Everybody has their own flavor... as for me I use LastPass for most of my Internet activities... site login, forums, etc... but for the most critical ones like banking, online shopping, PayPal, etc... I use my own algorithm and never put it online
You don't have to put all your eggs in one basket; only the dull think that. I never use LastPass for important passwords like my email, which is used for recovery purposes. And don't forget about 2-factor authentication.
I guess you missed the OP's original question. So your answer to the OP is "no, I don't trust LastPass enough to store all my passwords". If someone trusts LastPass then why wouldn't they put all their eggs in one basket? They would. You don't because you don't trust LastPass enough.
Over at prism-break they consider LastPass proprietary. https://prism-break.org/en/subcategories/windows-password-managers/ With proprietary anything it's all a matter of trust. That said, I think LastPass is a ton better than nothing. Personally, I use KeePass2 and want to play around more with KeePassX, and maybe Schneier's Password Safe. Having things stored on your own hardware gives you a bit more control. And if your own hardware is compromised with malware or whatever, well, it doesn't matter if your passwords are stored on LastPass or your hard drive, you have to assume someone has them by that point. But use whatever works for you and gets the job done. Any breaches or shady dealings at LastPass would be reported pretty quick, I'd think.
Why would anyone put the password of the email they used to create their LastPass account on LastPass itself? I do trust LastPass more than I doubt it.
Because they trust LastPass and used LastPass to store their ridiculously hard to guess/remember email password. Is that not the intended purpose of LastPass? To store passwords of abnormal complexity? So you admit an element of doubt to the extent where (by your own admission) you don't use it for "important" passwords. That is what the OP wanted an opinion on, to see if people trusted it. If the OP was not asking for an opinion on using LastPass to store "important" passwords then I digress.
I meant the email account they used to create their LastPass account. Of course there is an element of doubt in (virtually) everything, including those you trust.
They were pretty quick last time even if a breach was trivially small. Edit: they were pretty quick last time even if the likelihood of a breach was trivially small.
Leading password expert Jeremi Gosney uses LastPass. https://twitter.com/jmgosney Gosney is CEO of a password-cracking hardware company. Clearly he has good reasons for using LastPass, and it's based on his engineering knowledge of LastPass. https://sagitta.systems/
But not to the extent where I act differently. ~removed analogy which will undoubtedly be used in a straw man~ If the doubt changes someone's behavior (in your case to omit important passwords) then the doubt is not a small one indeed. I might be sounding frivolous now so I will leave it at that.
As the self-proclaimed devil's advocate (me), I say: isn't it in his best interest to promote an all-in-one solution like LastPass, seeing as he owns a company that cracks passwords for the government? That's like an intelligence officer proclaiming he uses stock Android (makes his company's job easier). There are also quite a few Google results on the argument against using a 3rd-party password storage facility if you search for that instead, especially online storage ones like LastPass.
Treating your important password differently from your normal passwords is common sense, not some display of doubt. I know you doubt LastPass, but that doesn't mean you know how others doubt it.
Always a trade-off. I can have nearly 100% secure passwords even against brute-force GPU attacks. However it's not easy to manage them, and they aren't available on all of my devices. So I make a trade-off: less security (how much less is debatable), but I can access my passwords anywhere (w/TFAx2). I've tried nearly unbreakable options, but always end up being inconvenienced by them, so I've learned to use more flexible solutions and make adjustments to increase the security of those flexible solutions. LastPass works, and works well, and with TFAx2 and other methods, such as decaying password rules, etc., helps increase its overall security for me.
Of course, very true; a person's individual idea of convenience and requirements will ultimately decide what route they take. I only use around 30 passwords, so an algorithm stored in my head is a no-brainer. Only through time can we ultimately judge the correctness of our decisions.
Not according to LastPass, which is what this thread is about. I don't claim to know how others doubt it; I only claimed that you did doubt LastPass due to post #27. If I am wrong then why make the statement that you did? You don't doubt LastPass but yet refuse to use them for your "important" passwords?
I think it's highly, highly unlikely your average or even sophisticated hacker will gain access to your LastPass data; the top notch encryption methods in place will prevent that. Not keeping all your eggs in one basket is a valid argument, but it is not one that prevents you from using LastPass. Your most sensitive passwords can be kept in your head or printed to paper and kept in an inconspicuous place in your home, absolutely. However, I still believe my privacy/security would be compromised in other ways before my LastPass account is. It seems at this point if the NSA wants access to your, say, email or bank account, it's going to get it—and not by using your password. Furthermore, if you are being targeted by the government (and not by dragnet), you're already in deep **** anyway.
