(Lastpass user here) No problem for me
But then I don't trust 100% to cloud services. I have an exported copy of my vault in an encrypted file on my carry-everywhere USB key.
You mean you didn't?
Connectivity issues have left Brits unable to reliably access LastPass, the online password manager service, since Tuesday. In a series of updates to its official support account on Twitter, LastPass suggested that users should use "offline mode" as a workaround. The cause of the problem and when it might be resolved remains …
is why anyone would want an online password manager. It's another one of those cases where the idea of sticking it in the cloud brings little benefit and a ton of downsides, and has just been done 'because we can'.
I want my password manager + DB on a USB stick in a desk drawer, not a datacenter in Stockport.
"So that they can access their list of logins even if they don't have access to their home PC or the drawer containing the USB key I assume."
Well, except for when there's literally any connection problem between you and wherever the hell the company has decided to dump your data. Like, y'know, what just happened.
Combine with that the increased attack vectors when your password DB is always online and relying on the security regime implemented by the work experience kid of passvault company A, which in turn relies on the security regime implemented by the work experience kids at Cloud Company B, and you're looking at a whole bunch of downsides for the sake of not having to carry a 7 gram USB stick around with you.
"Well, except for when there's literally any connection problem between you and wherever the hell the company has decided to dump your data. Like, y'know, what just happened."
Which is why LastPass has an offline mode which uses the cached local copy of the database so that users can still retrieve their passwords. On iOS this local DB is on the encrypted file system as well as being encrypted itself so well protected against breach.
While you can encrypt your USB key, can you always run the tool to gain access to the data? I know of no employer where I can connect my USB key to their PC, let alone run the app to access it, so a USB key pretty much means I would have no access to my passwords during working hours.
Ultimately I don't store any critical passwords anywhere, I memorise them. It's the myriad of relatively trivial passwords in the password safe.
"(Or for businesses, so they can share credentials between several users, and revoke them at will etc.)"
Mmmm yes and no, 'cause I certainly would want to have that server on-premise. And while provisioning random passwords into users' stores might be interesting, you can't deprovision a password clientside.
And yes, I have briefly considered looking for site licenses for password managers with support for the big 3+2 platforms while our glorious unified identity management approaches production with all the tenacity of a shambling glacier using Apple Maps, at which point our dozens of systems will develop new, exciting tentacles to delightify the user experience of around 30k people. (AC for obvious reasons)
For credentials used on portable/multiple devices, cloud should only be used for distribution of securely pre-encrypted logins, with a local, still-encrypted cache and available temporary space for downloading, encrypted, timestamped/versioned updates, so that on-line login database access issues do not prevent use of older logins unless invalidated by expiry data.
Sharing logins is WTF stupid, because it does not allow proper, separate, user-level audit-logging and lock-out, so multiplies vulnerability, and multiplies inconvenience if a shared login must be replaced. If shared credentials can't be avoided for use of something, it must be protected by a separate login access layer hiding those credentials from users!
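The distribution model sketched in the post above (the cloud only carries records already encrypted on the client, a still-encrypted local cache keeps older versions usable during an outage, and expiry invalidates them) as an added Python example; it is not the poster's code nor any product's, and VaultEntry, LocalCache, resolve and the two sample remotes are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class VaultEntry:
    site: str
    version: int               # per-site counter; a higher version always wins
    expires_at: Optional[int]  # unix seconds, None = no expiry
    ciphertext: bytes          # sealed client-side before upload; never decrypted here

class RemoteUnavailable(Exception):
    """Raised when the distribution service cannot be reached."""

class LocalCache:
    def __init__(self) -> None:
        self._entries: Dict[str, VaultEntry] = {}

    def merge(self, updates: List[VaultEntry]) -> int:
        """Accept only records newer than the cached copy (no replay/downgrade)."""
        accepted = 0
        for upd in updates:
            cur = self._entries.get(upd.site)
            if cur is None or upd.version > cur.version:
                self._entries[upd.site] = upd
                accepted += 1
        return accepted

    def lookup(self, site: str, now: int) -> Optional[VaultEntry]:
        """Return the cached entry unless its expiry has passed."""
        e = self._entries.get(site)
        if e is None or (e.expires_at is not None and now >= e.expires_at):
            return None
        return e

def resolve(cache: LocalCache, fetch: Callable[[], List[VaultEntry]],
            site: str, now: int) -> Optional[VaultEntry]:
    """Pull updates if the service answers; otherwise serve the cached copy."""
    try:
        cache.merge(fetch())
    except RemoteUnavailable:
        pass  # offline: older entries stay usable until they expire
    return cache.lookup(site, now)

# Constructed sample remotes (hypothetical, illustration only)
def remote_down() -> List[VaultEntry]:
    raise RemoteUnavailable("connection refused")

def remote_up() -> List[VaultEntry]:
    return [VaultEntry("example.com", 2, None, b"ct-v2"),
            VaultEntry("example.com", 1, None, b"ct-replayed-v1")]
```

The merge step is the defensive detail: a record the service replays with an older version number is discarded rather than rolling the local copy back.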
The Mooltipass link worked for me. It expects you to carry a smart card, a dongle, and (to use with a phone) a USB cable. I'm not convinced it's easier to use than, say, KeePass, which is software you can keep installed on any device that needs it, with an archive replicated via Dropbox or similar.
Pretty neat, but it's another case of preaching to the choir.
Given the technical ability of the general public, it's far too fiddly. So the end result is it will mainly be used by the people who really don't need it, as they will already be aware of best-practices.
Same as password managers in general. Most folk I know who use them are well aware of the pitfalls and mitigate around them. The folk that don't use password managers are - again generally - completely unsavvy about password hygiene anyway.
Reminds me of an Ian Anderson quip at a Jethro Tull gig many years ago ...
(holding up signature guitar)
"Isn't it funny that when you can afford them, people give them to you for free"
>>>[LastPass] In a series of updates to its official support account on Twitter...
... whilst ignoring the countless "Last Pass not Working" threads on its support forums. Obviously sound-biting on Twatter is much more hipster and cool than actually directly addressing your paying customers' concerns.