EmailDiscussions.com  

Go Back   EmailDiscussions.com > Miscellaneous > The Off-Topic Lounge
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

The Off-Topic Lounge APPROPRIATE FAMILY-FRIENDLY TOPICS ONLY - READ THE RULES!
This forum is for posting anything (excluding topics prohibited by the forum rules) that's unrelated to email. General discussions, in other words.

Reply
 
Thread Tools
Old 11 Oct 2013, 11:13 PM   #1
FredOnline
Master of the @
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 1,908
LastPass

I was reading this review:

http://www.pcmag.com/article2/0,2817,2406190,00.asp

And noted this under the "Secure Storage" heading:

With LastPass, all of your passwords and other data are stored online in a highly encrypted format. The system is designed so that the people at LastPass have no access to your password. Even if subpoenaed to release your encrypted data, they simply couldn't.

Whether this is just the magazine's take on it, or part of official LastPass spiel, I know not.

This reminds me of the situation with Lavabit - discussed at length here on the forum - and makes me wonder if, in a similar situation, LastPass would still not be able to provide the requested data to the authorities?
FredOnline is offline   Reply With Quote

Old 12 Oct 2013, 12:31 AM   #2
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,430
Quote:
Originally Posted by FredOnline View Post
With LastPass, all of your passwords and other data are stored online in a highly encrypted format. The system is designed so that the people at LastPass have no access to your password. Even if subpoenaed to release your encrypted data, they simply couldn't.
That's sloppy writing (by the PCMag hack, not FredOnline ...). I can't imagine a situation where LastPass folks could not release the encrypted data. May be they cannot decrypt it, but that's a different story
janusz is offline   Reply With Quote
Old 12 Oct 2013, 12:57 AM   #3
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 647
The LastPass browser plugin is designed to download encrypted data from their servers, decrypt it locally with your password, and encrypt it again before uploading any changes. That way, the server only ever sees the encrypted data, and your password never leaves your own computer . . . until you go to their website and log in with the same password.

Once you log in via their website, it's an unholy mess of JavaScript-generated content that doesn't feel like a web page at all, and I can't tell what on Earth is going on behind the scenes. But one thing is certain: if somebody asked them to record my password the next time I visit their website, it would be easy for them to do that without anybody else being the wiser. And once they combine the password with the encrypted data they already have, voila, it ain't encrypted anymore.

Just like Hushmail was able to decrypt the (supposedly encrypted) emails of a user who logged in via the website. Just like Lavabit was told to intercept Snowden's password, and came very close to complying before they shut down everything.

Programs that run on your own computer and do the encryption/decryption locally are generally OK. But if somebody asks you to enter a password on a web page, there's always a possibility that your password will be intercepted.
kijinbear is offline   Reply With Quote
Old 7 Nov 2013, 07:52 PM   #4
jdtaylor
Master of the @
 
Join Date: Sep 2004
Posts: 1,588
Personally, I find the plugin very helpful for remembering all sorts of of passwords including those for library cards etc, and I don't know whether it's me, but my iphone might have picked a lot of this data up, when doing an icloud sync on bookmarks etc of pc data via the apple system, so i don't know whether it accessed the data on my side, but for me it's just very helpful having the same data available everywhere.
jdtaylor is offline   Reply With Quote
Old 8 Nov 2013, 07:37 AM   #5
Berenburger
The "e" in e-mail
 
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,248
Yes, safe enough for me. Lastpass is one of the best programs I came across.
Berenburger is offline   Reply With Quote
Old 9 Nov 2013, 04:09 AM   #6
MichaelH
Junior Member
 
Join Date: Dec 2008
Posts: 26
Myself, I use KeePass, which has been highly recommended in several magazines and websites. I run the mobile version on a USB drive and back up the database regularly in other places. The nice thing about running it off the USB, there is no install program and no indication anywhere on my PC that I am using a password manager; I just unplug it and walk away.

I have read many positive reviews about 1Pass too.

