Anyone Gone All the Way with LastPass?

[Frank2012]

My apologies for yet another LastPass question, but I'm interested to know if any Bogleheads have put ALL their passwords in LastPass. I have most of my passwords in LastPass, except for my banking, credit cards and 401k passwords.

From what I can gather, LastPass is virtually unhackable with current hacking technologies (though nothing is 100% secure). LastPass is a much better alternative than a notebook, which can get lost, stolen or destroyed. Also better than an excel file on my computer which I can't access when I'm away from home. I supposed storing passwords on an encrypted thumb drive would solve the mobility issue. But I like the convenience of LastPass features such as strong password generation, and being available on all devices when needed, etc.

And yet...I can't quite make the leap with my banking and retirement passwords. My brain says "Yes!" but I don't yet have the stomach to go all the way!

I'd be interested if anyone has the same hesitation, or if you feel LastPass is secure enough for all your passwords, even banking, retirement, etc.

Thanks!

[Peculiar_Investor]

Essential yes, although I still have some older accounts/passwords in TurboPasswords (Chapura), from my days of using a Palm Pilot, that I've long intended to migrate into LastPass.

Wherever possible I now utilize LastPass' ability to generate secure passwords for sites, particularly for financial institutions, so I don't actually know many of my passwords anymore. I just make sure to maintain a secure master password.

[KSM_Husker]

I just put all my passwords on lastpass. Can't beat the combo of convenience and security it provides over the other options you listed (except for other password managers)

People worry that it got hacked in the past. However, the only thing that gets stolen is encrypted data. It would take a long time to decrypt the information stolen (if the hackers ever do decrypt it), so if it happens and you get alerted, you can just change your passwords and all will be fine.

[rav2fi]

Yes 100%. All my passwords, credit cards and addresses (auto fill profiles) and secure notes are all in LastPass. It's all E2E encrypted on my device so I am not really worried about it.

[F150HD]

https://www.dashlane.com/

its only 39.99 if you want to sync across all your devices.

They also don't store your data on their servers.

[Bmac]

Yes, but I am using 1Password. It works great.

[TimeRunner]

Lastpass for all, with smartphone-based two factor authentication (time-generated codes), see: https://lastpass.com/multifactor-authentication/

[blueman457]

The encryption of LastPass is probably very secure; the last issue with them was that there were bugs in the browser extension that allowed for stealing of passwords:

https://www.darknet.org.uk/2017/03/last ... passwords/

I still use LastPass but keep banking and government passwords in an encrypted file.

Blue man

[ny_knicks]

Yes - I don't know a single one of my passwords! They are all managed through LastPass. The financial accounts were why I bought it. I could care less if someone gets into my Facebook.

[Toons]

All Passwords are in LastPass.
For many years.
Taxes,,banking,,investing,,on and on.
Access from any device,,which I do,
All the time.

[Broken Man 1999]

All in LastPass.

My second go with them. I had to rebuild my entire LastPass password database a year or two ago.

Do NOT forget/lose you master password!

Though perhaps they have a recovery method now.

Broken Man 1999

[stan1]

I have no concern putting passwords into LastPass right now if you ARE NOT an individual likely to be targeted by foreign intelligence, organized crime (to include cyber crime syndicates), or domestic law enforcement. If you put your name in Google and it comes back with lots of hits associating you with something of value such as a patent or a business sale you might be high profile even if you aren't a politician or CEO.

Cybersecurity has become a lot more complex in recent years. There was a time where the focus was building a wall to keep bad guys out. That's not good enough because there can be human lapses and unknown vulnerabilities. Protection is still very important but focus is now on early detection of an intrusion and quickly taking steps to recover and prevent further loss. On that account LastPass has done better than many; they have disclosed prior breaches and been clear on what actions users should take. Can't say that's usually the case.

What I would do is change your most important passwords (such as Vanguard, 401K, Google/email) every 3-6 months. Vanguard's protections for fraud are loosely worded and they are not required by law to make you whole. Enable the features on the Vanguard website that email and text you whenever a transaction is entered on your account. The multi-day settlement process helps protect you against fraud if you can detect it early. My bigger concern with Vanguard isn't breach of user credentials but someone breaking into their servers. Have to assume they are heavily targeted by organized crime if not foreign intelligence.

