Discussion in 'other software & services' started by Rainwalker, Oct 20, 2014.
I know it has been around awhile. Would you trust it?
Steve Gibson gives a thorough review here. I use it and trust it.
Or rather, 'do you trust the concept of putting all your eggs in one basket?'
I do, because I use it, but whether I should is another matter. The case has been made by the LastPass folks and other security professionals for the measures it uses to secure and encrypt your data. I would never worry about a hacking attempt or anything like that on the LastPass data servers, and given that I am the only one who will ever have the key to decrypt my data, I wouldn't worry about it (my database) falling into the wrong hands (court order, or by some nefarious actor). I think there's a better chance my PC would be physically compromised before my LastPass account is. They also have good data redundancy.
A key has to be stored somewhere. Seeing as how stronger military systems have been compromised, it's a case of 'when' not 'if'. I hope it does not happen in your lifetime.
I use it and trust it.
On second thought...
I've been using it for years now. I trust it more than a lot of other software I use, including the OS I use it on.
Do I trust LastPass? Sort of. Do I trust other solutions more? Without a doubt.
However, usability of LastPass is one of the best, and for that reason I use it. There are more secure options, such as KeePass w/local storage, or KeePass w/encrypted zero-knowledge cloud. But for raw usability and convenience, nothing seems to beat LastPass these days. Also, LastPass has become quite profitable, and any breach would likely destroy them as a company. So knowing this, I think they will do whatever they can to protect their customers and customer data. It would be corporate suicide if they were ever exposed being complacent, or involved with any NSA snooping. It would be instant suicide if they were ever breached. Few companies related to this type of thing ever fully recover if they are breached, or have lapses in security.
So given all of that, LastPass is a good option.
What do you mean by trust? Do you mean can the company be trusted, or the software?
Password managers dramatically improve security IMHO. LastPass enables me to have a different password for every site logon without the burden of remembering them all or writing them down, etc. The potential weakness is the master password; to protect it I use two factor authentication. It is very hard to keep passwords unique and organized without this kind of system. Most people just keep reusing the same password or if they change them they later forget and have to go through a password recovery process. Which option sounds more secure to you?
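The post above rests on the vault design that several earlier replies also assume: the master password never leaves the client, the service stores only ciphertext plus a separate login value, and a wrong master password simply fails to decrypt. The block below is an added illustration of that layout, not LastPass's code and not taken from the thread; the account identifier, master password, vault contents and KDF round count are constructed, and the HMAC-based stream cipher stands in for the AES a real vault would use so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Work factor for the client-side KDF. Constructed value for this example; a real
# service tunes this to its threat model and raises it over time.
KDF_ROUNDS = 100_000


def derive_vault_key(master_password: str, account_id: str, rounds: int = KDF_ROUNDS) -> bytes:
    """Turn the master password into the key that encrypts the vault.

    The account identifier is the salt, so two users with the same master
    password still get different keys. This runs on the client only.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               account_id.lower().encode(), rounds, dklen=32)


def derive_login_token(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to prove it knows the master password.

    One further one-way step on top of the vault key: the server can store and
    compare this value, but cannot run it backwards to recover the vault key.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode. Illustration only: a real vault uses AES.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(vault_key: bytes):
    # Separate keys for confidentiality and integrity, both derived from the vault key.
    enc_key = hmac.new(vault_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(vault_key)
    if len(blob) < 48:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo():
    """Walk through the flow and return what each party ends up holding."""
    account = "user@example.com"              # constructed
    master = "correct horse battery staple"   # constructed
    vault = b'{"gmail.com": "k9#Qv2!pLw8z"}'  # constructed vault contents

    vault_key = derive_vault_key(master, account)
    login_token = derive_login_token(vault_key, master)
    blob = encrypt_vault(vault_key, vault)

    # The service stores only these two values; neither is the vault key.
    server_side = {"login_token": login_token, "vault_blob": blob}

    # The right master password decrypts; a wrong one fails the integrity check.
    wrong_key = derive_vault_key("correct horse battery stapler", account)
    return {
        "roundtrip": decrypt_vault(vault_key, server_side["vault_blob"]),
        "wrong_password": decrypt_vault(wrong_key, server_side["vault_blob"]),
        "token_reveals_key": login_token == vault_key,
    }
```

The point the poster makes about the master password being the weak spot shows up directly here: everything the server holds is derived from it through a deliberately slow KDF, so the guessing cost of that one password (and the second factor guarding the login) is what stands between a stolen blob and the plaintext.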
I don't trust the idea of passwords being stored online. I prefer to store them on my computer and back them up on an external HDD.
100% agreement! The level of security these offer for the normal user is fantastic. The alternatives are much less secure. If everyone used some sort of password manager we'd have far fewer compromises, namely because, as in the case of the recent Dropbox leak, people often use the same password at multiple locations, allowing one breach to escalate into dozens, sometimes hundreds. A password manager effectively eliminates cascading breaches. A password manager also allows you to use stronger recovery methods; for example, you can use long strings for security questions rather than 'the last job I had' or 'my dog's name', which can be ascertained through social engineering.
Those are just a few things, but many more benefits are evident.
Yes, but by whom? Cyber warfare between nation states is a little different from hackers trying to steal credit card numbers from online retailers. It's more important to look at how systems are compromised. For instance, the latest hacking round of retailers, such as Target, brought to light how antiquated the card payment system is in the U.S. This has been known for years, but it took a big theft to force the industry to begin upgrading to the more secure "chip and pin" system (definitely not perfect, yet far better than current magnetic strip technology). Using LastPass combined with two factor authentication on all sites that support it (and to protect the LastPass master password) is very secure in comparison.
But again, one of the best protections from this is to prevent harvesting of data.
Each breach yields millions more breaches. Why? People without password managers tend to use 'similar' passwords, or variations of the same password. So that 7 million Dropbox leak is a treasure trove of information leading into countless Gmail, Facebook, and other accounts. Then once into Gmail they can access further accounts by engineering the account, and then using recovery methods. People seem to have no idea how this happens, and how suddenly 'everything' is compromised that they use. The value of a PW manager cannot be overstated IMO.
Even a lousy PW manager is better than no PW manager.
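The cascading-breach mechanism described in the two posts above ("similar" passwords and variations of one password) is exactly what a password manager's audit feature looks for in a vault. The following is an added example of such an audit, written for this thread rather than taken from LastPass or any other product; the vault entries are constructed and the similarity threshold and domain-prefix heuristic are choices made for the example.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample of a vault export as (site, password) pairs.
# Made-up values for illustration; none are real credentials.
SAMPLE_VAULT = [
    ("dropbox.com", "Summer2014!"),
    ("gmail.com", "Summer2014!"),          # exact reuse of the dropbox password
    ("facebook.com", "Summer2015!"),       # one-character variation
    ("bank.example", "Summer2014!bank"),   # same stem with the site name appended
    ("twitter.com", "Rose42!twi"),         # password built from the domain's first letters
    ("forum.example", "jEXCwhfvn7TpnD8XhacR"),  # random
    ("shop.example", "k9#Qv2!pLw8z"),      # random
]


def similarity(a: str, b: str) -> float:
    """Case-insensitive similarity in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def site_stem(site: str) -> str:
    """First three letters of the leftmost domain label, e.g. 'twi' for twitter.com."""
    return site.split(".")[0][:3].lower()


def audit(entries, threshold: float = 0.8):
    """Report exact reuse, near-duplicate passwords, and passwords that embed the site name.

    Returns site names only, never the passwords themselves, so the report can be
    shared without leaking secrets.
    """
    # Exact reuse: group sites by identical password.
    by_password = defaultdict(list)
    for site, password in entries:
        by_password[password].append(site)
    reuse_groups = sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)

    # Near duplicates: pairwise comparison of distinct passwords.
    similar = []
    for i, (site_a, pw_a) in enumerate(entries):
        for site_b, pw_b in entries[i + 1:]:
            if pw_a == pw_b:
                continue  # already reported as exact reuse
            ratio = similarity(pw_a, pw_b)
            if ratio >= threshold:
                similar.append((site_a, site_b, round(ratio, 3)))

    # Site-derived passwords: a leak of one reveals the pattern for the others.
    site_derived = [
        site for site, password in entries
        if len(site_stem(site)) == 3 and site_stem(site) in password.lower()
    ]

    return {"reused": reuse_groups, "similar": similar, "site_derived": site_derived}


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    print("Exact reuse:", report["reused"])
    print("Near duplicates:", report["similar"])
    print("Site-derived:", report["site_derived"])
```

Only the randomly generated entries come through clean; every password that a person could "remember" by varying a base word or splicing in the site name is flagged, which is the failure mode the Dropbox example in the thread turns into dozens of follow-on account takeovers.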
I couldn't agree more. I think the social engineering aspect is even less understood than the same/similar password problem. Online password reset mechanisms are essentially back doors for hackers. The "security question" model is ridiculously flawed. How many people understand this and answer the "questions" with unrelated, complex "answers" that can't be found via Google or Facebook search and store them in a password manager? My guess is not many.
My security question answers generally look something like this: jEXCwhfvn7TpnD8XhacR
No need for nations to get involved; I guess you missed the story about this guy.
Just being the devil's advocate here, I don't feel comfortable and I go back to the analogy (putting all your eggs in one basket).
I personally think having an algorithm stored in your brain is more convenient and ultimately safer than storing it in bits and bytes, where the potential for a breach is infinitely greater than having your memories hacked. I just use the first 3 letters of the domain to finish the algorithm (the algorithm is the only thing I need to remember). The outcome of the password is different for every service. You can make the algorithm as complicated or as simple as you like.
Edit: I genuinely hope I don't get to say 'I told you so' in the near or distant future.
I agree, I also don't like it. I've checked out the Opera extension to see what all the fuss is about, but I got turned off when I had to sign in.
WAY too much work.
I store 1,600 passwords. Having them all in my head may work for a few, and be an annoyance at times. But it's sheer lunacy for 1,600.
At no point did I say you need to remember multiple passwords; you only need to remember the algorithm (singular).
You don't need to remember the area of every circle, you just need to remember what Pi is. Similar concept.
However, if using a password manager is more convenient than remembering a single algorithm (and for 1,600 passwords I can see why), then more power to you.
I use an algorithm for my passwords also. This way I can "remember" many passwords and don't have to use the same password for multiple logins. I use an offline password manager only for storage purposes.
That's fine if you have a good system in place. For instance, do you have redundancy? If you have a power surge/lightning strike and the computer and external disk become toast, do you have an off-site backup? Are your password backups encrypted, and if so, how/where do you store a copy of the password to decrypt them? A service like LastPass handles all of this.
The external disk is not connected to the computer. I connect it only when I make a backup. I have an additional encrypted backup in another location, just in case of fire... Passwords are encrypted by KeePass and TrueCrypt. Both passwords for decryption are stored only in my head. I understand that an online service can be convenient, but with passwords I prefer safety over convenience.