Do You Trust LAST PASS

Discussion in 'other software & services' started by Rainwalker, Oct 20, 2014.

  1. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    Everybody has their own flavor... as for me I use LastPass for most of my Internet activities... site logins, forums, etc...
    but for the most critical, like banking, online shopping, PayPal, etc., I use my own algorithm and never put it online.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    You don't have to put all your eggs in one basket; only the dull think that. I never use LastPass for important passwords like my email, which is used for recovery purposes. And don't forget about 2-factor authentication.
     
  3. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    I guess you missed the OP's original question. So your answer to the OP is 'no, I don't trust LastPass enough to store all my passwords'. If someone trusts LastPass then why wouldn't they put all their eggs in one basket? They would. You don't because you don't trust LastPass enough.
     
  4. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Over at prismbreak they consider LastPass proprietary. https://prism-break.org/en/subcategories/windows-password-managers/ With proprietary anything it's all a matter of trust. That said, I think LastPass is a ton better than nothing. Personally, I use KeePass2 and want to play around more with KeePassX, and maybe Schneier's Password Safe. Having things stored on your own hardware gives you a bit more control. And if your own hardware is compromised with malware or whatever, well, it doesn't matter if your passwords are stored on LastPass or your hard drive; you have to assume someone has them by that point.

    But use whatever works for you and gets the job done. Any breaches or shady dealings at LastPass would be reported pretty quick I'd think.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Why would anyone put the password of the email they used to create their LastPass account on LastPass itself? I do trust LastPass more than I doubt it.
     
  6. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    Because they trust LastPass and used LastPass to store their ridiculously hard to guess/remember email password. Is that not the intended purpose of LastPass? To store passwords of abnormal complexity?

    So you admit an element of doubt to the extent where (by your own admission) you don't use it for 'important' passwords. That is what the OP wanted an opinion on, to see if people trusted it. If the OP was not asking for an opinion on using LastPass to store 'important' passwords then I digress.
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I meant the email account they used to create their LastPass account. Of course there is an element of doubt in (virtually) everything, including those you trust.
     
  8. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    They were pretty quick last time even if a breach was trivially small.

    edit-
    They were pretty quick last time even if the likelihood of a breach was trivially small.
     
    Last edited: Oct 21, 2014
  9. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Leading password expert Jeremi Gosney uses LastPass.

    https://twitter.com/jmgosney

    Gosney is CEO of a password cracking hardware company. Clearly he has good reasons for using LastPass, and it's based on his engineering knowledge of LastPass.

    https://sagitta.systems/
     
  10. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    But not to the extent where I act differently. ~removed analogy which will undoubtedly be used in a straw man~ If the doubt changes someone's behavior (in your case to omit important passwords) then the doubt is not a small one indeed.

    I might be sounding frivolous now so I will leave it at that.
     
  11. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    As the self-proclaimed devil's advocate (me), I say: isn't it in his best interest to promote an all-in-one solution like LastPass, seeing as he owns a company that cracks passwords for the government? That's like an intelligence officer proclaiming he uses stock Android (makes his company's job easier). There are also quite a few Google results on the argument against using a 3rd party password storage facility if you search for that instead, especially online storage ones like LastPass.
     
  12. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
  13. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Treating your important password differently from your normal passwords is common sense, not some display of doubt. I know you doubt LastPass, but that doesn't mean you know how others doubt it.
     
  14. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Always a trade off.

    I can have nearly 100% secure passwords, even against GPU brute force. However, it's not easy to manage them, and they aren't available on all of my devices. So I make a trade-off: less security (how much less is debatable), but I can access my passwords anywhere (w/TFAx2). I've tried nearly unbreakable options, but always end up being inconvenienced by them, so I've learned to use more flexible solutions and make adjustments to increase the security of those flexible solutions. LastPass works, and works well, and TFAx2 and other methods, such as decaying password rules, etc., help increase its overall security for me.
     
  15. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    Of course, very true; a person's individual idea of convenience and requirements will ultimately decide what route they take. I only use around 30 passwords, so an algorithm stored in my head is a no-brainer. Only through time can we ultimately judge the correctness of our decisions.
     
  16. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    Not according to LastPass, which is what this thread is about.

    I don't claim to know how others doubt it; I only claimed that you did doubt LastPass due to post #27. If I am wrong then why make the statement that you did? You don't doubt LastPass but yet refuse to use them for your 'important' passwords?
     
  17. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    74
    I think it's highly, highly unlikely your average or even sophisticated hacker will gain access to your LastPass data; the top notch encryption methods in place will prevent that. Not keeping all your eggs in one basket is a valid argument, but it is not one that prevents you from using LastPass. Your most sensitive passwords can be kept in your head or printed to paper and kept in an inconspicuous place in your home, absolutely.

