ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    LastPass

    Scheduled Pinned Locked Moved IT Discussion
    lastpass
    65 Posts 12 Posters 16.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • thanksajdotcomT
      thanksajdotcom @gjacobse
      last edited by

      @g.jacobse said:

      @thanksaj said:

      I agree with @FiyaFly in saying I cannot deal without LastPass nowadays. I got my mother onto it and she loves it. It's true that your LastPass account is only as safe as your master password, so if you live at 123 Main Street and your dog's name is Wolfy, using Wolfy123 as your password is pretty weak. Make it something unrelated to common password triggers, like pet names, birthdays, spouse and children names, etc. Mine is 23 characters, fully complex, and not something related to anything in my life directly. It's easy to remember but pretty much impossible to guess. That's the key.

      Last time I did that I spent six hours trying to figure out what it was only to give up and have the password reset. I generally do a number/letter replacement, cap, symbol. Sadly and not related to a 'master password' some sites I have will only allow 8 characters, so to use a 16, 24, 31 character password is not possible.

      Years ago I came across someone in Cincinnati that used the maximum character length - 264 I would have been impressed if he didn't have to start over twice to type it in.

      LastPass has no limit on their master password, and the randomly generated passwords can be tailored per site based on the criteria. Otherwise, you can have one or two passwords with maybe the first letter capital in some and not others that is your "master password" for sites. That's what I had before LastPass. I went back later and changed a ton over to random passwords.

      1 Reply Last reply Reply Quote 0
      • T
        technobabble
        last edited by

        @Minion-Queen would you recommend Google Authenticator or Toopher?

        1 Reply Last reply Reply Quote 0
        • Minion QueenM
          Minion Queen
          last edited by

          I have used Google. But I am not as technical as some others around here. @Nic what do you suggest?

          1 Reply Last reply Reply Quote 0
          • thanksajdotcomT
            thanksajdotcom @coliver
            last edited by

            @coliver said:

            I've been using LastPass for 5 or 6 years. The one time they thought they had a breach of their database they emailed everyone as soon as it was even suspected and forced a password change. That alone proved they were a customer centric company, as most others would have tried to PR their way out of such a "breach"

            The app also encrypts your passwords with your key on the client end before it even goes to the cloud database. So even if someone managed to break in and get it they would just have the hashed values that would take a significant amount of time to figure out.

            Yup, there's this too. LastPass only decrypts your password database at the local level. It's always encrypted in-transit and on the cloud server.

            1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller
              last edited by

              LastPass is extremely secure. But, as with anything, the end user is a point of risk that is very difficult to mitigate.

              thanksajdotcomT 1 Reply Last reply Reply Quote 1
              • DashrenderD
                Dashrender
                last edited by

                To the OP - the answer is (as @scottalanmiller and other have said) LastPass is only as secure as your Master Password, and possibly a second factor authentication.

                So first things first - use a long (16+ characters, including upper, lower, numeric and symbols) Master Password
                and second - use a second factor - YubiKey Google Authenticator Toopher Duo Security Transakt

                Additionally, you should consider printing out a few one time passwords and storing them in a safe place. Safety deposit box, safe at home - where ever you store important papers at home, etc.

                Personally I use a 16+ character password and Google Authenticator. I trust this system very much and have had little to no problems with it.

                I also gladly pay my $12/yr for mobile access - so I can continue to use secure passwords, even on my phone.

                1 Reply Last reply Reply Quote 1
                • thanksajdotcomT
                  thanksajdotcom @scottalanmiller
                  last edited by

                  @scottalanmiller said:

                  LastPass is extremely secure. But, as with anything, the end user is a point of risk that is very difficult to mitigate.

                  A.K.A you can't fix stupid.

                  1 Reply Last reply Reply Quote 0
                  • thanksajdotcomT
                    thanksajdotcom
                    last edited by

                    Also, I should add, that when HeartBleed came out, and sites like Facebook and Google were compromised, LastPass was unaffected because they were on a newer version. Just something to think about.

                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @thanksajdotcom
                      last edited by

                      @thanksaj said:

                      Also, I should add, that when HeartBleed came out, and sites like Facebook and Google were compromised, LastPass was unaffected because they were on a newer version. Just something to think about.

                      And they payload is encrypted, not the tunnel. LastPass isn't SSL.

                      DashrenderD thanksajdotcomT 2 Replies Last reply Reply Quote 0
                      • DashrenderD
                        Dashrender @scottalanmiller
                        last edited by Dashrender

                        @thanksaj said:

                        And they payload is encrypted, not the tunnel. LastPass isn't SSL.

                        Actually LastPass is both.

                        @thanksaj said:

                        Also, I should add, that when HeartBleed came out, and sites like Facebook and Google were compromised, LastPass was unaffected because they were on a newer version. Just something to think about.

                        And I'm pretty sure they were affected, but it didn't matter since they use their own encryption on the endpoint before sending to the cloud.

