

282 posts

Ultimate Geek
+1 received by user: 76


Topic # 185659 30-Nov-2015 22:18

Lately I have done some looking into the topic and bought into the idea that it is more secure to use a password manager and set things up so you don't know any of your passwords. As such I have changed most of my passwords out there to auto-generated passwords using Lastpass. 

The one thing I haven't changed yet, however, is my internet banking details. I'm just not sure I trust having the username and password for those sites in one place, especially considering I would never write them down otherwise.

Has anyone else dealt with this issue? I have considered having the password saved but keeping the username in my head. Could this be a better way to go? 





gzt

9819 posts

Uber Geek
+1 received by user: 1469


  Reply # 1438205 30-Nov-2015 22:32

I imagine all the security of lastpass is for nothing if you use it on an untrusted platform anyway.

Doesn't know what he doin
2879 posts

Uber Geek
+1 received by user: 369

Subscriber

  Reply # 1438210 30-Nov-2015 22:53
3 people support this post

Store most things on Lastpass.

Internet banking and email accounts, store in your head AND enable 2-factor authentication. 
That way you can still access those accounts from any computer if Lastpass is unavailable, without skimping on security (as TFA will outdo nearly any super strong password).




Bachelor of Computing Systems (2015)

 

--

 

Late 2013 MacBook Pro with Retina Display (4GB/2.4GHz i5/128GB SSD) - HP DV6 (8GB/2.8GHz i7/120GB SSD + 750GB HDD)
iPhone 6S + (64GB/Gold/Vodafone NZ) - Xperia Z C6603 (16GB/White/Spark NZ)

Sam, Auckland 


13982 posts

Uber Geek
+1 received by user: 1763


  Reply # 1438225 1-Dec-2015 00:11

Aren't the passwords with last pass actually stored on your PC, or maybe it is the encryption key that is stored on your PC. So I guess it is how much you trust encryption. It all depends on how strong your last pass password is. The problem is that passwords are now impossible to remember if you have got a lot of them, and many now have to be made up of different types of characters. If you have a banking app, you only need a 4 digit number pin, which I don't think is particularly secure, as you are then relying on the encryption technology of the mobile device, and that people can't bypass the lock screen (which has been bypassed in the past).

 

The thing is, if you can't remember your banking password, what is the next best way to store your password? Something that is encrypted?

 

I was shocked to see that some banks still use Windows XP on their front end machines in their branches, as well as XP's maximum version of IE, to login to customers' accounts.

UHD

598 posts

Ultimate Geek
+1 received by user: 268


  Reply # 1438229 1-Dec-2015 00:42
One person supports this post

The key advantage of LastPass is enabling long, secure, and different passwords for each service you use. If you choose not to store bank passwords there then you need to remember at least two long, secure, and different passwords rather than one and that generally is tougher and creates a tendency toward less secure passwords.

The browser extension can be installed on most any computer or failing that, the website logged in to manually in case you are not at your regular workstation or mobile device.

I would argue that if you have LastPass 2FA enabled it would mitigate potential hardware keylogging on any number of potential risky computing situations (dodgy internet cafes and so forth) as well as providing that little extra layer of security in case you didn't notice you were on a phishing site: log in details would not be automatically filled.

Their security is not matched by anything I have encountered yet. Despite several intrusions not a single piece of user data has been exposed.

Of course, to each their own but I have no problems storing my passwords there. I store far more valuable passwords than banking credentials there without fear.



282 posts

Ultimate Geek
+1 received by user: 76


  Reply # 1438428 1-Dec-2015 11:24

Thanks for the replies guys. I think for now I'll just stick to keeping internet banking in my head.

The biggest problem with this is the banks that aren't my primary because you run the risk of forgetting them because you hardly ever log in. I guess I'll work something out.

3123 posts

Uber Geek
+1 received by user: 1666

Subscriber

  Reply # 1438430 1-Dec-2015 11:29

I keep mine in lastpass, with separate 2FA on both lastpass AND the internet banking.






Information wants to be free. The Net interprets censorship as damage and routes around it.

 

Thinking about signing up to BigPipe? Get $20 credit with my referral link.


13912 posts

Uber Geek
+1 received by user: 2470

Trusted
Subscriber

  Reply # 1438450 1-Dec-2015 11:48

Look at KeePass Pro - it's free.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


3327 posts

Uber Geek
+1 received by user: 630

Trusted

  Reply # 1438453 1-Dec-2015 11:53

No, just no. I wouldn't trust lastpass or any service with my bank/google passwords. Everything else, sure.

UHD

598 posts

Ultimate Geek
+1 received by user: 268


  Reply # 1438468 1-Dec-2015 12:13

reven: No, just no. I wouldn't trust lastpass or any service with my bank/google passwords. Everything else, sure.


Why not?

2964 posts

Uber Geek
+1 received by user: 446

Trusted
Subscriber

  Reply # 1438477 1-Dec-2015 12:31

UHD: 

Why not?


Because LastPass has been compromised before, and the password database stolen. While they are encrypted, that makes it only as secure as current technical limitations on hardware to crack it (Moore's Law says that it can't hold out forever) especially considering by design it must be stored encrypted (reversible) on the servers.

I wouldn't consider LastPass either. Local is the only option.

1662 posts

Uber Geek
+1 received by user: 186

Subscriber

  Reply # 1438484 1-Dec-2015 12:42

+1 for local (I use KeyPass) and then ownCloud for private syncing between devices.

3123 posts

Uber Geek
+1 received by user: 1666

Subscriber

  Reply # 1438566 1-Dec-2015 13:36

Kyanar:
UHD: 

Why not?


Because LastPass has been compromised before, and the password database stolen. While they are encrypted, that makes it only as secure as current technical limitations on hardware to crack it (Moore's Law says that it can't hold out forever) especially considering by design it must be stored encrypted (reversible) on the servers.

I wouldn't consider LastPass either. Local is the only option.


My current lastpass key is... long, random, and contains all character sets. The passwords within it are almost all long, random, and contain all character sets, and are changed on a regular basis.

The whole point of lastpass is you should only have the one single password to remember, and everything else is random gibberish and can be changed whenever needed.

Now I'm not a huge fan of them right now (have cancelled my subscription after they were bought out by LogMeIn), but I still think they are the best option. No human can remember 300+ long random passwords, cept maybe rain man...




Information wants to be free. The Net interprets censorship as damage and routes around it.

 

Thinking about signing up to BigPipe? Get $20 credit with my referral link.


13982 posts

Uber Geek
+1 received by user: 1763


  Reply # 1438587 1-Dec-2015 13:55

Lias:

The whole point of lastpass is you should only have the one single password to remember, and everything else is random gibberish and can be changed whenever needed.

Now I'm not a huge fan of them right now (have cancelled my subscription after they were bought out by LogMeIn), but I still think they are the best option. No human can remember 300+ long random passwords, cept maybe rain man...


I think last pass is far better than what many people do, such as writing down passwords, storing them in an excel document, or having easy to guess ones.

Some people use special rules for remembering more complex passwords. Lastpass is also free, unless you want to use some of the premium features, such as using it on mobiles. Maybe people should ask what the banks say about using Lastpass to store passwords. Would they consider it safe enough? eg will they cover losses if the password gets compromised?

But really the problem is getting over using passwords altogether. If someone came up with a password replacement that was easy and universal, it would be a multi billion dollar idea.

UHD

598 posts

Ultimate Geek
+1 received by user: 268


  Reply # 1438618 1-Dec-2015 14:28

Kyanar:
UHD: 

Why not?


Because LastPass has been compromised before, and the password database stolen. While they are encrypted, that makes it only as secure as current technical limitations on hardware to crack it (Moore's Law says that it can't hold out forever) especially considering by design it must be stored encrypted (reversible) on the servers.

I wouldn't consider LastPass either. Local is the only option.


You are right about the password database being stolen at least once. This was four years ago and to date not a single report (even unverified) of passwords being decrypted exists. The beauty of LastPass is that changing passwords is as simple as it can possibly be. All one needs to do is simply update their passwords at the website they wish to use and even if the hackers somehow manage to bruteforce the stolen database they will have wasted decades of computation time for nothing.

I'm not sure what you mean about storing the passwords on the servers in a reversible manner. If you take a quick look at the LastPass design you will see that even if LastPass wanted to decrypt user passwords they would not be able to do so. All encryption is done locally, meaning LastPass only ever see hashes which are then randomly salted and PBKDF2-SHA256'd.
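
An added sketch (not part of the original post, and not LastPass's own code) of the client-side derivation idea debated in the posts above: the vault key is derived locally with PBKDF2-SHA256 and never sent, while the server keeps only a salted, re-stretched hash of a separate login value. The function names, the iteration count, the use of the account name as the client-side salt, and the attacker rate passed to `years_to_exhaust` are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, account: str,
                     iterations: int = ITERATIONS) -> bytes:
    """Client only: the key that encrypts the vault. It is never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               account.encode(), iterations, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client only: one further PBKDF2 round yields the value sent to log in.
    Going from this value back to the vault key means inverting PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode(), 1, dklen=32)


def server_store(login_hash: bytes, iterations: int = ITERATIONS):
    """Server: salt and stretch the received login hash again before storing."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, iterations, dklen=32)
    return salt, stored


def server_verify(login_hash: bytes, salt: bytes, stored: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Server: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, iterations, dklen=32)
    return hmac.compare_digest(candidate, stored)


def years_to_exhaust(entropy_bits: float, pbkdf2_iterations_per_second: float,
                     iterations: int = ITERATIONS) -> float:
    """Worst-case offline guessing time against a stolen vault: every candidate
    master password costs `iterations` PBKDF2 rounds on the attacker's hardware."""
    total_rounds = (2 ** entropy_bits) * iterations
    return total_rounds / pbkdf2_iterations_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    key = derive_vault_key("correct horse battery staple", "user@example.com")
    salt, stored = server_store(derive_login_hash(key, "correct horse battery staple"))
    print("server record equals vault key:", stored == key)
    for bits in (30, 50, 80):
        print(bits, "bits:", years_to_exhaust(bits, 1e10), "years at an assumed 1e10 rounds/s")
```

Each extra bit of master-password entropy doubles the exhaustive-search time, so the strength of the master password, more than the hardware trend, decides how long a stolen vault holds out.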

UHD

598 posts

Ultimate Geek
+1 received by user: 268


  Reply # 1438620 1-Dec-2015 14:29

SumnerBoy: +1 for local (I use KeyPass) and then ownCloud for private syncing between devices.


Surely this is just LastPass with a less secure online distribution method (a personal cloud service).
