Last year Google Project Zero researcher Tavis Ormandy quickly found some "obvious" security problems in the popular password manager LastPass, and now he's done it again. Last week Ormandy mentioned finding an exploit in one version of its extension for Firefox, before following that up with a new bug that affected both Chrome and Firefox, and finally a third vulnerability that could allow "stealing passwords for any domain."
What is better to use? I researched some but thought after weighing all pros and cons that LastPass was the best. I literally just ordered the Yubico and LastPass premium. I haven't received the key yet or created my LastPass. I also just read how Yubico went closed source. Thoughts? Should I return?
KeePass is good, but it's saved locally rather than in the cloud (which is better from a security standpoint, anyway). If you want it to sync between multiple devices, you'll have to upload it to some kind of cloud storage.
No offence but that statement is ridiculous. How in God's name do you expect people to remember unique passwords to over 100 sites?
It has nothing to do with being lazy, it's just not feasible for the average person to possess a photographic memory.
I use LastPass to manage the passwords for most of the websites I am a member of. However, I resort to memorization for the few passwords I use for key critical resources, such as my main email, bank account, PayPal, Steam account, etc., in total 7 unique strong passwords. If for whatever reason LastPass is compromised, no big deal, I can just change the passwords through email confirmation, which is not tied to my LastPass.
I stopped using LastPass after the last breach. I use PASS with a Firefox plugin and QtPass (also available for Windows) as its GUI. It's better to save passwords locally than in the cloud.
Pick a word or phrase you can remember.
Translate it into a foreign language.
Phonetically spell in language of choice.
Add special character.
Add number.
Add capital letter.
Do this for 1-3 phrases.
Though of course the problem will always be initiative.
Sure, that's great for a few services, but try to remember one of these for each site you use, it's impossible. I use a password manager for the vast majority of sites, but since I switched I've come across quite a few websites that I simply didn't remember signing up for. If I don't even remember using them, how would I ever remember a unique password?
Quote:
Originally Posted by sepiashimmer
Using a password manager itself is a security risk, only the laziest of people use it, I think.
Using a password manager with a password generator is the current best practice, not a security risk. Cloud storage might be a risk, but password managers in general are not.
Quote:
Originally Posted by spinFX
KeePass or KeyPass, one of them is completely local. There is no cloud storage of passwords.
Keep it on a usb stick which then acts as your "key" that you take around with you.
I'm signed up to maybe 2 dozen services and have yet to have any issues remembering their phrases. I have more problems with region locks than I do with passwords.
What point? I have a system too, but that doesn't make it easy to remember, just easier. Two dozen really isn't that many. I have well over 100 accounts.
That doesn't seem like a very good solution in a time where 70% of most people's internet usage is happening on the go. Carrying around all your passwords on your person is an invitation for trouble.
No, that's not how LastPass works. Maybe if everything was just stored in plaintext somewhere (perhaps even on paper?), then yeah. LastPass is backed with a ridiculous amount of encryption and scrambling so that even if the raw data somehow gets accessed, it's still useless without the master password.
As for the browser extension issues, it looks like they jumped in and fixed them ridiculously fast. That's some pretty remarkable support on their part.
That saying does hold true for many things, but it starts falling apart pretty fast when it comes to password management (see the part about "scrambling"). LastPass and services like it are certainly not ideal solutions, but they offer a great balance between security and convenience. In the case of LastPass, they're targeted quite often, but they're also very popular. If anything, that's only strengthened their bragging rights about security. Look at how fast they fixed this specific issue. That was a turnaround of barely half a day, wasn't it? And for a service that's predominantly free. Bugs and unseen vulnerabilities are always inevitable. But they've at least shown solid commitment to nailing them almost immediately. Heck, even the more recent issues for which they've come under fire were mostly caused by the old version of the Firefox addon, which is slated to be discontinued permanently in April. They still fixed the vulnerabilities anyway though, because something something commitment again.
Well you know... we store everything on pen and paper in a fireproof safe.