Batu69 posted September 6, 2016:

Don't use LastPass to generate your passwords. Or if you do, do not trust the handy strength meter. Password strength meters are notoriously unreliable and LastPass is unfortunately no exception. Depending on what options are configured, the password strength meter inside the LastPass browser plugin, or at lastpass.com, will give completely misleading estimates. For instance, generating a purely numeric 14-digit password results in a green strength bar, although such a password is in fact extremely weak: with just 46 bits of entropy, it would be brute-forced in minutes by even a modest cracking rig. Don't get burned. Just use a proper, native password manager.

PS. I had a pretty bad experience reporting a previous vulnerability to LastPass, so I won't bother doing that again, until they give their bug bounty program more attention.

Article source
Holmes posted September 6, 2016:

It says don't use the LastPass strength meter; it doesn't say don't use LastPass. Change the title of the thread, it's misleading. At the bottom it says don't get burned, use a proper native password manager. Again: don't use the strength meter, you can use LastPass. This article is stupid as hell.
tiliarou posted September 6, 2016:

What is worrying is the last statement: "PS. I had a pretty bad experience reporting a previous vulnerability to LastPass, so I won't bother doing that again, until they give their bug bounty program more attention." Which could mean that they don't care about reported bugs and/or are too slow to react. Or maybe the guy is just complaining for no bounty?
jango posted September 6, 2016:

Do you have a recommended LastPass alternative?
Vakdan posted September 6, 2016:

KeePass
Batu69 (author) posted September 6, 2016:

> 1 hour ago, jango said: Do you have a recommended LastPass alternative?

If you ask me, sorry, I'm not using any password manager; maybe KeePass is good, as suggested by vlefteriss.
voidoid posted September 6, 2016:

+1 for KeePass. Free, cross-platform including Android, and it has always worked well over the 5 years or so that I have been using it.
SnakeMasteR posted September 6, 2016:

He seems mad because LastPass didn't grant him several thousand dollars in bug bounty. In regard to the meter, it's a pretty valid complaint; the blog reads: "The strength meter uses an algorithm that measures unique characters as well as number of different characters such as letters, numbers, symbols, including uppercase and lowercase."

https://blog.lastpass.com/2012/02/resolutions-with-lastpass-10-strengthen-your-master-password.html/
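The two claims above, the article's "46 bits of entropy" for a 14-digit password and the blog's class-counting meter, can be checked side by side. The following is an added example, not code from the article, the thread or LastPass: `naive_meter` is a constructed stand-in that scores only on unique characters and class count, as the quoted blog post describes; the 1e11 guesses/second rate and the weak/moderate/strong thresholds are this example's own assumptions.

```python
import math

# Character classes; the alphabet size is the sum of every class present.
CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?/",
}

def classes_present(password):
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]

def charset_size(password):
    """Size of the smallest class-union alphabet containing every character."""
    return sum(len(CLASSES[name]) for name in classes_present(password))

def entropy_bits(password):
    """Entropy of a password drawn uniformly from that alphabet. Only valid
    for generator output; human-chosen strings carry far less."""
    return len(password) * math.log2(charset_size(password))

def expected_crack_seconds(bits, guesses_per_second):
    """Average brute-force time: half the keyspace at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second

def naive_meter(password):
    """Constructed stand-in for a class-counting meter: it looks only at
    unique characters and how many classes appear, so keyspace size never
    enters and a long all-digit string still scores green."""
    score = len(set(password)) * 5 + len(classes_present(password)) * 10
    return "green" if score >= 50 else "yellow" if score >= 30 else "red"

def entropy_rating(password, guesses_per_second=1e11):
    """Rating from brute-force cost; rate and thresholds are assumptions."""
    secs = expected_crack_seconds(entropy_bits(password), guesses_per_second)
    if secs < 86400:                 # cracked within a day
        return "weak"
    if secs < 86400 * 365 * 100:     # cracked within a century
        return "moderate"
    return "strong"

if __name__ == "__main__":
    # Constructed samples: the 14-digit case from the article and a
    # 14-character mixed-class password of the same length.
    for pw in ["48213907561248", "q7R!mZ2#xL9@vB"]:
        print(pw, charset_size(pw), round(entropy_bits(pw), 1),
              naive_meter(pw), entropy_rating(pw))
```

Both samples come out green on the class-counting meter, but the all-digit one has about 46.5 bits and an expected crack time of minutes at the assumed rate, while the mixed one has about 90 bits.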
straycat19 posted September 6, 2016:

There was an article posted here in the last couple of weeks about password security and recommendations made by an original member of L0pht. In that article he stated that passwords 15 characters long were 3 million times as secure as an 8-character password that included lower and upper case, numerals, and symbols. This has to do with the 25-year-old encryption technology in Windows. So while you may not think that number in the original post is secure, it will take far longer to break than you think, because all the password breakers use an algorithm that includes lower case, upper case, numerals, and symbols, and it goes through them in that order replacing one character each time, starting out usually with a 3-character password and working up to whatever maximum the user defines. It isn't as easy or simple as some make it out to be and requires a very fast dedicated computer. I think the original author just has a corncob up his ass and is showing a lack of knowledge on password length in relation to security. I have never used LastPass; we recommend KeePass and require it for all our users, but I wouldn't bash it because it says 14 characters is strong, because that is pretty accurate. Just don't make the 14 characters 012345676543210, which, if you knew a system required 14 characters, would be a natural guess, such as 123456, password, pass, etc.
Sylence posted September 6, 2016:

A more secure alternative would be closing your eyes and typing on the keyboard using (shift + numbers + space + uppercase + lowercase + symbols + switching between different writing languages) buttons to make at least a 20-character random password for each and every site, and saving them to a text document and encrypting it. There you go.
DKT27 (Administrator) posted September 6, 2016:

I think the argument that LastPass thinks that just numerical letters make for a good password is surprising in itself. It does not matter if it's easier to hack or not; it's just surprising LastPass can suggest such things to be fine here.