                        LastPass utilizes OpenSSL for HTTPS/TLS/SSL encryption and we were therefore “vulnerable” to this bug.
                        http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                        • thanksajdotcomT
                          thanksajdotcom @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          @thanksaj said:

                          Also, I should add, that when HeartBleed came out, and sites like Facebook and Google were compromised, LastPass was unaffected because they were on a newer version. Just something to think about.

                          And they payload is encrypted, not the tunnel. LastPass isn't SSL.

                          True.

                          1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @Dashrender
                            last edited by

                            @Dashrender said:

                            @thanksaj said:

                            And they payload is encrypted, not the tunnel. LastPass isn't SSL.

                            Actually LastPass is both.

                            @thanksaj said:

                            Also, I should add, that when HeartBleed came out, and sites like Facebook and Google were compromised, LastPass was unaffected because they were on a newer version. Just something to think about.

                            And I'm pretty sure they were affected, but it didn't matter since they use their own encryption on the endpoint before sending to the cloud.

                            LastPass utilizes OpenSSL for HTTPS/TLS/SSL encryption and we were therefore “vulnerable” to this bug.
                            http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

                            Their website was affected, but not the application, AFAIK, which I think uses AES256.

                            thanksajdotcomT 1 Reply Last reply Reply Quote 0
                            • thanksajdotcomT
                              thanksajdotcom @scottalanmiller
                              last edited by

                              @scottalanmiller said:

                              @Dashrender said:

                              @thanksaj said:

                              And they payload is encrypted, not the tunnel. LastPass isn't SSL.

                              Actually LastPass is both.

                              @thanksaj said:

                              Also, I should add, that when HeartBleed came out, and sites like Facebook and Google were compromised, LastPass was unaffected because they were on a newer version. Just something to think about.

                              And I'm pretty sure they were affected, but it didn't matter since they use their own encryption on the endpoint before sending to the cloud.

                              LastPass utilizes OpenSSL for HTTPS/TLS/SSL encryption and we were therefore “vulnerable” to this bug.
                              http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

                              Their website was affected, but not the application, AFAIK, which I think uses AES256.

                              That's what I believe to be the case.

                              1 Reply Last reply Reply Quote 0
                              • JaredBuschJ
                                JaredBusch
                                last edited by

                                I have used LastPass since December 2008 and I have been a Premium subscriber since December 2009 when I first got an iPhone.

                                The service absolutely rocks and security is completely serious. Everything is encrypted locally prior to transmit so even on a insecure line you have security around your password.

                                I personally know 3 passwords. LastPass master password, my gmail password for my main account, and my bank account password. All three of those passwords are more than 16 characters long and more than jsut letters and numbers.

                                For the rest, they are random and were generated by LastPass.

                                1 Reply Last reply Reply Quote 0
                                • T
                                  technobabble
                                  last edited by

                                  Thanks everyone, I will be able to explain why LastPass is safe. I personally plan to upgrade so I can have it on my phone. I have a problem with one site, my hosted WHMCS billing platform. LastPass tries to override every user pass area on the program with my login to the program.

                                  DashrenderD 1 Reply Last reply Reply Quote 0
                                  • C
                                    Carnival Boy
                                    last edited by

                                    I didn't get on with LastPass. I'm a KeePass man. The main issue being the lack of an official iOS app for KeePass - I'm reluctant to trust 3rd party apps.

                                    thanksajdotcomT 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller
                                      last edited by

                                      KeePass is nice because it is free! It is really great as well.

                                      thanksajdotcomT 1 Reply Last reply Reply Quote 0
                                      • thanksajdotcomT
                                        thanksajdotcom @Carnival Boy
                                        last edited by

                                        @Carnival-Boy said:

                                        I didn't get on with LastPass. I'm a KeePass man. The main issue being the lack of an official iOS app for KeePass - I'm reluctant to trust 3rd party apps.

                                        Just cause you're paranoid doesn't mean they aren't out to get you...:P

                                        1 Reply Last reply Reply Quote 0
                                        • thanksajdotcomT
                                          thanksajdotcom @scottalanmiller
                                          last edited by

                                          @scottalanmiller said:

                                          KeePass is nice because it is free! It is really great as well.

                                          KeePass is good. I just like the cloud factor to LastPass.

                                          thanksajdotcomT 1 Reply Last reply Reply Quote 0
                                          • thanksajdotcomT
                                            thanksajdotcom @thanksajdotcom
                                            last edited by

                                            @thanksaj said:

                                            @scottalanmiller said:

                                            KeePass is nice because it is free! It is really great as well.

                                            KeePass is good. I just like the cloud factor to LastPass.

                                            I know some people keep their KeePass in their Dropbox or that, but I actually originally signed up for LastPass because they had a Windows 8 Phone app, which most don't.

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 2 / 4
                                            • First post
                                              Last post