Internet Security LastPass

I use a free password tool for both my pc and phone. LastPass.com. You set up a master password and that is the only pw you need to know. Your pw’s are encrypted and remembers all your sites. It has extension for most browsers and works with phone apps as well. It can generate random passwords and user names and stores them online or locally.

If you are using the same username and password every where you are a perfect hacker target. For my financial sites I require the master password for those sites so if some one has access to your PC or phone they cannot just login to your accounts.

This app has simplified my digital life. There are several like fast lane and others.

LastPass also has secure notes so you can store your answering machine pw and my gun safe combination and other info like a garage door combo.

Do your self a favor and take internet security serious and use random usernames and passwords.

I agree - we should treat internet security seriously.

The only secure option, which unfortunately is mentally taxing, is to use different complex passphrases (not passwords) that are very long that are only known inside your head, and to enable two-factor authentication wherever possible.

The above solution sounds nice, but if I understand correctly, there is one inside-your-head master password that accesses a bank account but has also shared with a random online third party (lastpass.com). And only this third party (lastpass.com) knows all the passwords. In some way this just defers the security mistakes to an online entity. And these are never hacked or have data breaches, of course.

1 Like

It’s a complicated set of trade offs on not just the technology but also your likely human behaviour, a password manager of some sort is likely much better than none but which passwords to keep in it, which one to use and which devices to allow access is where the interesting questions lie. The key thing to remember if you use a password manager is that if the device you use it on is compromised, in most cases so is the password manager. A well implemented password manager does not allow the service operator to access any of your passwords, e.g. 1password

Here’s a post from Bruce Schneier (who literally wrote the books on crypto and security) https://www.schneier.com/blog/archives/2019/06/risks_of_passwo.html where he says:

My particular choices about security and risk is to only store passwords on my computer — not on my phone — and not to put anything in the cloud. In my way of thinking, that reduces the risks of a password manager considerably. Yes, there are losses in convenience.

The article his post links to;


is somewhat more detailed and security focussed review of the various options.

and just to be clear, I’m not suggesting that anyone here is in the “self proclaimed experts” category of his ranty first sentence.

I switched to Mooltipass a couple of years ago. It is a bit cumbersome to use with your mobile phone, with a USB cable when you are on the go, but they are coming out with a Bluetooth version of it early next year.

I’m a big fan of password managers but not so much Lastpass, as it’s commercial and closed-source. My strong preference is for Bitwarden which is open-source and self-hostable for those that prefer to do so.

This is a bit off. The third party doesn’t actually “know” the passwords. End-to-end encryption is applied to the passwords so that only your own devices ever see the passwords themselves.

This does apply somewhat but it’s not possible to just compromise Lastpass, you’d need to use your compromise of Lastpass to compromise Lastpass’s customers. Just getting access to the servers/databases wouldn’t be enough, you’d also need to compromise it to the point where you have the ability to push out a malicious update to all the clients (browser extensions, Android apps) that decrypts the passwords and sends them wherever you want to receive them.

This isn’t a defence of Lastpass, as I said, I prefer Bitwarden, but Lastpass isn’t the same as say putting all your passwords in a spreadsheet in Dropbox.

Whatever you do do something. I used to work on computers at people’s homes (Apple) and using your first initial and last name gives thieves half your credentials without even trying. Then simple phrases, address, pet name etc for pw is also easy pickens.

The most dangerous thing that you can do is use the same username and password everywhere. This site is hosted by a third party and maybe thier security is good but if our membership database is stolen thieves just got access to every online account you have. Just because you were lazy you could loose everything. How many little shopping sites have your login info and self host with basically a screen door for security on thier database. Wise up and change your behavior before you find out the hard way.

1 Like

As with anything, there are pros and cons to using a password manager. I use LastPass myself but I’m choosy about where I log into it from (never from my work computer) and I’m aware of the risks and tradeoffs (I’m an IT professional with 40 years experience).

If…

  • you only use it from safe, trusted computers (i.e. your home computer with good, up-to-date Antivirus and firewall software installed)
  • you NEVER, EVER, EVER use it from untrusted computers (i.e. public libraries, work, etc)
  • you NEVER, EVER, EVER login to it over public WiFi without using a GOOD VPN program
  • you choose a fairly gnarly master password to use to log into your password manager
  • you NEVER, EVER, EVER write that password down
  • you accept that, if you lose that password, you have to go change your password with EVERY SINGLE WEBSITE you log into
  • you understand that this is still not 100% reliable and safe

then go ahead and use a password manager. Otherwise, don’t bother. You’re practicing security theater, not real security.

