Geekzone: technology news, blogs, forums
ghettomaster

387 posts

Ultimate Geek


#185659 30-Nov-2015 22:18

Lately I have done some looking into the topic and bought into the idea that it is more secure to use a password manager and set things up so you don't know any of your passwords. As such I have changed most of my passwords out there to auto-generated passwords using Lastpass. 

The one thing I haven't changed yet, however, is my internet banking details. I'm just not sure I trust having the username and password for those sites in one place, especially considering I would never write them down otherwise.

Has anyone else dealt with this issue? I have considered having the password saved but keeping the username in my head. Could this be a better way to go? 





gzt
17140 posts

Uber Geek

Lifetime subscriber

  #1438205 30-Nov-2015 22:32

I imagine all the security of lastpass is for nothing if you use it on an untrusted platform anyway.



tardtasticx
3075 posts

Uber Geek


  #1438210 30-Nov-2015 22:53

Store most things on Lastpass.

Internet banking and email accounts, store in your head AND enable 2-factor authentication. 
That way you can still access those accounts from any computer if Lastpass is unavailable, without skimping on security (as TFA will outdo nearly any super strong password).

mattwnz
20164 posts

Uber Geek


  #1438225 1-Dec-2015 00:11

Aren't the passwords with last pass actually stored on your PC, or maybe it is the encryption key that is stored on your pc. So I guess it is how much you trust encryption. It all depends on how strong your last pass password is. The problem is that passwords are now impossible to remember if you have got a lot of them, and many now have to be made up of different types of characters. If you have a banking app, you only need a 4 digit number pin, which I don't think is particularly secure, as you are then relying on the encryption technology of the mobile device, and that people can't bypass the lock screen (which has been bypassed in the past).

 

The thing is, if you can't remember your banking password, what is the next best way to store your password? Something that is encrypted?

 

I was shocked to see that some banks still use Windows XP on their front end machines in their branches, as well as XP's maximum version of IE, to login to customers' accounts.



UHD
655 posts

Ultimate Geek
Inactive user


  #1438229 1-Dec-2015 00:42

The key advantage of LastPass is enabling long, secure, and different passwords for each service you use. If you choose not to store bank passwords there then you need to remember at least two long, secure, and different passwords rather than one and that generally is tougher and creates a tendency toward less secure passwords.

The browser extension can be installed on most any computer or failing that, the website logged in to manually in case you are not at your regular workstation or mobile device.

I would argue that if you have LastPass 2FA enabled it would mitigate potential hardware keylogging on any number of potential risky computing situations (dodgy internet cafes and so forth) as well as providing that little extra layer of security in case you didn't notice you were on a phishing site: log in details would not be automatically filled.

Their security is not matched by anything I have encountered yet. Despite several intrusions not a single piece of user data has been exposed.

Of course, to each their own but I have no problems storing my passwords there. I store far more valuable passwords than banking credentials there without fear.

ghettomaster

387 posts

Ultimate Geek


  #1438428 1-Dec-2015 11:24

Thanks for the replies guys. I think for now I'll just stick to keeping internet banking in my head.

The biggest problem with this is the banks that aren't my primary because you run the risk of forgetting them because you hardly ever log in. I guess I'll work something out.

Lias
5589 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1438430 1-Dec-2015 11:29

I keep mine in lastpass, with separate 2FA on both lastpass AND the internet banking.








timmmay
20581 posts

Uber Geek

Trusted
Lifetime subscriber

  #1438450 1-Dec-2015 11:48

Look at KeePass Pro - it's free.

 
 
 

reven
3743 posts

Uber Geek

Trusted

  #1438453 1-Dec-2015 11:53

no, just no.  I wouldn't trust lastpass or any service with my bank/google passwords.  everything else, sure.

UHD
655 posts

Ultimate Geek
Inactive user


  #1438468 1-Dec-2015 12:13

reven: no, just no.  I wouldn't trust lastpass or any service with my bank/google passwords.  everything else, sure.


Why not?

Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #1438477 1-Dec-2015 12:31

UHD: 

Why not?


Because LastPass has been compromised before, and the password database stolen. While they are encrypted, that makes it only as secure as current technical limitations on hardware to crack it (Moore's Law says that it can't hold out forever) especially considering by design it must be stored encrypted (reversible) on the servers.

I wouldn't consider LastPass either. Local is the only option.

  #1438484 1-Dec-2015 12:42

+1 for local (I use KeyPass) and then ownCloud for private syncing between devices.

Lias
5589 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1438566 1-Dec-2015 13:36

Kyanar:
UHD: 

Why not?


Because LastPass has been compromised before, and the password database stolen. While they are encrypted, that makes it only as secure as current technical limitations on hardware to crack it (Moore's Law says that it can't hold out forever) especially considering by design it must be stored encrypted (reversible) on the servers.

I wouldn't consider LastPass either. Local is the only option.


My current lastpass key is... long, random, and contains all character sets. The passwords within it are almost all long, random, and contain all character sets, and are changed on a regular basis.

The whole point of lastpass is you should only have the one single password to remember, and everything else is random gibberish and can be changed whenever needed.

Now I'm not a huge fan of them right now (have cancelled my subscription after they were bought out by LogMeIn), but I still think they are the best option. No human can remember 300+ long random passwords, cept maybe rain man...






mattwnz
20164 posts

Uber Geek


  #1438587 1-Dec-2015 13:55

Lias:

The whole point of lastpass is you should only have the one single password to remember, and everything else is random gibberish and can be changed whenever needed.

Now I'm not a huge fan of them right now (have cancelled my subscription after they were bought out by LogMeIn), but I still think they are the best option. No human can remember 300+ long random passwords, cept maybe rain man...


I think last pass is far better than what many people do, such as writing down passwords, storing them in an excel document, or having easy to guess ones.

Some people use special rules for remembering more complex passwords. Lastpass is also free, unless you want to use some of the premium features, such as using it on mobiles. Maybe people should ask what the banks say about using Lastpass to store passwords. Would they consider it safe enough? eg will they cover losses if the password gets compromised?

But really the problem is getting over using passwords altogether. If someone came up with a password replacement that was easy and universal, it would be a multi billion dollar idea.

UHD
655 posts

Ultimate Geek
Inactive user


  #1438618 1-Dec-2015 14:28

Kyanar:
UHD: 

Why not?


Because LastPass has been compromised before, and the password database stolen. While they are encrypted, that makes it only as secure as current technical limitations on hardware to crack it (Moore's Law says that it can't hold out forever) especially considering by design it must be stored encrypted (reversible) on the servers.

I wouldn't consider LastPass either. Local is the only option.


You are right about the password database being stolen at least once. This was four years ago and to date not a single report (even unverified) of passwords being decrypted exists. The beauty of LastPass is that changing passwords is as simple as it can possibly be. All one needs to do is simply update their passwords at the website they wish to use and even if the hackers somehow manage to bruteforce the stolen database they will have wasted decades of computation time for nothing.

I'm not sure what you mean about storing the passwords on the servers in a reversible manner. If you take a quick look at the LastPass design you will see that even if LastPass wanted to decrypt user passwords they would not be able to do so. All encryption is done locally, meaning LastPass only ever see hashes which are then randomly salted and PBKDF2-SHA256'd.
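
The design described in the post above, sketched as an added example (not part of the thread and not LastPass's actual code): the key is derived on the device with PBKDF2-SHA256, and the service stores only a salted hash of a value derived from it. The email-as-salt choice, the iteration count and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; not a figure from the thread


def client_derive(email, master_password, iterations=ITERATIONS):
    """Runs on the user's device. Returns (vault_key, login_hash)."""
    pw = master_password.encode()
    # vault_key encrypts/decrypts the vault locally and is never transmitted.
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode(), iterations)
    # login_hash is the only secret-derived value sent to the service.
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)
    return vault_key, login_hash


def server_register(login_hash, iterations=ITERATIONS):
    """Runs on the service: stores a randomly salted PBKDF2 of login_hash."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, iterations)
    return {"salt": salt, "stored": stored, "iterations": iterations}


def server_verify(record, login_hash):
    """Recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", login_hash, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["stored"])


def master_password_in_list(record, email, weak_list, iterations=ITERATIONS):
    """Defensive audit: True if the master password is on a known-weak list.
    A stored record permits only this guess-and-check, and every guess
    costs the full client plus server derivation."""
    return any(server_verify(record, client_derive(email, guess, iterations)[1])
               for guess in weak_list)


if __name__ == "__main__":
    # Constructed sample account, not real credentials.
    email, master = "user@example.test", "correct horse battery staple"
    key, login = client_derive(email, master)
    record = server_register(login)
    print("login ok:", server_verify(record, login))
    print("server holds vault key:", key in record.values())
    print("on weak list:", master_password_in_list(record, email, ["123456", "password"]))
```

The record the service keeps contains neither the vault key nor the login hash, so its resistance to offline guessing rests on the master password's strength and the iteration count.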

UHD
655 posts

Ultimate Geek
Inactive user


  #1438620 1-Dec-2015 14:29

SumnerBoy: +1 for local (I use KeyPass) and then ownCloud for private syncing between devices.


Surely this is just LastPass with a less secure online distribution method (a personal cloud service).
