I hit my breaking point. I recently had my Ubisoft account stolen by someone in Russia. I refuse to give a dime to Ubi since Uplay is terrible, but I had a free copy of Far Cry 3 sitting on there that came with a video card, so I was still annoyed. And the thought that my "medium security" pass was now floating out in the world bugged me. I didn't use that same pass on my Steam or Gmail but I've used it on some other sites that had some value. I did end up getting the account restored after some support tickets and a phone call, but it's completely bonkers how Ubi will just allow someone to change your email, pass, name, etc. in an instant, with no email verification steps in place to stop it.
So I got LastPass. It's made things pretty simple to quickly generate randomized passwords for all my sites. I've seen a lot of places vouch for this service and that there's zero chance of your passwords being taken by any third party. All you have to do is make damn sure you never forget your single password to their site. It's free, unless you want access to the smartphone app, which is $12 a year. It integrates perfectly in my Chrome browser as an extension. You can also create a text list of all your passwords at any time, just in case you do stop using the service.
I'm not spamming or anything. Just honestly impressed with the ease of use. Before we get to the age of USB thumbprint scanners, this will have to do.
LastPass ~ Password generator, encryption, manager
Re: LastPass ~ Password generator, encryption, manager
Mozgus wrote: So I got LastPass. It's made things pretty simple to quickly generate randomized passwords for all my sites. I've seen a lot of places vouch for this service and that there's zero chance of your passwords being taken by any third party.
From an information security standpoint this is the height of naivety. There is a benefit of having randomized passwords for all your sites in that someone getting ahold of one will not give them access to any sites, but because of this centralized service you're no safer than you were beforehand. The two most common ways of getting someone's passwords are spyware (not stopped by this) and social engineering (also not stopped by this). And you STILL effectively have one password for all your sites because this site itself is password protected.
Blizzard Entertainment Software Developer - All comments and views are my own and not representative of the company.
Re: LastPass ~ Password generator, encryption, manager
Why wouldn't you use something like KeePass, that is local to your box and generates passwords and keeps them in a database like the one you want to use, but at least it is local to your box and not on the Internet like LastPass?
Let strength be granted, so the world might be mended...so the world might be mended.
Re: LastPass ~ Password generator, encryption, manager
MrPopo wrote: From an information security standpoint this is the height of naivety. There is a benefit of having randomized passwords for all your sites in that someone getting ahold of one will not give them access to any sites, but because of this centralized service you're no safer than you were beforehand. The two most common ways of getting someone's passwords are spyware (not stopped by this) and social engineering (also not stopped by this). And you STILL effectively have one password for all your sites because this site itself is password protected.
I understand all that, but spyware and social engineering are only a problem for, frankly, dumb people. I'm just tired of databases being hacked every other month. I always have to investigate what my password was on each site that happens to, and try to change that same password on all other sites that match. That's a huge pain in the ass. This service keeps that from ever being an issue again. And that's an issue that plagues ALL of us. Hell, I just got an email last week from Vudu telling me to change the pass immediately because it happened to them too.
Like I said, and like they say, it's the last password you'll have to remember. And that's the way things should be. Make it long, unique, and guard it with your life. The only threat to it would be someone in your real life knowing exactly what it's a password to and where to go with it and what to do. From everything I've read, there's absolutely no way anyone can steal your passwords from their servers, including themselves. I don't pretend to keep up with the evolution of encryption, but I'm pretty sure that a strong master key is all that's needed to keep all manner of technology from decrypting your shit without your say-so.
Re: LastPass ~ Password generator, encryption, manager
Stark wrote: Why wouldn't you use something like KeePass, that is local to your box and generates passwords and keeps them in a database like the one you want to use, but at least it is local to your box and not on the Internet like LastPass?
I tried KeePass but didn't like the software. And I like convenience. LastPass is infinitely easier to work with. Saved me hours. And once again, encrypted cloud storage isn't a threat to me. It's all these terribly managed companies that DON'T encrypt their customers' information that's a threat to me.
And again, if I see ANY reason to believe there's a chance my passwords aren't safe encrypted on their server, I can always delete my account, keep my text list of all my passwords and incorporate them into some other solution, local or otherwise, if need be.
Edit: And taking things further, let's say I do go entirely local. What if my hard drive decides to croak? Happens to everyone at one point or another. Ok, so I keep a USB backup of it. But what of a house fire or tornado? (This is Kansas). So local backups aren't totally a safe option. Ok, so what if I host an encrypted backup on Dropbox or something? Oh would you look at that? We're right back where we started with LastPass. Guess I'll just stick with LastPass....
- Hobie-wan
Re: LastPass ~ Password generator, encryption, manager
Mozgus wrote: I've seen a lot of places vouch for this service and that there's zero chance of your passwords being taken by any third party.
Naive thinking. You can make something less likely to be compromised or stolen, but with enough effort it can be done. Let's say there are 50 people working on encryption and security at the company (likely way too high an estimate), there are thousands of hackers out there that could be working on trying to break it.
Relevant to creating passwords.
Mozgus wrote: I understand all that, but spyware and social engineering are only a problem for, frankly, dumb people.
Not necessarily. I got hit with some malware before. I didn't click on anything. I was keeping my machine up to date. I didn't visit an unsafe site. I got crap from an infected ad on a safe site through an exploit that was used before it was patched. One could also accidentally click something during a moment of distraction or even drop something on your space bar and activate an ok. Maybe someone has pets or small children that got away from you for a moment. Accidents happen despite good practices.
I've never met a pun I didn't like. - Stark
My trade, sale and services - Rough want list - Shipping weight reference chart - AC Power Adapter reference list
Re: LastPass ~ Password generator, encryption, manager
That's about the 50th time I've seen that xkcd comic and ya know what? Still not interested in memorizing dozens of passwords. Sorry. All that it's explaining is longer is better, which is fine because you can determine the length of the generated passwords. Unfortunately most sites require some numbers and capitals as well, so that strategy doesn't even apply.
- gtmtnbiker
Re: LastPass ~ Password generator, encryption, manager
Mozgus wrote: Unfortunately most sites require some numbers and capitals as well, so that strategy doesn't even apply.
Some sites have restrictions on password length and the use of non-alphanumeric characters which can be problematic. I've been using LastPass myself for a while and have been pleased with it.
It's not perfect because it has trouble with some websites but it's been a timesaver for me.
- Hobie-wan
Re: LastPass ~ Password generator, encryption, manager
Just saying nothing is perfect and nothing is unhackable. A computer that's full of passwords is tempting just like a bank full of money.
I've never met a pun I didn't like. - Stark
My trade, sale and services - Rough want list - Shipping weight reference chart - AC Power Adapter reference list
Re: LastPass ~ Password generator, encryption, manager
Hobie-wan wrote: A computer that's full of passwords is tempting just like a bank full of money.
You can't buy lap dances with passwords.