Geekzone: technology news, blogs, forums

mdf
3566 posts

Uber Geek
+1 received by user: 1519

Trusted

  #1326349 17-Jun-2015 10:33

I do periodic culls too, though finding the "delete my account" thing is often a right royal pain. It would be nice to get something similar to the "unsubscribe" spam email thing - a prominent (and functional) "delete my account".



Tinshed
278 posts

Ultimate Geek
+1 received by user: 56


  #1326520 17-Jun-2015 14:01

This thread illustrates just how hard it is to do the 'right' thing in managing passwords. It would seem there is no 'right' way as experts have different points of view. I have over 300 passwords in my 1Password vault, some of those are work related, some have unique passwords, some have weak passwords, some have passwords that need to be changed every 90 days and so forth. Just like everyone else I suspect. Those who say "this is THE answer" are only really saying "this works well for me". If we who post here, who I imagine have a higher technical IQ than most of the population, have different views on the best approach to managing and storing passwords, imagine what it is like for the average user? Putting a password on a post-it note and attaching it to the screen may seem silly and dangerous to us, but perhaps that works best for a great many people. The complexity around managing a large number of systems across multiple devices is enough to deter many from implementing robust or comprehensive processes and tools.




Tinshed
Wellington, New Zealand


fizzychicken
318 posts

Ultimate Geek
+1 received by user: 86


  #1326525 17-Jun-2015 14:11

Tinshed: .... Putting a password on a post-it note and attaching it to the screen may seem silly and dangerous to us, but perhaps that works best for a great many people. ....


natural selection

one of the best bits of this season of silicon valley right there.






mattwnz
20515 posts

Uber Geek
+1 received by user: 4795


  #1326533 17-Jun-2015 14:26

Tinshed: This thread illustrates just how hard it is to do the 'right' thing in managing passwords. It would seem there is no 'right' way as experts have different points of view. I have over 300 passwords in my 1Password vault, some of those are work related, some have unique passwords, some have weak passwords, some have passwords that need to be changed every 90 days and so forth. Just like everyone else I suspect. Those who say "this is THE answer" are only really saying "this works well for me". If we who post here, who I imagine have a higher technical IQ than most of the population, have different views on the best approach to managing and storing passwords, imagine what it is like for the average user? Putting a password on a post-it note and attaching it to the screen may seem silly and dangerous to us, but perhaps that works best for a great many people. The complexity around managing a large number of systems across multiple devices is enough to deter many from implementing robust or comprehensive processes and tools.

 

A post it note though is not as secure as last pass, if you have got a password on your computer, and you have got last pass to log you out each time you exit the browser. The way to possibly tell the best solution is to ask banks what they recommend, and whether using a system like lastpass is acceptable. I doubt a post it note would be acceptable, as it isn't encrypted or secure.

amanzi
Amanzi
1354 posts

Uber Geek
+1 received by user: 332

ID Verified
Trusted
Lifetime subscriber

  #1326542 17-Jun-2015 14:44

mattwnz: A post it note though is not as secure as last pass, if you have got a password on your computer, and you have got last pass to log you out each time you exit the browser. The way to possibly tell the best solution is to ask banks what they recommend, and whether using a system like lastpass is acceptable. I doubt a post it note would be acceptable, as it isn't encrypted or secure.


If you have complete physical security of your computer, e.g. you live alone, then the post-it note should be more secure than LastPass. And if someone has access to your computer then you're probably screwed anyway - even if you're using LastPass.

mclean
584 posts

Ultimate Geek
+1 received by user: 182

Subscriber

  #1326601 17-Jun-2015 15:45

amanzi: If you have complete physical security of your computer, e.g. you live alone, then the post-it note should be more secure than LastPass. And if someone has access to your computer then you're probably screwed anyway - even if you're using LastPass.


I'm guessing that theft of your computer/phone is a big vulnerability, since it's a fairly common occurrence and it exposes every account to cracking a single password again. At least in that event you usually know it's happened and you can try to shut down key accounts.

I got started on LastPass then chickened out after reading on their forums what happens after you commit all your accounts to passwords generated by LastPass and then something gets corrupted. Recovering from that doesn't bear thinking about.  I'm sure it's rare but it obviously happens.

