Is password security at just $1/month too expensive for most?

With major breaches regularly turning up a prevalence of laughably predictable passwords, you'd think that the likes of password locker LastPass should find it easy to sell its wares for US$1 a month. But even that price looks to be a hard sell: why else would the company have taken features from its Premium product and made …

  1. Crazy Operations Guy

    So they want me to trust an online service with all my passwords?

    I don't care how cheap it is, I'll never trust something I don't control to hold anything as sensitive as the password for my throw-away hotmail account, let alone my work or banking accounts...

    1. Bob Vistakin

      Re: So they want me to trust an online service with all my passwords?

      People really use throw-away hotmail accounts? What on earth for?

      Back on topic - check out Password Safe - it addresses all these concerns. The db is encrypted and stored locally, but you can automatically sync via your preferred cloud service *if* you choose (Dropbox support is built in directly), the db never hits their servers, dunno how a limit on users could even be implemented when, as just stated, you can share the db anyway, and of course it's free and always has been.

      This ain't an ad - it's just based on my experience of having to manage zillions of passwords which I have to change quite often.

      1. anothercynic Silver badge

        Re: So they want me to trust an online service with all my passwords?

        Ditto 1Password... offline but syncable.

        1. Allonymous Coward

          Re: So they want me to trust an online service with all my passwords?

          Ditto KeePass(X). Offline but syncable, and cross-platform without having to use WINE or whatever.

          It supports a "key file" as well as/instead of a password. This can be used to get a sort of poor man's two-factor auth. I have it set up to use Dropbox, with a strong password on the database file and an additional key file that never touches the cloud.

      2. Anonymous Coward

        @Bob Vistakin - use of throwaway hotmail accounts

        Surely you don't give your REAL email when you sign up for an online forum, or some online shopping site you might use only once?

    2. phuzz Silver badge

      Re: So they want me to trust an online service with all my passwords?

      You don't control your bank, but they still hold your online banking details....

      It comes down to the usual choice between security and usability. An offline password manager is more secure, but you'll need a workaround if you need access to your passwords when you're on holiday (for example). An online password manager gives you access even if your home computer and backups are lost/inaccessible, but an attacker only needs to guess your password and defeat the 2fa to get all your passwords.

      Or you could write down all your passwords, but then backups become an issue. If you've got a good memory you could try memorising all your passwords, but not many people can remember multiple, long, random passwords.

      Personally I've just set all my passwords to "password5" no one will ever guess that!

      *edit* If you're using Dropbox to backup/share an offline password DB, isn't that putting all your passwords in the hands of a single cloud provider anyway?

      1. Crazy Operations Guy

        Re: So they want me to trust an online service with all my passwords?

        "You don't control your bank, but they still hold your online banking details...."

        Yes, but if my bank were to be breached, only my banking information would be leaked. If Lastpass gets breached, -everything- gets leaked.

        If one of my banks were to be breached, I would have legal recourse and the bank would be required, by law, to either reverse any transactions in progress or to refund the stolen funds (FDIC requirement if it's shown to be their fault for the breach). That is also assuming that they'd somehow gain access to my email account so they can get the tokens to authorize logins / transactions (Email is encrypted between the banks' and my email servers). And even then, I'd still be fine since only one of my bank accounts would be affected (I have a personal bank account for my day-to-day expenses, my retirement account that I can borrow against in an emergency, and my investment accounts; all of which are protected by various laws if the bank is found responsible).

        All of those protections go away if the passwords were to be leaked by Lastpass which would include the details to all my bank accounts and the email accounts used for two-step authentication. Also, since it's not the fault of the banks, they have no legal requirement to do anything (Other than re-issue my cards and reset my passwords after I report the problem). All I'd get from Lastpass is maybe a few free months of an identity theft protection service, a few months' worth of free service and a letter from their PR team that is nothing more than "Sucks to be you" coated in diplomatic fluff.

        I carry around an encrypted thumb drive (a 16-GB IronKey) on a chain around my neck with a portable copy of KeePass(X) and a hardened version of Firefox for accessing security-sensitive websites. I figure that that level of protection is well beyond the level of effort someone would want to exert to acquire my passwords.

    3. Anonymous Coward

      Re: So they want me to trust an online service with all my passwords?

      Indeed.

      http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571

    4. ecofeco Silver badge

      Re: So they want me to trust an online service with all my passwords?

      So they want me to trust an online service with all my passwords?

      Exactly. The ultimate irony.

      Not enough face palms for those guys.

    5. choleric

      Re: So they want me to trust an online service with all my passwords?

      If it's a throwaway address why do you need to keep the password?

  2. Ole Juul

    reasoning

    With major breaches regularly turning up a prevalence of laughably predictable passwords, you'd think that the likes of password locker LastPass should find it easy to sell its wares for US$1 a month.

    It's exactly the people with the laughable passwords who won't care.

  3. Anonymous Coward

    Financialization. Security-as-a-service. Freemium business model

    In summary: Trash discarded

  4. Anonymous Coward

    What next? LastPass was bought a year ago by LogMeIn, who announced a merger with Citrix GoTo only about 3 months ago. I can't get over the mental hurdle of giving critical data to a company that's going through such change. I don't know who will own them tomorrow. How would I feel if IBM bought them for example?

  5. Aslan

    Check your facts

    "For the rest of us freeloading, the gratis edition has added a “Security Challenge” that looks for weak and duplicated passwords, then suggests you change them."

    The security challenge has been part of the free product for at least a year and a half, probably longer. I believe the security challenge exposes your passwords to Logmein (after you supply your master password) and always seemed like the company's answer to providing the authorities your passwords.

    1. Anonymous Coward

      Re: Check your facts

      The company claims that they never see your master password and that when you provide your master password all they send back is the encrypted vault.

      https://lastpass.com/support.php?cmd=showfaq&id=6926

      'Theoretically' that means that the bad guys have to decrypt your vault. Whether you believe them is up to your paranoia level.

      1. Aslan

        Re: Check your facts

        That applies to the password vault only. When you perform the security check it happens at the URL https://lastpass.com/?securitychallenge=1&lpnorefresh=1&lang=en-US instead of at a URL like chrome-extension://hdokiejnpimakedhacdlhjegeplioahd/homelocal2.html . In theory, the Chrome extension being written in JavaScript, one could verify that the processing happens locally as Logmein states; when one uses the LastPass website one doesn't have that guarantee.


  6. Anonymous Coward

    I think it's obvious...

    They want your data, and they'll make the deal looking as sweet as it possibly can.

    As Crazy (first poster) already mentioned: it's an online service, so all your stuff will be stored "in the cloud" and you get to hope that they're using a good encryption algorithm. But there's more: using the service like this would also give them a pretty much undeniable trace of all your activities. After all: surely you wouldn't recall a Google password if you weren't really using Google at that time.

    That amounts to very precious and verifiable user data, and we all know that there are dozens of companies looking to monetize on that.

    I'm not just saying so, just check their Terms of service, I quote: "LMI receives or is otherwise granted access to any Customer personal data while providing the Services, LMI agrees to (i) use such personal data solely for the purposes of providing the Services to Customer; (ii) process the personal data only in accordance with Customer’s instructions, which, unless expressly stated otherwise in a mutually agreed upon amendment to this Agreement, are represented in the form of this Agreement".

    So what is required for providing this service? It would be easy to argue that maintaining their cloud is essential for this. And how does one do that? By generating revenue to pay for it. Now, sure, I can see that the intent of this service agreement is most likely different. They're probably referring to storing the data, possibly backing it up and making it available again to the user(s). But even so: it doesn't rule out the other options either.

    1. Roland6 Silver badge

      Re: I think it's obvious...

      Reading those Terms of service, I think in some respects we are reaching a point where in keeping the data protection legalese relatively simple and technically (legal nit-picking), we are losing precision.

      So looking at the LastPass service, the Terms of Service have to cover what the local application does: so as a user you need to consent to that application accessing whatever personal data you wish to give it and/or permit it to access and for the application to process such data to store and retrieve it from its vault. Then because the local application sends the (encrypted) vault of personal data to cloud servers, the ToS also needs to cover the transfer of (unspecified) personal data. When read in this way, the ToS seem quite innocent, however, when read in isolation they do allow for the creation of a significantly more intrusive service.

  7. psychonaut

    Logmein

    Bitter experience with lmi pricing a few years back suggests price hikes to come soon in the region of 10 times what you are currently paying. And/or they will pull the free service with a few days' notice.

  8. Headley_Grange Silver badge

    Subscription

    Security concerns aside, it's the subscription model that people don't like. I'm happy to pay a subscription for a newspaper or veg box cos I get new stuff every time I pay. I'm not happy paying for software this way cos I don't get new stuff every time I pay. Assuming I want the product then charge me a one off price, or a price per x passwords stored and I'll pay it. I'm not rational about this - the one-off cost could well be more than I'd pay on a subscription model - I just see software subscription as a rip off.

  9. Bloodbeastterror

    Well, I've been using the subscription version for a couple of years now and I'm pretty ok with the company's assurance that my master password, and therefore the stored passwords, are safe because they never leave my devices. It's a lot better to have long gibberish passwords, different for every site, than to rely on my old method of a single long password with a brief site-specific suffix - break one and you could have guessed the rest.

    No, password manager is definitely the way to go, and the sort of paranoid security scares in previous comments won't sway me unless there's definitive proof of danger. Which there isn't.
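The "Security Challenge" Aslan and the Anonymous Coward were arguing about (weak and duplicated passwords, and whether the check runs locally), together with Bloodbeastterror's point that "one long password with a brief site-specific suffix" means breaking one reveals the rest, can all be checked on the client with no server involved. The following is an added example written for this page, not LastPass code and not posted by anyone in the thread. The sample vault and the tiny stand-in for a breached-password list are constructed; the character-pool entropy estimate, the 60-bit threshold and the 12-character shared-prefix rule are assumptions chosen for illustration. Nothing in it leaves the process.

```python
import math
import string
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample vault (site -> password). Not real credentials.
SAMPLE_VAULT = {
    "bank.example":  "Tr0ub4dor&3-xK9",
    "forum.example": "password5",
    "shop.example":  "password5",
    "mail.example":  "correcthorsebatterystaplemail",
    "news.example":  "correcthorsebatterystaplenews",
    "work.example":  "z8$Qm!2Lp#Vw9sR4",
}

# Tiny constructed stand-in for a real breached/common-password list (assumption).
COMMON_PASSWORDS = {"password", "password1", "password5", "123456", "qwerty", "letmein"}


def estimate_bits(password: str) -> float:
    """Upper-bound entropy estimate: length * log2(size of the character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def shared_prefix_len(a: str, b: str) -> int:
    """Length of the common leading substring of two passwords."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def security_challenge(vault: Dict[str, str], min_bits: float = 60.0,
                       min_shared_prefix: int = 12) -> Dict[str, object]:
    """Runs entirely in-process: no network call, no server, no password leaves memory."""
    sites_by_password: Dict[str, List[str]] = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)

    # 1. Exact reuse: one password protecting more than one site.
    reused = {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}

    # 2. Weak: on the common list, or too little estimated entropy.
    weak: Dict[str, str] = {}
    for site, pw in vault.items():
        bits = estimate_bits(pw)
        if pw.lower() in COMMON_PASSWORDS:
            weak[site] = "on common-password list"
        elif bits < min_bits:
            weak[site] = f"only ~{bits:.0f} bits"

    # 3. Patterned: one long stem plus a short per-site suffix. The entropy estimate
    #    rates these highly, but breaking one password of the pair exposes the stem.
    patterned: List[Tuple[str, str, int]] = []
    unique = sorted(sites_by_password)
    for i, a in enumerate(unique):
        for b in unique[i + 1:]:
            n = shared_prefix_len(a, b)
            if n >= min_shared_prefix:
                patterned.append((sites_by_password[a][0], sites_by_password[b][0], n))

    return {"reused": reused, "weak": weak, "patterned": patterned}


if __name__ == "__main__":
    for kind, findings in security_challenge(SAMPLE_VAULT).items():
        print(kind, findings)
```

On the sample vault the two "correcthorsebatterystaple…" entries score well over 100 estimated bits each, so a check that only looks at length and character classes would pass them; only the shared-prefix pass catches that they are one secret with two suffixes.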

    1. Anonymous Coward

      The problem with that style of thinking, however, is that if definitive proof does show up, it's way, way too late to do anything about it.

      Paranoia doesn't necessarily mean that they aren't out to get you and in the case of a password manager, I'd say that it's pretty well guaranteed that some expensive people are trying to get their hands on your high-value data.

  10. Anonymous Coward

    Security?

    LastPass has been compromised in some ways (according to the IT press) at least once this year. Given that, a lot of the people I know refuse to use it unless forced to (for work purposes).

    We use it at work, and I personally find the whole thing clunky, and awkward to use, and at least one person in my office has shown a flaw to our security team.

    1. Roland6 Silver badge

      Re: Security?

      and I personally find the whole thing clunky, and awkward to use,

      I think I understand what you mean. I've noticed in the last few months an increase in the number of sites that now give LastPass problems, specifically, it either no longer auto-fills credential fields or just doesn't see them, necessitating me performing a cut-and-paste to/from the LastPass vault.

      I've not dug into it to ascertain whether the problem is due to security improvements in either the browser or website. But either way, something that was helpful for managing large numbers of (non-financial) website logins is becoming less convenient than the little black book with handwritten entries...

      1. anothercynic Silver badge

        Re: Security?

        @Roland6, it's not just LastPass... I think there are several password managers who have not kept up with the CSS style of stuff which sometimes does stupid things (like not recognising that something has actually been filled in because you didn't press at least one key).

  11. wzlbrmf

    They have been hacked in the past

    LastPass has been hacked in the past but, as far as I know, no leaked credentials have been related to this breach so far. This makes me somewhat confident in their overall security architecture since I am always expecting that data will be stolen at some point.

    1. Halfmad

      Re: They have been hacked in the past

      I use it but don't put my e-mail or bank account passwords on it, ever. That way if the worst happens I can recover everything.

      Sure people could order stuff using paypal/amazon etc but it'd be covered under fraud and those are the accounts I'm most likely to change regularly and quickly once I heard lastpass was potentially compromised.

      I clear out lastpass info regularly so there's only sites I give a damn about on there, makes it easier to manage.

  12. Nifty Silver badge

    LMI - who discontinued their free remote control offering at rather short notice and did the same again recently with Cubby. Just don't go on holiday and ignore you emails, or use an email address that you don't monitor often, or you'll be in for a big surprise one day.

  13. DropBear

    My problem with the "vault" model (well other than eggs and baskets) is that it _needs_ to be cloud-based, otherwise it can fill in passwords only on the single device it resides on - typing the truly gibberish passwords that are the whole point of this by hand is just not going to happen; of course, one could try setting up some sort of a personal server or some other DIY scheme of syncing the vault around, but that's too much of a hassle for me - and I would still be locked out of every account I have on any ad-hoc "alien" device.

    I think a USB device masquerading as a keyboard that could type in credentials into any hardware that has a USB socket would be superior - if only the task of requesting a specific password would finally be integrated into one of these - scrolling through passwords with tiny buttons on the USB key itself (as most of these seem to want you to do) is just Not Going To Happen as far as I'm concerned. Also, much too often these keys expect you to keep them secure and have no other means of authentication (unsurprising considering they have practically no UI) which is completely unacceptable IMHO (and no, I don't see potential built-in fingerprint readers as much of an improvement).

    1. anothercynic Silver badge

      @DropBear, like a Yubikey?

    2. Doctor Syntax Silver badge

      'I would still be locked out of every account I have on any ad-hoc "alien" device.'

      You say that like it's a bad thing.

  14. Anonymous Coward

    Passwords, Passwords Everywhere.

    I generally try and use certificates where I can for authentication.

    Especially for stuff like SSH tunnels and the like.

    It's far less annoying than remembering a bunch of long complex passwords.

  15. Christian Berger

    I don't get it either

    I mean there's "pass" the standard unix password manager which simply uses gpg to store your encrypted passwords. Even if you want to sync it you don't need any online service as those are just files. You can simply sync them like any files.

  16. NonSSL-Login

    Subscription vs one off payment

    From talking with friends, a lot of them seem pissed off with the notion of paying monthly for software instead of a one off payment. They would happily pay £50 for Lastpass but do not want to pay £1 a month or whatever it is. They are a bit jaded by Photoshop and other software going that way, so they can continuously milk their customers.

    They seem to be happy with the KeePass or 1Password solutions suggested to them though.

    LastPass were hacked in the past and all the vaults stolen, likely by a state actor who has the resources to crack them. It's the perfect goody bag for them having everyone store their passwords in one place.

    This year it was also found that any website configured correctly could read users' LastPass passwords simply by the user visiting the page, due to an issue with the browser plugin. Who knows how many more unknown bugs there are.

    People are now aware of the mass surveillance on their internet use and the way American companies (and no doubt other countries too) will work with them to give access to all your stuff, so maybe that plays a part too when it comes to giving your passwords to an American company. LastPass got bought out by LogMeIn who had a free service but then gave all customers 7 days' notice that they would have to pay or lose access to the service. Yet another reason why some might not even want to try their free service.

  17. DrXym

    Password Safe

    Download that, use it with a strong password. Password management for free. If you want to use it on multiple devices put the strongly encrypted safe file on dropbox or something like it.
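Bob Vistakin, Allonymous Coward and DrXym all describe the same model, and it is also the answer to phuzz's question about whether a vault on Dropbox "puts all your passwords in the hands of a single cloud provider": the file is encrypted on the client, keyed from the master password plus an optional key file, so the provider only ever holds ciphertext and a stolen copy is useless without both factors. The following is an added example written for this page, not Password Safe, KeePass or LastPass code and not byte-compatible with any of their file formats. It uses Python's standard library only: scrypt over the master password, the key file's hash mixed in as a second factor, and encrypt-then-MAC so a wrongly keyed or tampered file is rejected before any plaintext is produced. The HMAC-SHA256 counter-mode keystream is an assumption made to stay within the stdlib; a real vault should use AES-GCM or ChaCha20-Poly1305 from a vetted library. The sample entry and the key-file bytes are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_vault_key(password: str, salt: bytes, keyfile: Optional[bytes] = None) -> bytes:
    """Factor 1: memory-hard scrypt over the master password.
    Factor 2 (optional): the key file's contents, mixed in by hashing. Without the
    exact key-file bytes the derived key differs, so every MAC check below fails."""
    pw_key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    if keyfile is None:
        return pw_key
    return hashlib.sha256(pw_key + hashlib.sha256(keyfile).digest()).digest()


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the single vault key.
    return (hmac.new(key, b"vault-enc", hashlib.sha256).digest(),
            hmac.new(key, b"vault-mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumption for a stdlib-only illustration: HMAC-SHA256 in counter mode as the PRF keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(plaintext: bytes, password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Returns salt || nonce || ciphertext || tag. This blob is all the sync provider sees."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _subkeys(derive_vault_key(password, salt, keyfile))
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_vault(blob: bytes, password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Verifies the MAC first (encrypt-then-MAC) and only then decrypts."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault file truncated")
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(derive_vault_key(password, salt, keyfile))
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong password/key file, or file tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def vault_opens(blob: bytes, password: str, keyfile: Optional[bytes] = None) -> bool:
    """True if the blob authenticates under this password/key file pair."""
    try:
        open_vault(blob, password, keyfile)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    entries = b"bank.example\tuser\tz8$Qm!2Lp#Vw9sR4\n"   # constructed sample entry
    keyfile = secrets.token_bytes(64)                       # stand-in for the key file that never touches the cloud
    blob = seal_vault(entries, "master passphrase", keyfile)
    print(open_vault(blob, "master passphrase", keyfile) == entries)            # True
    print(vault_opens(blob, "master passphrase", b"not the key file"))          # False: wrong second factor
    print(vault_opens(blob[:-1] + bytes([blob[-1] ^ 1]), "master passphrase", keyfile))  # False: tag mismatch
```

The point of keeping the key file off the cloud is visible in the failure cases: someone who copies the blob from Dropbox and even phishes the master password still cannot derive the key, and anyone who modifies the file in transit is refused before a single byte is decrypted.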

  18. masterofobvious

    Only use it for what you're willing to lose

    I use LastPass, it's extremely convenient, but that doesn't mean I have to use it for everything. I layer my email addresses and passwords - junk combo for throw away sites, medium combo for websites which have no exposure, both in Lastpass. And thirdly my main email address and a strong password based on a sentence which I memorise for banking and sensitive stuff which will never see any sort of password vault ever. If someone hacked my lastpass it would be inconvenient, but they'd get nothing.
