Anyone Gone All the Way with LastPass?

Frank2012
Posts: 50
Joined: Fri Jan 25, 2013 7:16 pm

Anyone Gone All the Way with LastPass?

Post by Frank2012 » Sun Jan 14, 2018 10:21 am

My apologies for yet another LastPass question, but I'm interested to know if any Bogleheads have put ALL their passwords in LastPass. I have most of my passwords in LastPass, except for my banking, credit cards and 401k passwords.

From what I can gather, LastPass is virtually unhackable with current hacking technologies (though nothing is 100% secure). LastPass is a much better alternative than a notebook, which can get lost, stolen or destroyed. Also better than an Excel file on my computer which I can't access when I'm away from home. I suppose storing passwords on an encrypted thumb drive would solve the mobility issue. But I like the convenience of LastPass features such as strong password generation, and being available on all devices when needed, etc.

And yet...I can't quite make the leap with my banking and retirement passwords. My brain says "Yes!" but I don't yet have the stomach to go all the way!

I'd be interested if anyone has the same hesitation, or if you feel LastPass is secure enough for all your passwords, even banking, retirement, etc.

Thanks!

Peculiar_Investor
Posts: 1110
Joined: Thu Oct 20, 2011 12:23 am
Location: Calgary, AB

Re: Anyone Gone All the Way with LastPass?

Post by Peculiar_Investor » Sun Jan 14, 2018 10:31 am

Essentially yes, although I still have some older accounts/passwords in TurboPasswords (Chapura), from my days of using a Palm Pilot, that I've long intended to migrate into LastPass.

Wherever possible I now utilize LastPass' ability to generate secure passwords for sites, particularly for financial institutions, so I don't actually know many of my passwords anymore. I just make sure to maintain a secure master password.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams

KSM_Husker
Posts: 5
Joined: Sun Apr 02, 2017 12:12 pm

Re: Anyone Gone All the Way with LastPass?

Post by KSM_Husker » Sun Jan 14, 2018 10:33 am

I just put all my passwords on LastPass. Can't beat the combo of convenience and security it provides over the other options you listed (except for other password managers).

People worry that it got hacked in the past. However, the only thing that gets stolen is encrypted data. It would take a long time to decrypt the information stolen (if the hackers ever do decrypt it), so if it happens and you get alerted, you can just change your passwords and all will be fine.

rav2fi
Posts: 38
Joined: Fri Jan 02, 2015 11:15 am

Re: Anyone Gone All the Way with LastPass?

Post by rav2fi » Sun Jan 14, 2018 10:38 am

Yes 100%. All my passwords, credit cards and addresses (auto fill profiles) and secure notes are all in LastPass. It's all E2E encrypted on my device so I am not really worried about it.

F150HD
Posts: 1603
Joined: Fri Sep 18, 2015 7:49 pm

Re: Anyone Gone All the Way with LastPass?

Post by F150HD » Sun Jan 14, 2018 10:39 am

https://www.dashlane.com/

It's only 39.99 if you want to sync across all your devices.

They also don't store your data on their servers.

Bmac
Posts: 294
Joined: Sun Mar 03, 2013 8:58 am
Location: Seattle

Re: Anyone Gone All the Way with LastPass?

Post by Bmac » Sun Jan 14, 2018 10:40 am

Yes, but I am using 1Password. It works great.

TimeRunner
Posts: 1388
Joined: Sat Dec 29, 2012 9:23 pm

Re: Anyone Gone All the Way with LastPass?

Post by TimeRunner » Sun Jan 14, 2018 10:43 am

LastPass for all, with smartphone-based two factor authentication (time-generated codes), see: https://lastpass.com/multifactor-authentication/
"...There're just so many summers, and just so many springs." -Don Henley "What'd ya expect in an opera, a happy ending?" -Bugs Bunny

blueman457
Posts: 399
Joined: Sun Jul 26, 2015 12:19 pm

Re: Anyone Gone All the Way with LastPass?

Post by blueman457 » Sun Jan 14, 2018 10:51 am

The encryption of LastPass is probably very secure; the last issue with them was that there were bugs in the browser extension that allowed for stealing of passwords:

https://www.darknet.org.uk/2017/03/last ... passwords/

I still use LastPass but keep banking and government passwords in an encrypted file.

Blue man

ny_knicks
Posts: 193
Joined: Wed Jan 04, 2017 11:20 pm

Re: Anyone Gone All the Way with LastPass?

Post by ny_knicks » Sun Jan 14, 2018 10:52 am

Yes - I don't know a single one of my passwords! They are all managed through LastPass. The financial accounts were why I bought it. I could care less if someone gets into my Facebook.

