LastPass

Discussion in 'other software & services' started by Yash Khan, May 20, 2015.

  1. Yash Khan

    Yash Khan Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    1,837
    I have installed LP.

    Any suggestions, customizations, etc...?
     
  2. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Fill out forms, add checking account protection, credit card, you can also add notes - some websites like banks ask for security questions.
     
  3. Yash Khan

    Yash Khan Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    1,837
    Hope all these can be done in free version as I am using the free version.
     
  4. badsector

    badsector Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    51
    Log in via the LastPass website... not the plugin, then go to option > show advanced settings > Password Iterations = 200000 (or more), and enable grid...
     
  5. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Yes, I have the free version too.
     
  6. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    162
    Yeah, fuhget about the Brooklyn bridge to sell ya... Crank that amp all the way up to P for paranoia. LastPass as a browser extension does not need to go through the aforementioned extreme measures to remain secure. Honestly, why bother otherwise. Just because somebody may be able to fiddle and tweak with the advanced settings doesn't make their advice in the least bit necessary; and in this particular case, even beneficial by a long shot. :confused:
     
    Last edited: May 20, 2015
  7. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    420
    Location:
    Terre Haute, IN
    If interested sharewareonsale.com has the Pro version as a 100% giveaway today.
     
  8. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    499
    AFAIK that promotion expired quite a while ago.
     
  9. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    420
    Location:
    Terre Haute, IN
    I am so sorry the information I posted earlier is incorrect.

    John
     
  10. Yash Khan

    Yash Khan Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    1,837
    There are a couple of downloads on the official site.

    Tried installer version. Vault shortcut was created on desktop. When I click the shortcut, browser opens. So it stores info local or cloud?

    Tried Firefox extension. Guess this will store info in the cloud, right?

    Tried Firefox portable. Does this store info locally in the Firefox folder or USB folder, or is the info in the cloud?

    If I use extension only then info will be stored in the cloud only, right?
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    A copy is always stored locally. When online an encrypted version is downloaded from the cloud and unencrypted locally. Cloud only deals with encrypted data (up/down).
    https://lastpass.com/how-it-works
     
  12. Yash Khan

    Yash Khan Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    1,837
    I guess this needs LP to be locally installed, right?

    If only extension is used i.e no local install then data is stored in the cloud only, right?

    What about portable i.e where is the data stored for portable LP?
     
  13. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    No, fax is right in that there is always a local copy somewhere. The cloud is used to store an up to date copy that the local copies are compared to / updated with when the user logs in.
     
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Yeap, thanks HAN!
     
  15. Yash Khan

    Yash Khan Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    1,837
    I misunderstood the download section in the official site.

    I thought there is an installer & extensions too.

    But the universal installer is just a quick way to install LP extensions in all the browsers installed.

    And there is no separate extension for Internet Explorer & the universal installer installs the IE extension.
    And the universal installer adds an entry in add/remove & creates a desktop shortcut for LP Vault.

    Where on the system does LP store data?

    If I use portable Chrome & portable LP for Chrome, where is the data stored i.e the location?
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    If you have a smart phone then enable two factor authentication (TFA) in LastPass using Google Authenticator. TFA is available in the free version. I would also recommend installing HitmanPro Alert (HMPA). The free version of HMPA will encrypt the data you type into the LastPass browser plugins (like KeyScrambler). FYI the Pro version of LastPass only costs $1/month.
     
  17. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Switch two-factor authentication on.
     
  18. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    512
    Location:
    Australia
    I'm not sure of the default settings for LastPass, but double check that:

    "Country restriction" is enabled for only countries that you will use lastpass in.
    "Disallow Tor Networks" is checked
    You could increase "password Iterations"
    Enable 2 step authentication as mentioned previously, highly recommended.
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    FYI from the LastPass manual:

    "By default, the x number of rounds that LastPass uses is 5000. LastPass allows you to customize the number of rounds performed during the client-side encryption process. If you log in to LastPass, open your LastPass vault from the LastPass Icon, and launch Account Settings, you will see the “Password Iterations” field displaying the current number of rounds used for your account. Although 5000 is currently the default number of rounds, your number may be lower if your account is older.


    • 5000 rounds provides a good balance between increased security and the inconvenience of longer pauses when logging in to your account. While it’s tempting to point to the number of rounds when comparing implementations of PBKDF2 across services, this is essentially an apples to oranges comparison, as other services may be using SHA-1, which is less computationally intense than SHA-256. In other words, SHA-256 is a more intensive process than SHA-1, so a lower number of rounds can still be a higher level of security against brute-force attacks.

      In terms of usability, the number of rounds used only affects the process of logging in to your LastPass account. Once you gain access to your account, the implementation of these changes will not affect your browsing experience.


    • Note: LastPass supports a diverse set of platforms which vary greatly in speed. In order to utilize all of them, we recommend you do not exceed 10,000 rounds. A change from 5000 rounds to 10,000 rounds may not be perceptible to you on most platforms. However, while we permit users to increase their rounds all the way to 200,000 rounds, you may start to notice problems when logging in via certain browsers or platforms when you go above 5,000 rounds. For example, Internet Explorer 7 will be very slow with such a higher number of rounds. Logging into m.lastpass.com on a smart phone (where the rounds are done in JavaScript only) may not work at all"
     
  20. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    512
    Location:
    Australia
    I'm sorry, I'm not sure where you are going with this. Was this to support my suggestion to increase password iterations, or to leave it as it is? As "In terms of usability, the number of rounds used only affects the process of logging in to your LastPass account. Once you gain access to your account, the implementation of these changes will not affect your browsing experience".

    regards.
     
  21. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    I recommend 100,000 iterations, no problem whatsoever with it.
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    I posted it so people would understand what "password iterations" means. Also 5,000 is the current default but that wasn't always the case, so longtime LastPass users should check that setting and increase the number if necessary (I discovered my number was lower than 5000). Lastly, the notes state that a number larger than 5,000 may cause the LastPass Android app to fail logon, so it would be important to test after increasing iterations above 5,000.

    More generally though the notes don't help us decide how many iterations is enough. How long would it take to brute force a master password encrypted with 5,000 iterations? One year, ten years? I have no idea. What about 100,000 or the max 200,000 iterations? I'm all for more security, but I like to know what the numbers mean.
     
    Last edited: May 24, 2015
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    726
    I don't think that a general answer is possible. It not only depends on the number of the PBKDF2 iterations but also on the quality of your master password, of course. The number of iterations chosen by you ultimately depends on your hardware and on your patience ;). I'm using 50,000 iterations, and it's still fast enough for my desktop computer and my iPad 4. I'm not using LastPass on my mobile phone so I don't know if it would be overchallenged. I'm afraid that you have to experiment yourself.

    EDIT: Here's an interesting discussion with good links.
     
    Last edited: May 24, 2015
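
Added example, not part of any post in this thread and not LastPass code: a sketch of how the PBKDF2 iteration count and the master password's entropy each affect offline guessing time, the two factors named in the post above. The guessing rate of 10^9 HMAC-SHA256 evaluations per second, the entropy figures and the sample password and salt are constructed assumptions, not measurements of any real hardware or account.

```python
import hashlib
import math
import time

SECONDS_PER_YEAR = 365 * 24 * 3600
ASSUMED_HMAC_PER_SECOND = 1e9  # assumption for illustration, not a benchmark


def time_pbkdf2(iterations, password=b"constructed-sample", salt=b"constructed-salt"):
    """Seconds one PBKDF2-HMAC-SHA256 derivation takes on this machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    return time.perf_counter() - start


def expected_years(entropy_bits, iterations, hmac_per_second=ASSUMED_HMAC_PER_SECOND):
    """Average years to guess a password of the given entropy.

    On average half the keyspace is searched, and every guess costs
    `iterations` HMAC evaluations (one 32-byte output block).
    """
    guesses = 2 ** (entropy_bits - 1)
    guesses_per_second = hmac_per_second / iterations
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def extra_bits(iterations_from, iterations_to):
    """Password-entropy equivalent of raising the iteration count."""
    return math.log2(iterations_to / iterations_from)


if __name__ == "__main__":
    # Login cost on this machine for the iteration counts discussed in the thread.
    for n in (5_000, 50_000, 100_000, 200_000):
        print(f"{n:>7} iterations: {time_pbkdf2(n) * 1000:7.1f} ms per login")
    # Guessing time for weak, medium and strong master passwords (constructed values).
    for bits in (30, 40, 60):
        row = ", ".join(
            f"{n}: {expected_years(bits, n):.3g} y" for n in (5_000, 200_000)
        )
        print(f"{bits}-bit password -> {row}")
    print(f"5,000 -> 200,000 iterations adds {extra_bits(5_000, 200_000):.2f} bits")
```

Going from 5,000 to 200,000 iterations multiplies the guessing cost by 40, about the same as 5.3 extra bits of password entropy, while each additional bit of entropy doubles it.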
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    Thanks, this provides some perspective :)

    "Brute Force

    We start with a 128-bit symmetric key. Assuming the algorithm (e.g. AES) isn't yet broken, we have to look at power consumption. Assuming 100% efficient computation devices whose technology far exceeds any computer, ASIC, graphics card, or other key-cracking device you can dream up, there's a minimum energy requirement for just flipping the bits to count that high. Wikipedia has done the math for us, and it comes out to, for a 128-bit key, the minimum energy requirement demanded by physics is approximately 10^18 joules, or 30 Gigawatts for one year. Obviously with "real" hardware, the requirement would be several hundred thousand times that; more than the energy production of the entire world. So that's well outside the capability of any existing terrestrial body.


    But if we move to a 256-bit key, the math gets more serious. Schneier did the math on this one in Applied Cryptography, and it's been discussed here before. To avoid boring you with repeated details, I'll simply cut to the conclusion: our sun does not produce enough power to accomplish this task."


    The whole read is here:

    https://security.stackexchange.com/...terations-to-pbkdf2-provide-no-extra-security
     
    Last edited: May 24, 2015
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Lol.. Thanks.