Slashdot Mirror
LastPass Makes Password Management Free Across All Of Your PCs, Tablets and Smartphones (cnet.com)
LastPass on Wednesday announced that its popular password manager will now be free for all to use. LastPass previously charged a fee of $12 per year to sync passwords across multiple devices, such as a computer, tablet or phone. From a report on CNET: To entice newcomers, the service allowed you to access select features for free on either the web or on a mobile device, but syncing between the two required a premium membership. Not anymore -- that service is now free. LastPass is one of the best known and most trusted password managers. Its main purpose is to store all of your passwords in an encrypted vault in the cloud. The vault can only be opened using a master password that only you know. LastPass doesn't store the master password or have access to it, which means even if its servers were to be breached, your precious passwords would remain encrypted and protected.
I don't see anything newsworthy here at all. Did some sneaky little marketer pay for someone's lunchy-lunch yesterday?
Bad Slashdot, bad!
...that only you transmit up to 'the cloud' anytime you want to use any of your passwords, anywhere.
I know it isn't quite that simple or risky, but it's rather close.
Password Managers, by design, serve the function of reducing your security.
That's not how it works.
Can someone explain why I would want to have Lastpass hold the keys to my kingdom when I could just use a trusted, open source option like Keepass with a private server or free account on any number of cloud storage services? Browser plug-ins aren't exactly known for their great security.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Which leaves us with the interesting question of LastPass's business model.
1) Advertising? Knowing every site you visit - AND YOUR PASSWORD?
2) "We have a benefactor". Yeah. Except that maybe that benefactor is the NSA. Or is it the GRU? Or is it the MSS (China's NSA)?
No matter how I slice it, I can't figure out an angle that isn't kinda creepy.
from How It Works:
Local-Only Encryption
User data is encrypted and decrypted at the device level. Data stored in the vault is kept secret, even from LastPass.
Now, you don't have to believe that if you don't want to, but unless you have evidence I'm gonna say you appear to be mistaken in your understanding of how it works.
I don't use LastPass, but they make it abundantly clear that all encryption and decryption is local-only, done on-device, not in the cloud, so that they never have access to the information in your vault. From what I can gather, their cloud is little more than a sync engine between devices, rather than the place from which you access your data.
If you have a keylogger installed then none of your passwords you'd be storing are safe anyway. A useless fucking point.
They can't get stolen because they're encrypted. They could as well be public, because they're of no use to anyone who doesn't know the master password.
Oh look at that, a shill posting a boilerplate explanation from his company's own website.
Unless you have "evidence" to the contrary, I'm gonna say that your opinion is irrelevant because it isn't your own, your corporate pimps handed it down to you and you sucked it up like the good little whore you are.
This is where we thank the wonders of open-source, so you can freely read the code and see for yourself how it works.
Not that I suspect, of course, that you ever have done that, ever wanted to do that, or ever will do that. At least I'm the honest whore.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
That is only one side of the code (that they are presumably using in their closed source client). Where is the rest?
Ermm... This is pretty much a full blown client, which it says right on the giant README. On phones you have a point, but on the desktop you can use this and be guaranteed it's the same client. As for the rest, what does it matter? You see your password is being encrypted, and you can check it's not backdoored. If you trust modern encryption at all, then you know your secrets are safe because there's no way to crack your passwords unless your master password is literally "1234". If you don't trust encryption, well, I'm afraid you're a little out of luck for security then. :)
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
each site has a unique, computer-generated password. which is stored in encrypted form and only decrypted by you when you need to retrieve that single password. if one of the 20 sites doesn't store their password properly in their database, only that password will be compromised and the other 19 are safe. This is much better than using a single super-secure-nobody-could-possibly-guess-it password for all sites.
It is pitch dark. You are likely to be eaten by a grue.
Going for absolute security is a great navel-gazing exercise. Pick the security boundary you are comfortable with and realize that you have no control outside the boundary. Hopefully you pick a boundary that fails gracefully.
I personally do not believe open source is any more secure than closed source in any practical sense.
Calling anyone who disagrees, especially when they point out that you are wrong, a "shill" is just the same as any unsupported BS from a presidential candidate. Null content.
Several years ago I had the job of evaluating LastPass for $DAY_JOB. I tested it by capturing the data uploaded to the network and confirmed that it was AES encrypted using my password on my system and the data was all encrypted before leaving my system. the master password was never transmitted in any form that I could find. No traffic was generated to/from any other port or location.
While it is true that things might have changed since then, the server remains open source and you can confirm that it does not ever touch the master password in any form. More importantly, the system is heavily examined on a continuing basis by security researchers and, while vulnerabilities have been found, reported, and fixed, there has never been any question of the master password leaving the client.
With well over 100 unique, random, long passwords, some only used once or twice a year, I really lack other options than a password vault in a world where accounts might need to be accessed from a desktop, two laptops, and two phones running six OSes (2 VMs and one dual boot).
Kevin Oberman, Network Engineer, Retired
Yep. KeePass is open source and stores your password database locally (or remotely via something like WebDAV). Another alternative is to use a password hasher that regenerates all of your passwords based on a master password so that there is no stored database to be potentially compromised at all.
There is no reason to trust LastPass or any other proprietary, third party solution with your most valuable data. Also, didn't LastPass recently get hacked?
And if you want to sync passwords across devices, just keep the KeePass database in a cloud storage account. In the event that your cloud account is breached, the database is still encrypted
Redundancy is good And also good.