Possible way to leak your password from Lastpass

Hi guys. I know there are many Lastpass users here so I'd like to ask you a question : What are the possible ways that all your passwords are obtained by a hacker?

I mean imagine the worst situations:

1. A hacker has got my master password?

2. My windows system is hacked?

And..?

What can we do to make Lastpass the most safe?

Thank you!

 

The Master Password is the point of vulnerability. I feel the best way to protect it is dual authentication (requires LastPass Premium). I use Google Authenticator (on my cell phone) to generate one time codes to use in conjunction with the master password on untrusted computers. If you don't want to use dual authentication on a trusted computer you need to make sure the system is protected against keylogging. Make sure that master password changes produce email notifications and are reversible (check the LastPass settings for these options). It's also a good idea to have a hard copy of all your logon user/password credentials so that in the worst case you could still access all of your site accounts.

 

Hi Victek. I'm using dual authentication, the free grid one. And I'm using Google mail as the recover mail with two steps authentication too. But I don't let Lastpass to store my google accout password, since if one of them is compromised, the other could be in danger. So all I need to remember is a Lastpass master password and then a google account password. I think that's pretty good. I'm still simulating to hack my own password when one of my major passwords is in the bad guy's hand. Don't know why but I seem very paranoid.

 

Yes, not all LastPass dual authentication (DA) modalities require the paid product. I originally decided to subscribe so I could use a flashdrive for DA, but Google Authenticator is much easier. That's a good point about not having LastPass save the password for the email recovery account - that hadn't occurred to me. The problem I see with using a master password is it needs to be reasonably easy to remember and type, which means you can't use an insanely long, random mess of letters/numbers/symbols (well, I can't ). Still, using a 16-20 character password + DA puts you way ahead of the game. I think one way LastPass security could be improved is to require an email confirmation for master password changes. At the moment they only notify you.

 

Will maybe the speed of computer is high rocketing beyond my understanding?
I think a password that consists of 8-10 characters with numbers/letters/special characters/upper case letters are hard enough for brutal force. So I never care for making a very long password. Brutal forcing my password is the least threat I may encounter in my opinion. Remembering two password is really not that hard. I actually have 3-5 set of passwords in my head and a little twist to each according to the different websites. Now sometimes I could have a little trouble. That's why I finally come to Lastpass.

Quite the contrary, the reason I switch from Keepass to Lastpass is I think I do need to save the database in the cloud, in case that I lose it on my computer.

 

In fact even an 8-10 character password will take quite a while to calculate.

 

I notice that Lastpass can offer to remember both your email account and master password. Does anyone know where it stores that information and how?

Thanks.