This is VERY true. For example, even if you have extremely complex passwords and lockdowns on your router/appliance, I can likely still get into it. All of them, including Fortigate, have alarming backdoors in them. Fortigate, for example: I can access your serial number, and then use the 'maintainer' backdoor. In Cisco I can use Bad Secrets to break in. These aren't complex, and certainly aren't the full extent of these. So to compromise these things folks like the NSA don't even really care about your security measures; they walk right through it. It's great to assign a 40-char P/W, disable HTTP/HTTPS/PING/SSH, restrict Admin to Subnet IP, and other crap, but when someone can walk right through as maintainer, you've lost the game before it began. Bottom line: if the big boys want your stuff, they already have it, or can get it almost immediately from the innumerable 'leaks' you already sprung. Now if you take a password database, 2-Cipher it, then toss it on a biometric IronKey you carry in your pocket, then the NSA is out of luck. But you give up some conveniences by doing this, and also you risk losing your data. I've lost many USB sticks over the years, and thankfully they were all encrypted, but it doesn't mean I didn't NEED things on them. For 'general' everyday passwords, LastPass is absolutely sufficient. If you want additional security for more sensitive passwords then develop your own algorithm for those specific ones. One additional tip: you COULD keep algorithm-system passwords in Secure Notes within LastPass. If you develop a proper method, you could keep 'hidden in plain sight' passwords, because you know how they decrypt. Nobody would have a clue what they are, or how to decode them, as they are based entirely on your proprietary method, but there they are, in LastPass's secure vault.
Tell me what LastPass states then. Honestly, there's no getting through stubbornness to the degree of boycott. Let's just say our definition of "trust" and "doubt" are different.
I don't use it right now because I don't need it. I've used it before. Weren't LastPass the pioneers in storing them in the cloud? I'm thinking that most everyone else in that business has been following in their footsteps, including companies that specialize in security. It's not just LastPass that does it that way now. If I needed that service, I think I would trust it enough to use it as long as I was using multi-factor authentication with a strong master password. I don't trust anything 100%.
Says the person who calls those not subscribing to the same philosophy as you "dull". I go by the dictionary definitions.
Marketing 101 duh. The idea of either putting all or none of your eggs in one basket isn't dull now? The dictionary definition is an ideal that isn't realistic. Since it's obviously futile arguing pointless semantics, I will refrain from giving a damn before it gets in my head.
Might want to look up the meaning of dull; surely it's more exciting than dull. Futile now? You gave it a good go though.
Regarding TFA, a practical problem I see is there's no way to use it when the primary device is a smartphone. TFA typically uses the phone to provide the second factor, but for instance if you log into LastPass on the phone there's no secondary device. Has anyone addressed this? The LastPass Android app includes a number of safeguards, such as auto-log-off and PIN protection, but that's after the fact.
As for the cloud: evidence is suggesting the cloud is more secure overall. Compare the breaches/exploits of hosted vs non-hosted infrastructures and you may find the results interesting. Part of the reason the cloud is bearing out as being more secure is because you have a centralized system, with extensive physical security and fully trained experts in intrusion prevention/detection, as well as a consolidated approach to security on several levels. Anyone that has dealt with companies with localized IT and localized security knows it's generally a mess. Nothing is standardized, a wide range of 'gear' is used, and they employ people of varied experience ranging from the total idiot to the guru, and everything in between. The result is often very ugly: severe security lapses, and worse. With cloud/hosted, you often find state-of-the-art equipment, scalable security/threat responses, and highly trained people. It's the same for your passwords to some extent. If you self-host them, are you entirely sure of your capabilities to manage your security, network, and infrastructure? Do you have advanced security measures in place like deep IPS and flow-through scanning? Or are you better off relying on the expertise of people that make it their business to ensure you are 100% secure? I advocate the cloud for the simple reason that I'm a trained cloud engineer (CU, Rackspace, and VMware VCP), and I have seen the difference between competent cloud systems and their specialists vs the consumer, small business, and at times even large corporations with localized IT. Private blocks are almost always more compromised than hosted clouds in my experience.