LastPass Makes Password Management Free Across All Of Your PCs, Tablets and Smartphones (cnet.com)
LastPass on Wednesday announced that its popular password manager will now be free for all to use. LastPass previously charged a fee of $12 per year to sync passwords across multiple devices, such as a computer, tablet or phone. From a report on CNET: To entice newcomers, the service allowed you to access select features for free on either the web or on a mobile device, but syncing between the two required a premium membership. Not anymore -- that service is now free. LastPass is one of the best known and most trusted password managers. Its main purpose is to store all of your passwords in an encrypted vault in the cloud. The vault can only be opened using a master password that only you know. LastPass doesn't store the master password or have access to it, which means even if its servers were to be breached, your precious passwords would remain encrypted and protected.
I don't see anything newsworthy here at all. Did some sneaky little marketer pay for someone's lunchy-lunch yesterday?
Bad Slashdot, bad!
Which leaves us with the interesting question of LastPass's business model.
1) Advertising? Knowing every site you visit - AND YOUR PASSWORD?
2) "We have a benefactor". Yeah. Except that maybe that benefactor is the NSA. Or is it the GRU? Or is it the MSS (China's NSA)?
No matter how I slice it, I can't figure out an angle that isn't kinda creepy.
These kinds of "promises" by closed-source software security companies are rather worthless. If they want to, they'll have all your passwords, since they provide the software. Another question is whether they can be legally subpoenaed or forced by a national security letter to get your passwords by somehow modifying the way their software works. Probably not, but this may be a grey zone in the US.
But the real problem with closed-source software security solutions is that the company can do whatever they want and make their software as buggy as they wish (to save development cost, or out of incompetence), and you'll only ever know if somebody publishes an exploit. Which is what usually happens. Open source forces you to be way less sloppy, because there will always be some "annoying prick"(TM) who actually looks at your source code and points out its flaws.
Yep. KeePass is open source and stores your password database locally (or remotely via something like WebDAV). Another alternative is to use a password hasher that regenerates all of your passwords based on a master password so that there is no stored database to be potentially compromised at all.
There is no reason to trust LastPass or any other proprietary, third-party solution with your most valuable data. Also, didn't LastPass recently get hacked?
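The "password hasher" idea mentioned in the comment above, as an added sketch that is not code from the thread or from any particular product: each site password is recomputed from the master password plus the site name, so nothing is stored. The use of PBKDF2-HMAC-SHA256, the round count, the alphabet and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Assumed output alphabet (75 symbols); real sites may need a different policy.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!#$%&*+-=?@^_")
# Assumed work factor: slows offline guessing of the master password.
PBKDF2_ROUNDS = 200_000


def site_key(master: str, site: str, login: str, counter: int) -> bytes:
    """Stretch the master password into a key bound to one site/login/counter."""
    # NUL-separated fields so ("ab", "c") and ("a", "bc") give different salts.
    salt = "\x00".join([site.lower(), login, str(counter)]).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def _byte_stream(key: bytes):
    """Expand the site key into an endless byte stream with HMAC in counter mode."""
    block = 0
    while True:
        yield from hmac.new(key, block.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        block += 1


def derive_password(master: str, site: str, login: str,
                    counter: int = 1, length: int = 20) -> str:
    """Recompute the password for a site; the same inputs always give the same output."""
    key = site_key(master, site, login, counter)
    # Rejection sampling: drop bytes that would bias the modulo mapping.
    limit = 256 - (256 % len(ALPHABET))
    chars = []
    for byte in _byte_stream(key):
        if byte < limit:
            chars.append(ALPHABET[byte % len(ALPHABET)])
            if len(chars) == length:
                break
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(derive_password("correct horse battery staple", "example.com", "alice"))
```

Because nothing is stored, rotating one site's password means bumping its counter and remembering that you did. Any single leaked site password also gives an attacker material for offline guessing of the master password, which is why the stretching step matters.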
Going for absolute security is a great navel-gazing exercise. Pick the security boundary you are comfortable with and realize that you have no control outside the boundary. Hopefully you pick a boundary that fails gracefully.
I personally do not believe open source is any more secure than closed source in any practical sense.
And if you want to sync passwords across devices, just keep the KeePass database in a cloud storage account. In the event that your cloud account is breached, the database is still encrypted.
Redundancy is good And also good.