
Been considering LastPass for a good while...maybe it's time to give it a go. Thx for the vid!

Link to comment
Share on other sites


Is LastPass a good program that works for the average person without requiring any technical skill to use? Yes. Is LastPass a step in the right direction when it comes to security policy? Not really.

We have seen the level of sophistication around code such as Stuxnet, and since there is no transparency in the code used for LastPass, locally or server side, you would never know unless it was disclosed publicly if your info was compromised or the program had a vuln (credit for how they handled the previous incident linked above). No one can say your info is safe in the cloud. This is because they are using security standards in proprietary code. When it comes to things like AES it has been known that the weakest link is the actual implementation of AES and not AES itself. The attack vector is the developers' implementation of the security functions, and in a closed environment with proprietary code we do not know what checks and balances are in place for code development and similar unless the developers agree to sign up to meet certain standards of development and testing.

That is why I personally think open source is the only choice when it comes to the implementation of things like AES. The code has to be open to scrutiny from experts in the field. Example: TrueCrypt

But also meeting certain standards or peer review is acceptable to some extent. Sort of depends on your needs.

Phil Zimmermann:

"I'm a firm believer in publishing the source code for cryptographic software for peer review, to build public confidence that it contains no back doors, a tradition I started in 1991 with PGP. PGP is a proprietary product, even though the source code is available for peer review. Publishing the source code for peer review is not the same as making it available under an open source license."

I do like the idea of LastPass but I do not think it is an acceptable compromise when compared to, say, the experience of Roboform (unpatched) and lack of known exploitable vulns or the open-source KeePass for managing a master database of valuable info. For that I use KeePass. With all the news about Android key loggers, government-sanctioned spying, do you really think the cloud is the place for this kind of info to be? It is like Facebook all over again.

And on the actual video, he does not mention that there is no easy way to manage local backups of info or that the local encryption is done through Java in the browser. So this is really an "I like it because it is shiny" review and has no bearing on its merits as a security/privacy application.

Link to comment
Share on other sites

Nothing is completely secure and any site can get hacked. That said, I don't think LastPass is any less secure than any other third party account which has access to one or more of your encrypted passwords. However unlikely, there is always a danger that somebody can get in and steal something.

Basically it's a matter of trust and I need to trust the companies behind the security software I use, whether it be AV, anti-malware, firewall, operating system, or password encryption. I was an avid Roboform user and recommended it right up until they reneged, with no warning, on their lifetime license promise. Siber Systems are a bunch of liars, so why should I trust them with my personal passwords? Fortunately LastPass can (with some effort) import all your Roboform passwords and you can, if you want, get rid of Roboform and transfer all Roboform's functionality to LastPass.

It's a personal choice and for now, I'm pleased with LastPass.

And if LastPass is secure enough for shajt, it's safe enough for me.

Link to comment
Share on other sites

Well, I don't know whether it is bulletproof or not; what I like about it is that I can use it on different platforms.

Makes life easier.

Plus, I don't really care if someone hacks my passwords for forums, Skype, Twitter, Google, YouTube and such.

For banking and everything else dealing with money, I use my memory for passwords :D

Besides, I think LastPass is secure enough and tough to break. Even if you hack their servers you still need to decrypt the encrypted passwords, and if your master password is long enough then that task is close to impossible.

Link to comment
Share on other sites

  • Administrator

And we have it frontpaged too. :)

Agreed. Having a powerful master password is enough. LastPass also has things in offline mode.

Link to comment
Share on other sites

Fwiw...the login deets and other data are encrypted client side before ever being sent to their servers...takes away some of the worry in my mind anyway.

Link to comment
Share on other sites

I've been using this for ages.

I have over 50 stored pages/forums from all around the internet (with some personal information) and my data has never been affected.

Email/passwords & stuff like my name/address are logged into LastPass (anything to do with my bank card is typed manually).

I love this addon over the basic Firefox password manager!

It does have some issues with the betas/unstable builds of Firefox - sometimes LastPass "times out" and tells you that you need to log back in.

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.
