LastPass Password Manager

[PedroDaGr8]

So recently, there were some reports that Spotify might have had some of their passwords compromised. While it appears these leaked passwords might be through another service (reused logins and passwords)I decided to get proactive about my passwords.I knew for a long time reusing passwords and using weak passwords was stupid, it is HORRIBLE operational security and just plain dangerous. It was down to, Dashlane and LastPass, I ended up going with LastPass Premium mainly because it did what I wanted cheaply (Dashlane is $40/yr compared to $12/yr for LastPass). For $1/mo I get a password manager that works on my PC as well as my Android phone. If you only need the PC functionality then the service is entirelfree; so far I have to say it works brilliantly and is worth the $1/mo. Works quite well, the new password generator works very well and easily. It can also change weak passwords on a lot of sites for you automatically (this is more hit or miss, some sites it thinks it can, but fails). Overall, I now have all of my bank account passwords and the like individual. unique and secure; they all look something like this: R$bd%G&DD*mXfOfd@Az1rR(Yc2Gmv3rk. It has a few other nice features that can be useful in certain environments. For example, you can share login information with another lastpass user without them ever being able to see the login info; as a result, you can easily withdraw access as well. It also allows for two-factor authentication to help increase security. All in all, I feel MUCH better about my password security now. I remember one complex password (which is easy enough to do with a bit of work) and I am safe and secure.

[Darrell KSR]

Overall, I now have all of my bank account passwords and the like individual. unique and secure; they all look something like this: R$bd%G&DD*mXfOfd@Az1rR(Yc2Gmv3rk.

My son has been password sensitive for years, with all of his passwords looking like that, too--except his banking password. His bank permits 12 digit, alphanumeric passwords ONLY.

Here's a copy of what he sent the bank yesterday in a "satisfaction survey" they sent to him. Lest you think this is some little podunk bank--this in the NBA bank, and the bank that formerly sponsored the Birmingham Bowl (BBVA Compass).

BBVA SURVEY.jpg

[PedroDaGr8]

My son has been password sensitive for years, with all of his passwords looking like that, too--except his banking password. His bank permits 12 digit, alphanumeric passwords ONLY.

Here's a copy of what he sent the bank yesterday in a "satisfaction survey" they sent to him. Lest you think this is some little podunk bank--this in the NBA bank, and the bank that formerly sponsored the Birmingham Bowl (BBVA Compass).

BBVA SURVEY.jpg

Very well written and well thought out and everything he says is 100% correct! it is remarkable that their password limits are SO weak. Stunning actually.

[KSRBEvans]

Pedro--I've been wanting to try LastPass but want to be able to access websites from my work computer. Do you have to install something from LastPass on the computer?

I really wish we could go to a fingerprint reader model. More of the business apps (banks, insurance, etc.) are using it for mobile devices and I really like that. Secure and convenient. Wish we could do this on computers, too. I know some computers have fingerprint readers, but most don't and websites usually don't have fingerprint ID.

[PedroDaGr8]

Pedro--I've been wanting to try LastPass but want to be able to access websites from my work computer. Do you have to install something from LastPass on the computer?

I really wish we could go to a fingerprint reader model. More of the business apps (banks, insurance, etc.) are using it for mobile devices and I really like that. Secure and convenient. Wish we could do this on computers, too. I know some computers have fingerprint readers, but most don't and websites usually don't have fingerprint ID.

You can either use the online password vault or there is an installer that installs an extension into chrome/firefox/IE. It doesn't seem to require admin priviledges so it should install on your work PC just fine. Otherwise, if you use Chrome (which has an installer that still works on almost all work computers, you can install the extension right from inside chrome).

Fingerprints are not a bad idea, still fakeable but not as easily.

[PedroDaGr8]

Several more HUGE password breaches were just announced: Tumblr, MySpace and Fling. That is along with the LinkedIn breach. Makes it the 5th largest password release EVER. This stuff is serious folks. Over 360 million passwords in that myspace breach alone.

[CitizenBBN]

Tom is so going to get his identity stolen.

I have to look into the lastpass. Not sure how it works, need to edumacate myself.

[PedroDaGr8]

It is pretty good, not perfect but good enough. They offer a free plugin and account for PCs and if you want mobile function it is like $1/mo. I have converted a few people over to it and it works REALLY well. Namely, my mom uses it now instead of carrying around her big book o' passwords in her purse (yes she did that until last month).