Toons
Posts: 12970
Joined: Fri Nov 21, 2008 10:20 am
Location: Hills of Tennessee

Re: Anyone Gone All the Way with LastPass?

Post by Toons » Sun Jan 14, 2018 10:53 am

All Passwords are in LastPass.
For many years.
Taxes, banking, investing, on and on.
Access from any device, which I do,
All the time.
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee

Broken Man 1999
Posts: 1445
Joined: Wed Apr 08, 2015 11:31 am

Re: Anyone Gone All the Way with LastPass?

Post by Broken Man 1999 » Sun Jan 14, 2018 10:58 am

All in LastPass.

My second go with them. I had to rebuild my entire LastPass password database a year or two ago.

Do NOT forget/lose your master password!

Though perhaps they have a recovery method now.

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven than I shall not go. " -Mark Twain

stan1
Posts: 5917
Joined: Mon Oct 08, 2007 4:35 pm

Re: Anyone Gone All the Way with LastPass?

Post by stan1 » Sun Jan 14, 2018 11:20 am

I have no concern putting passwords into LastPass right now if you ARE NOT an individual likely to be targeted by foreign intelligence, organized crime (to include cyber crime syndicates), or domestic law enforcement. If you put your name in Google and it comes back with lots of hits associating you with something of value such as a patent or a business sale you might be high profile even if you aren't a politician or CEO.

Cybersecurity has become a lot more complex in recent years. There was a time where the focus was building a wall to keep bad guys out. That's not good enough because there can be human lapses and unknown vulnerabilities. Protection is still very important but focus is now on early detection of an intrusion and quickly taking steps to recover and prevent further loss. On that account LastPass has done better than many; they have disclosed prior breaches and been clear on what actions users should take. Can't say that's usually the case.

What I would do is change your most important passwords (such as Vanguard, 401K, Google/email) every 3-6 months. Vanguard's protections for fraud are loosely worded and they are not required by law to make you whole. Enable the features on the Vanguard website that email and text you whenever a transaction is entered on your account. The multi-day settlement process helps protect you against fraud if you can detect it early. My bigger concern with Vanguard isn't breach of user credentials but someone breaking into their servers. Have to assume they are heavily targeted by organized crime if not foreign intelligence.

I'm less worried about financial institutions where I just have credit cards. You just call them up and report fraud. At this point all of us have done that. You are protected by federal statute.

Change your LastPass master password at least once per year. Enable two factor authentication through a phone app (such as Google Authenticator or LastPass Authenticator).

JaneyLH
Posts: 397
Joined: Wed Oct 16, 2013 7:16 pm

Re: Anyone Gone All the Way with LastPass?

Post by JaneyLH » Sun Jan 14, 2018 11:30 am

I have all of my 400+ unique, randomly constructed passwords in Dashlane. Syncs perfectly across my Windows laptop, Android phone, and iPad. Takes a bit of time to make the transition but I’m very happy I did. Works with both web and device apps.

lazydavid
Posts: 1822
Joined: Wed Apr 06, 2016 1:37 pm

Re: Anyone Gone All the Way with LastPass?

Post by lazydavid » Sun Jan 14, 2018 11:36 am

Broken Man 1999 wrote:
Sun Jan 14, 2018 10:58 am
All in LastPass.

My second go with them. I had to rebuild my entire LastPass password database a year or two ago.

Do NOT forget/lose your master password!

Though perhaps they have a recovery method now.

If an encryption service has a recovery method, it is by definition not confidential/secure. If LastPass added this "feature", I would stop using it immediately.

lazydavid
Posts: 1822
Joined: Wed Apr 06, 2016 1:37 pm

Re: Anyone Gone All the Way with LastPass?

Post by lazydavid » Sun Jan 14, 2018 11:46 am

stan1 wrote:
Sun Jan 14, 2018 11:20 am
What I would do is change your most important passwords (such as Vanguard, 401K, Google/email) every 3-6 months.
[...]
Change your LastPass master password at least once per year. Enable two factor authentication through a phone app (such as Google Authenticator or LastPass Authenticator).

Regularly changing passwords is no longer considered good practice. I have never changed my LastPass/1Password master passwords, and absent evidence of compromise, don't ever intend to. Other passwords are only changed to make them more secure (correcting old accounts), or at vendors that still cling to the old trope of forcing periodic changes.

https://www.schneier.com/blog/archives/ ... _pass.html
https://securingthehuman.sans.org/blog/ ... ion-to-die
http://nvlpubs.nist.gov/nistpubs/Specia ... 00-63b.pdf

stan1
Posts: 5917
Joined: Mon Oct 08, 2007 4:35 pm

Re: Anyone Gone All the Way with LastPass?