I'm less worried about financial institutions where I just have credit cards. You just call them up and report fraud. At this point all of us have done that. You are protected by federal statute.

Change your LastPass master password at least once per year. Enable two factor authentication through a phone app (such as Google Authenticator or LastPass Authenticator).

[JaneyLH]

I have all of my 400+ unique, randomly constructed passwords in Dashlane. Syncs perfectly across my Windows laptop, Android phone, and iPad. Takes a bit of time to make the transition but I’m very happy I did. Works with both web and device apps.

[lazydavid]

All in LastPass.

My second go with them. I had to rebuild my entire LastPass password database a year or two ago.

Do NOT forget/lose you master password!

Though perhaps they have a recovery method now.

If an encryption service has a recovery method, it is by definition not confidential/secure. If LastPass added this "feature", I would stop using it immediately.

[lazydavid]

What I would do is change your most important passwords (such as Vanguard, 401K, Google/email) every 3-6 months.
[...]
Change your LastPass master password at least once per year. Enable two factor authentication through a phone app (such as Google Authenticator or LastPass Authenticator).

Regularly changing passwords is no longer considered good practice. I have never changed my LastPass/1Password master passwords, and absent evidence of compromise, don't ever intend to. Other passwords are only changed to make them more secure (correcting old accounts), or at vendors that still cling to the old trope of forcing periodic changes.

https://www.schneier.com/blog/archives/ ... _pass.html
https://securingthehuman.sans.org/blog/ ... ion-to-die
http://nvlpubs.nist.gov/nistpubs/Specia ... 00-63b.pdf

[stan1]

What I would do is change your most important passwords (such as Vanguard, 401K, Google/email) every 3-6 months.
[...]
Change your LastPass master password at least once per year. Enable two factor authentication through a phone app (such as Google Authenticator or LastPass Authenticator).

Regularly changing passwords is no longer considered good practice. I have never changed my LastPass/1Password master passwords, and absent evidence of compromise, don't ever intend to. Other passwords are only changed to make them more secure (correcting old accounts), or at vendors that still cling to the old trope of forcing periodic changes.

https://www.schneier.com/blog/archives/ ... _pass.html
https://securingthehuman.sans.org/blog/ ... ion-to-die
http://nvlpubs.nist.gov/nistpubs/Specia ... 00-63b.pdf

I'm going to respectfully disagree on the specifics. These articles are about forced password expiration and long random passwords that people are forced to write down on a piece of paper in order to remember. Absolutely agree forced password changes are worthless especially when people don't use password managers. However, with Vanguard's very loose fraud policy I'd want to be in a situation where if my account balance suddenly went to zero I could say to them "I changed my password two months ago" not "I changed my password 10 years ago". It takes 5 seconds to change my Vanguard password. I still do it. There is a possibility hashed and salted passwords have been breached and no one knows about it. There is a possibility a Vanguard employee has them on a laptop. To me that's a "known unknown" not an "unknown unknown".

[Sandtrap]

I have done so with 1Password
j

[tuningfork]

All my passwords belong to LastPass. It's convenient and secure.

I also use two-factor authentication on my email account and financial sites when available, so if a bad guy somehow gets hold of my passwords, he can't get very far without me being alerted.

I take other measures to limit the chances of getting malware on my computer. Malware can install key loggers and other malicious software that can steal your passwords whether you use a password manager or if you keep your passwords written on paper. I use an ad blocker, more to avoid malicious ad networks than to block ads. I limit which browser extensions I use to just my ad blocker, privacy blocker, and password manager. If I need to use another browser extension, I enable it only when needed. My browser has plugins disabled so I don't run Flash. I don't install random software on my computer. I segregate some of my browsing activities into a separate Linux OS. I avoid clicking on links or opening attachments in emails. I avoid clicking on polls and memes in Facebook. I run the latest version of Windows and my browser with automatic updates. Probably more, but that's what I recall off the top of my head.

