LastPass?


jtwrace

  • Full Member
  • Posts: 11424
  • www.theintellectualpeoplepodcast.com
    • TIPP YouTube Channel
LastPass?
« on: 24 Feb 2012, 03:49 pm »
Does anyone use this for their passwords? 

Thoughts?

https://lastpass.com/

eclein

  • Volunteer
  • Posts: 4562
  • ..we walk the plank with our eyes wide open!-Gotye
Re: LastPass?
« Reply #1 on: 24 Feb 2012, 08:29 pm »
I have been using it for about 6 months and it's the best software/service of its kind that I've used. I'm probably going to start using the pay service next month. I haven't fully investigated the service yet but so far so good, I like it a lot.

mgalusha

Re: LastPass?
« Reply #2 on: 25 Feb 2012, 03:32 am »
I like it enough to have paid for the premium version.  :thumb:

Just make sure your main password is really strong. Letters, numbers, punctuation, fugly.

toddbagwell

Re: LastPass?
« Reply #3 on: 25 Feb 2012, 02:19 pm »
I've used it for six weeks. It works well and I enjoy not trying to remember challenging passwords!

Todd

mgalusha

Re: LastPass?
« Reply #4 on: 25 Feb 2012, 03:29 pm »
IMO one of the best features is having it generate a unique, nasty password for various sites and then never having to remember it. One of the worst things folks can do is use the same password on multiple places. The scumbags send out phishing email saying your password on sss site has been compromised and you should visit via the 'secure' link provided to reset it. Presto, they have a set of credentials and then just start trying them on various places. What is sad is this is far too successful.

jtwrace

  • Full Member
  • Posts: 11424
  • www.theintellectualpeoplepodcast.com
    • TIPP YouTube Channel
Re: LastPass?
« Reply #5 on: 25 Feb 2012, 11:00 pm »
OK thanks guys.  I've signed up and have been going through all the sites.  I have one site that doesn't autofill no matter what I do.  It will only autofill if I right click on the user name area and then auto fill that way.  It doesn't have the user and password all filled in where I can just log in.

Any ideas?

So far, it seems pretty cool.  If it is actually as secure as they say it will be better. 

Noseyears

  • Restricted
  • Posts: 940
  • SS-Audio
    • Supreme Sound Audio
Re: LastPass?
« Reply #6 on: 29 Feb 2012, 12:42 am »
Maybe there's a wrong setting? Check this thread on the LastPass forums. Hopefully it helps to solve your problem.
http://forums.lastpass.com/viewtopic.php?f=13&t=15399

skunark

  • Full Member
  • Posts: 1434
Re: LastPass?
« Reply #7 on: 29 Feb 2012, 02:26 am »
I would never use an online service or an application to store a password... it's like running with scissors...  For financial sites you should consider getting the RSA dongle or something similar, if your bank doesn't offer it I would suggest moving to one that does or avoid online banking.

wilsynet

  • Full Member
  • Posts: 1228
Re: LastPass?
« Reply #8 on: 29 Feb 2012, 02:39 am »
Here's their more well known competitor:

https://agilebits.com/onepassword

wilsynet

  • Full Member
  • Posts: 1228
Re: LastPass?
« Reply #9 on: 29 Feb 2012, 02:43 am »
I would never use an online service or an application to store a password... it's like running with scissors...  For financial sites you should consider getting the RSA dongle or something similar.

RSA key fobs work well for sites that offer it, but few places other than financial institutions offer such a thing.

What's wrong with using an online service + application to store your passwords?

As you probably know, the way most of this stuff works is that you pick a master password to encrypt the password store.  The password store is synchronized between your devices and backed up to either their service or a third party service (like Dropbox).  If someone breaks into their service, your passwords and keys aren't lost or compromised because it still requires your master password to unlock.

I don't see a significant or intolerable weakness here.

skunark

  • Full Member
  • Posts: 1434
Re: LastPass?
« Reply #10 on: 29 Feb 2012, 03:11 am »
Like any site that has a password they are susceptible to getting hacked.   You can bet that Citibank, Sony and Nintendo all have a "master password" too, and there's just one password to crack to get your list of passwords.   If it's for sites where you don't have anything financially or personally invested, then sure it's probably fine.   

So if LastPass is hacked and you had an account that could 1-click order, sell/send/trade cash that a valid password was used, would LastPass cover any financial loss?  LastPass ToS leads me to believe they are off the hook and that retailer will point out that you violated their ToS, point out it's not their problem and could even cancel your account with them.

I do agree it sucks to keep different passwords for various things and it's even more annoying that most places are moving to a unified login or requiring your email as the username, but caution should be exercised for solutions like LastPass.

wilsynet

  • Full Member
  • Posts: 1228
Re: LastPass?
« Reply #11 on: 29 Feb 2012, 03:46 am »
So if LastPass is hacked and you had an account that could 1-click order, sell/send/trade cash that a valid password was used, would LastPass cover any financial loss?

I don't think I adequately communicated how LastPass and 1Password work.

What happens is that the "password store" (where your passwords go) is encrypted with your "master password".  The master password is not actually stored anywhere -- it's something you have to remember.  Only the encrypted password store is synchronized, copied, or backed up anywhere.  But it's encrypted.

A hacker can hack LastPass all day long and steal all of the encrypted password data.  But the master password is never stored at LastPass, so the hacker would not have the key to unlock the password store.  Of course, it is not impossible to crack the encrypted file, but it is computationally very hard.
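The scheme described in the post above, as an added sketch that is not part of the thread and is not LastPass's or 1Password's actual code: the master password is stretched into a key on the user's machine, and only the sealed record leaves it. The function names, the iteration count and the HMAC-based keystream (a standard-library stand-in for AES) are assumptions of this example.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 200_000  # assumed work factor; real products choose their own


def _derive_keys(master_password: str, salt: bytes):
    # Slow, salted stretch of the master password; nothing here is ever uploaded.
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    enc_key = hmac.new(root, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: standard-library stand-in for AES-CTR.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password: str, entries: dict) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # This record is all a sync service needs to hold: no password, no key.
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_vault(master_password: str, record: dict) -> dict:
    enc_key, mac_key = _derive_keys(master_password, record["salt"])
    body = record["salt"] + record["nonce"] + record["ciphertext"]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong master password or modified vault")
    stream = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return json.loads(_xor(record["ciphertext"], stream))
```

Someone holding a copy of the record can still try master passwords offline, one slow derivation per guess, which is why the strength of the master password matters.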

skunark

  • Full Member
  • Posts: 1434
Re: LastPass?
« Reply #12 on: 29 Feb 2012, 04:03 am »
I don't think I adequately communicated how LastPass and 1Password work.

What happens is that the "password store" (where your passwords go) is encrypted with your "master password".  The master password is not actually stored anywhere -- it's something you have to remember.  Only the encrypted password store is synchronized, copied, or backed up anywhere.  But it's encrypted.

They use something called asymmetric cryptography which is able to encrypt and decrypt data without the computer needing to store a copy of the master password.

A hacker can hack LastPass all day long and steal all of the encrypted password data.  But the master password is never stored at LastPass, so the hacker would not have the key to unlock the password store.

If you want an explanation in more detail, just let me know.

If your computer had a key logger, remote desktop hacked, or any number of ways there are to track what one is typing.    Hopefully LastPass doesn't also sign your keys as there would be two ways to crack the master passwords.

I assumed LastPass resembles PGP encryption, as there's never been a permanent crack; you can review the Wikipedia page about methods that have been reported to access the passphrase.     

It's a lot like using a credit card, increased usage increases the risk of getting it stolen.   
 

JEaton

  • Full Member
  • Posts: 472
Re: LastPass?
« Reply #13 on: 29 Feb 2012, 04:26 am »
IMO one of the best features is having it generate a unique, nasty password for various sites and then never having to remember it. One of the worst things folks can do is use the same password on multiple places. The scumbags send out phishing email saying your password on sss site has been compromised and you should visit via the 'secure' link provided to reset it. Presto, they have a set of credentials and then just start trying them on various places. What is sad is this is far too successful.

I tell this story a lot:

Years ago, I took over the development of a small web site that had a membership signup. Membership didn't do much other than let users manage their email preferences, choosing from a couple of different newsletters and notifications. The original developer chose to store user passwords in plain, unencrypted text. Many of the email addresses were through Yahoo, Hotmail and similar sites. One day, just for grins, I went to Yahoo and started trying to log in using the passwords. At least 1/3rd of them worked.

So, yes, using the same password at multiple sites can be a very dangerous thing to do.




wilsynet

  • Full Member
  • Posts: 1228
Re: LastPass?
« Reply #14 on: 29 Feb 2012, 04:37 am »
First, let me apologize for saying in my earlier post that LastPass likely uses asymmetric cryptography.  Thinking about it more carefully, I don't think that's the case.  Also, I don't think it helped that I was feeling nausea at the time I was writing the previous post.  I edited the posting later, but not before it was quoted.

If your computer had a key logger, remote desktop hacked, or any number of ways there are to track what one is typing.

That's absolutely correct.  But if they have installed malicious software to track what you are typing, then they're stealing your passwords anyway, whether or not you're using a password keeper like 1Password or LastPass.

Even if you're using two-factor authentication like an RSA key fob, if they have installed malicious software on your computer, they can hijack your web browser after you've logged in and do whatever they want.

Having said that, I agree that two factor authentication is better than password only security.  But a lot of this is a balance between ultimate security and good enough security.  You can always use 1Password to store only your non-critical passwords and, say, use an RSA key fob for your bank. 

Or you can trust that if someone has installed a key logger, you're probably compromised in so many ways already that whether you use 1Password or LastPass, it sort of doesn't matter.

For many, 1Password and LastPass, while imperfect, may very well be a *more* secure solution than re-using passwords, writing passwords down, etc.

skunark

  • Full Member
  • Posts: 1434
Re: LastPass?
« Reply #15 on: 29 Feb 2012, 04:51 am »
A key fob changes every 45 seconds or so, so as long as you log out, that account is still secure, unless they crack the key fob.   LastPass doesn't even offer that (but has some sort of 2nd form of authentication but appears to be fixed) and it's like having all your eggs in one basket with absolutely no liability protection if it does get stolen.   

wilsynet

  • Full Member
  • Posts: 1228
Re: LastPass?
« Reply #16 on: 29 Feb 2012, 05:00 am »
A key fob changes every 45 seconds or so, so as long as you log out, that account is still secure, unless they crack the key fob.

I know.  But if they have malware installed, they can detect that you have successfully logged in and after you've done that, they can hijack the secure session.  Yes, you can logout, but between when you've logged in and when you've logged out, they can do whatever they want.  They can also trick you into thinking you've logged out and keep the session active.  This is a *smaller* and less likely window of vulnerability, but I wouldn't say it was 100% safe either.

Also, RSA themselves were compromised some time ago and the seeds used to refresh tokens were stolen.  So a hacker could have key logged your RSA PIN and regenerated the token on demand to log into your bank.  RSA needed to send out new key fobs to many, many of their customers.

Personally, I think LastPass and 1Password make things better for the most common use cases.
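The key-fob points in the two replies above (a code that changes on a timer, and what a stolen seed means), as an added example that is not from the thread. RFC 6238 TOTP stands in here for RSA's proprietary token algorithm; the `Verifier` class, its parameters and the seed value are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

SEED = b"12345678901234567890"  # constructed seed (the RFC 6238 test value)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # Code = truncated HMAC of the current time-step number, keyed by the seed.
    # Anyone holding a copy of the seed computes exactly the same codes,
    # which is why fobs have to be replaced once their seeds leak.
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: accept each time step at most once, with small clock drift."""

    def __init__(self, seed: bytes, step: int = 30, drift: int = 1):
        self.seed, self.step, self.drift = seed, step, drift
        self.last_counter = -1  # highest time step already accepted

    def check(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue  # already used: a keylogged code cannot be replayed
            expected = totp(self.seed, counter * self.step, self.step, len(code))
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False
```

The one-time code protects the login step only; it says nothing about what happens inside the session once the login has succeeded, which is the point made in the reply above.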

NewFitLife

  • Newbie
  • Posts: 1
Re: LastPass?
« Reply #17 on: 1 Mar 2012, 04:48 am »

The best thing about LastPass is that you can use it with a YubiKey.

https://youtube.com/watch_popup?v=4JXzB-mHy2Y

A YubiKey is essentially a USB keyboard on your keychain.  When you press the button, it spits out a long stream of gibberish.  The first half is used to uniquely identify your particular YubiKey.  But, the second-half serves as a one-time password, and is different every single time the button is pressed.  If a keylogger captures this information, it is already expired.

Ideally, you have a "nasty" master password PLUS the YubiKey, so you cannot gain access without both something you have and something that you know.

Both the password and the "ID portion" of the YubiKey output are combined to form the key to your information.  Only the encrypted "blob" is stored in the cloud and synchronized across your devices.  The only known vulnerability is a brute force attack.  (I know, there could be an unknown attack, but I'm willing to take that chance.)

And, I agree with the comment that you might not want to put your "most absolutely critical" financial information in LastPass, just in case.

MaxCast

Re: LastPass?
« Reply #18 on: 2 May 2012, 10:27 am »
... so as long as you log out, that account is still secure...
What happens when you don't log out from a web site?  I never log out from a web site.  I also don't have any of my financial accounts online. 
If you don't log out and leave the page are you more susceptible to getting hacked in any way? 

srb

Re: LastPass?
« Reply #19 on: 2 May 2012, 12:55 pm »
I use a password-protected spreadsheet to store passwords and hyperlinks to the websites.  The file is a hidden file with a non-descriptive filename and unrelated file extension. (not "passwords.xls")

The passwords are all strong passwords that
- are a minimum of eight characters
- contain upper and lower case letters
- contain at least one number and one symbol
- are not words found in a dictionary

I only accept cookies from trusted websites and run active anti-virus and anti-malware software to help prevent keylogging.

I also don't have any of my financial accounts online.

As vigilant as we try to be to protect our personal information, the greatest number of security breaches to financial institution accounts have occurred because the institution's database was hacked, regardless whether or not the user had online access.

Steve