Possible way to leak your password from Lastpass

Discussion in 'other software & services' started by bonedriven, Jan 27, 2012.

Thread Status:
Not open for further replies.
  1. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Hi guys. I know there are many LastPass users here so I'd like to ask you a question: What are the possible ways that all your passwords are obtained by a hacker?

    I mean imagine the worst situations:

    1. A hacker has got my master password?

    2. My Windows system is hacked?

    And..?

    What can we do to make LastPass the safest?

    Thank you!
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    The Master Password is the point of vulnerability. I feel the best way to protect it is dual authentication (requires LastPass Premium). I use Google Authenticator (on my cell phone) to generate one time codes to use in conjunction with the master password on untrusted computers. If you don't want to use dual authentication on a trusted computer you need to make sure the system is protected against keylogging. Make sure that master password changes produce email notifications and are reversible (check the LastPass settings for these options). It's also a good idea to have a hard copy of all your logon user/password credentials so that in the worst case you could still access all of your site accounts.
     
  3. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Hi Victek. I'm using dual authentication, the free grid one. And I'm using Google mail as the recovery mail, with two-step authentication too. But I don't let LastPass store my Google account password, since if one of them is compromised, the other could be in danger. So all I need to remember is a LastPass master password and then a Google account password. I think that's pretty good. I'm still simulating hacking my own password when one of my major passwords is in the bad guy's hands. Don't know why but I seem very paranoid. :argh:
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Yes, not all LastPass dual authentication (DA) modalities require the paid product. I originally decided to subscribe so I could use a flash drive for DA, but Google Authenticator is much easier. That's a good point about not having LastPass save the password for the email recovery account - that hadn't occurred to me. The problem I see with using a master password is it needs to be reasonably easy to remember and type, which means you can't use an insanely long, random mess of letters/numbers/symbols (well, I can't :) ). Still, using a 16-20 character password + DA puts you way ahead of the game. I think one way LastPass security could be improved is to require an email confirmation for master password changes. At the moment they only notify you.
     
  5. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Well, maybe the speed of computers is skyrocketing beyond my understanding?
    I think a password that consists of 8-10 characters with numbers/letters/special characters/upper case letters is hard enough for brute force. So I never care about making a very long password. Brute-forcing my password is the least threat I may encounter, in my opinion. Remembering two passwords is really not that hard. I actually have 3-5 sets of passwords in my head and a little twist to each according to the different websites. Now sometimes I could have a little trouble. That's why I finally came to LastPass.

    Quite the contrary, the reason I switched from KeePass to LastPass is that I think I do need to save the database in the cloud, in case I lose it on my computer.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    In fact even an 8-10 character password will take quite a while to calculate.
     
  7. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    I notice that LastPass can offer to remember both your email account and master password. Does anyone know where it stores that information and how?

    Thanks.
     