I've been a satisfied user of LastPass since 2010. I use it to store every password I use on the web, as well as to store secure notes containing private information I might need access to when I'm away from home.
I am not a security expert, but I was convinced by this video of the value of the LastPass approach: youtube.com Note: this is a LONG video.
Using LastPass, nearly all of my passwords are completely random, unrememberable character strings generated by LastPass itself, such as "ick^UZk&6D0x". I don't type these passwords into web sites; LastPass fills them in for me.
There are two passwords that I must remember myself to use LastPass effectively: my LastPass master password itself, and my email password. I need to remember my email password even though LastPass remembers it for me, because if I try to use LastPass from a device that LastPass does not recognize as mine, LastPass will send me an email asking me for authorization before completing the login. In this unusual case, I need to remember my email password so I can access my email to complete the LastPass login.
Because I only need to remember two passwords, I can put a lot of effort into making those two passwords effective. My LastPass master password is a 33-character phrase that is easy to remember but includes some gibberish. Since I typically type this password at most once per day, it is not onerous to have such a long password.
The user's password database is stored on the LastPass server as an encrypted blob, and LastPass does not even have access to your master password; you need to remember it or you will lose access to all your stored passwords.
Note: The LastPass servers were hacked earlier this year. I received this email from LastPass:

Dear LastPass User,
We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.
We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.
We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.
Regards, The LastPass Team
Steve Gibson's discussion of this security breach can be viewed here: youtube.com
LRB
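The post contrasts a short, fully random generated password like "ick^UZk&6D0x" with a long, memorable 33-character master passphrase. The following is an added example, not code from the post or from LastPass, showing how such random passwords are generated from the operating system's CSPRNG and how their entropy compares; the 94-symbol printable alphabet and the guessing rate used for illustration are assumptions, not figures from the post.

```python
import math
import secrets
import string

# Assumed alphabet: printable ASCII letters, digits and punctuation (94 symbols),
# comparable to the mixed-case/digit/symbol strings the post shows.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=12, alphabet=ALPHABET):
    """Return a password of `length` symbols drawn uniformly from `alphabet`.

    Uses `secrets` (OS CSPRNG), never the `random` module, whose output is
    predictable and unsuitable for credentials.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy in bits of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_years_to_guess(bits, guesses_per_second):
    """Expected years to find the password by exhaustive search.

    On average an attacker tries half the keyspace, hence 2 ** (bits - 1).
    """
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def compare_passwords(short_len=12, phrase_len=33, phrase_alphabet=27,
                      guesses_per_second=1e12):
    """Compare a random generated password against a passphrase.

    The passphrase figure is an upper bound: it treats every character as
    uniformly random over `phrase_alphabet` symbols (assumed lowercase
    letters plus space). A real phrase built from dictionary words has less
    entropy than this, so word choice matters more than character count.
    """
    short_bits = entropy_bits(short_len, len(ALPHABET))
    phrase_bits = entropy_bits(phrase_len, phrase_alphabet)
    return {
        "random_bits": short_bits,
        "random_years": expected_years_to_guess(short_bits, guesses_per_second),
        "passphrase_upper_bound_bits": phrase_bits,
        "passphrase_upper_bound_years": expected_years_to_guess(phrase_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print("generated:", generate_password(12))
    for key, value in compare_passwords().items():
        print(f"{key}: {value:.3g}")
```

The 12-character random password works out to roughly 79 bits of entropy, which is why it only needs to be unguessable, not memorable; the master passphrase, by contrast, has to be memorable and resist guessing, so length alone is not the measure of its strength.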