Post by stan1 » Sun Jan 14, 2018 11:57 am

lazydavid wrote:
Sun Jan 14, 2018 11:46 am
stan1 wrote:
Sun Jan 14, 2018 11:20 am
What I would do is change your most important passwords (such as Vanguard, 401K, Google/email) every 3-6 months.
[...]
Change your LastPass master password at least once per year. Enable two factor authentication through a phone app (such as Google Authenticator or LastPass Authenticator).
Regularly changing passwords is no longer considered good practice. I have never changed my LastPass/1Password master passwords, and absent evidence of compromise, don't ever intend to. Other passwords are only changed to make them more secure (correcting old accounts), or at vendors that still cling to the old trope of forcing periodic changes.

https://www.schneier.com/blog/archives/ ... _pass.html
https://securingthehuman.sans.org/blog/ ... ion-to-die
http://nvlpubs.nist.gov/nistpubs/Specia ... 00-63b.pdf

I'm going to respectfully disagree on the specifics. These articles are about forced password expiration and long random passwords that people are forced to write down on a piece of paper in order to remember. Absolutely agree forced password changes are worthless especially when people don't use password managers. However, with Vanguard's very loose fraud policy I'd want to be in a situation where if my account balance suddenly went to zero I could say to them "I changed my password two months ago" not "I changed my password 10 years ago". It takes 5 seconds to change my Vanguard password. I still do it. There is a possibility hashed and salted passwords have been breached and no one knows about it. There is a possibility a Vanguard employee has them on a laptop. To me that's a "known unknown" not an "unknown unknown".

Sandtrap
Posts: 5332
Joined: Sat Nov 26, 2016 6:32 pm
Location: Hawaii😀 Northern AZ.😳 Retired.

Re: Anyone Gone All the Way with LastPass?

Post by Sandtrap » Sun Jan 14, 2018 11:58 am

I have done so with 1Password
j :D

tuningfork
Posts: 385
Joined: Wed Oct 30, 2013 8:30 pm

Re: Anyone Gone All the Way with LastPass?

Post by tuningfork » Sun Jan 14, 2018 12:01 pm

All my passwords belong to LastPass. It's convenient and secure.

I also use two-factor authentication on my email account and financial sites when available, so if a bad guy somehow gets hold of my passwords, he can't get very far without me being alerted.

I take other measures to limit the chances of getting malware on my computer. Malware can install key loggers and other malicious software that can steal your passwords whether you use a password manager or if you keep your passwords written on paper. I use an ad blocker, more to avoid malicious ad networks than to block ads. I limit which browser extensions I use to just my ad blocker, privacy blocker, and password manager. If I need to use another browser extension, I enable it only when needed. My browser has plugins disabled so I don't run Flash. I don't install random software on my computer. I segregate some of my browsing activities into a separate Linux OS. I avoid clicking on links or opening attachments in emails. I avoid clicking on polls and memes in Facebook. I run the latest version of Windows and my browser with automatic updates. Probably more, but that's what I recall off the top of my head.

Insecure network connections are another way for bad guys to intercept your passwords, regardless of whether or not you use a password manager. I only log in to financial sites from my home on a computer with a wired connection. My home wifi is properly secured and I would have no problem using it for financial sites, though I don't happen to use it that way. I never access a financial site from my phone or laptop on a wifi network away from home. In the rare case I might need to access a financial site away from home I would use my phone with a cellular data connection. In the extremely unlikely case where I might decide to access an important account from a public computer, I would make sure to change passwords as soon as I had access to a secure computer.

midareff
Posts: 5745
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Anyone Gone All the Way with LastPass?

Post by midareff » Sun Jan 14, 2018 12:42 pm

Yes, all the way. Also have LastPass mobile but don't use it. Any site with financial information, even a credit card number is 15 or 16 character alpha numerical + symbol if applicable. 125 sites with passwords.

bligh
Posts: 899
Joined: Wed Jul 27, 2016 9:13 pm

Re: Anyone Gone All the Way with LastPass?

Post by bligh » Sun Jan 14, 2018 12:49 pm

Yup, everything, but using 1Password instead.

Doom&Gloom
Posts: 2250
Joined: Thu May 08, 2014 3:36 pm

Re: Anyone Gone All the Way with LastPass?

Post by Doom&Gloom » Sun Jan 14, 2018 12:51 pm

Not until the third date.