THe biggest bug is when it saves a site that you just added you need to double check that it saved the right info. Some sites it will not save the password or it will save your email address instead of the username. Honestly, it is pretty easy to check and do. As for entering passwords into sites it works flawlessly. Also, the integrated password generator works REALLY damn well. Most of my passwords are now 20-32 characters (full mix of upper case, lower case, numbers and symbols)

[CitizenBBN]

OK, I looked at lastpass. It seems to me that the problem here is that as these sites get hacked that your password is exposed, so it's not about having a great password they can't guess, but about not having that password used other places that they can then jump around and get to other things.

Sound like a fair summary?

The good news is I already scramble passwords across sites, and I have them in general categories so I have a couple of throwaways for non-critical sites, things that have no card info and such, then the passwords get tougher and less reused as we go up the scale. for things like bank accounts every login is different, even different emails.

I keep all of those in a file on one computer and that file is encrypted. So I kinda do what lastpass does in a way. Maybe not with generated passwords, but the basic concept seems the same.

[PedroDaGr8]

Fair summary, I use a very secure password for LastPass and for me the convenience outweighs the risk.

You might be happier with KeePass instead. I thought about suggesting that to you but forgot.

It is OpenSource, you store the KeePass file on your computer and you can use a variety of programs with it. Just an alternate option.

[CitizenBBN]

I'll check it out. Right now I just use a text file but encrypted with blowfish.

[Jeeepcat]

What is the risk of the provider site being hacked and allowing access to every password you have?

[PedroDaGr8]

What is the risk of the provider site being hacked and allowing access to every password you have?

They have actually been hacked before and the hackers got nothing. Their encryption was used properly and all of the passwords were hashed with AES256 so they basically had huge files of gibberish. So there was nothing for them to get. Now if you use a weak main password, then all bets are off. I should mention also that LastPass allows two-factor authentication. This means that it isn't enough to crack your password, that you have another means of verifying identity. They allow LastPass Authenticator(using the smartphone app), Google Authenticator, Toopher, Duo, Transakt and Grid for Free Users. For premium users they allow YubiKey (USB Device that generates one-time ID codes), fingerprint/smartcard authentication and sesame. Basically, if you are worried about your password being cracked, using two-factor authentication basically makes this virtually impossible. Even if they get your password, this means they have to crack the other half still to break into your account. The other factor is not based on a single static unchanging entry like a password, the second factor is based on a continuously changing code system. Meaning they have to hit a moving target which is virtually impossible.

Also, CBBN in a discussion on another site I read something that applied to you. Someone was doing something similar and someone responded: "your encrypted file is secure until you de-encrypt. Then your entire file is loaded unencrypted directly into memory, allowing any malicious programs to see your passwords in clear text." Apparently, it is very common for malware to try to find passwords in memory due to some programs using shoddy security. I should caveat this statement and say that this is just what I read as part of the discussion, I have no direct knowledge on this aspect. As a result of this though, most password managers obfuscate the passwords even in memory. I know that KeePass does this.

[CitizenBBN]

Makes sense Pedro. I'll check out keepass, that sounds like a good option for me.

[CGWildcat]

My bank contacted me thursday night. Wondering if I had made transfers from the UK and Ireland, plus a bunch of activity with Verizon and Boost Mobile, not to mention a bunch of google game purchases over the last few hours and a western union transfer. F&E#^s Luckily it was my separate account and not our joint. They still got about 700 bucks, USAA is putting back in my account, but of course takes up to 5 days.

[PedroDaGr8]

My bank contacted me thursday night. Wondering if I had made transfers from the UK and Ireland, plus a bunch of activity with Verizon and Boost Mobile, not to mention a bunch of google game purchases over the last few hours and a western union transfer. F&E#^s Luckily it was my separate account and not our joint. They still got about 700 bucks, USAA is putting back in my account, but of course takes up to 5 days.

This will be an odd question but by any chance do you use TeamViewer? It got hacked recently and I currently advise everyone to uninstall the software. The hackers can control computers and using thr passwords on the computers to order iTunes gift cards, transfer money with PayPal, etc.

Otherwise I wonder if you were part of the MySpace/LinkedIn hack. My bank account password is now the maximum entropy they allow and not even remotely shared with any other site.

I have heard great things about USAA I'm sure they will make you right soon.



Sent from my LG-ls990 using Tapatalk

[CGWildcat]

This will be an odd question but by any chance do you use TeamViewer? It got hacked recently and I currently advise everyone to uninstall the software. The hackers can control computers and using thr passwords on the computers to order iTunes gift cards, transfer money with PayPal, etc.

Otherwise I wonder if you were part of the MySpace/LinkedIn hack. My bank account password is now the maximum entropy they allow and not even remotely shared with any other site.

I have heard great things about USAA I'm sure they will make you right soon.