    However, I still believe my privacy/security would be compromised in other ways before my LastPass account is. It seems at this point if the NSA wants access to your, say, email or bank account, it's going to get it—and not by using your password. Furthermore, if you are being targeted by the government (and not by dragnet), you're already in deep **** anyway.
     
  18. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    This is VERY true. For example even if you have extremely complex passwords, and lockdowns on your router/appliance, I can likely still get into it. All of them, including Fortigate have alarming backdoors in them. Fortigate for example I can access your serial number, and then use 'maintainer' backdoor. In Cisco I can use Bad Secrets to break in. These aren't complex, and certainly aren't the full extent of these. So to compromise these things folks like the NSA don't even really care about your security measures, they walk right through it. It's great to assign a 40char P/W, disable HTTP/HTTPS/PING/SSH, Restrict Admin to Subnet IP, and other crap, but when someone can walk right through as maintainer, you've lost the game before it began. Bottom line - if the big boys want your stuff, they already have it, or can get it almost immediately from the innumerable 'leaks' you already sprung.

    Now if you take a password database, 2-Cipher it, then toss it on a biometric ironkey you carry in your pocket, then the NSA is out of luck. But you give up some conveniences by doing this, and also you risk losing your data. I've lost many USB sticks over the years, and thankfully they were all encrypted, but it doesn't mean I didn't NEED things on them.

    For 'General' everyday passwords, LastPass is absolutely sufficient. If you want additional security for more sensitive passwords then develop your own algorithm for those specific ones. One additional tip.. You COULD keep algorithm-system passwords in Secure Notes within LastPass. If you develop a proper method, you could keep 'hidden in plain sight' passwords, because you know how they decrypt. Nobody would have a clue what they are, or how to decode them, as they are based entirely on your proprietary method - but there they are - in LastPass's secure vault.
     
    Last edited: Oct 21, 2014
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Tell me what LastPass states then.

    Honestly, there's no getting through stubbornness to the degree of boycott. Let's just say our definition of "trust" and "doubt" are different.
     
  20. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    262
    I don't use it right now because I don't need it. I've used it before.

    Weren't LastPass the pioneers in storing them in the cloud? I'm thinking that most everyone else in that business has been following in their footsteps, including companies that specialize in security. It's not just LastPass that does it that way now.

    If I needed that service, I think I would trust it enough to use it as long as I was using multi-factor authentication with a strong master password. I don't trust anything 100%.
     
  21. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    Says the person who calls those not subscribing to the same philosophy as you 'dull'. I go by the dictionary definitions.
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Marketing 101 duh. The idea of either putting all or none of your eggs in one basket isn't dull now? The dictionary definition is an ideal that isn't realistic. Since it's obviously futile arguing pointless semantics, I will refrain from giving a damn before it gets in my head.
     
  23. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    Might want to look up the meaning of dull; surely it's more exciting than dull. Futile now? You gave it a good go though.
     
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,088
    Location:
    USA
    Regarding TFA a practical problem I see is there's no way to use it when the primary device is a smartphone. TFA typically uses the phone to provide the second factor, but for instance if you log into LastPass on the phone there's no secondary device. Has anyone addressed this? The LastPass android app includes a number of safeguards, such as auto-log-off and PIN protection, but that's after the fact.
     
    Last edited: Oct 22, 2014
  25. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    As for the cloud. Evidence is suggesting the cloud is more secure overall. Compare the breaches/exploits to hosted vs non-hosted infrastructures and you may find the results interesting. Part of the reason the cloud is bearing out as being more secure is because you have a centralized system, with extensive physical security, and fully trained experts in intrusion prevention/detection, as well as a consolidated approach to security on several levels. Anyone that has dealt with companies with localized IT, and localized security knows it's generally a mess. Nothing is standardized, a wide range of 'gear' is used, and they employ people of varied experience ranging from the total idiot to the guru, and everything in between. The result is often very ugly, severe security lapses, and worse. With cloud/hosted, you often find state of the art equipment, scalable security/threat responses, and highly trained people.

    It's the same for your passwords to some extent.. If you self-host them, are you entirely sure of your capabilities to manage your security, network, and infrastructure? Do you have advanced security measures in place like deep IPS, and Flow Through scanning? Or are you better off relying on the expertise of people that make it their business to ensure you are 100% secure? I advocate the cloud for the simple reason I'm a trained cloud engineer (CU, Rackspace, and VMware VCP), and I have seen the difference between competent cloud systems, and their specialists vs the consumer, small business, and at times even large corporations with localized IT. Private Blocks are almost always more compromised than hosted clouds in my experience.
     