I have been looking into it, looks pretty good, uses 256-bit AES encryption, I will probably switch to it for both desktop and iPhone as it works with Apple's Touch ID.
I don't think intruders can crack my master password and I am using 100,000 iterations, this is way past embarrassing, I always have been leery of keeping passwords on servers but it is their responsibility to use adequate security... it seems they have fallen short.
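The post above leans on its 100,000-iteration setting. The following is an added example (not code from any poster or from LastPass) that assumes PBKDF2-HMAC-SHA256 as the master-key derivation, times one derivation on the local machine, and turns that into a rough attacker cost for a master password of an assumed entropy; all salts, passwords and entropy figures are constructed for illustration.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256, assumed here as the master-key derivation (not taken from any vendor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, length)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation on this machine (a single-core cost floor)."""
    salt = b"constructed-salt"          # constructed value, not a real vault salt
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("constructed-master-password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def years_to_exhaust(entropy_bits: float, per_guess: float, parallel_guessers: int = 1) -> float:
    """Expected years to find a password of the given entropy: half the keyspace, one guess each."""
    expected_guesses = (2.0 ** entropy_bits) / 2
    return expected_guesses * per_guess / parallel_guessers / SECONDS_PER_YEAR


def iteration_cost_table(counts, entropy_bits: float = 40.0, parallel_guessers: int = 1) -> dict:
    """Map each iteration count to (seconds per guess here, expected years to crack)."""
    table = {}
    for n in counts:
        per_guess = seconds_per_guess(n)
        table[n] = (per_guess, years_to_exhaust(entropy_bits, per_guess, parallel_guessers))
    return table


if __name__ == "__main__":
    # Constructed scenario: a 40-bit master password, one attacking core.
    for n, (per_guess, years) in iteration_cost_table([5000, 100_000]).items():
        print(f"{n:>7} iterations: {per_guess*1000:7.2f} ms/guess -> ~{years:,.0f} years")
```

The printed figures depend on the machine; the point is the linear scaling, which is why raising the iteration count (and the password entropy) is the user-side control over an offline attack on a stolen vault.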
I've been using it on Windows for over 2 years now, on Android and iOS as well, and it works great for me. I don't use Dropbox to store my database - only a local copy. WiFi synchronisation between my devices - simply - great solution that fits me best.
I use KeePass + Syncthing to synchronize my password database among my various devices. Syncthing is a peer-to-peer application, so nothing is stored on a central server outside of the user's control. All communications between devices are TLS encrypted in transit.
I wouldn't assume that they were somehow remiss. Hacking is becoming more and more sophisticated. Two factor authentication is a necessity IMHO and it can be implemented in the free version of LastPass. The PC Mag article is a good read, as it points out the importance of not only a strong password but an obscure password hint. You can harden LastPass by going into advanced settings and enabling features such as country restriction and auto-logoff options. There is also the LastPass security challenge which goes through all of the website credentials in your "vault" to find weak and duplicate passwords.
AES does multiple rounds of transforming each chunk of data, and it uses different portions of the key in these different rounds. The specification for which portions of the key get used when is called the key schedule. The key schedule for 256-bit keys is not as well designed as the key schedule for 128-bit keys. And in recent years there has been substantial progress in turning those design problems into potential attacks on AES-256. Nonetheless, AES-256 is being widely deployed since it conveniently lies at the intersection of good marketing and pragmatic security. In upgrading from AES-128 to AES-256 vendors can legitimately claim that their products use maximum strength cryptography, and key lengths can be doubled (thus squaring the effort for brute force attacks) for a modest 40% performance hit.
Also notice that there's nothing published or commented in the news to suggest that LastPass was/is at fault. All the posters here that all of a sudden need to jump ship with an "alternative" remind me of a bunch of drama queens on a deliriously tasteless soap opera that need a revenge date to show their bewildered ex a thing or two.
The article says it was password reminders that were stolen. This doesn't surprise me, password reminders are often child's play to crack, exponentially less secure than the password itself. I prefer to use local storage, KeePass is very good. The same encrypted store works on both the Windows version and the Linux KeePassX.
They've been looking hard and digging around. All good journalists thrive for the story that burns so if LastPass could be implicated as being negligent or at fault in any way, they would've jumped on that schytte like white on proverbial rice. And now, back to the Days of our Hives. p.s. & btw @Nanobot... BV was, like, one of the best movies ever.
I expect you're correct that many people don't understand that the password reminder must be only a hint so as not to make it easy to guess the password. More generally the problem is making password managers usable for people with limited skills. Ideally you would eliminate potential attack vectors such as a password reminder option, but too many people can't do without. This isn't the fault of the password manager though. LastPass can be made much more secure if the user understands the mechanisms and best practices.
I agree with you that it's better to manage and store personal or sensitive data yourself than risk exposing that data across third-party systems. The only flaw with this logic is that fundamentally the operating system, hardware, and all of the software running on your computer is essentially third-party. So regardless of whether you store information client-side or server-side, you are always at risk of exposing your personal and sensitive data to some other third party. The determining factor here is going to come down to what is more important to people: the convenience of accessing their credentials and other data from anywhere or the security and privacy of their data. The previous discussion on password managers made this point pretty clear, as some users insisted on the convenience of LastPass, Dashlane, or some other solution, while others insisted on using memorization techniques to eliminate the need almost entirely. I think the argument is moot, considering a keylogger or an implementation failure (i.e., the federal government's storage of DoD employees' personal data in plaintext) server-side is all someone needs to access your data. If you can avoid sensitive activities online, then you should do so. But it's good to stay on top of these types of events when planning for the future. Sorry to hear that this happened. Hopefully LastPass users are not negatively impacted too much. Never hurts to change login information after an event like this.
If your equipment is compromised, it's not going to make much difference what you use. For websites, there's no real way around the browser handling the password, even if it's not storing it. There isn't much any of us can do about how any given site or server stores passwords. The big difference is that if one of those sites gets hacked, only the data you have there is at risk. With a password manager that uses online servers, a hack there can expose everything. The convenience factor doesn't make a lot of sense to me. How hard is it to put a copy of your passwords on each of your devices? Is it that much more difficult than installing an application that makes them available on the same device? IMO, password managers are an unnecessary addition to your attack surface, part of which is beyond your control.
For me, this arrangement works quite well. https://www.wilderssecurity.com/thr...-using-for-windows.232660/page-4#post-2364977 The padding system for this has been modified since that post.
If you must store PWs, why not locally in an encrypted container/folder, e.g. AxCrypt/7-Zip etc. Just remember 1 master PW to open it. Even a long one can be remembered, if you think about how to easily do it!
If you look at the LastPass forums there are people locked out of their accounts, people who haven't been able to change their master password - which was also the case for me. I created a new account after deleting my account and imported the CSV file from my USB stick. If I had been able to change my master password right off I would have stopped there. After seeing Kaspersky's own network being hacked without them knowing it for months I'm not sure anything is really safe. Just being cautious on my end.
Indeed. It is the 4th or 5th time LastPass has been hacked, but people will keep using it, because it is much more convenient compared to offline solutions.
A bit of clarification from LastPass: https://blog.lastpass.com/2015/06/lastpass-security-notice.html/ I do not really understand all the panic around and the rush to use other systems.
Official statements usually lie, but people tend to believe them, because that is what they are expected to do. No company would admit a failure, it would ruin their business, even if the proofs are well known and obvious.
@TairikuOkami In general and to varying degrees, your above-captioned "statement" does not apply to LastPass's country of origin. Nice try, though.