LastPass Vulnerability Exposes Account Details

Details on this here: https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details

I have never really liked the whole idea of Lastpass anyway. The idea of my passwords encrypted or not being stored in a "cloud" = bad idea for me. I use keepass but I have my keepass database saved on a networked shared hard drive so that I can sync my passwords on all my computers easily. My question is is this safe? or should I be worried about an exploit that could access my passwords possibly? My home network is behind a firewall. Would I be better just saving the keepass database locally on my computer or is syncing with a network shared hard drive safe?

 

Wow, great that it's reported and fixed quickly.

As for your KeePass question, make sure it's encrypted with a secure algorithm.

I like LastPass, because it's very convenient for me, and works everywhere.

 

I don't like the idea of keeping the password for your online bank account ( or some other important info) on a website that you can only access only if you have web access and what if you lose your job or some other thing and can't afford to pay for web access in todays economy this can happen.

 

Looks like you havent even used LastPass before, Please educate yourself by visiting the Lastpass website, your Data is also stored in an encrypted file on your Computer using 256-bit AES Encryption, they also have Portable versions you can install on a USB to work with Firefox Portable or Crome Portable..... The reason passwords are stored encrypted on their servers is so that you can access your passwords anywhere, and if your HD crashes and you dont Backup to an external drive then you always have a backup of your lastpass data you can access and or restore to another computer....

 

I use Lastpass and have been for a year or so. The best thing about Lastpass is that there are many options. I use multifactor authentication in Lastpass so that my data is protected if there are unfortunate eventualities in LP's security.

There are multiple types of multifactor authentication that LP offers and they are all nice such as the usb key fob and the grid.

 

Wow.. scary. That is why I use offline Sticky Password.

 

How do you propose to do your online banking if you don't have web access??

 

I'd be lost without LastPass. It's a saviour for me

 

Yep, same here

They have implemented several security improvements. Nevertheless, as a Firefox user it's always wise to use Noscript with its XSS protection. BTW: Noscript adds HSTS to FF 3 whereas FF 4 supports that by default.

 

Between home and work, just too many passwords for me to remember

NoScript is working out great for me, as opposed to past usage where I gave up too quickly and uninstalled it. I make good use of the middle-click WOT lookup feature to aid me in my decision making

 

You don't have to use LastPass (or any other password manager) on those accounts.

 

I use keepass .
@warlockz No I never have used LastPass before.

 

Me too. I have been using it for a while now and it has become one of my favorite Firefox addons.

 

From Password service locks out hackers:

 

I use Sticky Password as well. By far the most convenient password manager I have tried. You couldn't pay me to keep my passwords online.

 

I use it too... and there is a free limited version ..see if you like it.
http://www.stickypassword.com/products

 

me to love lastpass, email them of any issues they are great !. I love the fact i can go to any pc, install it and there is all my passwords!

 

Looks interesting, but unfortunarely it's not available for Linux which I'm using.

Regarding the recent LastPass XSS hole and a comment by Steve Gibson see also this posting of mine.

 

Thanks for posting this. Read it this morning and read the updates to it this afternoon. WOW. They are getting slammed, as everyone off loads their passwords.

Wonder if they will post what their anomalies were? was or will just sweep it under the rug.

---

So KeePass is the general consensus?
How do you get it to autologin as sleekly as LastPass?

 

Not surprising at all. This can happen to any website, including you e-mail, bank, etc.

 

You're only in danger if you're using a weak master password (which would be rank stupidity). Users with a strong password have nothing to fear.

This article summarizes it nicely.

 

Having tried LastPass, there is no prompt from the program concerning what Password you select. In fact it will gleefully accept any password you put in it. While I know many that would know better I equally know many that wouldn't know a Strong Password from a Weak Password. So a prompt from the program itself would be a nice benefit going forward.

Saw this link on another forum, CEO explains possible leak,

http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html

 

How about you "security experts / paranoid people" stop being lazy to type-in your passwords and stop using all sort of "unbreakable" password containers. Keep the password in your head, yes even if it is complicated to remember. If you are afraid of key-loggers, use onscreen keyboards. I never understood this concept of having 100+ security applications on a machine because some "NSA people" might want to inspect what kind of adult stuff you have on it and what pirated music you listen to, but when it comes to passwords then the paranoid ones find it sooo convenient to have something typing their passwords for them.

 

+1.