Sent from my LG-ls990 using Tapatalk

No, I'm not familiar with TeamViewer at all. I believe somewhere along the way I got lazy and left something open and vulnerable.

[Darrell KSR]

KeePass vulnerability?

http://lifehacker.com/keepass-vulner...-pa-1781486764

[CitizenBBN]

Apparently they say they can't move to https right now. No idea why that would be the case other than being on some hosted site that doesn't allow https setup.

[UKFlounder]

My desktop computer is kaput and all I currently use is a tablet. Do any of these work for tablet only? I tried one, maybe lastpass, and it needed access to my desktop, but that is not available.

[PedroDaGr8]

Apparently they say they can't move to https right now. No idea why that would be the case other than being on some hosted site that doesn't allow https setup.

Likely one of the dependencies in KeyPass is the reason, the dependency doesn't support HTTPS for some reason. They are likely looking for other options but at this time that might require a signficant rewrite. This is honestly not THAT big of a deal if you keep things up to date yourself.

My desktop computer is kaput and all I currently use is a tablet. Do any of these work for tablet only? I tried one, maybe lastpass, and it needed access to my desktop, but that is not available.

Lastpass works just fine on my phone, but I use it strictly for password entry. On the phone does require the $1/mo premium option.

[Darrell KSR]

Likely one of the dependencies in KeyPass is the reason, the dependency doesn't support HTTPS for some reason. They are likely looking for other options but at this time that might require a signficant rewrite. This is honestly not THAT big of a deal if you keep things up to date yourself.

What does this part mean, Pedro?

I'm going to join the ranks of something like this very soon. LastPass is leading, but KeyPass had my attention because the price was even better (free!). I'll be fine with free if whatever keeping things up to date yourself is pretty simple, but maybe not if it requires effort or brainpower, neither of which I possess much of these days.

[PedroDaGr8]

What does this part mean, Pedro?

I'm going to join the ranks of something like this very soon. LastPass is leading, but KeyPass had my attention because the price was even better (free!). I'll be fine with free if whatever keeping things up to date yourself is pretty simple, but maybe not if it requires effort or brainpower, neither of which I possess much of these days.

KeyPass is not NEARLY as user-friendly as services like LastPass. Basically, what I mean by keeping it up to date yourself means going to the website, downloading the updates, confirming their integrity, etc.

[Darrell KSR]

KeyPass is not NEARLY as user-friendly as services like LastPass. Basically, what I mean by keeping it up to date yourself means going to the website, downloading the updates, confirming their integrity, etc.

Yech.

[CitizenBBN]

Yech.

Big baby.

[PedroDaGr8]

Yech.

yeah, KeyPass is intended more for people like CBBN because it is so customizable and everything is in the end users control. That being said, it is not really intended for the every day user.

Another nice thing I found out about LastPass (1Password likely has a similar function) is that I can unlock it using the fingerprint reader on my new phone, instead of entering the password. This makes using it much easier (though the password can still be entered if need be).

[UKFlounder]

Thanks Pedro. My memory was wrong - it was not Lastpass I had tried before, but I will now.

[CitizenBBN]

Thanks Pedro. My memory was wrong - it was not Lastpass I had tried before, but I will now.

This brings up an interesting point. I could really use a lastpass type solution for my memory itself.

[Darrell KSR]

Now free to use across multiple platforms!

http://lifehacker.com/you-can-now-us...ree-1788458452

[PedroDaGr8]

Right before going to bed, I received notice that my Uber password had been changed. Admittedly, this was one of my weak, heavily reused passwords. I am not sure how they got a hold of it, but my suspicion is a rogue wifi hotspot (long story but I think it happened with my fiancee at her home airport in Vietnam, as she used my Uber account to get to her sisters house). Anyways, no more than 5 minutes after that, I start getting around a dozen two-factor authentication SMS messages from my bank, saying someone was trying to logon from an unknown device. I think the fact my bank requires 2FA by default (2FA = two factor authentication, where you have to enter a code from an SMS to login) truly saved my ass. I also had 2FA enabled on my google account, the person tried to access that as well. So far so good, but I will be watching my accounts for the next couple of weeks like a hawk. Preemptively, I have gone ahead and changed all of my financial services passwords. I just wrote this post to remind everyone, that a good password alone is NOT enough. Enable two-factor authentication on all of your important accounts. Yes it takes you 20 seconds longer to login, but it might just save you from a catastrophe.

Two-factor authentication can be anything from an SMS you receive on your phone, to a dongle that generates one-time codes, dongles that plug-in or connect to your computer/phone via bluetooth, apps on your phone that generate one-time use codes, etc. Google has its own free Google Authenticator 2FA app, which is included in most sites that support 2FA.