Is LastPass still top in security, any reason to switch?
I use LastPass, so our whole life savings of passwords and security depends on the one software. I'm checking in to make sure if LastPass is still the recommended password manager to use. I've read some reviews for paid ones but didn't see a reason to switch. I use two factor with Microsoft authentication when possible btw. I also have Microsoft authenticator ask for my sign in fingerprint when opening it.
Re: Is LastPass still top in security, any reason to switch?
https://thewirecutter.com/reviews/best- ... -managers/
Looks like LastPass is still the #2 choice on Wirecutter. As long as you know how to use it and are satisfied, I see no reason to change.
Re: Is LastPass still top in security, any reason to switch?
I switched to BitWarden and have been very happy. They are open source and had a third-party security audit at the end of last year-- https://blog.bitwarden.com/bitwarden-co ... 1cc81b6d33.
Re: Is LastPass still top in security, any reason to switch?
My recommendation is to write down financial services (e.g. banks and brokerage firms --- not so much CC companies) passwords in a safe place at home, and use LastPass for everything else.
Thank God for Wall Street Bets.
Re: Is LastPass still top in security, any reason to switch?
https://latesthackingnews.com/2019/09/17/lastpass-vulnerability-leaked-login-credentials-update-now/
Long is the way and hard, that out of Hell leads up to light.
Re: Is LastPass still top in security, any reason to switch?
ShadowRegent wrote: ↑Mon Nov 11, 2019 4:42 pm I switched to BitWarden and have been very happy. They are open source and had a third-party security audit at the end of last year-- https://blog.bitwarden.com/bitwarden-co ... 1cc81b6d33.
This is my recommendation. Bitwarden has worked perfectly, but importing from LastPass was somewhat of a pain because LastPass doesn't properly encode some characters on the export. This has been a year or two ago, so maybe it's fixed.
I feel better using open source software and if you're really concerned you can self-host Bitwarden.
Re: Is LastPass still top in security, any reason to switch?
I personally use and recommend 1Password.
I would never use LastPass, ever.
As I wrote in a previous thread: "All software has vulnerabilities. But not all password managers have had security breaches where customer data has been exfiltrated. LastPass has. 1Password hasn’t." In addition I find LastPass's interface to be really ugly and clunky.
Re: Is LastPass still top in security, any reason to switch?
A lot of financial hacking is the result of family, friends or others with physical access stumbling across written down passwords.
Re: Is LastPass still top in security, any reason to switch?
F150HD wrote: ↑Mon Nov 11, 2019 5:03 pm https://latesthackingnews.com/2019/09/17/lastpass-vulnerability-leaked-login-credentials-update-now/
I think this is the most important part of the article:
"After discovering the bug, Ormandy privately reported it to Google. Hence, there seems no active exploitation of the vulnerability. Following the report, the latest version of LastPass is out with the patch. Users should ensure updating the product version to LastPass 4.33.0."
All software has bugs. I think it's a good thing that researchers are discovering them and reporting them to the companies concerned.
I do not use Lastpass myself, I use a different password manager. But I would not hesitate to use Lastpass due to security concerns. Any password manager is better than the write-it-down method of maintaining passwords.
Re: Is LastPass still top in security, any reason to switch?
A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
Re: Is LastPass still top in security, any reason to switch?
I started with 1Password because of Wirecutter's recommendation, but found it too intrusive, so I switched to LastPass. On computers, I prefer its Chrome-like, non-intrusive suggestion to save passwords, that I can choose to easily ignore if I want to.
Re: Is LastPass still top in security, any reason to switch?
Ice-9 wrote: ↑Tue Nov 12, 2019 10:00 am A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
"One of the funny things about stock market, every time one is buying another is selling, and both think they are astute" - William Feather
Re: Is LastPass still top in security, any reason to switch?
Ice-9 wrote: ↑Tue Nov 12, 2019 10:00 am A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
BogleMelon wrote: ↑Tue Nov 12, 2019 10:32 am Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla"
Re: Is LastPass still top in security, any reason to switch?
Ice-9 wrote: ↑Tue Nov 12, 2019 10:00 am A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
BogleMelon wrote: ↑Tue Nov 12, 2019 10:32 am Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
In addition to dcabler's response about the security questions, it's also not about one password. I store scores of them in my password manager, they are all unique and purposefully difficult beyond reasonable ability to memorize, and most days I use the password manager to log into more than one. If that password manager suddenly failed for some reason, it would be a huge inconvenience to have to go through the lost password dialogue even for the passwords I might need just for one day, much less ALL of them.
Re: Is LastPass still top in security, any reason to switch?
Ice-9 wrote: ↑Tue Nov 12, 2019 10:00 am A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
So.... solutions..... if you cannot trust the people around you:
Vanguard
Username: BH
Written down Password: DiJI-EblMe&r=yAParA7
Actual Password with fixed offset and word only user knows : DiJI-EblBOGLEHEADSMe&r=yAParA7
Written passwords, done properly, are more secure than LastPass any day of the week. However, LastPass makes it much easier to manage especially if away from home.
You all are free to laugh at me.
Thank God for Wall Street Bets.
Re: Is LastPass still top in security, any reason to switch?
Ice-9 wrote: ↑Tue Nov 12, 2019 10:00 am A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
BogleMelon wrote: ↑Tue Nov 12, 2019 10:32 am Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
dcabler wrote: ↑Tue Nov 12, 2019 11:07 am Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla"
Please never, ever answer security questions truthfully. The answers to many (not all) security questions can be found either online, by knowing someone even casually, or via social engineering. Just use a set of random words as the answer to security questions. (All stored in your password manager of course.)
Re: Is LastPass still top in security, any reason to switch?
ARoseByAnyOtherName wrote: ↑Tue Nov 12, 2019 9:43 pm Please never, ever answer security questions truthfully. The answers to many (not all) security questions can be found either online, by knowing someone even casually, or via social engineering. Just use a set of random words as the answer to security questions. (All stored in your password manager of course.)
What Rose said! There have been hacks upon hacks. The most pertinent was the US government Office of Personnel Management hack (the security clearance breach). Those forms contain everything the "security" questions might want an answer to. Of course the problem is remembering what you said...which is also added to the pw manager and subject to compromise, or written on a paper also subject to compromise.
Let's be careful out there.
Re: Is LastPass still top in security, any reason to switch?
Ice-9 wrote: ↑Tue Nov 12, 2019 10:00 am A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
BogleMelon wrote: ↑Tue Nov 12, 2019 10:32 am Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
dcabler wrote: ↑Tue Nov 12, 2019 11:07 am Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla"
ARoseByAnyOtherName wrote: ↑Tue Nov 12, 2019 9:43 pm Please never, ever answer security questions truthfully. The answers to many (not all) security questions can be found either online, by knowing someone even casually, or via social engineering. Just use a set of random words as the answer to security questions. (All stored in your password manager of course.)
Good point and I don't. Point is there is no way I'm going to remember what I answered - hence it's stored, encrypted, and backed up...
Re: Is LastPass still top in security, any reason to switch?
Ice-9 wrote: ↑Tue Nov 12, 2019 10:00 am A paper with written passwords presents new vulnerabilities. I recommend a digital record of the passwords separate from the password manager that is kept in an encrypted file or container. Such a spreadsheet can actually be exported directly from LastPass or most other password managers and then placed in an encrypted volume.
BogleMelon wrote: ↑Tue Nov 12, 2019 10:32 am Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
dcabler wrote: ↑Tue Nov 12, 2019 11:07 am Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla"
ARoseByAnyOtherName wrote: ↑Tue Nov 12, 2019 9:43 pm Please never, ever answer security questions truthfully. The answers to many (not all) security questions can be found either online, by knowing someone even casually, or via social engineering. Just use a set of random words as the answer to security questions. (All stored in your password manager of course.)
dcabler wrote: ↑Wed Nov 13, 2019 5:55 am Good point and I don't. Point is there is no way I'm going to remember what I answered - hence it's stored, encrypted, and backed up...
Re: Is LastPass still top in security, any reason to switch?
BogleMelon wrote: ↑Tue Nov 12, 2019 10:32 am Not sure why would anyone need to back up his passwords. If I lost a password (that is saved in my password manager), I would simply click "forgot password" at the website I want to access and follow the prompts.
dcabler wrote: ↑Tue Nov 12, 2019 11:07 am Many sites I use ask a large number of extra security questions of their choosing - I include all of that in lastpass because I can't remember if I entered "Toyota, Toyota Carolla, or just Carolla"
ARoseByAnyOtherName wrote: ↑Tue Nov 12, 2019 9:43 pm Please never, ever answer security questions truthfully. The answers to many (not all) security questions can be found either online, by knowing someone even casually, or via social engineering. Just use a set of random words as the answer to security questions. (All stored in your password manager of course.)
dcabler wrote: ↑Wed Nov 13, 2019 5:55 am Good point and I don't. Point is there is no way I'm going to remember what I answered - hence it's stored, encrypted, and backed up...
ARoseByAnyOtherName wrote: ↑Wed Nov 13, 2019 6:02 am
I keep thinking of things like retinal scans - then I remember a movie where the bad guys killed the good guy and pulled his eyeball out and used it for the scanner.
Re: Is LastPass still top in security, any reason to switch?
Curious why KeePass has fallen out of favor; I believe I heard about it from recommendations here.
Re: Is LastPass still top in security, any reason to switch?
Following with interest. Haven't yet taken the step to use a password manager due to security concerns over software bugs. I currently have a notebook handy with password clues written into it, and a separate list of full passwords kept in a home safe. I have photos of the "clue" pages on my phone. I use 2FA for financial accounts.
Nothing is perfect.
- ThereAreNoGurus
Re: Is LastPass still top in security, any reason to switch?
I use KeePass. Works great for me.
Trade the news and you will lose.
- Quercus Palustris
Re: Is LastPass still top in security, any reason to switch?
I use KeePass on my Linux desktop and KeePass2Android on my phone, syncing the password database via Dropbox. I like it very much but setup was a bit convoluted (mainly to do w/ Dropbox API keys).
DW still uses a notepad for passwords which is fine except when she's away from home (and in an effort to mitigate that, a lot of her passwords are very similar and not super secure). I may see about getting her set up on 1Password or maybe I'll look into Bitwarden (first I'm hearing of it, love that this site teaches me new non-financial things too!).
My main hesitation is not wanting to be tech support for DW if things go wrong, haha. I'd pick 1Password over LastPass because LP seems to keep winding up in the news for stupid, stupid IT mistakes.
Re: Is LastPass still top in security, any reason to switch?
dowse wrote: ↑Wed Nov 13, 2019 8:51 am Following with interest. Haven't yet taken the step to use a password manager due to security concerns over software bugs. I currently have a notebook handy with password clues written into it, and a separate list of full passwords kept in a home safe. I have photos of the "clue" pages on my phone. I use 2FA for financial accounts. Nothing is perfect.
Software bugs are definitely a valid concern and as you said nothing is perfect. That said I expect using a reputable password manager would be a security improvement over your current setup. While your setup sounds reasonable a password manager would let you have stronger, totally random passwords and totally ditch the notebook. You could still keep physical printouts in your home safe if you were so inclined.
Also, you and any others considering this move can dip your toes in the water over time. As you all have seen I am partial to 1Password (now is a good time to mention I have absolutely no affiliation with them, other than being a customer). They offer a free trial you could use with a few non-critical websites as a way to get your feet wet.
Ultimately though, using any good reputable password manager is better than not, for most people in many cases.
EDIT: made it clear that I am a 1Password customer but that I don’t have any other affiliation with them. Sorry if that wasn’t clear at first.
Last edited by ARoseByAnyOtherName on Wed Nov 13, 2019 5:56 pm, edited 1 time in total.
Re: Is LastPass still top in security, any reason to switch?
I don't like to use free software for security. The business model seems dicey to me. I pay for a password manager. It was $75 for 5 years, not worth worrying about.
Re: Is LastPass still top in security, any reason to switch?
Quercus Palustris wrote: ↑Wed Nov 13, 2019 11:43 am I use KeePass on my Linux desktop and KeePass2Android on my phone, syncing the password database via Dropbox. I like it very much but setup was a bit convoluted (mainly to do w/ Dropbox API keys). DW still uses a notepad for passwords which is fine except when she's away from home (and in an effort to mitigate that, a lot of her passwords are very similar and not super secure). I may see about getting her set up on 1Password or maybe I'll look into Bitwarden (first I'm hearing of it, love that this site teaches me new non-financial things too!). My main hesitation is not wanting to be tech support for DW if things go wrong, haha. I'd pick 1Password over LastPass because LP seems to keep winding up in the news for stupid, stupid IT mistakes.
I use KeePass on FreeBSD, Linux, Mac, iPad and Android. Mrs. Avei uses it on her PC. We do archive the pw files on our private little server. We like it and use it with both a password and a key file on a chip to open it. The chip can be removed and render KeePass unusable.
The biggest problem we have is we do update passwords regularly, we each have separate keepass files, and there is no clear way to sync our separate accounts. If we could, then we could independently update passwords and sync as necessary without the need for coordination. I didn't see a clear way to do this in any of the other pw managers I've looked at.
Re: Is LastPass still top in security, any reason to switch?
avei wrote: ↑Wed Nov 13, 2019 7:55 pm The biggest problem we have is we do update passwords regularly, we each have separate keepass files, and there is no clear way to sync our separate accounts. If we could, then we could independently update passwords and sync as necessary without the need for coordination. I didn't see a clear way to do this in any of the other pw managers I've looked at.
1Password has the concept of families, which contain one or more user accounts. Accounts in a family have passwords in vaults that only they can access, but accounts can also have shared vaults, and passwords in shared Vaults can be seen and updated by any of the accounts that have access to the Vault. It’s very handy.
https://support.1password.com/family-sharing/
Re: Is LastPass still top in security, any reason to switch?
I have found LP has gone way downhill since they were acquired by logmein, or whoever. The UI is bad, and saved credit cards don't work most of the time. They also tripled the premium price from $12 to $36. I cancelled and am using the free version as long as it continues to suit me well enough.
Re: Is LastPass still top in security, any reason to switch?
Is the Apple keychain still a suitable choice or should a security-conscious person upgrade to something better?
I appreciate the discussion on this topic. Thanks for posting OP. Input from others in the field is very helpful
Re: Is LastPass still top in security, any reason to switch?
Apple Keychain is a suitable choice. Standalone password managers tend to offer more features, and Keychain is limited to the Apple ecosystem. Overall if it meets your needs it is a good choice.
Re: Is LastPass still top in security, any reason to switch?
“A Rose ...”, thank you for the advice. Much appreciated.
Re: Is LastPass still top in security, any reason to switch?
TLDR
I’ve been using the free version of 1Password since forever (I don’t think the free version is still available but I’m not sure). I prefer the free over the paid version (I’ll explain why below). I tried lastpass twice but did not like the interface and had plenty of trouble importing data. That was a while ago so maybe it’s better now. I did a cost comparison and it comes out practically identical to 1Password. I’m not sure why it’s so popular among the BH crowd. All around, 1Password is a better choice for me. I’ve tried bitwarden, mSecure, dashlane and enpass. I have looked at the keepass website but I think it’s only for Windows and frankly, the whole idea seems like some heavy lifting for the user. So, not interested.
Of the above, I liked enpass the most but not enough to replace 1Password. With lesser known managers like bitwarden, mSecure, and enpass, I’d be worried about support/upgrades due to small user base. How much that factors into the decision is up to the individual user.
I prefer a password manager that does not store passwords on their servers. I understand the precautions and encryption involved but would prefer to not have another account to lock down or worry about. Enpass provides this, has a very nice interface, handles autofill well on my Apple devices, and is not a subscription model (this can change in the future, of course). mSecure is also a one time purchase (not subscription but I like enpass better). If I were to dump 1Password, I would choose enpass.
Back to 1Password free version. It’s all I want or need in a password manager. Plus, free! The way the free version works is that you lose a few upscale features but nothing I care about. Otherwise, it works like the paid version on my iDevices. But...it’s hobbled on the Mac. You get all the syncing, so passwords are up to date but rather than autofill, you must copy/paste to website. You cannot add or modify records on the Mac version. This does not bother me as I do almost all my work on an iPad and sync is practically instantaneous. 1Password supports markdown in the notes section and that's nice because I keep a lot of notes and it helps to have them display nicely/clearly! Exporting from 1Password to most other password managers is very well supported. So if I decide to switch, it should not be a problem. I’ve done some tests with excellent results.
This brings me to the “why use the free version of 1Password.” With the free version, I do not have to use a 1Password account and use their servers. 1Password works locally and uses iCloud for syncing. I like the way Apple has implemented security and 2FA for my iCloud account and I lock down that account very carefully already. Nothing new to do there. I can get into details on how hard it would be for someone to access my encrypted passwords on iCloud but I’ll spare you. I’ll just say that I feel quite secure with my set up and the price is right.
Conclusion: As much as I like enpass and that it’s not a subscription model, if I had to pay, I’d go with a 1Password subscription even though it breaks my rule of not storing data on their servers. I feel as though your choice of password manager is one of the most important software decisions and I’d want a robust software, quick updates, good support. These generally need a large user base. Some will choose lastpass or dashlane for good reasons. I choose 1Password (subject to change as the landscape changes).
- Lacrocious
Re: Is LastPass still top in security, any reason to switch?
Don't answer correctly - make something up and put it in your password manager of choice. What is the model of your first car? That would be "Purple Soda", or was it "Grumpy Grandpa" or maybe "Baby Beluga Bubblegum". Maybe your answer above was for "What was the name of your favorite high school teacher?", in which case it could be a good answer!
If you have to tell someone the word during a phone call to access your account - you may sound silly - but better that than a truthful answer that is the same on multiple websites.
- L
EDIT - I was behind a bit in reading the forum and see that this was already discussed. All good points!
Re: Is LastPass still top in security, any reason to switch?
Lacrocious wrote: ↑Wed Nov 13, 2019 10:24 pm Don't answer correctly - make something up and put it in your password manager of choice. What is the model of your first car? That would be "Purple Soda", or was it "Grumpy Grandpa" or maybe "Baby Beluga Bubblegum". Maybe your answer above was for "What was the name of your favorite high school teacher?", in which case it could be a good answer! If you have to tell someone the word during a phone call to access your account - you may sound silly - but better that than a truthful answer that is the same on multiple websites. - L EDIT - I was behind a bit in reading the forum and see that this was already discussed. All good points!
My answer to security questions is a six digit pin which I store in the notes section of my 1Password login record.
Example:
Favorite color=956238 (not the actual answer).
Thankfully, less and less sites use security questions any longer.
Re: Is LastPass still top in security, any reason to switch?
I've used 1Password, LastPass and Dashlane and I'm currently using KeePass.
I prefer KeePass (specifically KeePassXC, the cross-platform variant) for a couple of reasons:
- It's open source, thus the code has lots of eyeballs auditing it. I don't really trust closed source software, especially for security.
- It's cross-platform. Works on Windows, Mac, Linux, Android, iPhone
- You have complete control over whether your data stays on your computer, or is synced via the cloud (via Dropbox or Google Drive).
- It works with things other than websites -- for example it autofills desktop applications like Moneydance, Evernote and even terminal-based Unix/Linux credentials.
- It doesn't use browser plugins to do the "autofill" stuff. The browser integrations are where LastPass has had some security vulnerabilities, and appears to be where much of the risk is. Moreover, I found the 1Password/Dashlane/LastPass autofill only worked about 70% of the time. KeePass uses its own native OS program to provide keyboard input into the websites password fields. For most websites, that means you type {USERNAME}{TAB}{PASSWORD}{ENTER}, and this auto-typing sequence is customizable per website. I can't think of a website that doesn't work (though some websites are a chore to get to work because they ask for usernames/passwords in several different ways).
Re: Is LastPass still top in security, any reason to switch?
Tarkus wrote: ↑Thu Nov 14, 2019 3:19 pm
I've used 1Password, LastPass and Dashlane and I'm currently using KeePass.
I prefer KeePass (specifically KeePassXC, the cross-platform variant) for a couple of reasons:
- It's open source, thus the code has lots of eyeballs auditing it. I don't really trust closed source software, especially for security.
What exactly does open source mean? I'll admit I honestly don't know. Can't some expert Russian hackers look at the code and insert malicious code and hide it?
- TimeRunner
- Posts: 1939
- Joined: Sat Dec 29, 2012 8:23 pm
- Location: Beach-side, CA
Re: Is LastPass still top in security, any reason to switch?
Switched from Lastpass to Bitwarden a year ago, on Win10, Chromebook and android phone. Super-reliable and doesn't try to fill in fields (wrongly) like Lastpass did. Simple, effective, and free.
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
Re: Is LastPass still top in security, any reason to switch?
I don’t like the idea of my passwords being in the cloud, so I use keepass.
-
- Posts: 1000
- Joined: Wed Apr 26, 2017 12:03 am
Re: Is LastPass still top in security, any reason to switch?
3-20Characters wrote: ↑Wed Nov 13, 2019 10:57 pm
Lacrocious wrote: ↑Wed Nov 13, 2019 10:24 pm
Don't answer correctly - make something up and put it in your password manager of choice. What is the model of your first car? That would be "Purple Soda", or was it "Grumpy Grandpa" or maybe "Baby Beluga Bubblegum". Maybe your answer above was for "What was the name of your favorite high school teacher?", in which case it could be a good answer!
If you have to tell someone the word during a phone call to access your account - you may sound silly - but better that than a truthful answer that is the same on multiple websites.
- L
EDIT - I was behind a bit in reading the forum and see that this was already discussed. All good points!
My answer to security questions is a six digit pin which I store in the notes section of my 1Password login record.
Example:
Favorite color=956238 (not the actual answer).
Thankfully, less and less sites use security questions any longer.
This is a good strategy for handling security questions.
Another good strategy is to have an answer that is a random sentence. For example if this question is "What street did you grow up on?" your answer would be something like "I didn't know he chair had a lemon dog."
What you want to avoid is answering a security question with a long string of random characters. Long strings of random characters, as long as possible, is what you want for your password, but answering your security questions this way potentially opens you up to a social engineering attack. If an attacker is trying to impersonate you over the phone, and customer service asks them for the answers to your security questions, they could say something like "oh it's just a bunch of nonsense" and try to get around answering. Admittedly it's hard to know how real of a possibility this is, but might as well use one of the strategies above instead.
You also wrote:
is a six digit pin which I store in the notes section of my 1Password login record.
Worth noting that in 1Password, when you're in edit mode, you can create new fields of any type including new password fields. So you could create a new password field where the field label is the security question, and the password entry is the answer. It's a little more structured than dumping this info into the notes field, and makes it faster to copy/paste when needed.
-
- Posts: 717
- Joined: Tue Jun 19, 2018 2:20 pm
Re: Is LastPass still top in security, any reason to switch?
ARoseByAnyOtherName wrote: ↑Thu Nov 14, 2019 8:57 pm
Worth noting that in 1Password, when you're in edit mode, you can create new fields of any type including new password fields. So you could create a new password field where the field label is the security question, and the password entry is the answer. It's a little more structured than dumping this info into the notes field, and makes it faster to copy/paste when needed.
The free version of 1Password (which I use) doesn’t have this feature. Notes work for me. I use mark up to create styled text in order to make it easy to read my notes.
-
- Posts: 1000
- Joined: Wed Apr 26, 2017 12:03 am
Re: Is LastPass still top in security, any reason to switch?
3-20Characters wrote: ↑Thu Nov 14, 2019 9:19 pm
ARoseByAnyOtherName wrote: ↑Thu Nov 14, 2019 8:57 pm
Worth noting that in 1Password, when you're in edit mode, you can create new fields of any type including new password fields. So you could create a new password field where the field label is the security question, and the password entry is the answer. It's a little more structured than dumping this info into the notes field, and makes it faster to copy/paste when needed.
The free version of 1Password (which I use) doesn’t have this feature. Notes work for me. I use mark up to create styled text in order to make it easy to read my notes.
Makes sense.
Re: Is LastPass still top in security, any reason to switch?
I agree in spirit, but open source isn’t magic. OpenSSL still had Heartbleed. Bash had been open source for over 2 decades and you still had ShellShock. Those were massive vulnerabilities.
It has been a source of vulnerabilities, but it’s also a key anti-phishing feature. Unless the URL matches exactly what’s in Lastpass, 1Password, or other password managers with browser extensions, it won’t fill the credentials in the site. If you get accustomed to copying and pasting credentials into websites, the stats aren’t in your favor if you come across a clever phishing campaign.
- Quercus Palustris
- Posts: 215
- Joined: Sun Apr 08, 2018 12:31 pm
- Location: N. Virginia
Re: Is LastPass still top in security, any reason to switch?
It means anyone can see or use the source code. There's still an "official" or mainline version of the application which is distributed by the maintainers. So any sneaky code would have to pass a code review (hopefully), and anyone looking at the code would wonder why some rando added code sending passwords over the network (so I suppose they'd have to be really sneaky and hide it somehow). The idea is you can't hide things when you're in the open.
I did some experimenting on the Go language libraries for KeePass, so I can say I know the program is encrypting its data the way the authors say it is. LastPass could just be encrypting all my data with password "1234" for all I know (though I have no reason to doubt they aren't doing what they say they are - but it's all on faith).
As SpaethCo says though, open source is no guarantee there aren't bugs (and the bugs could be devastating, or glaringly embarrassing). Open source folks tend to feel it's better to have them open (where anyone could find them, but also figure out fixes). By contrast, you're depending / hoping Apple/MS/Cisco/etc will find and fix vulnerabilities in good faith (there was a recent dust-up between Google and Apple's security teams regarding how long it was taking them to fix vulnerabilities).
Re: Is LastPass still top in security, any reason to switch?
SpaethCo wrote: ↑Thu Nov 14, 2019 11:12 pm
It has been a source of vulnerabilities, but it’s also a key anti-phishing feature. Unless the URL matches exactly what’s in Lastpass, 1Password, or other password managers with browser extensions, it won’t fill the credentials in the site. If you get accustomed to copying and pasting credentials into websites, the stats aren’t in your favor if you come across a clever phishing campaign.
This is true. KeePass's autotype system will protect you from accidentally entering your credentials into the wrong site, but it doesn't offer as much protection against a malicious phishing site, especially if the site specifically targeted the KeePass autotype system. The autotype feature is definitely a convenience and not a security feature.
I can also say that LastPass has once saved me from carelessly entering credentials into a phishing site, so this is perhaps not a trivial issue.
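Added example (not part of any post in this thread, and not any vendor's code): a minimal sketch of the "only fill when the URL matches" behaviour discussed above, assuming a simplified rule of exact origin match (scheme, host and port). The vault entries, hostnames and function names are constructed for illustration; real password managers use their own matching rules.

```javascript
// Constructed sample vault; hostnames use the reserved .example / .test TLDs.
const vault = [
  { site: "https://login.bank.example/", username: "alice" },
  { site: "https://forum.community.example/", username: "alice_f" },
];

// Reduce a URL to its origin (scheme + lower-cased host + non-default port).
// Returns null for anything that is not a parseable http(s) URL.
function originOf(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.origin;
}

// Entries whose stored origin equals the origin of the page being visited.
function credentialsFor(pageUrl, entries) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === null) return [];
  return entries.filter((e) => originOf(e.site) === pageOrigin);
}

// Fill only on an exact origin match; otherwise refuse and say why, so the
// user gets a visible signal instead of reaching for copy/paste.
function decideAutofill(pageUrl, entries = vault) {
  const matches = credentialsFor(pageUrl, entries);
  if (matches.length > 0) {
    return { fill: true, username: matches[0].username };
  }
  const origin = originOf(pageUrl);
  return {
    fill: false,
    reason: "no stored entry for " + (origin === null ? "unparseable URL" : origin),
  };
}

// Constructed page URLs: the real login page, then three that merely look similar.
const samples = [
  "https://login.bank.example/signin?next=%2Faccounts",
  "https://login.bank.example.attacker.test/signin", // stored host used as a subdomain prefix
  "https://login.bank.example@attacker.test/",       // stored host placed in the userinfo part
  "http://login.bank.example/signin",                // same host, but plain http
];
for (const s of samples) console.log(s, "->", JSON.stringify(decideAutofill(s)));
```

A human skimming the address bar can miss the second and third URLs; the origin comparison does not, which is the protection that is lost when credentials are copied and pasted by hand.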
- Dan-in-Virginia
- Posts: 841
- Joined: Sat Apr 16, 2011 5:33 am
- Location: Virginia
Re: Is LastPass still top in security, any reason to switch?
I have used lastpass since 2012 and have over 400 accounts in there along with secure notes. It’s great. I also use the LastPass Authenticator which is terrific because it backs up to your vault.
I do not, however, enable integration with any web browsers. I mainly use it on my phone with web login as an option. I pay for the family plan. Being able to have a shared “Household” folder or share individual account passwords is nice.
Re: Is LastPass still top in security, any reason to switch?
I've been using LastPass for several years now as well. Almost 300 individual sites stored in there. It works just fine for me. Don't know how I'd manage without a password manager.
Real Knowledge Comes Only From Experience
Re: Is LastPass still top in security, any reason to switch?
I have and like the family plan for the shared folders too. I suggest you submit a help ticket to add the ability to do the Lastpass security challenge on shared folders. I complained that it only checked non shared folders to find duplicate and bad passwords/etc. They told me that no one else had requested that feature and they would look into it in the future. But it's been like that since they released families and they've never fixed that bug.