I suppose they are all comparable. Whatever makes it easier to manage all your accounts is a good thing.
MichaelH is offline   Reply With Quote
Old 11 Nov 2013, 01:52 AM   #7
smithmb001
Senior Member
 
Join Date: May 2013
Posts: 158
LastPass

I am a LastPass user for now. If you use LastPass you must also use the two-factor authentication option via a YubiKey. I've been really happy with the functionality of LastPass. It works well!

The only thing I do not like is that they are a US company subject to the Patriot Act and other US laws. I inquired about this with LastPass and can probably find their reply if anyone is interested. I imagine if the FBI has given LastPass an NSL - similar to what they did to LavaBit - then they (FBI/NSA) now have access to all stored encrypted data at LastPass. I don't see how US companies are going to be able to compete with similar companies in the EU. For example, if a LastPass competitor starts up in Norway or the Netherlands I will drop LastPass. As soon as I can find an SSL proxy similar to Megaproxy in the EU I will drop Megaproxy. In short, I pretty much will abandon any US company for a comperable company in the EU. If Americans don't trust US companies because of US law why the heck would any European citizen?
smithmb001 is offline   Reply With Quote
Old 11 Nov 2013, 01:57 AM   #8
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,430
Quote:
Originally Posted by smithmb001 View Post
If you use LastPass you must also use the two-factor authentication option via a YubiKey.
No, no & no.
janusz is offline   Reply With Quote
Old 11 Nov 2013, 02:34 AM   #9
smithmb001
Senior Member
 
Join Date: May 2013
Posts: 158
LastPass

Quote:
Originally Posted by janusz View Post
No, no & no.
Do you mean No, No and No to LastPass? Or, No to two factor authentication. It is a good product, but it has a vulnerability that is impossible to mitigate without taking your business elsewhere...
smithmb001 is offline   Reply With Quote
Old 11 Nov 2013, 02:36 AM   #10
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,430
I meant you do not have to use YubiKey with lastPass
janusz is offline   Reply With Quote
Old 11 Nov 2013, 03:02 AM   #11
smithmb001
Senior Member
 
Join Date: May 2013
Posts: 158
Security

Quote:
Originally Posted by janusz View Post
I meant you do not have to use YubiKey with lastPass
I would not use LastPass without a YubiKey for security reasons. Essentially, LastPass holds the keys to your kingdom so to me it is worth the one time cost of a YubiKey or two ($25US) and the small yearly subscription cost to LastPass for the added protection. The folks at LastPass have really designed a very secure system with exception of a single non-technical vulnerability that cannot be mitigated...

Of course, even without the YubiKey you are relatively safe so long as you use a strong password for the master key. And, LastPass makes it much easier to use really strong passwords on all the other sites you use that require authentication. The password generator is awesome!
smithmb001 is offline   Reply With Quote
Old 11 Nov 2013, 03:18 AM   #12
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,430
Quote:
Originally Posted by smithmb001 View Post
I would not use LastPass without a YubiKey for security reasons.
Your choice.
My objection was to "you must also use the two-factor authentication.
janusz is offline   Reply With Quote
Old 4 Aug 2017, 02:43 AM   #13
FredOnline
Master of the @
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 1,908
Updates to the LastPass personal lineup

Today's LastPass blog:

https://blog.lastpass.com/2017/08/up...l-lineup.html/

Price now doubled for the premium account, to $24 per year.
FredOnline is offline   Reply With Quote
Old 4 Aug 2017, 09:06 AM   #14
beeboy
Cornerstone of the Community
 
Join Date: Jun 2003
Posts: 534
I'm not crazy about password managers. I use my own methods for protecting sensitive data locally and in the cloud.

Hackers will go after Lasspass and the like 100% of the time. Do you think they will waste time looking for my data in mom's recipes?
beeboy is offline   Reply With Quote
Old 4 Aug 2017, 03:00 PM   #15
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,430
Quote:
Originally Posted by FredOnline View Post
Price now doubled for the premium account
The premium account offers bells and whistles I don't need, so this doesn't affect me.
janusz is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 03:22 AM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy