registered Member

    Have a look at the info that LastPass has in the various fields for the router logon, in particular the URL for the page. I find that sometimes LP doesn't save the info in quite the right form and it has to be edited.
     
  6. khanyash

    khanyash Registered Member

    Ok.

    You mentioned you use HitmanPro Alert & that it encrypts the keystrokes.
    I installed it.
    There is a HitmanPro malware scanner in it too.
    Where is the HitmanPro malware scanner installed? I don't see it in the HitmanPro Alert folder.

    What's the level of encryption?
    I don't know much, but like 128/256 AES, etc.?
     
  7. Victek

    Victek Registered Member

    HitmanPro is downloaded and run by clicking on the "scan computer" tile on the front page of the HMP.Alert UI; it's automatic so no need to install HitmanPro manually (though you can do so if you wish by downloading it separately from surfright.com).

    Sorry, I don't know what level of encryption is used for the keystrokes. By the way, I don't know if the keystroke encryption feature is offered in the free version as part of "safe browsing"; you may want to check that. Also there is a 30 day trial license option for home users.
     
  8. khanyash

    khanyash Registered Member

    What's the difference between the Chrome LP extensions, i.e. the one with binary & the one without binary?

    Which one would be better?
     
  9. Victek

    Victek Registered Member

    Can you say more about this? I'm only seeing one LastPass extension on the Chrome web store.
     
  10. khanyash

    khanyash Registered Member

    https://lastpass.com/misc_download2.php

    Check out the official download page of LP for Win OS.

    I have installed the without-binary one & the Chrome extension page shows version 3.2.7.

    The binary one gives an exe installer.
     
  11. khanyash

    khanyash Registered Member

    Chrome extension - Why are the options accessible & changeable without login?
    Right-click LP icon - Options
     
  12. Victek

    Victek Registered Member

    The options that can be changed without logging in only pertain to the extension, not to the account, so I'm not seeing that as a problem.
     
  13. khanyash

    khanyash Registered Member

    No, the changed options remain changed.
    Without logging in, I checked "Hide context menu".
    I logged in & it was still checked.
    I checked with right-click & the context menu was not there.

    So this seems to be a bug & could be dangerous if the system is shared.
    People can change any options & that could be dangerous.
     
  14. Victek

    Victek Registered Member

    What I meant more specifically is changing the extension options doesn't make the password vault vulnerable. I agree that one user changing settings can be problematic for another user, which is why it's not a good idea to share a Windows user account IMHO. Each user should have their own desktop and create personal settings that don't impact others.
     
  15. khanyash

    khanyash Registered Member

    I agree with you.

    But I do think that, as multiple accounts can be created, the options should be visible only after log-in, i.e. when Options is clicked, the page that opens should ask for the password.
    And the changed settings should be tied to the accounts & not affect other accounts.
     
  16. TS4H

    TS4H Registered Member

    Researchers to crack LastPass and issue report in November 2015

    Here is what they will demonstrate:
    1. How to steal and decrypt the LastPass master password.
    2. How to abuse password recovery to obtain the encryption key for the vault.
    3. How to bypass 2-factor authentication used by LastPass to improve security of accounts.
    Nothing is bulletproof

    The methods that they will use to do so are not revealed in the briefing, but the researchers mention that they have reversed LastPass plugins and discovered several attack vectors in doing so. It is likely that they mean browser extensions by plugins, but it is not clear from the briefing.


    http://www.ghacks.net/2015/09/15/researchers-to-reveal-critical-lastpass-issues-in-november-2015/
     
  17. AutoCascade

    AutoCascade Registered Member

    LastPass claims these vulnerabilities are over a year old and have been dealt with. LastPass also claims they do not have your master password.

    It'll be interesting to see what happens in November.
     
  18. J_L

    J_L Registered Member

    And gaining access to the plugin by the attacker in the first place isn't necessarily an easy feat. Basically, you have to be either hacked or infected, which I doubt many of us experience.
     
  19. TairikuOkami

    TairikuOkami Registered Member

    Time and time again, LP is being hacked (I have stopped counting) and people still trust online password managers. :D
     
  20. phalanaxus

    phalanaxus Registered Member

    I assume you did not read the original article. (GHacks got the time wrong, link below for the original Sept 2014 paper). All of the three points require big IFs to work (they were also fixed).
    http://www.martinvigo.com/a-look-into-lastpass/
    I am not saying LP is bulletproof, however it is quite a bit harder to hack than what you believe it to be. I don't store my credit card etc., but I am perfectly fine using it for mail accounts, etc.
     
  21. Victek

    Victek Registered Member

    Yes, this was added to the ghacks.net article:

    "Update: LastPass contacted us with the following clarification:
    • These reports were responsibly disclosed to our team over a year ago
    • All reports were addressed immediately at that time and do not pose an ongoing risk to LastPass users
    • Users do not need to wait to understand what the reports were about - all of them are covered in Martin's post from last year with the exception of the account recovery report, which was addressed at that time but was not covered in his original blog post
    • It's also worth noting that we explicitly warn users not to use the Remember Password option"
     
  22. WSFfan

    WSFfan Registered Member

  23. Victek

    Victek Registered Member

    From the linked announcement:

    "What does this mean for you as a LastPass user? Great things! We will continue to build and improve LastPass for our free, Premium, and Enterprise customers. Together with LogMeIn, we’ll be able to accomplish more, faster – providing an even better service to millions of people. As we become part of the LogMeIn family over the next several months, we’ll be releasing updates to LastPass, introducing new features, and continuing to grow the service as we work to bring LastPass to millions more who struggle with passwords."

    Typical marketing spin that says nothing. How will LastPass improve from this collaboration? I've never used LogMeIn, but the very negative comments from virtually everyone who responded to that article have put me on alert.
     
    Last edited: Oct 9, 2015
  24. paulderdash

    paulderdash Registered Member

    +1
     
  25. HAN

    HAN Registered Member

    I make use of LogMeIn quite often. I have never had any problems worth mentioning with it. Likewise, LastPass. But, like everyone else that uses these products, there are other alternatives and I would switch if I find it necessary. At this point, I'm happy to see what develops.
     