KeePass looks safer in that respect but is a lot less convenient to use. Plus for a Windows phone you have to rely on an "unauthorised" app with access to the database, which is entirely unacceptable IMHO.

Not an easy one for the average person.

 
 
 

rphenix
990 posts

Ultimate Geek
+1 received by user: 127

ID Verified
Lifetime subscriber

  #1326699 17-Jun-2015 17:00

mclean:
amanzi: If you have complete physical security of your computer, e.g. you live alone, then the post-it note should be more secure than LastPass. And if someone has access to your computer then you're probably screwed anyway - even if you're using LastPass.


I'm guessing that theft of your computer/phone is a big vulnerability, since it's a fairly common occurrence and it exposes every account to cracking a single password again. At least in that event you usually know it's happened and you can try to shut down key accounts.

I got started on LastPass then chickened out after reading on their forums what happens after you commit all your accounts to passwords generated by LastPass and then something gets corrupted. Recovering from that doesn't bear thinking about.  I'm sure it's rare but it obviously happens.

KeePass looks safer in that respect but is a lot less convenient to use. Plus for a Windows phone you have to rely on an "unauthorised" app with access to the database, which is entirely unacceptable IMHO.

Not an easy one for the average person.


I have used lastpass both at the enterprise side managing multiple people, yubikeys etc., along with using lastpass personally for what mustn't be far off 10 years, and have never seen this personally. The only thing was now and again the local cache can get corrupt and the user has to click lastpass advanced tools, clear local cache, and it re-pulls your vault data.

You can also export lastpass data for backup purposes.

Security of lastpass vs keepass stored in dropbox seems negligible - 2 factor auth would be a better option.

Having your phone stolen is a worry in multiple ways not just lastpass - one thing I like with the iphone 6 is the finger print reader is better than some and can be used by lastpass to unlock the vault rather than entering a password all the time.

tripp
3848 posts

Uber Geek
+1 received by user: 1220

Trusted
Lifetime subscriber

  #1326703 17-Jun-2015 17:11

rphenix:
mclean:
amanzi: If you have complete physical security of your computer, e.g. you live alone, then the post-it note should be more secure than LastPass. And if someone has access to your computer then you're probably screwed anyway - even if you're using LastPass.


I'm guessing that theft of your computer/phone is a big vulnerability, since it's a fairly common occurrence and it exposes every account to cracking a single password again. At least in that event you usually know it's happened and you can try to shut down key accounts.

I got started on LastPass then chickened out after reading on their forums what happens after you commit all your accounts to passwords generated by LastPass and then something gets corrupted. Recovering from that doesn't bear thinking about.  I'm sure it's rare but it obviously happens.

KeePass looks safer in that respect but is a lot less convenient to use. Plus for a Windows phone you have to rely on an "unauthorised" app with access to the database, which is entirely unacceptable IMHO.

Not an easy one for the average person.


I have used lastpass both at the enterprise side managing multiple people, yubikeys etc., along with using lastpass personally for what mustn't be far off 10 years, and have never seen this personally. The only thing was now and again the local cache can get corrupt and the user has to click lastpass advanced tools, clear local cache, and it re-pulls your vault data.

You can also export lastpass data for backup purposes.

Security of lastpass vs keepass stored in dropbox seems negligible - 2 factor auth would be a better option.

Having your phone stolen is a worry in multiple ways not just lastpass - one thing I like with the iphone 6 is the finger print reader is better than some and can be used by lastpass to unlock the vault rather than entering a password all the time.


What I find great about last pass is you can remove the device/authorization and even if they have password/pin it won't let them access the data.


Tinshed
278 posts

Ultimate Geek
+1 received by user: 56


  #1326741 17-Jun-2015 18:20

mattwnz:
Tinshed: This thread illustrates just how hard it is to do the 'right' thing in managing passwords. It would seem there is no 'right' way as experts have different points of view. I have over 300 passwords in my 1Password vault, some of those are work related, some have unique passwords, some have weak passwords, some have passwords that need to be changed every 90 days and so forth. Just like everyone else I suspect. Those who say "this is THE answer" are only really saying "this works well for me". If we who post here, who I imagine have a higher technical IQ than most of the population, have different views on the best approach to managing and storing passwords, imagine what it is like for the average user? Putting a password on a post-it note and attaching it to the screen may seem silly and dangerous to us, but perhaps that works best for a great many people. The complexity around managing a large number of systems across multiple devices is enough to deter many from implementing robust or comprehensive processes and tools.

