Discussion in 'Windows & Other Software' started by WuMyster, 23 Nov 2016.
Why pay when LastPass is free?
Originally mobile support was for those who paid only; things have since changed. Personally I don't mind paying it, it is a bargain to begin with for something that I could not live without now, so I have no qualms about sending a few pounds a year to keep them running.
or just print it and put it somewhere safe
Restore from backup/snapshot.
Been a LastPass Premium customer for ages, it's time for my renewal and it's gone up from 12USD to 28USD!
guess it was going to happen eventually :/
Just use the free option.
Is anyone else having issues with LastPass this evening? Mine doesn't want to save passwords for new sites and the addon is popping up with sorry error while attempting to connect to server.
Seems to be an issue with Firefox 57 from what little info I can find on their forums.
When did this change? This was my #1 reasoning for buying LastPass for the time I've been using it. Now I have the ability to use LastPass on my phone and my PC for free? That should save me some money after it expires in 5 months. In the time I've had LastPass, I've never used any of the features that they now class as premium.
Since November 2016
Yes, I am getting the same message in Chrome.
Reinstalling the application has generated a question that I wanted to ask on here...
During installation, a dialogue has popped up saying that LastPass has the "following usernames and passwords stored insecurely on my system". There are dozens of websites and they all appear to be from Chrome's autofill and a few from IE. I was clueless until now, but I take it things like Autofill are not encrypted if LastPass can find them during an installation?
Passwords stored by Chrome are stored in an SQLite file in your Windows profile. It's trivially easy to extract passwords from this file, I have a test application that will dump all of them out to a text file in about 5 seconds. IE and Firefox use slightly different approaches but again it's trivially easy to extract credentials from them. The same goes for other applications which store passwords like Putty, FileZilla, WinSCP and that kind of thing.
Oh dear, that's not very secure. But I suppose without physical access it's not very easy unless the OS is remotely accessed.
The danger with Chrome is that it syncs between every browser that you sign-in to with your Google account. So if you go to a friend's house and borrow their laptop, sign in to Chrome with your account...now all your passwords and credit card details are stored on that laptop. It's an even bigger problem if you use the same Google account on your personal and work machines - potentially you could have business credentials on your personal device and personal credentials on your work device. It massively increases the attack surface.
I'm not a big fan of LastPass (it's an insecure piece of crap with multiple documented and exploited security flaws) but it's certainly better than just relying on Chrome alone.
This nonsense again.
The only 'nonsense' last time around was you defending LastPass without providing anything to back it up.
The key vulnerability of LastPass is the 'last mile', where it has to decrypt the password and inject it into a web page. Time and again the browser extensions of LastPass have proved hilariously insecure, it's been surprisingly easy to trick it into injecting the password into a webpage with a URL crafted to look enough like the true URL. LastPass claimed to have fixed it, only for the exact same vulnerability to be found again a few months later. LastPass themselves harp on about their awesome cloud encryption or whatever, but it's totally irrelevant in this sort of vulnerability.
Fundamentally, the LastPass architecture is broken because the browser extension is 'reactive' rather than 'proactive' - that is, it reacts to the appearance of a web page and injects the credentials. A much more secure method would be for LastPass to enforce a 'proactive' process by having the user click on a link within LastPass, which is configured to trigger the correct URL only. Other password managers do exactly this, but LastPass don't.
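The URL-matching failure described in the post above, as an added example that is not part of the original thread and is not LastPass's code: a hypothetical loose matcher beside a strict origin comparison, run over constructed URLs. The function names, the saved entry and the example hosts are all assumptions.

```javascript
// Added illustration: how a "reactive" autofill decision goes wrong when the
// page URL is compared loosely against the saved site, and the strict check
// that avoids it. Not code from any real extension.

// Constructed vault entry (hypothetical).
const saved = { site: "https://accounts.example.com/login", username: "alice" };

// Loose matcher (hypothetical): fills if the saved host appears anywhere in the URL.
function looseMatch(savedUrl, pageUrl) {
  const host = new URL(savedUrl).hostname;
  return pageUrl.includes(host);
}

// Strict matcher: parse both URLs and require identical scheme, host and port.
function strictMatch(savedUrl, pageUrl) {
  let a, b;
  try {
    a = new URL(savedUrl);
    b = new URL(pageUrl);
  } catch {
    return false; // unparseable URL: never fill
  }
  if (b.protocol !== "https:") return false; // never fill on a non-TLS page
  return a.origin === b.origin;
}

// Constructed page URLs: one genuine, five that only look like the saved site.
const pages = [
  "https://accounts.example.com/login?next=/home",
  "https://accounts.example.com.evil.test/login",
  "https://evil.test/accounts.example.com/login",
  "https://evil.test/?u=accounts.example.com",
  "https://accounts.example.com@evil.test/login",
  "http://accounts.example.com/login",
];

// Evaluate both matchers for every page so the decisions can be compared.
function compare(list) {
  return list.map((p) => ({
    page: p,
    loose: looseMatch(saved.site, p),
    strict: strictMatch(saved.site, p),
  }));
}

for (const r of compare(pages)) {
  console.log(`loose=${r.loose ? "fill" : "skip"} strict=${r.strict ? "fill" : "skip"}  ${r.page}`);
}
```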
The current Spectre discussion seemed a good reason to revive this thread, theoretically should make all these password systems vulnerable (excepting dual factor authorization?)
per this reddit article
good description of how exploit works, BBC do not even attempt an explanation.
The Spectre paper it references (if you are into up architecture) even has prototype JavaScript to take the passwords from Chrome.
[had wondered if this would impact AACS keys for UHD Blu-rays, but seems these have been breached]
Is anyone using Enpass? I have never used a password manager before but need something to collate all the family logins, notes and important information. The new beta of Enpass 6 looks good. It also allows sync to mobile devices for a one-off fee.
Anyone using it to give long-term feedback on it?
I did take a look at Lastpass and 1Password but this could do the trick.
Nope, used Lastpass for years and it does all of the above, I've never had an issue with it so don't see any reason to change.