BTW, that “still not 100% reliable and safe” proviso…real, hard-core crackers can still crack your accounts even if you use 15 character, upper case, lower case, special character, numeric passwords. It just takes them longer…or causes them to social engineer you if they really want to hit you. Using a password manager is akin to getting a security system for your house. The real pros can still get in. The amateurs will move on to lower hanging fruit.

Just my opinion… Oh…and anywhere Bruce Schneier disagrees with me, go with HIS advice over mine. I’m a general IT guy. He is THE IT security expert.

The other recommendations make sense but I’d change this one to “use the native apps and browser extensions, never the web app”.

With a hostile WiFi network, your main opponents are DNS spoofing and connection downgrade attacks, both of which can be combatted through proper application of TLS (making sure that the connection is HTTPS whether the server says it wants it or not and making sure the certificate is valid).

The native apps and extensions should ensure that TLS is being used properly for the connection, so they’ll combat any spoofing or downgrading attempts that a hostile WiFi network might be attempting.

I’d consider a VPN to be a reduction in security, even on a public WiFi network, unless that VPN connects you to a network you can truly trust, like your employer’s network or your own home network. Retail VPN services are no better than public WiFi in my opinion, if not worse.

I disagree. Even if you don’t practice that level of security, a password manager can be an improvement on the approach many people have: just use the same password for literally everything. At least with the password manager, you only lose your passwords if your password manager is compromised. With password reuse, you lose your password if that little forum you signed up to 10 years ago when you were 15 is compromised.

Assuming the character set is 96 characters and truly random, that’s 96^15 different combinations, which is 5.42 x 10^29. Even with a weak hash like NTLM and a beast of a system to crack it, we’re still only looking at 330 GH/s, so to crack a 15-character password would take 52 billion years. “It just takes them longer” is a bit of an understatement :slight_smile:

Real, hard-core hackers (i.e. nation states) can definitely crack your passwords no matter the length, they just use more… Traditional… Means of extracting them.

2 Likes

I agree with you about using the local app or browser extension. But I’d still fire up a VPN connection first. The password you type in to the local app is still communicated back home for verification. And a VPN isn’t really supposed to protect you end-to-end. What it does do is encrypt your communication locally and then dump them out far away. So the guy sniffing WiFi in your local Starbucks can’t get anything that happens to be sent in the clear - encrypted passwords get essentially double-encrypted.

But again…the idea is to not be low-hanging fruit. Make yourself hard enough to hack that the script-kiddies and amateurs look elsewhere.

Try searching on google for “lastpass vunerabilities”. Often there’s no need for malicious external entities to compromise them. They can make enough mistakes themselves.

I’ve worked in similar companies. Everyone there is a good guy and has the best interests of their customers at heart, but often this means they take self-confident liberties with their customer’s data. It’s not stretching reality to suggest that someone at lastpass has seen clear-text versions of a random customer’s passwords at some stage during a feature rollout or testing. I’ve certainly seen lots of data I know I wasn’t supposed to see.

I’m sure these are fine solutions and the faults are rare. I was just trying to examine the wisdom of the notion of trusting an arbitrary cloud entity with the sensitive things you don’t trust yourself to manage.

1 Like

Over a TLS connection, so it’s irrelevant what kind of network you’re using and what kind of trust level it has. You should be able to log in to your password manager using a native app or browser extension on the floor of DEFCON.

These days you can even (and perhaps should) protect your DNS requests using DoH. Here are instructions for various browsers and devices.

A VPN replaces the trust you’d place in the WiFi network with trust in the VPN-provider’s network. If you’re using a retail VPN provider, I can’t say that trust is well-placed. VPN networks are juicy targets and their security measures are unverifiable.

If you want to use a VPN to protect yourself, I’d recommend running your own.

For a cloud server, there are user friendly options like Outline, which has a super easy process for setting up a server at DigitalOcean, which is a cheap cloud provider that’s fairly user-friendly and has a wide range of geographic locations available.

For accessing your home network, I think setting up a Raspberry Pi is probably the easiest way. There’s a nice guide to that here.

It’s possible but I wouldn’t take it as a given either. Given the number of business/enterprise customers Lastpass has, I’d expect big money to go “poof” if something like that came out and I expect it would come out during audits.

Still, I’d recommend Bitwarden over Lastpass. It’s open source, which can give you a bit more confidence that truly stupid stuff isn’t happening.