A post it note though is not as secure as last pass, if you have got a password on your computer, and you have got last pass to log you out each time you exit the browser. The way to possibly tell the best solution is to ask banks what they recommend, and whether using a system like lastpass is acceptable. I doubt a post it note would be acceptable, as it isn't encrypted or secure.


My point was that given the complexity and differences of opinion about the best way to handle passwords, many people will resort to very simple/unsecure solutions, such as post-it notes.  It is simply too hard for many people to manage access to multiple systems with multiple passwords. So they resort to the easiest solution.  And to be honest in some cases, so  do I.  For example, for many sites I use the same password. It is simply too hard to have industrial strength passwords for those myriad of sites that require a basic level of logon.  Not my bank password of course! So no matter if my bank finds a post-it note acceptable or not, for many people (not me) it is the best answer.




Tinshed
Wellington, New Zealand


mattwnz
20515 posts

Uber Geek
+1 received by user: 4795


  #1326746 17-Jun-2015 18:36

mclean:
amanzi: If you have complete physical security of your computer, e.g. you live alone, then the post-it note should be more secure than LastPass. And if someone has access to your computer then you're probably screwed anyway - even if you're using LastPass.


I'm guessing that theft of your computer/phone is a big vulnerability, since it's a fairly common occurrence and it exposes every account to cracking a single password again. At least in that event you usually know it's happened and you can try to shut down key accounts.

I got started on LastPass then chickened out after reading on their forums what happens after you commit all your accounts to passwords generated by LastPass and then something gets corrupted. Recovering from that doesn't bear thinking about.  I'm sure it's rare but it obviously happens.

KeePass looks safer in that respect but is a lot less convenient to use. Plus for a Windows phone you have to rely on an "unauthorised" app with access to the database, which is entirely unacceptable IMHO.

Not an easy one for the average person.


I have been using last pass for many years and never had a problem with corruption, or even heard about it. I don't however change my master password that often, and that is likely when it could occur, as it goes through a process of reencrypting it all again. I was recommended lastpass by a security expert. But guess like all experts, there are conflicting views.

rphenix
990 posts

Ultimate Geek
+1 received by user: 127

ID Verified
Lifetime subscriber

  #1326807 17-Jun-2015 20:59

mattwnz:
 I was recommended lastpass by a security expert. But guess like all experts, there are conflicting views.


True about conflicting views. However I don't think it's a big deal; it's not as if someone has a copy of both the encrypted vault data and encrypted password and can spend CPU cycles brute-forcing it - all they would get is a password that's already been changed and if someone doesn't do that - IP restrictions are in place requiring email authentication from unknown IPs.

I've had my details on compromised lists before, e.g. Adobe, and where lastpass is great I know that password isn't used elsewhere so all I have to do is change it on the affected service with a random password. It was Lastpass that notified me first by email of the Adobe breach and that my email address was listed before Adobe did.


 
 
 

Tinshed
278 posts

Ultimate Geek
+1 received by user: 56


  #1326815 17-Jun-2015 21:20

A further point to consider: what would happen to your passwords if you got run over by the proverbial bus? Until you get to a certain age, such a question has no meaning, but above a certain age the issue of "digital death" becomes a real issue. Whatever solution you have for all your passwords, a good question to ask yourself is what would happen in the event of your death? For many, the response will be, "Ask me in thirty years". But having been recently confronted with this issue, a solution that enables others to easily access your passwords and therefore delete your digital presence should be at least considered. Only because I had helped my mother-in-law set up her Gmail and Facebook accounts was I able to easily delete these after her passing. Unless you have been confronted with such an issue, it may not seem like much, but, trust me, it can be quite distressing for family to continue to see a continuing digital presence of a loved one who has recently died. Having ready access to passwords can make a difference in such circumstances. I do believe that this will become an issue more and more people will be faced with. However bullet-proof you feel now, do think about this when implementing your password management solution.




Tinshed
Wellington, New Zealand

