Potent LastPass exploit underscores the dark side of password managers

ch33zw1z

Lifer
Nov 4, 2004
39,541
20,188
146
Thanks for the link. I use Safe-in-Cloud without the browser extension, but still....it's scurry.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
Didn't click the link, but I've always felt that an online password manager is a target for hackers.

I have a complex base password I can remember with some parts where I dynamically substitute some characters. I only have to remember which characters I chose for that particular site/service. If I have to write it down, I don't need to write down the entire password. Just the chosen substitutions, which I can obfuscate.
 

Ajay

Lifer
Jan 8, 2001
16,094
8,112
136
I'm getting tired of making secure passwords and keeping them in a small notepad, so I've been considering Dashlane and Lastpass which seem to be the most highly rated. I was leaning toward Dashlane and this incident (the second for lastpass) will probably solidify my decision.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
I'm getting tired of making secure passwords and keeping them in a small notepad, so I've been considering Dashlane and Lastpass which seem to be the most highly rated. I was leaning toward Dashlane and this incident (the second for lastpass) will probably solidify my decision.
Dashlane's ads made it seem like copycat shovelware.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
Even the paid version?
I dunno. While visiting my mother I saw ads on Fox News. It seemed like those ones where they advertise "mylife dot com" to elderly people who might not know about Facebook or whatever.
 

bononos

Diamond Member
Aug 21, 2011
3,928
186
106
The security of keepass can only be as safe as the security of the OS. There are a few hacking tools that can extract passwords like keefarce and probably other password managers.
 

ch33zw1z

Lifer
Nov 4, 2004
39,541
20,188
146
Thanks bono, that's a good observation.

What I'd like to see is some detailed responses why people support what they do.

I preferred SiC for these reasons:

- doesn't get stored on their side
- 256 bit encryption
- Even if your mobile device isn't encrypted, the DB on the phone still is encrypted
- ease of use, $5 to sync from desktop to cloud to mobile
- can use quite a few different cloud sync solutions (i am storing my DB on google drive)
 

ch33zw1z

Lifer
Nov 4, 2004
39,541
20,188
146
anyone else?

seriously, identifying strengths and weaknesses from our experience is a good thing.
 

Ajay

Lifer
Jan 8, 2001
16,094
8,112
136
I don't have a problem with lastpass, I have a problem with anything that automatically fills in my user/pass. I have this disabled. So if you can spoof the URL and phish me, that's my fault not the fault of my password manager.

Interesting point. Had thought to see how password managers deal with spoofing. But, I will pick up something - keeping a pocket notebook filled with usernames and passwords isn't fun and isn't conducive to changing passwords as often as I should.
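The autofill concern in the post above comes down to how a manager decides that the current page is the site a credential was saved for. The following is an added example, not code from the thread or from any of the products named in it: a strict origin-matching rule (exact https origin, optional subdomain match on whole host labels) over a constructed list of saved entries, showing how look-alike URLs are rejected before any fill is offered.

```javascript
// Added example (not from the thread): strict origin matching a password
// manager could apply before offering a saved credential on a page.
// Sample entries below are constructed for the demonstration.
const savedEntries = [
  { origin: "https://login.example.com", user: "alice" },
  { origin: "https://bank.example.org", user: "alice-bank" },
];

// Return true only when pageUrl has the same https origin as the saved entry.
// With allowSubdomains=true, an https subdomain of the saved host also matches,
// compared on whole labels so "login.example.com.evil.test" never matches.
// Exact-only (the default) is the stricter policy.
function originMatches(savedOrigin, pageUrl, allowSubdomains = false) {
  let saved, page;
  try {
    saved = new URL(savedOrigin);
    page = new URL(pageUrl);
  } catch {
    return false; // unparsable URL: never fill
  }
  // Refuse plain http even if the host matches (no downgrade fill).
  if (saved.protocol !== "https:" || page.protocol !== "https:") return false;
  if (saved.port !== page.port) return false;
  const sh = saved.hostname.toLowerCase();
  const ph = page.hostname.toLowerCase();
  if (ph === sh) return true;
  return allowSubdomains && ph.endsWith("." + sh);
}

// Usernames that may be offered on pageUrl; an empty list means "do not fill",
// leaving the user to pick an entry manually instead of trusting the URL.
function candidatesFor(pageUrl, allowSubdomains = false) {
  return savedEntries
    .filter((e) => originMatches(e.origin, pageUrl, allowSubdomains))
    .map((e) => e.user);
}
```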
 

lxskllr

No Lifer
Nov 30, 2004
59,460
9,973
126
Thanks bono, that's a good observation.

What I'd like to see is some detailed responses why people support what they do.

I preferred SiC for these reasons:

- doesn't get stored on their side
- 256 bit encryption
- Even if your mobile device isn't encrypted, the DB on the phone still is encrypted
- ease of use, $5 to sync from desktop to cloud to mobile
- can use quite a few different cloud sync solutions (i am storing my DB on google drive)
I use Keepass variants because they're libre software, and on every platform I expect to be on. I keep my database backed up on mega/spideroak, and I can boot to a live cd on a foreign machine, access my passwords, then leave without a trace.
 

ch33zw1z

Lifer
Nov 4, 2004
39,541
20,188
146
Cool, thanks. How do you like spideroak? Been looking at that for a while..
 

lxskllr

No Lifer
Nov 30, 2004
59,460
9,973
126
Cool, thanks. How do you like spideroak? Been looking at that for a while..
I'm just using their free tier (2 GB iirc), and it works well. It's never been unavailable when I needed it. Sensitive files I gpg encrypt before upload.

I also use mega, primarily for work files. I trust mega less, but their free tier is much more generous (50 GB). I don't tend to trust "cloud" computing in general, but it's sometimes useful. I'm always cognizant of what I'm moving through the net and adjust my behavior/service use accordingly.
 

ch33zw1z

Lifer
Nov 4, 2004
39,541
20,188
146
Cool John, feel free to elaborate and comment on why this is more or less secure than alternatives
 

sandorski

No Lifer
Oct 10, 1999
70,684
6,252
126
Pen/Paper is safer. Only a handful of people are likely to have potential access with it, in comparison to millions.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,056
199
116
Pen/Paper is safer. Only a handful of people are likely to have potential access with it, in comparison to millions.
That is probably true, but where would be the best place to store it? And what if you need access from outside your house?