Input on my setup; thinking about LastPass

Discussion in 'other anti-malware software' started by moho, Jun 26, 2012.

Thread Status:
Not open for further replies.
  1. moho

    moho Registered Member

    Joined:
    Jun 26, 2012
    Posts:
    2
    First, thank you for these forums. I've lurked for a few years, but have never posted. The "what's your current setup" thread has been very helpful. Your site and Gizmo's are life-savers.

    Purpose for my post: I'm considering the use of a password manager (LastPass, KeePass, or Dashlane). Right now I just keep a pen and paper list, which is probably the most secure, but the inconvenience is starting to get to me.

    I'm relatively paranoid (maybe a 6 or 7 out of 10) when it comes to security, though, so if I'm going to do this, I feel like I need to take some extra steps to protect my system. This is where I'd like some helpful input. My knowledge-level is probably intermediate.

    Here is my current setup:
    -Antivirus >> Avast/ Windows Defender (not sure if this counts, lol)
    -HIPS >> WinPatrol Free
    -On Demand Scanning >> MBAM, SAS
    -Browser (Firefox) Protection >> NoScript, AdBlockPlus, WOT, Keyscrambler, & Better Privacy ; always in Private Browsing Mode

    I've also recently downloaded Neo's SmartKeys, which is really great, though I don't think I'll be able to use the "Hidden Mouse" mode as I just can't tell what key I'm hovering over. That's a problem for the anti-screen capture feature it is supposed to have.

    We have 2 networked PCs in the house via wireless, using WPA2-PSK encryption, and a crazy-a** password. ShieldsUP says that we are good.

    Basic Question:
    What is missing from my setup that would be smart for me to have if I'm going to make this transition?

    I'm trying to walk the line between enough security to make any attack very unlikely, and not so much security that programs will start to conflict with each other, bog down my system, etc. Caveat: any software suggestions must be free, as money is too tight right now.

    A few specific concerns:

    1. I feel like I might need more real-time monitoring for malware like keyloggers, screen/clipboard captures, etc. I couldn't find any solid info online about how effective WinPatrol is at monitoring this stuff. Is it sufficient? I've checked out Malware Defender, and it seems like it might be a bit much. Threatfire also seems popular over on Gizmo's, but with Symantec owning it now, I'm not willing to go there.

    2. Firewall? I use the Windows Firewall & the one on our router. Would another be a good idea, or just more complicated and prone to conflicts?

    3. Do I need additional precautions for online banking? I was just reading something about Trusted "something" and PrevX (?) and hadn't heard of them before. I figured everything I was already doing was sufficient :doubt:

    4. When on non-trusted computers, is a portable browser + portable LastPass + portable Neo's Keys on a pen drive the best way to go? This is the situation that concerns me the most, and I want to minimize my risk as much as possible. Does anyone know if anything involving LastPass is put on the local HDD in this situation? I'm only talking if I log into a website via LastPass, not logging into LastPass itself. I was having trouble finding an answer to this, as well -- might have to post on their forums if nobody here knows.

    Thanks to anyone who comments :)
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not very secure, no. That means anyone who finds the paper has access to everything. LastPass basically takes the 'pen and paper' idea but encrypts it with a master password so they need the pen, paper, and password.

    LastPass is a great solution and I highly recommend it. Check out the settings, specifically how many rounds of PBKDF2 you use, and make sure your master password has a full character set with 12+ characters.

    I also suggest you use EMET as I see you haven't yet. It's probably the single best tool for preventing exploits on Windows.
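The PBKDF2 round setting mentioned above, as an added example that is not from this thread or from LastPass itself: a simplified model of deriving a vault key from a master password with PBKDF2-HMAC-SHA256, plus a check for the "12+ characters, full character set" advice. The salt (the account e-mail), the 32-byte key length and the policy thresholds are assumptions for illustration.

```python
import hashlib
import hmac
import string

# Added example: a simplified model of a master-password-derived vault key.
# It is NOT LastPass's implementation; the salt choice, the 32-byte key
# length and the policy thresholds are assumptions for illustration.
KEY_LEN = 32


def derive_vault_key(master_password: str, salt: str, rounds: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256.

    Each round is one more HMAC an attacker must compute per guess, so the
    cost of brute-forcing the master password grows linearly with rounds.
    """
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), rounds, dklen=KEY_LEN)


def keys_match(master_password: str, salt: str, rounds: int, stored: bytes) -> bool:
    """Constant-time comparison so verification does not leak via timing."""
    return hmac.compare_digest(derive_vault_key(master_password, salt, rounds), stored)


def meets_master_password_policy(pw: str, min_len: int = 12) -> bool:
    """The thread's advice: 12+ characters using the full character set."""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    return len(pw) >= min_len and has_lower and has_upper and has_digit and has_symbol


def relative_attack_cost(rounds_old: int, rounds_new: int) -> float:
    """How many times more work each guess costs after raising the round count."""
    return rounds_new / rounds_old


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    pw, salt = "Correct-Horse9!battery", "user@example.com"
    for rounds in (500, 100_000):
        print(rounds, "rounds ->", derive_vault_key(pw, salt, rounds).hex())
    print("policy ok:", meets_master_password_policy(pw))
    print("cost per guess x", relative_attack_cost(500, 100_000))
```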
     
  3. moho

    moho Registered Member

    Joined:
    Jun 26, 2012
    Posts:
    2
    If I left the house with them, I'd agree. However, they never leave my house, so I'd say there's a much greater chance of a malware attack on my computer than someone breaking into my home and stealing my passwords.

    EMET = Enhanced Mitigation Experience Toolkit? Is this necessary if I keep my Windows and other software updated? I have some services turned off in Windows, also, so I'd have to see if that is dependent on any of them, etc. I'm not familiar with it at all, so I'll have to do some research.

    Thanks for the suggestion.
     
  4. tomazyk

    tomazyk Guest

    Hi moho!

    I use KeePass to store my passwords. It stores all passwords in a database on the local disk, but it is not integrated into browsers, so you have to use copy/paste to input passwords.

    I would add EMET (even if you update software regularly), Sandboxie and a program to back up the system to your overall setup.

    Your concerns:
    1. Malware Defender is not an anti-keylogger. It is a classical HIPS with some anti-KL functionality. It is not easy to set up, but it can protect your system from ever getting infected by a keylogger.
    2. Windows firewall is enough if you don't want to control outbound connections.
    3. For OL banking you don't need additional protection. It also depends on how your bank implements security (you can check in my signature all the precautions my bank has integrated for online banking).
    4. I would never do any sensitive tasks on computer I don't trust. PERIOD.
     
  5. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    444
    I have used KeePass for many years but I recently switched to LastPass.

    I checked out LastPass over the years, but I never wanted to pay for it and I didn't like the idea of my passwords being in the cloud. Then I saw a link (on Wilders) that referenced a video of a guy explaining why LastPass encryption could be trusted. I was convinced by the video, but I still didn't like the idea of paying for it. Well, I checked the LastPass website and they changed their fee structure. The free version has more features than I could ever want. I tried it and I am hooked... actually I was amazed at how user friendly and intuitive it is. I may even pay them, I like it so much.

    Good luck.


    Note: Unless you hide your password paper very carefully, it's a really bad idea. Heck, when I'm gone from home for any length of time I'm scared someone will break into my house and learn enough to steal my identity.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Staying up to date is probably the most important step for maintaining a secure system. But you are still vulnerable to 0day updates and if you're even a day late on a patch there's often malware out there making use of the exploit (metasploit usually takes about that long.)

    EMET protects you against these situations.
     
  7. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    +1 for LastPass and EMET. Staying up to date is... advisable, but I personally don't bother (convenience).

    I like to minimize real-time apps and don't use a real time AV or behaviour blocker. I do use anti-execution and a firewall, which both have negligible overhead.

    You seem to most specifically be worried about keyloggers. My personal experience with anti-keyloggers is that they are not very good at distinguishing normal use from keylogging, giving lots of popups and still not stopping every keylogging exploit.

    For this reason (amongst others) I use an outbound firewall. I am currently using "TinyWall", which you can find right here on the forums (under the firewall section). It is a "wrapper" for the Windows firewall that adds outbound functionality (which Windows does not enable by default), simplifies rule creation, denies by default, and protects against tampering.

    Keyscrambler, which I've not tried, should be fine by itself to stop keys being logged, but can't protect against screenshots if you would be worried about that.

    With all the above I wouldn't worry about anything extra for online banking. If you are super worried you should be booting from a clean Linux distro to do your banking.

    For untrusted computers, e.g. net cafes, you can add LastPass's one-time password feature to your arsenal:

    http://helpdesk.lastpass.com/security-options/one-time-passwords/

    This way, even if they log your master password for LastPass, it does them no good as they cannot log into your account.
     
  8. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    When I travel abroad I use the "Grid" or one-time password that LastPass offers to log on to LastPass in internet cafes. I have only 2 (home and work) trusted computers where my master password alone can get access to LastPass, so even if there is a keylogger on the computer and they get my master password, it is useless on every other computer but the two I have authorized (and I can easily deauthorize them). I imagine that nothing that could compromise my LastPass gets stored on the internet cafe computer.

    Here is a plausible scenario that could compromise it, though:
    1. I open the preferences on a passworded site while logged into the LastPass site.
    2. I choose to show the password in plain letters in the preferences.
    3. And IF there is automatic screen capture software that grabs the screen where the preferences I opened are shown.

    Never thought of using a portable browser or portable LastPass; maybe that is safer, but not as convenient IMO.
     
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I've been using LastPass (LP) for years and it has only gotten better. Currently you can use Google Authenticator along with LP Free for dual-authentication when logging into your password vault. If you have an Android smartphone this is the way to go. If not, I believe there is "grid" authentication with the free LP. I know you said "free" was a requirement, but note that LP Premium is only one dollar a month. It enables you to use a USB key and/or YubiKey for dual authentication. That's useful if you can't use Google Authenticator. "Premium" also adds support for mobile devices...

    I would not trust Winpatrol to do what you're asking. I would recommend Webroot SecureAnywhere Essentials (WSA). A license for three PCs can be had for almost zero if you look around. In fact here's the complete version which includes (rebranded) LastPass Premium for free:

    http://www.frys.com/product/6799515?site=sr:SEARCH:MAIN_RSLT_PG

    Again, WSA (formerly Prevx) is a good choice. Also, your bank may offer dual authentication. My bank sends a unique code in a text message to my phone to use in conjunction with my password every time I log in. There is also the free Trusteer Rapport, which may be offered by your bank, but I would choose WSA since it can be had for free at the moment.

    Last, I would agree with the comment about never exposing sensitive information on untrusted computers - just don't.
     
    Last edited: Jul 2, 2012
  10. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    I would replace WinPatrol with Comodo D+ or just completely get rid of everything [except on-demand scanners] and install free Comodo Internet Security. I have been using LastPass for a couple of years now and highly recommend it :)
     