I have not used LastPass, but I put everything into KeePass the first day I installed it. I would almost certainly do the same with LastPass if KeePass did not exist or I decided to quit using it.

mhalley
Posts: 6074
Joined: Tue Nov 20, 2007 6:02 am

Re: Anyone Gone All the Way with LastPass?

Post by mhalley » Sun Jan 14, 2018 12:53 pm

I don’t trust ANY online service to be unhackable, so I use KeePass and keep my file local.

KNMLHD
Posts: 74
Joined: Sat Jul 09, 2016 7:57 am

Re: Anyone Gone All the Way with LastPass?

Post by KNMLHD » Sun Jan 14, 2018 1:04 pm

stan1 wrote:
Sun Jan 14, 2018 11:20 am
Change your LastPass master password at least once per year. Enable two factor authentication through a phone app (such as Google Authenticator or LastPass Authenticator).

What's interesting... NIST (National Institute for Standards and Technology) not too long ago recommended against changing of passwords (assumes one uses a pseudo random generator).

EDIT: My bad... I see this was discussed earlier in the thread.

W/re to LastPass, I'm probably 99% converted over... and over time when changing passwords to increase the length of the pseudo generated PW... it became such a PITA when having to log into mobile apps (I was using the free version)... I finally broke down and started paying to get access to their passwords from their app. Haven't looked back.

I've also found a number of apps that have included integration with the third party PW managers (Dropbox, Coursera, others...).

Aside: As part of the above effort, I made sure my spouse knew how to access everything. She's "slowly" converting... I haven't sold her quite yet.

stan1
Posts: 5917
Joined: Mon Oct 08, 2007 4:35 pm

Re: Anyone Gone All the Way with LastPass?

Post by stan1 » Sun Jan 14, 2018 1:17 pm

djdube525 wrote:
Sun Jan 14, 2018 1:04 pm
stan1 wrote:
Sun Jan 14, 2018 11:20 am
Change your LastPass master password at least once per year. Enable two factor authentication through a phone app (such as Google Authenticator or LastPass Authenticator).
What's interesting... NIST (National Institute for Standards and Technology) not too long ago recommended against changing of passwords (assumes one uses a pseudo random generator).

NIST is not recommending against changing passwords, they recommend against IT policies that force users to change passwords frequently (such as every 30 or 60 days). When users change their passwords frequently without access to a password manager they end up writing them down on scraps of paper. I think this is an acknowledgement that leaving the password unchanged and memorized is better than writing it down on a post-it. Many corporations' IT policies do not allow users to have password managers.

Vanguard - Read their fraud policy. Decide for yourself where you want to be if you wake up to find your account empty one morning and Vanguard says "you last changed your password 5 years ago, we aren't going to make you whole". To me it's worth the 5 seconds it takes to change my password.

Other issue is insider threats. An employee of Vanguard or LastPass could make a mistake or decide to accept an offer of money to do something unethical or illegal.

Changing passwords for very important accounts helps guard against hashed and salted passwords being out in the open then potentially broken by a foreign intelligence or cyber crime syndicate (maybe not now but in the future). Vanguard and LastPass may not know this data has been exfiltrated for years. Again it's a very small effort on my part that helps protect against an unlikely but devastating situation. Read Vanguard's fraud policy again.

heartwood
Posts: 1262
Joined: Sat Nov 23, 2013 1:40 pm

Re: Anyone Gone All the Way with LastPass?

Post by heartwood » Sun Jan 14, 2018 1:28 pm

Pretty much all in except for Vanguard. Without looking it up, I recall that Vanguard's fraud immunization policy has language that says you might have to demonstrate that you haven't saved your logon details anywhere online? Just did take a quick look and can't find it. Anyone?

edit: OK, here: https://personal.vanguard.com/us/help/S ... ontent.jsp

under "your Responsibilities"; "Never store your user name, password, or answers to security questions in your browser." Not a PW manager prohibition, but storing it in your browser.

stan1
Posts: 5917
Joined: Mon Oct 08, 2007 4:35 pm

Re: Anyone Gone All the Way with LastPass?

Post by stan1 » Sun Jan 14, 2018 1:42 pm

Easy to get into gray areas with Vanguard:

Never share your user name, password, or other account-related information with anyone.
Never store your user name, password, or answers to security questions in your browser.

Note the use of the word "anyone". Is that a person or an entity? It leaves open to interpretation whether an account aggregator such as Personal Capital or a password manager is "anyone". If you put your password into a password manager then share it with a person that's clearly in violation.

Right now there is a large body of expert guidance that using a password manager is a best practice. There's no such body of guidance stating that using an account aggregator is a good idea.

Hopefully it's all worry about a situation that never happens. If it happens to millions of Vanguard customers overnight we'll all be out of luck.
