LastPass Makes Password Management Free Across All Of Your PCs, Tablets and Smartphones (cnet.com)
LastPass on Wednesday announced that its popular password manager will now be free for all to use. LastPass previously charged a fee of $12 per year to sync passwords across multiple devices, such as a computer, tablet or phone. From a report on CNET: To entice newcomers, the service allowed you to access select features for free on either the web or on a mobile device, but syncing between the two required a premium membership. Not anymore -- that service is now free. LastPass is one of the best known and most trusted password managers. Its main purpose is to store all of your passwords in an encrypted vault in the cloud. The vault can only be opened using a master password that only you know. LastPass doesn't store the master password or have access to it, which means even if its servers were to be breached, your precious passwords would remain encrypted and protected.
...that only you transmit up to 'the cloud' anytime you want to use any of your passwords, anywhere.
I know it isn't quite that simple or risky, but it's rather close.
Password Managers, by design, serve the function of reducing your security.
That's not how it works.
from How It Works:
Local-Only Encryption
User data is encrypted and decrypted at the device level. Data stored in the vault is kept secret, even from LastPass.
Now, you don't have to believe that if you don't want to, but unless you have evidence I'm gonna say you appear to be mistaken in your understanding of how it works.
I don't use LastPass, but they make it abundantly clear that all encryption and decryption is local-only, done on-device, not in the cloud, so that they never have access to the information in your vault. From what I can gather, their cloud is little more than a sync engine between devices, rather than the place from which you access your data.
There are still features exclusive to premium and enterprise users: https://lastpass.com/features/
"Their servers only store an encrypted blob that they (the company) can't decrypt". You don't know that. Unless you can see the source you don't know anything about it.
Technically true. But let's look at the equivalent Keepass steps:
1. Download source code for desktop version
2. Audit it
3. Compile it locally
4. Optional: encrypt the binary and store it somewhere in (say) dropbox if you want to avoid steps 1-3 each time in future
5. Download source code for iOS version (say)
6. Audit it
7. Purchase $100/year Apple developer license
8. Compile it locally
9. Deploy the binary to your iOS device
Unless you've gone through steps 1-9 yourself, the difference between "trusting Keepass" and "trusting Lastpass" is immaterial.
If you have a keylogger installed then none of the passwords you'd be storing are safe anyway. A useless fucking point.
They can't get stolen because they're encrypted. They could as well be public, because they're of no use to anyone who doesn't know the master password.
Oh look at that, a shill posting a boilerplate explanation from his company's own website.
Unless you have "evidence" to the contrary, I'm gonna say that your opinion is irrelevant because it isn't your own, your corporate pimps handed it down to you and you sucked it up like the good little whore you are.
This is where we thank the wonders of open-source, so you can freely read the code and see for yourself how it works.
Not that I suspect, of course, that you ever have done that, ever wanted to do that, or ever will do that. At least I'm the honest whore.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
That is only one side of the code (that they are presumably using in their closed-source client). Where is the rest?
Ermm... This is pretty much a full-blown client, which it says right on the giant README. On phones you have a point, but on the desktop you can use this and be guaranteed it's the same client. As for the rest, what does it matter? You see your password is being encrypted, and you can check it's not backdoored. If you trust modern encryption at all, then you know your secrets are safe because there's no way to crack your passwords unless your master password is literally "1234". If you don't trust encryption, well, I'm afraid you're a little out of luck for security then. :)
Remember these:
June 15, 2015 - LastPass Reporting a Security Breach, Including Authentication Hashes and Salts https://it.slashdot.org/story/15/06/15/2143222/lastpass-reporting-a-security-breach-including-authentication-hashes-and-salts
January 17, 2016 - LastPass Vulnerable To Extremely Simple Phishing Attack https://it.slashdot.org/story/16/01/17/1936211/lastpass-vulnerable-to-extremely-simple-phishing-attack
July 27, 2016 - LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites https://it.slashdot.org/story/16/07/27/1342205/lastpass-accounts-can-be-completely-compromised-when-users-visit-sites
Could it be that the business model is incompetence?
A staunch KeePass user.
Each site has a unique, computer-generated password. It is stored in encrypted form and only decrypted by you when you need to retrieve that single password. If one of the 20 sites doesn't store their password properly in their database, only that password will be compromised and the other 19 are safe. This is much better than using a single super-secure-nobody-could-possibly-guess-it password for all sites.
It is pitch dark. You are likely to be eaten by a grue.
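The model the thread is arguing over (the "Local-Only Encryption" quote, the "they could as well be public" reply, and the per-site-entry argument in the last KeePass comment) is easier to reason about with a concrete vault in front of you. What follows is an added example written for this page; it is not LastPass's or KeePass's code and is not posted by any commenter. It is a generic zero-knowledge vault in Go using only the standard library: the master password never leaves the device, the encryption key is derived locally with PBKDF2-HMAC-SHA256 (written out by hand here because the x/crypto package is not in the standard library), each site's password is sealed on its own with AES-256-GCM, and the only credential the server sees is a further one-way derivation of the key. The specific derivation scheme (auth hash = PBKDF2(enc key, master password, 1 round)), the master password, the salt and the site password are all constructed for the example and are not taken from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) written out so only the standard library is needed.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Keys is everything derived from the master password, on the device. EncKey never
// leaves the device. AuthHash is what the client presents at login: one further
// one-way step over EncKey, so whoever holds the server's login hashes and salts
// cannot recover EncKey from them. (Constructed scheme for this example.)
type Keys struct {
	EncKey   []byte
	AuthHash []byte
}

func DeriveKeys(master, salt []byte, iter int) Keys {
	enc := pbkdf2SHA256(master, salt, iter, 32)
	return Keys{EncKey: enc, AuthHash: pbkdf2SHA256(enc, master, 1, 32)}
}

// Entry is one site's password, sealed on its own with AES-256-GCM. The site name
// is bound as associated data so an entry cannot be relabelled, and fetching one
// password decrypts only this ciphertext, never the whole vault.
type Entry struct {
	Site       string
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func SealEntry(key []byte, site, password string) (Entry, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Entry{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per entry
	if _, err := rand.Read(nonce); err != nil {
		return Entry{}, err
	}
	return Entry{site, nonce, gcm.Seal(nil, nonce, []byte(password), []byte(site))}, nil
}

func OpenEntry(key []byte, e Entry) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.Site))
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered entry")
	}
	return string(pt), nil
}

func main() {
	master := []byte("correct horse battery staple") // constructed master password
	salt := []byte("constructed-per-user-salt")      // random per user in practice
	keys := DeriveKeys(master, salt, 100000)
	entry, _ := SealEntry(keys.EncKey, "example.com", "constructed-site-password")
	// The sync server holds only salt, keys.AuthHash and entry. Its best attempt:
	_, err := OpenEntry(keys.AuthHash, entry)
	fmt.Println("server can read vault:", err == nil)
	pw, _ := OpenEntry(keys.EncKey, entry)
	fmt.Println("device recovers password:", pw)
}
```

Two things the code makes concrete that the argument above leaves implicit. First, the "encrypted blob the company can't decrypt" claim rests entirely on the client: if the client you run derives and uses EncKey locally, the server's copy of AuthHash and the ciphertexts is useless to it (OpenEntry with AuthHash fails GCM authentication), which is exactly why the open-source-client question matters and why a keylogger or a phishing page for the master password sidesteps all of this. Second, with one AEAD ciphertext per entry, looking up one site's password decrypts one entry, so a leak at one site exposes one random password rather than the vault.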