  1. #16
    New Lounger
    Join Date
    Feb 2010
    Location
    Edna, Texas
    Posts
    16
    Thanks
    8
    Thanked 0 Times in 0 Posts
    ruirib, I have read all your replies and it seems you really know what you're talking about. My question has always been, "how do we know that the Password manager site will not or can not be hacked?" Seems they would be a prime target for some super computer savvy hacker, knowing they could get passwords to so many financial web sites. And is it not true that all someone would have to have is the information you use to access the password manager? And speaking of that, I assume you change that information on a regular basis; how do you remember it?

  2. #17
    New Lounger
    Join Date
    Dec 2009
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    My question has always been, "how do we know that the Password manager site will not or can not be hacked"
    Yes, this is the real issue for me. I don't trust anyone with my passwords, not even a password manager. That's why I use a system as described above, based on a long pass phrase (not a password) to which I add a letter (at the beginning, end, or somewhere in the middle) from the URL of the site I'm visiting. That makes it unique for each site.

    So take the pass phrase "MyAuntSuzyIs62AndBoughtTonsOfFeathers". Then you might replace 'Of' with the second letter of the domain name of the site. So for 'www.example.com' the pass phrase is "MyAuntSuzyIs62AndBoughtTonsxFeathers" and for 'www.amazon.com' it becomes "MyAuntSuzyIs62AndBoughtTonsmFeathers".

    This isn't my real system ;-), but you can see how easy it would be to invent your own. And I guarantee the more bizarre is your passphrase, the more impossible it will be to forget it.

  3. #18
    New Lounger
    Join Date
    Oct 2013
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    LastPass can and has been exploited. However, all your data is still encrypted and would take a LOOOOONG time to decipher even with multiple supercomputers. Now if the hacker also knew your master password....

  4. #19
    Lounger
    Join Date
    Jun 2010
    Location
    Oliver Springs, TN
    Posts
    34
    Thanks
    0
    Thanked 5 Times in 4 Posts
    LastPass also provides another level of protection that not many know about. If you travel overseas, LastPass will not allow you to access your vault from the foreign country. It is necessary to inform LastPass that it is OK to use the vault from the foreign location. So if some person overseas should try to use your LastPass password, it would do them little good. LastPass needs to send you an email and you click on a link to allow access from a foreign country. Many of the compromises come from overseas and adding this level of protection is desirable.

  5. #20
    New Lounger
    Join Date
    Aug 2010
    Posts
    4
    Thanks
    1
    Thanked 0 Times in 0 Posts
    LastPass definitely has its strengths and weaknesses, but all-in-all I find it the best pw manager for me. There is no danger of lastpass "going away" and losing your passwords because they are stored locally, encrypted on your computer (or mobile device). For example, if you're on your phone, wifi tablet, etc, and don't for whatever reason have internet access, you just log in and check the "force local login" box to use the local copy. This causes lastpass to use the local encrypted copy instead of the one stored on lastpass.com.

    Lastpass.com is targeted by hackers, certainly. But the good part is, your passwords are only stored on their servers in encrypted form. Your master password unlocks them, and it is never transmitted to lastpass. That is why if you forget your master password, all your passwords are lost and lastpass cannot help you since they don't know it.

    Is it theoretically possible that some hackers could gain access to data on lastpass.com's servers, obtain your encrypted passwords, and decrypt them? Yes. But they would need to be using extremely powerful computers and even then it might take years (millennia) to break the encryption. So, I'm cool with that.

  6. #21
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    10,173
    Thanks
    129
    Thanked 1,139 Times in 1,050 Posts
    Originally posted by Strawboss:
    ruirib, I have read all your replies and it seems you really know what you're talking about. My question has always been, "how do we know that the Password manager site will not or can not be hacked?" Seems they would be a prime target for some super computer savvy hacker, knowing they could get passwords to so many financial web sites. And is it not true that all someone would have to have is the information you use to access the password manager? And speaking of that, I assume you change that information on a regular basis; how do you remember it?
    Well, you need to presume that it can be hacked, so the question is how do they protect against it. Encryption is the key and topshot has addressed it already - if the cost of decryption is high enough, you can feel reasonably safe.

    There has been a situation in the past where LastPass notified users of suspicious activity in their network. They were transparent about it and a hack was never confirmed. There was no news of any users complaining about having any of their accounts exploited. You are, obviously, placing some trust in the provider, trusting them to monitor their servers and network and always making sure they have the very best possible encryption technology to provide some assurance to their users.

    Your master password is your encryption key, so it must be a good one. The password can be changed by logging in to your account at LastPass's website.
    Rui
    -------
    R4

  7. #22
    New Lounger
    Join Date
    Feb 2012
    Location
    Wyoming
    Posts
    10
    Thanks
    4
    Thanked 0 Times in 0 Posts
    I use RoboForm as my password manager. This is an entirely on the computer program and storage and is quite secure. I don't trust storage of passwords in the cloud or on off-computer sites. I make a copy of all of my passwords on paper and place them in a bank safe deposit box. I change all important passwords with totally random, long passwords every three months, especially those involved with finances and personal and health matters.

  8. #23
    New Lounger
    Join Date
    Dec 2009
    Location
    Fort Myers, FL
    Posts
    17
    Thanks
    0
    Thanked 2 Times in 2 Posts
    I use Password Safe, which requires you to select your site to be accessed, then click-and-paste your username and password. A bit longer than the tools that automatically paste in these items, but never causes a problem if the site you are trying to access changes its code. It also allows you to go in and unhide the password when you hit that rare website that won't allow copy-and-paste to enter the password. As with other such programs, you only need to remember your master password to access it.

  9. #24
    New Lounger
    Join Date
    Dec 2009
    Location
    Massachusetts
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Originally posted by topshot:
    LastPass can and has been exploited. However, all your data is still encrypted and would take a LOOOOONG time to decipher even with multiple supercomputers. Now if the hacker also knew your master password....
    Actually, your data is not just encrypted, but is 'salted' and encrypted. https://en.wikipedia.org/wiki/Salt_(cryptography)
    Even if your passwords are weak, it would be very very difficult to crack them even if LastPass was hacked and someone acquired access.
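An added example, not part of the original thread and not LastPass's actual implementation: a generic salted key-derivation sketch using PBKDF2-HMAC-SHA256 from Python's standard library, showing what the salt and the iteration count each contribute against offline guessing of a stolen vault. The iteration count, the function names and the sample keyspaces are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed work factor for this example, not any vendor's setting


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure what a single password guess costs on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


def salts_defeat_precomputation(password: str) -> bool:
    """The same password under two random salts yields unrelated keys,
    so a table computed for one user is useless against another."""
    k1 = derive_vault_key(password, os.urandom(16))
    k2 = derive_vault_key(password, os.urandom(16))
    return not hmac.compare_digest(k1, k2)


if __name__ == "__main__":
    cost = seconds_per_guess()
    print(f"one guess costs about {cost * 1000:.1f} ms at {ITERATIONS} iterations")
    print("salted keys differ:", salts_defeat_precomputation("correct horse"))
    # Constructed keyspaces: 8 lowercase letters vs. 5 words from a 7776-word list
    for label, space in (("8 lowercase letters", 26 ** 8), ("5 random words", 7776 ** 5)):
        print(f"{label}: {years_to_exhaust(space, 1 / cost):.3g} years on one core")
```

The salt removes the benefit of precomputed tables and the iteration count multiplies the cost of every guess; the size of the keyspace is still set by the master password itself.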

  10. #25
    New Lounger
    Join Date
    Jun 2010
    Location
    Loganville, GA
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I use LastPass and mostly have it generate a password for me. As I'm doing that, I open my separate (encrypted) password list and enter the new information. The password and any additional stuff like "Secret Questions" is always duplicated. LastPass could fold and I would lose only the convenience.

  11. #26
    New Lounger
    Join Date
    Dec 2009
    Location
    Erie, PA
    Posts
    21
    Thanks
    3
    Thanked 0 Times in 0 Posts
    I use lastpass and like it a lot. One thing I have wondered: Is it safer to use the autologin feature for sites rather than typing in my lastpass master password to login to a site? Would the autologin potentially avoid a keylogger hack?

  12. #27
    New Lounger
    Join Date
    Nov 2009
    Posts
    22
    Thanks
    2
    Thanked 2 Times in 2 Posts
    Originally posted by Comedian:
    I use Password Safe, which requires you to select your site to be accessed, then click-and-paste your username and password. A bit longer than the tools that automatically paste in these items, but never causes a problem if the site you are trying to access changes its code. It also allows you to go in and unhide the password when you hit that rare website that won't allow copy-and-paste to enter the password. As with other such programs, you only need to remember your master password to access it.
    I use Password Safe too and have done for about 10 years.

    I currently have 623 passwords in 33 groups of folders, subfolders, sub-subfolders, etc.

    It does exactly what it says on the tin.

    It was probably the inspiration for LastPass, KeyPass, etc. Not that that is a bad thing...

  13. #28
    New Lounger
    Join Date
    Nov 2013
    Posts
    1
    Thanks
    0
    Thanked 1 Time in 1 Post
    I use LastPass, which I find very convenient, but also have memorized a several step algorithm in building unique passwords that allows me to manually enter a password should I not be able to use the LastPass service. I believe the idea for the algorithm was suggested by Fred Langa long ago, before his current association with Windows Secrets. It simply involves having a root term that is used in every password, for example "mouse", and prefixing it with part of the domain name of the website requiring the password, say, for example, on this website (domain name: windowssecrets.com) the first four letters "wind".

    I also have a couple of other steps in the algorithm, such as using the special characters above the keys 1,2,3,4,5 (!,@,#,$,% - QWERTY keyboard) for the vowels a,e,i,o,u and capitalizing the second letter of the prefix. But these simple memorized steps allow me to build passwords such as "wIndm$%s@" for the windowssecrets.com domain which are rated as very strong by most password evaluators, but allow me to recreate them easily should I find myself without the services of LastPass.

    I have been using this system for many, many years now and have rarely had a problem remembering the password for a site. But one problem I have been experiencing is that here in the age of mobile devices, one cannot always expect to be using a QWERTY keyboard, around which this algorithm is somewhat dependent. What I didn't mention above is that I also use a letter key offset when building my domain name prefix, for example, one key to the right of the original letter, so that the password above would be "eOmfm$%s@". So I have been giving some thought to modifying my algorithm to be keyboard independent, but I haven't settled on any new rules yet.
    Last edited by bowersdw; 2014-03-06 at 10:29.

  14. The Following User Says Thank You to bowersdw For This Useful Post:

    Bob Spafford (2014-03-06)
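An added example, not the poster's own code: the rules described in post #28 written out in Python, reproducing both passwords quoted there and measuring how much of each derived password is identical across sites. Applying the vowel substitution to the root term only is inferred from the quoted result "wIndm$%s@"; the function names, the wrap-around at the end of a keyboard row and the second domain are assumptions.

```python
# Constructed implementation of the rules described in the post above.
VOWEL_SYMBOLS = str.maketrans("aeiou", "!@#$%")  # symbols above 1-5 on a US QWERTY layout
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def shift_right(ch: str, offset: int) -> str:
    """Move a letter `offset` keys to the right on its QWERTY row.
    Wrapping at the end of a row is an assumption; the post does not say."""
    for row in QWERTY_ROWS:
        if ch in row:
            return row[(row.index(ch) + offset) % len(row)]
    return ch  # digits and punctuation are left unchanged (assumption)


def derive(domain: str, root: str = "mouse", prefix_len: int = 4, offset: int = 0) -> str:
    """Prefix from the domain (optionally key-shifted), second letter
    capitalised, followed by the root with its vowels replaced."""
    prefix = "".join(shift_right(c, offset) for c in domain.lower()[:prefix_len])
    prefix = prefix[:1] + prefix[1:2].upper() + prefix[2:]
    return prefix + root.translate(VOWEL_SYMBOLS)


def shared_suffix(a: str, b: str) -> str:
    """Longest common ending of two derived passwords."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:]


if __name__ == "__main__":
    site_a = derive("windowssecrets.com")
    site_b = derive("example.com")  # constructed second site
    print(site_a, derive("windowssecrets.com", offset=1))
    common = shared_suffix(site_a, site_b)
    print(f"{len(common)} of {len(site_a)} characters are the same on both sites: {common}")
```

Only the four-character prefix changes from site to site, and it is computed from the public domain name, so the strength of every derived password rests on the shared root and on the rules staying private.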

  15. #29
    New Lounger
    Join Date
    Dec 2009
    Posts
    14
    Thanks
    0
    Thanked 2 Times in 2 Posts
    You can export your site information and form fill data to an external file, and you can protect those files if you want. If LastPass has issues, the info is still there.

  16. #30
    Lounger
    Join Date
    Apr 2011
    Posts
    44
    Thanks
    0
    Thanked 3 Times in 3 Posts
    I have never been comfortable with online storage of my passwords. On my Windows 7 PC, they are encrypted via EFS in a text file on my hard drive. I keep a backup copy on my hard drive but outside of the EFS envelope. That backup is encrypted by TrueCrypt. Finally, I have a third copy on an IronKey USB drive. I can travel with the IK and use its built-in browser, secure password entry, and VPN servers. It adds a little work to copy the text file after I add or change passwords, but that doesn't happen often enough to be a bother.

    I recently started using RoboForm. I needed something to manage 50+ different logons using 25+ different passwords. It works very well with one-page logons, but can be problematic with multi-page bank logons.

    I subscribed to the Roboform Everywhere feature, expecting to use it for my iPhone. I then found out there is no way to transfer passwords from my desktop PC to my iPhone except via the company's servers. Of course, I may be overly cautious. When uploading the Robo password file to their servers, it is encrypted locally first. So even if the Robo server is hacked, the hackers will only see the Robo file I encrypted on my PC before uploading it.

    For the time being, I am also being overly cautious with the iPhone. I have not ever used it to access any bank site, or even a purchase site like Amazon.