Insecure network connections are another way for bad guys to intercept your passwords, regardless of whether or not you use a password manager. I only login to financial sites from my home on a computer with a wired connection. My home wifi is properly secured and I would have no problem using it for financial sites, though I don't happen to use it that way. I never access a financial site from my phone or laptop on a wifi network away from home. In the rare case I might need to access a financial site away from home I would use my phone with a cellular data connection. In the extremely unlikely case where I might decide to access an important account from a public computer, I would make sure to change passwords as soon as I had access to a secure computer.

[midareff]

Yes, all the way. Also have LastPass mobile but don't use it. Any site with financial information, even a credit card number is 15 or 16 character alpha numerical + symbol if applicable. 125 sites with passwords.

[bligh]

Yup, everything, but using 1Password instead.

[Doom&Gloom]

Not until the third date.

I have not used LastPass, but I put everything into KeePass the first day I installed it. I would almost certainly do the same with LastPass if KeePass did not exist or I decided to quit using it.

[mhalley]

I don’t trust ANY online service to be unhackabke, so I use KEEpass and keep my file local.

[KNMLHD]

Change your LastPass master password at least once per year. Enable two factor authentication through a phone app (such as Google Authenticator or LastPass Authenticator).

What's interesting... NIST (National Institute for Standards and Technology) not too long ago recommended against changing of passwords (assumes one uses a pseudo random generator).

EDIT: My bad... I see this was discussed earlier in the thread.

w/re to Lastpass, I'm probably 99% converted over... and over time when changing passwords to increase the length of the pseudo generated PW... it became such a PITA when having to log into mobile apps (I was using the free version)... I finally broke down and started paying to get access to their passwords from their app. Haven't looked back.

I've also found a number of apps that have included integration with the third party PW managers (Dropbox, Coursera, others...).

Aside: As part of the above effort, I made sure my spouse knew how to access everything. She's "slowly" converting... I haven't sold her quite yet.

[stan1]

Change your LastPass master password at least once per year. Enable two factor authentication through a phone app (such as Google Authenticator or LastPass Authenticator).

What's interesting... NIST (National Institute for Standards and Technology) not too long ago recommended against changing of passwords (assumes one uses a pseudo random generator).

NIST is not recommending against changing passwords, they recommend against IT policies that force users to change passwords frequently (such as every 30 or 60 days). When users change their passwords frequently without access to a password manager they end up writing them down on scraps of paper. I think this is an acknowledgement that leaving the password unchanged and memorized is better than writing it down on a post-it. Many corporations IT policies do not allow users to have password managers.

Vanguard - Read their fraud policy. Decide for yourself where you want to be if you wake up to find your account empty one morning and Vanguard says "you last changed your password 5 years ago, we aren't going to make you whole". To me its worth the 5 seconds it takes to change my password.

Other issue is insider threats. An employee of Vanguard or LastPass could make a mistake or decide to accept an offer of money to do something unethical or illegal.

Changing passwords for very important accounts helps guard against hashed and salted passwords being out in the open then potentially broken by a foreign intelligence or cyber crime syndicate (maybe not now but in the future). Vanguard and LastPass may not know this data has been exfiltrated for years. Again its a very small effort on my part that helps protect against an unlikely but devastating situation. Read Vanguard's fraud policy again.

[heartwood]

Pretty much all in except for Vanguard. Without looking it up, I recall that Vanguard's fraud immunization policy has language that says you might have to demonstrate that you haven't saved your logon details anywhere online? Just did take a quick look and can't find it. Anyone?

edit: OK, here: https://personal.vanguard.com/us/help/S ... ontent.jsp

under "your Responsibilities"; "Never store your user name, password, or answers to security questions in your browser." Not a PW manager prohibition, but storing it in your browser.

[stan1]

Easy to get into gray areas with Vanguard:

Never share your user name, password, or other account-related information with anyone.
Never store your user name, password, or answers to security questions in your browser.

Note the use of the word "anyone". Is that a person or an entity? It leaves open to interpretation whether an account aggregator such as Personal Capital or a password manager is "anyone". If you put your password into a password manager then share it with a person that's clearly in violation.

Right now there is a large body of expert guidance that using a password manager is a best practice. There's no such body of guidance stating that using an account aggregator is a good idea.

Hopefully its all worry about a situation that never happens. If it happens to millions of Vanguard customers overnight we'll all be out of luck.