lastpass noob question

Topic Author
BlindPursuit
Posts: 10
Joined: Tue Jan 22, 2019 9:58 pm

lastpass noob question

Post by BlindPursuit » Wed Oct 09, 2019 9:50 am

I finally signed up for a password manager (lastpass). I made my bogleheads login my first test case just so I could get used to how lastpass works.

Well, first thing, I go to login at bogleheads. I click login and see my username and password are filled in (password is ***starred out***).

How is this helping me? Doesn't anybody with access to my computer now have access to my login and password information for any account that I "store" with lastpass?

I feel less secure with lastpass than I do with my current password management system, i.e., keeping all my passwords written down on a piece of paper that I tuck into a book on my bookshelf.

What am I missing?

02nz
Posts: 2348
Joined: Wed Feb 21, 2018 3:17 pm

Re: lastpass noob question

Post by 02nz » Wed Oct 09, 2019 9:53 am

From Lastpass.com: "Local-only encryption. Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass."

Nothing is 100% secure. But Lastpass is about a million times more secure than writing down passwords.

Topic Author
BlindPursuit
Posts: 10
Joined: Tue Jan 22, 2019 9:58 pm

Re: lastpass noob question

Post by BlindPursuit » Wed Oct 09, 2019 10:03 am

02nz wrote:
Wed Oct 09, 2019 9:53 am
From Lastpass.com: "Local-only encryption. Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass."

Nothing is 100% secure. But Lastpass is about a million times more secure than writing down passwords.
Thanks, but I'm not worried about someone breaking into my lastpass vault. Why would they need to, when lastpass is already giving them my username and password by autofilling it in at whatever website I might want to log in to?

jhfenton
Posts: 4189
Joined: Sat Feb 07, 2015 11:17 am
Location: Ohio

Re: lastpass noob question

Post by jhfenton » Wed Oct 09, 2019 10:05 am

BlindPursuit wrote:
Wed Oct 09, 2019 9:50 am
How is this helping me? Doesn't anybody with access to my computer now have access to my login and password information for any account that I "store" with lastpass?
BlindPursuit wrote:
Wed Oct 09, 2019 10:03 am
Thanks, but I'm not worried about someone breaking into my lastpass vault. Why would they need to, when lastpass is already giving them my username and password by autofilling it in at whatever website I might want to log in to?
You should limit access to Lastpass on your computer with a strong master password. (My Lastpass master password is quite a bit over 25 characters and is written down or stored nowhere else in the universe.)

You can have Lastpass log out when all browser windows are closed and/or after a specified period of inactivity.

You can use two-factor authentication with Lastpass. I primarily use a Yubikey, with a fallback on mobile to Lastpass Authenticator (and TouchID/FaceID once I've logged into Lastpass on that device.)

You can protect your computer and mobile devices with strong memorized passwords. I have a long, unique alphanumeric+symbols password that is only used on my iPhone and iPad. (Those are stored locally and not in the cloud, so I do use the same password for both.) Those are also not stored anywhere else.

So for the price of 3 or 4 memorized passwords, Lastpass is locked down fairly well. Everything else is locked in Lastpass.

mighty72
Moderator
Posts: 627
Joined: Fri May 04, 2018 11:22 pm
Location: Somewhere in the West

Re: lastpass noob question

Post by mighty72 » Wed Oct 09, 2019 10:20 am

The goal is to have only one very strong password to remember. This is your lastpass master password. The rest of the passwords are auto-generated and filled using lastpass.

Now, if your computer is used by multiple folks, then I would suggest that you don't click 'remember password' when you log into lastpass on that computer. It will ask you for the password every time you open the browser. It is always a good idea to close the browser after you are done using it on a shared computer.

You can further secure it by enabling 2-factor authentication using a hardware- or software-based solution:
https://support.logmeininc.com/lastpass ... n-lp030010

Tyler Aspect
Posts: 1561
Joined: Mon Mar 20, 2017 10:27 pm
Location: California

Re: lastpass noob question

Post by Tyler Aspect » Wed Oct 09, 2019 10:35 am

I use a software program called "Password Safe" because its data file is stored locally on the computer. I do not trust the situation where there is a centralized server involved.
Past result does not predict future performance. Mentioned investments may lose money. Contents are presented "AS IS" and any implied suitability for a particular purpose are disclaimed.

lazydavid
Posts: 2527
Joined: Wed Apr 06, 2016 1:37 pm

Re: lastpass noob question

Post by lazydavid » Wed Oct 09, 2019 10:38 am

BlindPursuit wrote:
Wed Oct 09, 2019 10:03 am
Thanks, but I'm not worried about someone breaking into my lastpass vault. Why would they need to, when lastpass is already giving them my username and password by autofilling it in at whatever website I might want to log in to?
Anyone who has access to your browser while you are logged into lastpass has access to all of your credentials. The bolded part is important. Every morning when I boot my work PC, I have to log into my vault using my 30+ character master password. As long as I am sitting at my PC or lock it when I step away (assuming no one has that password), I'm fine. If someone steals my laptop out of my car or at an airport, they've got nothing.

Autofill is mostly a convenience feature, but also adds a small layer of security. If you get tricked into going to a phishing link that looks just like bogleheads but isn't, lastpass will not recognize the domain, and will not auto-fill your credentials. Whereas if everything looked ok to you, you might type in your credentials and give them to the bad guy.
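The domain check lazydavid describes is the part of autofill that blunts phishing: the manager fills only when the page really belongs to the site the credential was saved for. As an added example (not LastPass's own matching code, and not from anyone in this thread), here is a Python version of that decision. It fills only when the page is served over https and sits under the same registrable domain as the saved entry, and it goes a little beyond the post by also refusing two common lookalike tricks: a URL with a userinfo prefix (`https://www.bogleheads.org@evil.example/`) and a non-ASCII (homoglyph) hostname. The small suffix set, the `evil-login.example` host and the sample URLs are constructed for the example.

```python
"""Decide whether a saved credential may be auto-filled on the current page.

Added example, not a password manager's code. The Public Suffix List is
replaced by a tiny constructed set so the script runs offline.
"""
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List: suffixes under which the
# *next* label is the registrable (owner-controlled) domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def hostname_of(url: str) -> Optional[str]:
    """Lowercase hostname of a URL, or None if it has none.

    urlparse().hostname already strips userinfo and port, so the phishing
    form https://www.bogleheads.org@evil.example/ yields 'evil.example'.
    """
    host = urlparse(url).hostname
    return host.lower().rstrip(".") if host else None


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain a registrant actually controls."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def should_autofill(saved_url: str, page_url: str) -> Tuple[bool, str]:
    """Return (fill?, reason) for the credential saved under saved_url."""
    saved_host, page_host = hostname_of(saved_url), hostname_of(page_url)
    if saved_host is None or page_host is None:
        return False, "no hostname"
    if urlparse(page_url).scheme != "https":
        # A plain-http page could be a downgraded or spoofed copy of the site.
        return False, "page is not served over https"
    if not page_host.isascii():
        # Unicode hostnames can be visually identical to the real one.
        return False, "non-ASCII hostname, possible homoglyph domain"
    wanted = registrable_domain(saved_host)
    if registrable_domain(page_host) != wanted:
        return False, f"{page_host} is not part of {wanted}"
    return True, "same registrable domain"


if __name__ == "__main__":
    saved = "https://www.bogleheads.org/forum/"  # constructed saved entry
    for page in ("https://www.bogleheads.org/forum/ucp.php?mode=login",
                 "https://bogleheads.org.evil-login.example/login",
                 "https://www.bogleheads.org@evil.example/",
                 "http://www.bogleheads.org/forum/"):
        print(page, "->", should_autofill(saved, page))
```

Real managers use the full Public Suffix List (and per-entry overrides) instead of the two-entry set above; the structure of the decision is the same. A user who types credentials by hand gets none of these checks, which is lazydavid's point.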

MathWizard
Posts: 3561
Joined: Tue Jul 26, 2011 1:35 pm

Re: lastpass noob question

Post by MathWizard » Wed Oct 09, 2019 10:53 am

I use a different password manager, but the behavior you are seeing might be from the browser remembering your password, not lastpass.

To test this, go into your browser and delete the history. In Chrome, in the advanced settings, a box with autofill passwords can be checked so that Chrome will remember and fill it in for you. My default install of Chrome did not have it, but my Firefox came with "Ask to save logins and passwords for websites" checked on. If you ever say yes, it remembers until you clear this in your history.

nvambith
Posts: 39
Joined: Tue Aug 08, 2017 11:18 am

Re: lastpass noob question

Post by nvambith » Wed Oct 09, 2019 11:01 am

First thing to note, it is much more likely for a website that has your logins to get hacked than for your computer to get hacked, or your sheet of paper to get stolen (e.g. see the big hacks at Yahoo, Equifax, etc. in recent years).

The real value of lastpass to me is the ability to use different strong (autogenerated) passwords for every website. Before lastpass, I would recycle the same 5 or 6 passwords everywhere. If any one of the hundreds of websites I have login credentials at got hacked, then the hackers would also get access to my login at many other websites. With lastpass, if any website gets hacked, the damage is limited to that single website.

zlandar
Posts: 146
Joined: Wed Apr 10, 2019 8:51 am

Re: lastpass noob question

Post by zlandar » Wed Oct 09, 2019 12:53 pm

BlindPursuit wrote:
Wed Oct 09, 2019 9:50 am
How is this helping me? Doesn't anybody with access to my computer now have access to my login and password information for any account that I "store" with lastpass?
You can set Lastpass to always prompt for your master password for specific websites. Open your lastpass vault, select the website, and double click. Under "advanced settings" click "require master password reprompt".

Your brokerage and banking websites would be good ones to always require reprompt if you have random people wandering around your home.

TheDDC
Posts: 456
Joined: Mon Jan 08, 2018 11:11 am

Re: lastpass noob question

Post by TheDDC » Wed Oct 09, 2019 1:01 pm

nvambith wrote:
Wed Oct 09, 2019 11:01 am
First thing to note, it is much more likely for a website that has your logins to get hacked than for your computer to get hacked, or your sheet of paper to get stolen (e.g. see the big hacks at Yahoo, Equifax, etc. in recent years).

The real value of lastpass to me is the ability to use different strong (autogenerated) passwords for every website. Before lastpass, I would recycle the same 5 or 6 passwords everywhere. If any one of the hundreds of websites I have login credentials at got hacked, then the hackers would also get access to my login at many other websites. With lastpass, if any website gets hacked, the damage is limited to that single website.
And if lastpass gets hacked? What then? That's a "website".

And what do I use to manage my master password?

And on and on it goes...

-TheDDC
Refreshingly, a double barrel shotgun blast of truth...

wilshuer
Posts: 201
Joined: Tue Dec 11, 2012 10:40 pm

Re: lastpass noob question

Post by wilshuer » Wed Oct 09, 2019 1:25 pm

With lastpass, another level of security is to use a secondary device along with the master password, such as a yubikey. Then you can also set the country level security so it only works in the US. A few more added steps to minimize intrusion efforts.

Tortoisesque
Posts: 39
Joined: Sun Mar 24, 2019 3:43 pm

Re: lastpass noob question

Post by Tortoisesque » Wed Oct 09, 2019 1:31 pm

LastPass is highly configurable. For example, if you're really paranoid, you can go into the settings and configure things so that you have to type in your master password every time you use saved usernames/passwords on any web site.

Just configure your LastPass settings in a way that strikes the right balance for you between security and convenience.

Hockey10
Posts: 588
Joined: Wed Aug 24, 2016 12:20 pm
Location: Philadelphia suburbs

Re: lastpass noob question

Post by Hockey10 » Wed Oct 09, 2019 1:32 pm

I stay logged out of the LastPass browser extension on my computer almost all of the time and only log in when I need access to a specific site. When I no longer need any LastPass passwords, I immediately log out of the LP browser extension.

I also sometimes log into a site by looking up the password on LastPass on my iPhone (using Touch ID), then by manually typing in the password on the site.

Living Free
Posts: 341
Joined: Thu Jul 19, 2018 7:31 pm

Re: lastpass noob question

Post by Living Free » Wed Oct 09, 2019 1:40 pm

I agree with above recommendations to make sure that lastpass will auto log-out after a specified period and upon closing the browser. And make sure that your browser has not remembered the username/password for lastpass.

jhfenton
Posts: 4189
Joined: Sat Feb 07, 2015 11:17 am
Location: Ohio

Re: lastpass noob question

Post by jhfenton » Wed Oct 09, 2019 1:50 pm

TheDDC wrote:
Wed Oct 09, 2019 1:01 pm
And what do I use to manage my master password?
Your brain! I suggest a long, possibly silly, but easy to remember pass-phrase. Just sitting here looking out my office window, for example, I might come up with a passphrase like "A green flag! It perches on top of the tower amid white clouds." A bit shorter would be OK too. 51 characters is overkill. :twisted: Mine is somewhere between 25 and 50. You can always follow the xkcd "correct horse battery staple" model too.
TheDDC wrote:
Wed Oct 09, 2019 1:01 pm
And if lastpass gets hacked? What then? That's a "website".
1. You should use secure 2FA with Lastpass (physical token and/or TOTP). That is not available with most websites. Even Vanguard falls back to SMS if you don't have your Yubikey or log on from a browser that doesn't support it (e.g. Safari on Mac or iOS). I also use account-level 2FA wherever available.

2. Lastpass's security is better than most companies'. Password data is encrypted locally and transmitted to Lastpass only in its encrypted form. It shouldn't matter if the data is hacked on their end.

3. Nothing is 100% secure. Lastpass has had vulnerabilities discovered (most often in their browser extensions) and fixed. Do the best you reasonably can.
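The xkcd model jhfenton points to has simple arithmetic behind it, and it is worth seeing because it shows that a passphrase's strength comes from how many words are drawn at random and from how large a list, not from its character count. The Python below is an added example, not code from anyone in this thread. The 32-word list is constructed for the demo; a real generator draws from the EFF or Diceware lists (7776 words), which is the list size the numbers in the test assume.

```python
"""Random-word passphrase generator with an entropy estimate.

Added example. DEMO_WORDS is a constructed 32-word list; a real generator
uses a published list (EFF long list or Diceware, 7776 words).
"""
import math
import secrets

DEMO_WORDS = (
    "green", "flag", "perch", "tower", "cloud", "horse", "battery", "staple",
    "window", "office", "silly", "river", "copper", "lantern", "maple", "orbit",
    "pebble", "quilt", "saddle", "thistle", "umbrella", "velvet", "walnut", "yarn",
    "anchor", "bramble", "candle", "dune", "ember", "fiddle", "garnet", "harbor",
)


def entropy_bits(num_words: int, list_size: int) -> float:
    """Bits of entropy when each word is chosen uniformly from list_size words.

    Each word contributes log2(list_size) bits; the words are independent,
    so the contributions add. Only holds for *random* picks, not for a
    sentence you composed yourself.
    """
    return num_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits with this list."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words: int, words=DEMO_WORDS, separator: str = " ") -> str:
    """Pick num_words words with the OS CSPRNG (secrets), never random.choice."""
    if num_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(words) for _ in range(num_words))


def is_from_list(passphrase: str, words=DEMO_WORDS, separator: str = " ") -> bool:
    """Check that every token of a passphrase came from the word list."""
    return all(token in words for token in passphrase.split(separator))


if __name__ == "__main__":
    print("demo list, 6 words:", generate_passphrase(6),
          f"({entropy_bits(6, len(DEMO_WORDS)):.1f} bits)")
    print("4 Diceware words:", f"{entropy_bits(4, 7776):.1f} bits")
    print("words for 80 bits from Diceware:", words_needed(80, 7776))
```

Four words from a 7776-word list give about 51.7 bits and are typically under 30 characters; a self-composed sentence of 51 characters may be far stronger or far weaker depending on how predictable it is, which is why the number of randomly chosen words is the figure to track.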

CFM300
Posts: 1619
Joined: Sat Oct 27, 2007 5:13 am

Re: lastpass noob question

Post by CFM300 » Wed Oct 09, 2019 5:16 pm

BlindPursuit wrote:
Wed Oct 09, 2019 9:50 am
What am I missing?
Here's what you're missing:

1. Click on the LastPass extension icon in your browser.
2. Click on Account Options > Extension Preferences
3. Under Security enable "Log out when all browsers are closed"

Then make sure that you close your browser after each use.

There are myriad other security options as well, including enabling 2FA, and preventing LastPass from autofilling, etc.

Topic Author
BlindPursuit
Posts: 10
Joined: Tue Jan 22, 2019 9:58 pm

Re: lastpass noob question

Post by BlindPursuit » Wed Oct 09, 2019 6:38 pm

Thank you everyone for all your help. As I said, my concern was not that lastpass would be hacked; it was that anyone with access to my computer can now log in to any website I visit. So if someone steals my laptop, or say my deadbeat brother-in-law tries to get into my bank account while I'm in the next room (which I wouldn't put past him), all they have to do is surf to whatever website, click log in, and lastpass will literally give them my login credentials. Still seems crazy to me.

Clearly my concern is more how do I secure my computer, not how do I secure lastpass.

I will add (sheepishly) that up until now I have never set a password to get into my laptop. I know, I know. That plus two-factor authentication on my more sensitive websites should assuage most of my fears. As for the rest, well, if someone posts something obnoxious or stupid under my account here on bogleheads, I can always say it was the brother-in-law!

ARoseByAnyOtherName
Posts: 206
Joined: Wed Apr 26, 2017 12:03 am

Re: lastpass noob question

Post by ARoseByAnyOtherName » Wed Oct 09, 2019 9:45 pm

BlindPursuit wrote:
Wed Oct 09, 2019 6:38 pm
Thank you everyone for all your help. As I said, my concern was not that lastpass would be hacked; it was that anyone with access to my computer can now log in to any website I visit. So if someone steals my laptop, or say my deadbeat brother-in-law tries to get into my bank account while I'm in the next room (which I wouldn't put past him), all they have to do is surf to whatever website, click log in, and lastpass will literally give them my login credentials. Still seems crazy to me.
A good password manager will make you authenticate using your master password before auto-filling website credentials the first time you try to auto-fill, and then again after a configurable amount of time (say 15 minutes or so). This is the way 1Password works.

I have tried LastPass recently and I really don’t understand why people like it. To me the interface is ugly and not at all intuitive to use.

I strongly suggest you try 1Password instead of LastPass. It’s much better in every way.

CFM300
Posts: 1619
Joined: Sat Oct 27, 2007 5:13 am

Re: lastpass noob question

Post by CFM300 » Wed Oct 09, 2019 10:13 pm

ARoseByAnyOtherName wrote:
Wed Oct 09, 2019 9:45 pm
A good password manager will make you authenticate using your master password before auto-filling website credentials the first time you try to auto-fill, and then again after a configurable amount of time (say 15 minutes or so). This is the way 1Password works.

I have tried LastPass recently and I really don’t understand why people like it. To me the interface is ugly and not at all intuitive to use.

I strongly suggest you try 1Password instead of LastPass. It’s much better in every way.
You can configure LastPass to log out after x minutes of inactivity and to not auto-fill on webpages.

CFM300
Posts: 1619
Joined: Sat Oct 27, 2007 5:13 am

Re: lastpass noob question

Post by CFM300 » Wed Oct 09, 2019 10:15 pm

BlindPursuit wrote:
Wed Oct 09, 2019 6:38 pm
all they have to do is surf to whatever website, click log in, and lastpass will literally give them my login credentials. Still seems crazy to me.
As explained above, you can configure LastPass to require your master password on first use after opening your browser, to also require 2FA, to automatically log you out of LastPass after x minutes and/or when you close your browser, and also to not auto-fill. It's all under Extension Preferences.

ARoseByAnyOtherName
Posts: 206
Joined: Wed Apr 26, 2017 12:03 am

Re: lastpass noob question

Post by ARoseByAnyOtherName » Thu Oct 10, 2019 5:42 am

CFM300 wrote:
Wed Oct 09, 2019 10:15 pm
BlindPursuit wrote:
Wed Oct 09, 2019 6:38 pm
all they have to do is surf to whatever website, click log in, and lastpass will literally give them my login credentials. Still seems crazy to me.
As explained above, you can configure LastPass to require your master password on first use after opening your browser, to also require 2FA, to automatically log you out of LastPass after x minutes and/or when you close your browser, and also to not auto-fill. It's all under Extension Preferences.
That this isn’t the default setting seems crazy to me. It should be. Most people either aren’t going to, or won’t know to, change this default setting.

Especially after past security issues (including at least one breach) I wouldn’t recommend LastPass to anyone. Stay away!

Gadget
Posts: 260
Joined: Fri Mar 17, 2017 1:38 pm

Re: lastpass noob question

Post by Gadget » Thu Oct 10, 2019 9:43 am

ARoseByAnyOtherName wrote:
Wed Oct 09, 2019 10:15 pm
BlindPursuit wrote:
Wed Oct 09, 2019 6:38 pm
all they have to do is surf to whatever website, click log in, and lastpass will literally give them my login credentials. Still seems crazy to me.
That this isn’t the default setting seems crazy to me. It should be. Most people either aren’t going to, or won’t know to, change this default setting.

Especially after past security issues (including at least one breach) I wouldn’t recommend LastPass to anyone. Stay away!
It's fine if you recommend different password managers. There are other good alternatives. But the average user likely wants this to be the default setting. Lastpass is catering to the normal user, which is why I use it (for my wife and family). If I was by myself I'd probably use Keepass, but it's not as user friendly. But if this wasn't the default setting, average users would probably just resort to recycling the same password for everything anyway.

And I don't know if you're familiar with software development. But I can guarantee you that all password managers have had vulnerabilities. I appreciate that Lastpass is willing to disclose vulnerabilities and that they have 3rd party audits. If you have a password manager that has never had a vulnerability, then you just have a password manager that isn't willing to tell you about them. Even open source password managers have vulnerabilities yet to be discovered by the good guys. It takes a team of developers to actively be looking at software for vulnerabilities in order to improve its cybersecurity posture. No software is perfect.
Last edited by Gadget on Thu Oct 10, 2019 1:03 pm, edited 1 time in total.

TheDDC
Posts: 456
Joined: Mon Jan 08, 2018 11:11 am

Re: lastpass noob question

Post by TheDDC » Thu Oct 10, 2019 12:11 pm

jhfenton wrote:
Wed Oct 09, 2019 1:50 pm
TheDDC wrote:
Wed Oct 09, 2019 1:01 pm
And what do I use to manage my master password?
Your brain! I suggest a long, possibly silly, but easy to remember pass-phrase. Just sitting here looking out my office window, for example, I might come up with a passphrase like "A green flag! It perches on top of the tower amid white clouds." A bit shorter would be OK too. 51 characters is overkill. :twisted: Mine is somewhere between 25 and 50. You can always follow the xkcd "correct horse battery staple" model too.
TheDDC wrote:
Wed Oct 09, 2019 1:01 pm
And if lastpass gets hacked? What then? That's a "website".
1. You should use secure 2FA with Lastpass (physical token and/or TOTP). That is not available with most websites. Even Vanguard falls back to SMS if you don't have your Yubikey or log on from a browser that doesn't support it (e.g. Safari on Mac or iOS). I also use account-level 2FA wherever available.

2. Lastpass's security is better than most companies'. Password data is encrypted locally and transmitted to Lastpass only in its encrypted form. It shouldn't matter if the data is hacked on their end.

3. Nothing is 100% secure. Lastpass has had vulnerabilities discovered (most often in their browser extensions) and fixed. Do the best you reasonably can.
Don't get me wrong, I use Lastpass Enterprise at work and appreciate it. However, these are questions we must ask ourselves. I consistently wonder what happens when a PW Manager site goes under/down or gets hacked. And it will happen some day and probably has already. I am not entirely convinced that everything is "encrypted" on someone else's server as you say. It makes using the spreadsheet method a bit more viable. :)

-TheDDC
Refreshingly, a double barrel shotgun blast of truth...

CFM300
Posts: 1619
Joined: Sat Oct 27, 2007 5:13 am

Re: lastpass noob question

Post by CFM300 » Thu Oct 10, 2019 12:42 pm

[edited - no longer relevant]
Last edited by CFM300 on Sat Oct 12, 2019 1:15 am, edited 1 time in total.

Helo80
Posts: 1022
Joined: Sat Apr 29, 2017 8:47 pm

Re: lastpass noob question

Post by Helo80 » Thu Oct 10, 2019 12:53 pm

02nz wrote:
Wed Oct 09, 2019 9:53 am
Nothing is 100% secure. But Lastpass is about a million times more secure than writing down passwords.
So..... I think it's a myth that writing down passwords is insecure.

Here's why...
1. Sure, if you mean writing down your domain password on a sticky note and putting it under the desk or keyboard at work, you're absolutely right.
2. If you mean writing passwords down at home, I think the risk is mitigated significantly. I do not think that most of us live in areas where we fear burglarization on a regular basis.
3. If your home were burglarized, you would have to rely on the criminal noticing and grabbing your written down password.

But.... you can still have safe password writing password habits IF...
1. You write down the password in an unmarked journal
2. Secure the journal within a cabinet or desk drawer (does not have to be locked)
3. Then, fill journal with strong passphrase passwords.

But.... wait! Somebody finds the journal?
1. Ok, use passphrases on every one of your passwords.
2. But, leave out a keyword in the beginning or end of the password. E.g.... you have a random assortment of passwords for 20+ websites you regularly use... and they all end in "B0glehead", but you leave out said word in your journal


If you holistically take the above in, I would say that's far more secure than any password manager out there. With these password managers, you crack or gain access to the passphrase, and the keys to the kingdom are opened. Really, unless you're an HVT, hackers and criminals are not going to break into your home, photograph your password journal, and then leave without leaving a trace. For criminals, it's more time efficient to gain access to LastPass's system or trick a user into entering their Lastpass password than to burglarize a home.

Gadget
Posts: 260
Joined: Fri Mar 17, 2017 1:38 pm

Re: lastpass noob question

Post by Gadget » Thu Oct 10, 2019 1:16 pm

Helo80 wrote:
Thu Oct 10, 2019 12:53 pm

2. If you mean writing passwords down at home, I think the risk is mitigated significantly. I do not think that most of us live in areas where we fear burglarization on a regular basis.
I agree with you for the most part. But as someone with kids, burglars are probably not the highest risk to the password journal system (that my parents use no matter what I tell them). I walked into the study at my parents' house over Christmas one day and my 2-year-old was coloring all over a journal. I looked at it, and it was my parents' book of passwords. I think they could still read most of them if they looked hard enough...

Fire/flood/tornado/hurricane/etc. are probably a bigger chance of risk than a burglar in most homes too.

jhfenton
Posts: 4189
Joined: Sat Feb 07, 2015 11:17 am
Location: Ohio

Re: lastpass noob question

Post by jhfenton » Fri Oct 11, 2019 10:16 am

TheDDC wrote:
Thu Oct 10, 2019 12:11 pm
Don't get me wrong, I use Lastpass Enterprise at work and appreciate it. However, these are questions we must ask ourselves. I consistently wonder what happens when a PW Manager site goes under/down or gets hacked. And it will happen some day and probably has already. I am not entirely convinced that everything is "encrypted" on someone else's server as you say. It makes using the spreadsheet method a bit more viable. :)

-TheDDC
I agree that nothing is perfectly secure. Password Managers are neither perfect nor infallible. That's why I try to have multiple layers of security on important accounts and devices: phone, primary email account, financial institutions, etc.

But if you knock me unconscious before I have a chance to hit the emergency lock on my phone, you could probably use my phone and thumbprint to hijack most of our accounts. (For that matter, once you've knocked me unconscious and kidnapped me, torture would quickly get me to give up my device and Lastpass passwords. :twisted: )

For most people, though, password managers are more secure than most alternatives that they are likely to adhere to.

3-20Characters
Posts: 669
Joined: Tue Jun 19, 2018 2:20 pm

Re: lastpass noob question

Post by 3-20Characters » Fri Oct 11, 2019 10:59 am

Half these posts make zero sense to me. Why are people letting others into their computer user profile? Just set up a different profile for each user in your household. This is not a password issue. Let someone into your user profile and they see your browser history, can read your email, etc. It also makes no sense to share OS settings. Your daughter doesn’t like your desktop pic so she changes it to one of a boy band, you change it back, rinse, repeat.

Worried about lastpass and 1Password servers getting hacked and decrypted and the hacker knowing your master password as well but keeping passwords on a spreadsheet is Ok? Say what!?

Ignoring simple settings like having your password manager lock immediately after authorizing a log in (or some time period thereafter) and complaining that some untrustworthy family member may use your computer to log into your bank? You have sketchy people milling around, you don’t use a password to secure your computer log in, and you’re complaining about your password manager!? The password manager is not your problem here. Say you delete lastpass. So you’re still ok with your BIL finding all your bank statements, tax returns, reading your email, etc?

Use the settings and features, people. That’s what they’re there for.

Elric
Posts: 217
Joined: Sat Dec 08, 2018 12:23 am
Location: Virginia

Re: lastpass noob question

Post by Elric » Fri Oct 11, 2019 8:28 pm

TheDDC wrote:
Wed Oct 09, 2019 1:01 pm
And if lastpass gets hacked? What then? That's a "website".

And what do I use to manage my master password?

And on and on it goes...

-TheDDC
Unlike far too many businesses, LastPass and other good password managers only store your passwords in encrypted form AND they don't store your master password. So if there is a breach, the thieves only get a heavily encrypted file.

And it's much easier to create and remember one secure master password than fifty or more.
"No man is free who works for a living." | Illya Kuryakin
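The "local-only encryption" quoted from Lastpass.com earlier in the thread, jhfenton's point 2 and Elric's post above all describe the same design: the master password is turned into a vault key on the device, the vault is encrypted there, and the service stores only an opaque blob plus a separate one-way login hash. The Python below is an added model of that design, not LastPass's, 1Password's or any other product's code. The key-derivation shape (PBKDF2 of the master password salted with the e-mail address, then one extra PBKDF2 round to produce the login hash) is assumed from what LastPass has published and is not verified here; the iteration count is a constructed value. The vault cipher is a stdlib stand-in for AES-GCM (an HMAC-SHA256 keystream with an HMAC tag, encrypt-then-MAC) so the script runs without third-party packages; a real product uses AES-GCM. The sample account and entries are constructed.

```python
"""Model of client-side ("local-only") vault encryption using only the stdlib.

Added example, not a password manager's code. Key-derivation shape assumed
from LastPass's published description; ITERATIONS is a constructed value;
the cipher below stands in for AES-GCM and is not for production use.
"""
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # constructed; products choose their own counts


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Key that encrypts the vault. Computed on the device, never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way step: the server can verify it, not invert it to the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Separate encryption and authentication keys, both derived from the vault key.
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from a keyed PRF (stand-in for a block cipher).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    """Encrypt-then-MAC of the JSON vault; layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(vault_key, b"enc"), _subkey(vault_key, b"mac")
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a wrong key or a modified blob is rejected before decryption."""
    enc_key, mac_key = _subkey(vault_key, b"enc"), _subkey(vault_key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong master password or modified vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class Server:
    """Everything the service holds: a salted hash of the login hash and the opaque blob."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        salt = secrets.token_bytes(16)  # server-side salt and stretching of the login hash
        verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        self.accounts[email] = {"salt": salt, "verifier": verifier, "blob": blob}

    def fetch_blob(self, email: str, login_hash: bytes) -> bytes:
        acct = self.accounts[email]
        check = hashlib.pbkdf2_hmac("sha256", login_hash, acct["salt"], ITERATIONS)
        if not hmac.compare_digest(check, acct["verifier"]):
            raise PermissionError("login hash does not match")
        return acct["blob"]


def login_rejected(server: Server, email: str, login_hash: bytes) -> bool:
    try:
        server.fetch_blob(email, login_hash)
        return False
    except PermissionError:
        return True


def decrypt_rejected(vault_key: bytes, blob: bytes) -> bool:
    try:
        decrypt_vault(vault_key, blob)
        return False
    except ValueError:
        return True


def breach_exposes(server: Server, master_password: str, entries: dict) -> bool:
    """Simulated dump of the server's records: does any stored byte string contain a secret?"""
    dump = b"".join(v for acct in server.accounts.values() for v in acct.values())
    wanted = [master_password.encode()] + [e["password"].encode() for e in entries.values()]
    return any(s in dump for s in wanted)


if __name__ == "__main__":
    email, pw = "user@example.com", "correct horse battery staple"  # constructed
    entries = {"bogleheads.org": {"user": "BlindPursuit", "password": "s3cret-demo"}}
    vk = derive_vault_key(pw, email)
    srv = Server()
    srv.register(email, derive_login_hash(vk, pw), encrypt_vault(vk, entries))
    print("round trip ok:", decrypt_vault(vk, srv.fetch_blob(email, derive_login_hash(vk, pw))) == entries)
    print("breach exposes secrets:", breach_exposes(srv, pw, entries))
```

The property TheDDC asks about is visible in `breach_exposes`: a copy of the server's records contains neither the master password nor any site password, only the verifier and the blob, and both derive from the master password through PBKDF2, so the strength of that one password (and the iteration count) is what a breached blob falls back on. That is also why 2FA on the vault protects the login but not the blob once it has been stolen.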

Elric
Posts: 217
Joined: Sat Dec 08, 2018 12:23 am
Location: Virginia

Re: lastpass noob question

Post by Elric » Fri Oct 11, 2019 8:36 pm

Helo80 wrote:
Thu Oct 10, 2019 12:53 pm
02nz wrote:
Wed Oct 09, 2019 9:53 am
Nothing is 100% secure. But Lastpass is about a million times more secure than writing down passwords.
So..... I think it's a myth that writing down passwords is insecure.

Here's why...
1. Sure, if you mean writing down your domain password on a sticky note and putting it under the desk or keyboard at work, you're absolutely right.
2. If you mean writing passwords down at home, I think the risk is mitigated significantly. I do not think that most of us live in areas where we fear burglarization on a regular basis.
3. If your home were burglarized, you would have to rely on the criminal noticing and grabbing your written down password.

But.... you can still have safe password writing password habits IF...
1. You write down the password in an unmarked journal
2. Secure the journal within a cabinet or desk drawer (does not have to be locked)
3. Then, fill journal with strong passphrase passwords.

But.... wait! Somebody finds the journal?
1. Ok, use passphrases on every one of your passwords.
2. But, leave out a keyword in the beginning or end of the password. E.g.... you have a random assortment of passwords for 20+ websites you regularly use... and they all end in "B0glehead", but you leave out said word in your journal


If you holistically take the above in, I would say that's far more secure than any password manager out there. With these password managers, you crack or gain access to the passphrase, and the keys to the kingdom are opened. Really, unless you're an HVT, hackers and criminals are not going to break into your home, photograph your password journal, and then leave without leaving a trace. For criminals, it's more time efficient to gain access to LastPass's system or trick a user into entering their Lastpass password than to burglarize a home.
I don't disagree, but how many people will generate unique strong passwords for each site they visit using this method? And then how do you handle access when on the road, or even on a PC on a different floor? Or when using a smart phone? Password managers meet a clear need.
"No man is free who works for a living." | Illya Kuryakin

Helo80
Posts: 1022
Joined: Sat Apr 29, 2017 8:47 pm

Re: lastpass noob question

Post by Helo80 » Fri Oct 11, 2019 8:40 pm

Elric wrote:
Fri Oct 11, 2019 8:28 pm
Unlike far too many businesses, LastPass and other good password managers only store your passwords in encrypted form AND they don't store your master password. So if there is a breach, the thieves only get a heavily encrypted file.

Reading this makes me want to create a dummy Lastpass account, log on via Firefox or Chrome, and then memory dump the entire RAM and see what I come up with... Though, that takes more time than I think is worth, and it goes to my comment earlier about us not being HVTs.

I can imagine LastPass does a lot of things correctly opsec-wise, but it's still written and run by humans.

Helo80
Posts: 1022
Joined: Sat Apr 29, 2017 8:47 pm

Re: lastpass noob question

Post by Helo80 » Fri Oct 11, 2019 8:45 pm

Elric wrote:
Fri Oct 11, 2019 8:36 pm
I don't disagree, but how many people will generate unique strong passwords for each site they visit using this method? And then how do you handle access when on the road, or even on a PC on a different floor? Or when using a smart phone? Password managers meet a clear need.
Password managers do meet a clear need. The upside far outweighs the downside. The downside is huge: once you get the master password, the kingdom falls.

lotusflower
Posts: 249
Joined: Thu Oct 24, 2013 12:32 am

Re: lastpass noob question

Post by lotusflower » Fri Oct 11, 2019 9:14 pm

Helo80 wrote:
Fri Oct 11, 2019 8:40 pm
Reading this makes me want to create a dummy Lastpass account, log on via Firefox or Chrome, and then memory dump the entire RAM and see what I come up with... Though, that takes more time than I think is worth, and it goes to my comment earlier about us not being HVTs.

I can imagine LastPass does a lot of things correctly opsec-wise, but it's still written and run by humans.
But remember, it's the day job of a majority of the people at that particular company to worry about this. Do you think they don't already pen-test (penetration test) their own stuff? I use KeePass instead, but I imagine that all the password-storage products have very good security designed by experts and they regularly reassess the risks and keep a very good attitude about security.

Sure there is still a human factor. Maybe it's a shell company owned by a rogue nation state, not sure you can really rule that out. But I think the odds are good that most of the popular companies are trustworthy and it's very hard to do better on your own.

ARoseByAnyOtherName
Posts: 206
Joined: Wed Apr 26, 2017 12:03 am

Re: lastpass noob question

Post by ARoseByAnyOtherName » Fri Oct 11, 2019 9:38 pm

Gadget wrote:
Thu Oct 10, 2019 9:43 am
ARoseByAnyOtherName wrote:
Wed Oct 09, 2019 10:15 pm
BlindPursuit wrote:
Wed Oct 09, 2019 6:38 pm
all they have to do is surf to whatever website, click log in, and lastpass will literally give them my login credentials. Still seems crazy to me.
That this isn’t the default setting seems crazy to me. It should be. Most people either aren’t going to, or won’t know to, change this default setting.

Especially after past security issues (including at least one breach) I wouldn’t recommend LastPass to anyone. Stay away!
It's fine if you recommend different password managers. There are other good alternatives. But the average user likely wants this to be the default setting. Lastpass is catering to the normal user, which is why I use it (for my wife and family). If I was by myself I'd probably use Keepass, but it's not as user friendly. But if this wasn't the default setting, average users would probably just resort to recycling the same password for everything anyway.

And I don't know if you're familiar with software development. But I can guarantee you that all password managers have had vulnerabilities. I appreciate that Lastpass is willing to disclose vulnerabilities and that they have 3rd party audits. If you have a password manager that has never had a vulnerability, then you just have a password manager that isn't willing to tell you about them. Even open source password managers have vulnerabilities yet to be discovered by the good guys. It takes a team of developers to actively be looking at software for vulnerabilities in order to improve its cybersecurity posture. No software is perfect.
All software has vulnerabilities. But not all password managers have had security breaches where customer data has been exfiltrated. LastPass has. 1Password hasn’t.

I appreciate responsible disclosure but I don’t appreciate security breaches.

Stay away from LastPass.

3-20Characters
Posts: 669
Joined: Tue Jun 19, 2018 2:20 pm

Re: lastpass noob question

Post by 3-20Characters » Fri Oct 11, 2019 10:56 pm

Helo80 wrote:
Fri Oct 11, 2019 8:45 pm
Elric wrote:
Fri Oct 11, 2019 8:36 pm
I don't disagree, but how many people will generate unique strong passwords for each site they visit using this method? And then how do you handle access when on the road, or even on a PC on a different floor? Or when using a smart phone? Password managers meet a clear need.
Password managers do meet a clear need. The upside far outweighs the downside. The downside is huge: if you get the master password, the kingdom falls.
You seem to have your mind made up. You somehow project that one master password stored in your head is just as (or more) vulnerable than a scheme involving pass phrases. I disagree completely. I have used a similar scheme to what you described up thread—using a decrypt key and the website name. You’d need the decrypt key to get the password. It’s a wholly inadequate strategy in this day and age because you can’t control the passwords and PINs you need to memorize and there will be many exceptions to your rule.

Where do you store the PIN that Equifax assigned you to unfreeze your credit? BTW, you will need this PIN because the Equifax website login is broken for many of us (search for the thread on this). X4 if you add Experian, TransUnion, and Chex, and that’s just for the credit agencies.

How about sites with very restricted password options? Your pass phrase will be rejected and you will have to memorize a different scheme for that site X the number of sites it comes up.

How about sites that still insist on “security questions?” What HS did you attend, etc? You could answer “lollipop” for all of them (assuming they allow the same answer for each question—many don’t). Or you could use a password manager to store a unique 6 digit code for each question in the notes of that login.

Wouldn’t it be nice for your partner—should you suddenly become incapacitated—to have access to all crucial account logins and info in one place? This is not just logins but PINs, etc. It’s a good practice to have a secure password to log into your computer, but does your partner know it? How many such passwords will you need to make available to him/her in case of emergency? What about the decryption key on your backup disk? It may never be needed so just chuck it, I suppose. Or, just make sure he/she has the master password to your password manager and it’s done.

Many more examples exist. I just need to look through the notes in my 1Password file to realize it’s impossible to keep all this straight unless I take many shortcuts and don’t use the most secure passwords possible. Even then, information will go missing, be forgotten, or be exposed to prying eyes. While I think it’s safe to store passwords in the cloud, if that’s your beef, use a manager that will allow you to store locally only.

There’s theory and there’s reality. In theory, many schemes will work fine. In fact, using something like a decryption key seems great until you actually try to apply it to over 100 logins. Reality tells me that it’s a poor substitute for a password manager.

Maybe some biometric technology will rid us of this burden in the future but for now, it’s here to stay.

ThereAreNoGurus
Posts: 328
Joined: Fri Jan 24, 2014 11:41 pm

Re: lastpass noob question

Post by ThereAreNoGurus » Fri Oct 11, 2019 11:36 pm

3-20Characters wrote:
Fri Oct 11, 2019 10:56 pm
Helo80 wrote:
Fri Oct 11, 2019 8:45 pm
Elric wrote:
Fri Oct 11, 2019 8:36 pm
I don't disagree, but how many people will generate unique strong passwords for each site they visit using this method? And then how do you handle access when on the road, or even on a PC on a different floor? Or when using a smart phone? Password managers meet a clear need.
Password managers do meet a clear need. The upside far outweighs the downside. The downside is huge: if you get the master password, the kingdom falls.
You seem to have your mind made up. You somehow project that one master password stored in your head is just as (or more) vulnerable than a scheme involving pass phrases. I disagree completely...
All good points 3-20Characters.

I find a password manager indispensable.

I use KeePass and keep my password db on an encrypted flash-drive. Keeping passwords on paper would be an insane practice for me. I travel a lot. I keep that flash-drive on my keychain.

Even if my master password was compromised, one would still have to get hold of my flash-drive... good luck with that. And even if one miraculously obtains both, I have 2FA and voice-id on my brokerage accounts. After a few phone calls, the accounts are frozen and I change passwords. Can't imagine that scenario ever happening to me, however.
Last edited by ThereAreNoGurus on Sat Oct 12, 2019 2:07 am, edited 1 time in total.
Trade the news and you will lose.

CFM300
Posts: 1619
Joined: Sat Oct 27, 2007 5:13 am

Re: lastpass noob question

Post by CFM300 » Sat Oct 12, 2019 1:11 am

Helo80 wrote:
Fri Oct 11, 2019 8:45 pm
Password managers do meet a clear need. The upside far outweighs the downside. The downside is huge: if you get the master password, the kingdom falls.
Kingdom remains standing just fine if you also use 2FA on important accounts, including the password manager itself.

shess
Posts: 221
Joined: Wed May 17, 2017 12:02 am

Re: lastpass noob question

Post by shess » Sat Oct 12, 2019 2:38 am

BlindPursuit wrote:
Wed Oct 09, 2019 9:50 am
I finally signed up for a password manager (lastpass). I made my bogleheads login my first test case just so I could get used to how lastpass works.

Well, first thing, I go to login at bogleheads. I click login and see my username and password are filled in (password is ***starred out***).

How is this helping me? Doesn't anybody with access to my computer now have access to my login and password information for any account that I "store" with lastpass?
You should never login to any important accounts from a computer which other people use unless you GREATLY trust the technical abilities of those people. I don't mean that you trust them to do good by you, like if they were your loving spouse or your dear sibling who you entrust with your life. I mean you need to trust that they won't install dubious software which will compromise the entire computer, including your account. If they don't know what they're doing, it doesn't matter if they have your best interests at heart.

If you don't trust them and are allowing them to use your computer account, there are many things they could do to capture any of the information you view using that computer, without knowing your password.

Helo80
Posts: 1022
Joined: Sat Apr 29, 2017 8:47 pm

Re: lastpass noob question

Post by Helo80 » Sat Oct 12, 2019 3:53 am

3-20Characters wrote:
Fri Oct 11, 2019 10:56 pm
You seem to have your mind made up. You somehow project that one master password stored in your head is just as (or more) vulnerable than a scheme involving pass phrases. I disagree completely. I have used a similar scheme to what you described up thread—using a decrypt key and the website name. You’d need the decrypt key to get the password. It’s a wholly inadequate strategy in this day and age because you can’t control the passwords and PINs you need to memorize and there will be many exceptions to your rule.

Funny, I read your response and I think that you have your mind made up about the point I am making. I personally would not view password managers as infallible solutions that are created and tested by cybersec "pros" much like I would not approach physicians as being infallible and always 100% accurate on a diagnosis. There's a margin for error and nobody is perfect. (note: this is not a knock on professions, but rather highly trained and highly skilled professionals will fall short when you play the game long enough...)

I never said that I did not use a password manager. Feel free to read all of my replies, holistically, again. If I'm not mistaken, I did say that upsides outweigh the downsides, but there is one major downside.

For shopping, forums, and credit cards, I do not see issues with storing passwords in a password manager. However, I personally would not store bank and financial institution information within a password manager. (Note: credit cards would likely fall under a "financial institution" to you, but all of my CCs are issued outside of my primary bank. I've had my CC lifted so many times online that I honestly do not give a c*** about it being stolen anymore... every time it happens, I laugh and then wonder which site in the last 6 months had insecure practices or bad employees)

othermike27
Posts: 46
Joined: Mon Jun 13, 2016 7:14 am

Re: lastpass noob question

Post by othermike27 » Sat Oct 12, 2019 6:52 am

Helo80 wrote:
Sat Oct 12, 2019 3:53 am

For shopping, forums, and credit cards, I do not see issues with storing passwords in a password manager. However, I personally would not store bank and financial institution information within a password manager.
This is how I have used LastPass for several years. I need to track too many online account passwords to do it without a password manager. However, access info for my asset-bearing accounts is kept only in a spreadsheet on a local computer, not on LastPass. The spreadsheet is stored in a more secure form than just plaintext. But the important point is that even the "plaintext" version is itself encoded using keywords and cues that are meaningful only to me. If a bad actor got access to the plaintext version, it would still not be enough to threaten any assets. Example: the list entry for a password might be "CPC" which is shorthand for a 22-character passphrase that must be entered as the password for some account. That passphrase is unlikely to be guessed even by family members, so I have a full explanation stored in some other safe place in case I croak or lose my marbles.

As others up-thread have suggested, I try to use a layered approach to account security, tailored to the value of what is being secured. For anyone who wants to learn more about strong passphrases, I suggest checking out Diceware and the writings of Bruce Schneier and other cryptographers.
