Geekzone: technology news, blogs, forums




282 posts

Ultimate Geek
+1 received by user: 76


Topic # 185659 30-Nov-2015 22:18

Lately I have done some looking into the topic and bought into the idea that it is more secure to use a password manager and set things up so you don't know any of your passwords. As such I have changed most of my passwords out there to auto-generated passwords using Lastpass. 

The one thing I haven't changed yet, however, is my internet banking details. I'm just not sure I trust having the username and password for those sites in one place, especially considering I would never write them down otherwise.

Has anyone else dealt with this issue? I have considered having the password saved but keeping the username in my head. Could this be a better way to go? 




471 posts

Ultimate Geek
+1 received by user: 137

Subscriber

  Reply # 1438199 30-Nov-2015 22:22
3 people support this post

I would strongly recommend against storing your bank password in anything. While I think password managers are great (and I use lastpass too), you should still never put your bank password anywhere other than your head in my opinion.

In fact, I would even say it's best to remember your password to any key applications you may want to access when LastPass isn't available - i.e. on another computer.

gzt

9158 posts

Uber Geek
+1 received by user: 1290


  Reply # 1438205 30-Nov-2015 22:32

I imagine all the security of lastpass is for nothing if you use it on an untrusted platform anyway.

 
 
 
 


Doesn't know what he doin
2850 posts

Uber Geek
+1 received by user: 335

Subscriber

  Reply # 1438210 30-Nov-2015 22:53
3 people support this post

Store most things on Lastpass.

Internet banking and email accounts, store in your head AND enable 2-factor authentication. 
That way you can still access those accounts from any computer if Lastpass is unavailable, without skimping on security (as TFA will outdo nearly any super strong password).




Bachelor of Computing Systems (2015)

 

--

 

Late 2013 MacBook Pro with Retina Display (4GB/2.4GHz i5/128GB SSD) - HP DV6 (8GB/2.8GHz i7/120GB SSD + 750GB HDD)
iPhone 6S + (64GB/Gold/Vodafone NZ) - Xperia Z C6603 (16GB/White/Spark NZ)

Sam, Auckland 


13362 posts

Uber Geek
+1 received by user: 1597


  Reply # 1438225 1-Dec-2015 00:11

Aren't the passwords with last pass actually stored on your PC, or maybe it is the encryption key that is stored on your PC? So I guess it is how much you trust encryption. It all depends on how strong your last pass password is. The problem is that passwords are now impossible to remember if you have got a lot of them, and many now have to be made up of different types of characters. If you have a banking app, you only need a 4 digit number pin, which I don't think is particularly secure, as you are then relying on the encryption technology of the mobile device, and that people can't bypass the lock screen (which has been bypassed in the past).

 

The thing is, if you can't remember your banking password, what is the next best way to store your password? Something that is encrypted?

 

I was shocked to see that some banks still use Windows XP on their front end machines in their branches, as well as XP's maximum version of IE, to login to customers' accounts.

UHD

531 posts

Ultimate Geek
+1 received by user: 220


  Reply # 1438229 1-Dec-2015 00:42
One person supports this post

The key advantage of LastPass is enabling long, secure, and different passwords for each service you use. If you choose not to store bank passwords there then you need to remember at least two long, secure, and different passwords rather than one and that generally is tougher and creates a tendency toward less secure passwords.

The browser extension can be installed on most any computer or failing that, the website logged in to manually in case you are not at your regular workstation or mobile device.

I would argue that if you have LastPass 2FA enabled it would mitigate potential hardware keylogging on any number of potentially risky computing situations (dodgy internet cafes and so forth) as well as providing that little extra layer of security in case you didn't notice you were on a phishing site: log in details would not be automatically filled.

Their security is not matched by anything I have encountered yet. Despite several intrusions not a single piece of user data has been exposed.

Of course, to each their own but I have no problems storing my passwords there. I store far more valuable passwords than banking credentials there without fear.



282 posts

Ultimate Geek
+1 received by user: 76


  Reply # 1438428 1-Dec-2015 11:24

Thanks for the replies guys. I think for now I'll just stick to keeping internet banking in my head.

The biggest problem with this is the banks that aren't my primary because you run the risk of forgetting them because you hardly ever log in. I guess I'll work something out.

2836 posts

Uber Geek
+1 received by user: 1478

Subscriber

  Reply # 1438430 1-Dec-2015 11:29

I keep mine in lastpass, with separate 2FA on both lastpass AND the internet banking.






Information wants to be free. The Net interprets censorship as damage and routes around it.

 

Thinking about signing up to BigPipe? Get $20 credit with my referral link.


13332 posts

Uber Geek
+1 received by user: 2242

Trusted
Subscriber

  Reply # 1438450 1-Dec-2015 11:48

Look at KeePass Pro - it's free.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


3209 posts

Uber Geek
+1 received by user: 563

Trusted

  Reply # 1438453 1-Dec-2015 11:53

no, just no.  I wouldn't trust lastpass or any service with my bank/google passwords.  everything else, sure.

UHD

531 posts

Ultimate Geek
+1 received by user: 220


  Reply # 1438468 1-Dec-2015 12:13

reven: no, just no.  I wouldn't trust lastpass or any service with my bank/google passwords.  everything else, sure.


Why not?

2915 posts

Uber Geek
+1 received by user: 414

Trusted
Subscriber

  Reply # 1438477 1-Dec-2015 12:31

UHD: 

Why not?


Because LastPass has been compromised before, and the password database stolen. While they are encrypted, that makes it only as secure as current technical limitations on hardware to crack it (Moore's Law says that it can't hold out forever) especially considering by design it must be stored encrypted (reversible) on the servers.

I wouldn't consider LastPass either. Local is the only option.

1576 posts

Uber Geek
+1 received by user: 176

Subscriber

  Reply # 1438484 1-Dec-2015 12:42

+1 for local (I use KeyPass) and then ownCloud for private syncing between devices.

2836 posts

Uber Geek
+1 received by user: 1478

Subscriber

  Reply # 1438566 1-Dec-2015 13:36

Kyanar:
UHD: 

Why not?


Because LastPass has been compromised before, and the password database stolen. While they are encrypted, that makes it only as secure as current technical limitations on hardware to crack it (Moore's Law says that it can't hold out forever) especially considering by design it must be stored encrypted (reversible) on the servers.

I wouldn't consider LastPass either. Local is the only option.


My current lastpass key is... long, random, and contains all character sets. The passwords within it are almost all long, random, and contain all character sets, and are changed on a regular basis.

The whole point of lastpass is you should only have the one single password to remember, and everything else is random gibberish and can be changed whenever needed.

Now I'm not a huge fan of them right now (have cancelled my subscription after they were bought out by LogMeIn), but I still think they are the best option. No human can remember 300+ long random passwords, cept maybe rain man...




Information wants to be free. The Net interprets censorship as damage and routes around it.

 

Thinking about signing up to BigPipe? Get $20 credit with my referral link.


13362 posts

Uber Geek
+1 received by user: 1597


  Reply # 1438587 1-Dec-2015 13:55

Lias:

The whole point of lastpass is you should only have the one single password to remember, and everything else is random gibberish and can be changed whenever needed.

Now I'm not a huge fan of them right now (have cancelled my subscription after they were bought out by LogMeIn), but I still think they are the best option. No human can remember 300+ long random passwords, cept maybe rain man...


I think last pass is far better than what many people do, such as writing down passwords, storing them in an excel document, or having easy to guess ones.

Some people use special rules for remembering more complex passwords. Lastpass is also free, unless you want to use some of the premium features, such as using it on mobiles. Maybe people should ask what the banks say about using Lastpass to store passwords. Would they consider it safe enough? eg will they cover losses if the password gets compromised?

But really the problem is getting over using passwords altogether. If someone came up with a password replacement that was easy and universal, it would be a multi billion dollar idea.

UHD

531 posts

Ultimate Geek
+1 received by user: 220


  Reply # 1438618 1-Dec-2015 14:28

Kyanar:
UHD: 

Why not?


Because LastPass has been compromised before, and the password database stolen. While they are encrypted, that makes it only as secure as current technical limitations on hardware to crack it (Moore's Law says that it can't hold out forever) especially considering by design it must be stored encrypted (reversible) on the servers.

I wouldn't consider LastPass either. Local is the only option.


You are right about the password database being stolen at least once. This was four years ago and to date not a single report (even unverified) of passwords being decrypted exists. The beauty of LastPass is that changing passwords is as simple as it can possibly be. All one needs to do is simply update their passwords at the website they wish to use and even if the hackers somehow manage to bruteforce the stolen database they will have wasted decades of computation time for nothing.

I'm not sure what you mean about storing the passwords on the servers in a reversible manner. If you take a quick look at the LastPass design you will see that even if LastPass wanted to decrypt user passwords they would not be able to do so. All encryption is done locally, meaning LastPass only ever see hashes which are then randomly salted and PBKDF2-SHA256'd.
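The design described in the post above (key derivation on the client, the server holding only a salted, stretched hash) can be sketched as follows. This is an added example, not part of the original thread and not LastPass's own code; the function names, the iteration count and the sample credentials are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not a figure from the thread


def derive_vault_key(email: str, master_password: str, rounds: int = ITERATIONS) -> bytes:
    """Client side: stretch the master password into the key that encrypts
    the vault. This value never leaves the user's device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), rounds, 32
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: a further one-way step over the vault key. Only this
    value is sent to the server, so the server cannot recover the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, 32)


def server_store(login_hash: bytes, rounds: int = ITERATIONS) -> tuple[bytes, bytes]:
    """Server side: add a random salt and stretch again before storing."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", login_hash, salt, rounds, 32)


def server_verify(login_hash: bytes, salt: bytes, stored: bytes,
                  rounds: int = ITERATIONS) -> bool:
    """Server side: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, rounds, 32)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    # Constructed sample credentials, for illustration only.
    email, password = "user@example.com", "correct horse battery staple"
    key = derive_vault_key(email, password)
    login_hash = derive_login_hash(key, password)
    salt, stored = server_store(login_hash)
    wrong = derive_login_hash(derive_vault_key(email, "hunter2"), "hunter2")
    return {
        "login_ok": server_verify(login_hash, salt, stored),
        "wrong_password_ok": server_verify(wrong, salt, stored),
        "server_holds_vault_key": stored == key or login_hash == key,
    }


if __name__ == "__main__":
    print(demo())
```

In a scheme like this, everything the server stores is derived from the master password, so its strength and the iteration count decide how expensive each offline guess against a stolen record is.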
