EmailDiscussions.com


FredOnline 11 Oct 2013 11:13 PM

LastPass
 
I was reading this review:

http://www.pcmag.com/article2/0,2817,2406190,00.asp

And noted this under the "Secure Storage" heading:

With LastPass, all of your passwords and other data are stored online in a highly encrypted format. The system is designed so that the people at LastPass have no access to your password. Even if subpoenaed to release your encrypted data, they simply couldn't.

Whether this is just the magazine's take on it, or part of official LastPass spiel, I know not.

This reminds me of the situation with Lavabit - discussed at length here on the forum - and makes me wonder if, in a similar situation, LastPass would still not be able to provide the requested data to the authorities?

janusz 12 Oct 2013 12:31 AM

Quote:

Originally Posted by FredOnline (Post 562193)
With LastPass, all of your passwords and other data are stored online in a highly encrypted format. The system is designed so that the people at LastPass have no access to your password. Even if subpoenaed to release your encrypted data, they simply couldn't.

That's sloppy writing (by the PCMag hack, not FredOnline ...). I can't imagine a situation where LastPass folks could not release the encrypted data. Maybe they cannot decrypt it, but that's a different story :rolleyes:

kijinbear 12 Oct 2013 12:57 AM

The LastPass browser plugin is designed to download encrypted data from their servers, decrypt it locally with your password, and encrypt it again before uploading any changes. That way, the server only ever sees the encrypted data, and your password never leaves your own computer . . . until you go to their website and log in with the same password.

Once you log in via their website, it's an unholy mess of JavaScript-generated content that doesn't feel like a web page at all, and I can't tell what on Earth is going on behind the scenes. But one thing is certain: if somebody asked them to record my password the next time I visit their website, it would be easy for them to do that without anybody else being the wiser. And once they combine the password with the encrypted data they already have, voila, it ain't encrypted anymore.

Just like Hushmail was able to decrypt the (supposedly encrypted) emails of a user who logged in via the website. Just like Lavabit was told to intercept Snowden's password, and came very close to complying before they shut down everything.

Programs that run on your own computer and do the encryption/decryption locally are generally OK. But if somebody asks you to enter a password on a web page, there's always a possibility that your password will be intercepted.
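An added sketch of the model kijinbear describes above (not part of the original post, and not LastPass's actual code): the client derives a key from the master password, encrypts the vault locally, and the server stores only the resulting blob. PBKDF2-SHA256, the iteration count, AES-256-GCM and all function names are assumptions chosen for illustration; the sample vault is constructed.

```javascript
const crypto = require('crypto');

// Assumed parameters for this sketch (not taken from LastPass).
const ITERATIONS = 100000;
const KEY_LEN = 32;

// The key exists only where the master password is typed.
function deriveKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, KEY_LEN, 'sha256');
}

// Client side: encrypt the vault before anything is uploaded.
function sealVault(masterPassword, vault) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(vault), 'utf8'), cipher.final()]);
  // This object is everything the server ever stores.
  return {
    salt: salt.toString('hex'),
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    ct: ct.toString('hex'),
  };
}

// Client side: decrypt a downloaded blob.
// Throws if the password is wrong or the blob was modified.
function openVault(masterPassword, blob) {
  const key = deriveKey(masterPassword, Buffer.from(blob.salt, 'hex'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'hex'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'hex'));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'hex')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Whoever holds the blob can read it only if they also hold the password,
// which is why the place where the password is entered defines the trust boundary.
function holderCanRead(blob, passwordKnownToHolder) {
  try {
    openVault(passwordKnownToHolder, blob);
    return true;
  } catch (e) {
    return false;
  }
}
```

The stored blob alone is unreadable; the guarantee holds only as long as the master password is entered into code that never sends it to the party storing the blob.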

jdtaylor 7 Nov 2013 07:52 PM

Personally, I find the plugin very helpful for remembering all sorts of passwords including those for library cards etc, and I don't know whether it's me, but my iPhone might have picked a lot of this data up, when doing an iCloud sync on bookmarks etc of PC data via the Apple system, so I don't know whether it accessed the data on my side, but for me it's just very helpful having the same data available everywhere.

Berenburger 8 Nov 2013 07:37 AM

Yes, safe enough for me. LastPass is one of the best programs I came across.

MichaelH 9 Nov 2013 04:09 AM

Myself, I use KeePass, which has been highly recommended in several magazines and websites. I run the mobile version on a USB drive and back up the database regularly in other places. The nice thing about running it off the USB, there is no install program and no indication anywhere on my PC that I am using a password manager; I just unplug it and walk away.

I have read many positive reviews about 1Pass too.

I suppose they are all comparable. Whatever makes it easier to manage all your accounts is a good thing.

smithmb001 11 Nov 2013 01:52 AM

LastPass
 
I am a LastPass user for now. If you use LastPass you must also use the two-factor authentication option via a YubiKey. I've been really happy with the functionality of LastPass. It works well!

The only thing I do not like is that they are a US company subject to the Patriot Act and other US laws. I inquired about this with LastPass and can probably find their reply if anyone is interested. I imagine if the FBI has given LastPass an NSL - similar to what they did to Lavabit - then they (FBI/NSA) now have access to all stored encrypted data at LastPass. I don't see how US companies are going to be able to compete with similar companies in the EU. For example, if a LastPass competitor starts up in Norway or the Netherlands I will drop LastPass. As soon as I can find an SSL proxy similar to Megaproxy in the EU I will drop Megaproxy. In short, I pretty much will abandon any US company for a comparable company in the EU. If Americans don't trust US companies because of US law, why the heck would any European citizen?

janusz 11 Nov 2013 01:57 AM

Quote:

Originally Posted by smithmb001 (Post 563599)
If you use LastPass you must also use the two-factor authentication option via a YubiKey.

No, no & no.

smithmb001 11 Nov 2013 02:34 AM

LastPass
 
Quote:

Originally Posted by janusz (Post 563601)
No, no & no.

Do you mean No, No and No to LastPass? Or No to two-factor authentication? It is a good product, but it has a vulnerability that is impossible to mitigate without taking your business elsewhere...

janusz 11 Nov 2013 02:36 AM

I meant you do not have to use YubiKey with LastPass

smithmb001 11 Nov 2013 03:02 AM

Security
 
Quote:

Originally Posted by janusz (Post 563607)
I meant you do not have to use YubiKey with LastPass

I would not use LastPass without a YubiKey for security reasons. Essentially, LastPass holds the keys to your kingdom so to me it is worth the one-time cost of a YubiKey or two ($25US) and the small yearly subscription cost to LastPass for the added protection. The folks at LastPass have really designed a very secure system with the exception of a single non-technical vulnerability that cannot be mitigated...

Of course, even without the YubiKey you are relatively safe so long as you use a strong password for the master key. And, LastPass makes it much easier to use really strong passwords on all the other sites you use that require authentication. The password generator is awesome!

janusz 11 Nov 2013 03:18 AM

Quote:

Originally Posted by smithmb001 (Post 563609)
I would not use LastPass without a YubiKey for security reasons.

Your choice.
My objection was to "you must also use the two-factor authentication".

FredOnline 4 Aug 2017 02:43 AM

Updates to the LastPass personal lineup
 
Today's LastPass blog:

https://blog.lastpass.com/2017/08/up...l-lineup.html/

Price now doubled for the premium account, to $24 per year.

beeboy 4 Aug 2017 09:06 AM

I'm not crazy about password managers. I use my own methods for protecting sensitive data locally and in the cloud.

Hackers will go after LastPass and the like 100% of the time. Do you think they will waste time looking for my data in mom's recipes?

janusz 4 Aug 2017 03:00 PM

Quote:

Originally Posted by FredOnline (Post 603415)
Price now doubled for the premium account

The premium account offers bells and whistles I don't need, so this doesn't affect me.


All times are GMT +9.