Geekzone: technology news, blogs, forums




282 posts

Ultimate Geek
+1 received by user: 76


Topic # 185659 30-Nov-2015 22:18

Lately I have done some looking into the topic and bought into the idea that it is more secure to use a password manager and set things up so you don't know any of your passwords. As such I have changed most of my passwords out there to auto-generated passwords using Lastpass. 

The one thing I haven't changed yet, however, is my internet banking details. I'm just not sure I trust having the username and password for those sites in one place, especially considering I would never write them down otherwise.

Has anyone else dealt with this issue? I have considered having the password saved but keeping the username in my head. Could this be a better way to go? 





gzt

10310 posts

Uber Geek
+1 received by user: 1582


  Reply # 1438205 30-Nov-2015 22:32

I imagine all the security of lastpass is for nothing if you use it on an untrusted platform anyway.

2891 posts

Uber Geek
+1 received by user: 381


  Reply # 1438210 30-Nov-2015 22:53
3 people support this post

Store most things on Lastpass.

Internet banking and email accounts, store in your head AND enable 2-factor authentication. 
That way you can still access those accounts from any computer if Lastpass is unavailable, without skimping on security (as TFA will outdo nearly any super strong password).




Bachelor of Computing Systems (2015)

 

--

 

Late 2013 MacBook Pro with Retina Display (4GB/2.4GHz i5/128GB SSD) - HP DV6 (8GB/2.8GHz i7/120GB SSD + 750GB HDD)
iPhone 6S + (64GB/Gold/Vodafone NZ) - Xperia Z C6603 (16GB/White/Spark NZ)

Sam, Auckland 


 
 
 
 


14449 posts

Uber Geek
+1 received by user: 1898


  Reply # 1438225 1-Dec-2015 00:11

Aren't the passwords with last pass actually stored on your PC, or maybe it is the encryption key that is stored on your pc. So I guess it is how much you trust encryption. It all depends on how strong your last pass password is. The problem is that passwords are now impossible to remember if you have got a lot of them, and many now have to be made up of different types of characters. If you have a banking app, you only need a 4 digit number pin, which I don't think is particularly secure, as you are then relying on the encryption technology of the mobile device, and that people can't bypass the lock screen (which has been bypassed in the past).

 

The thing is, if you can't remember your banking password, what is the next best way to store your password? Something that is encrypted?

 

I was shocked to see that some banks still use Windows XP on their front end machines in their branches, as well as XP's maximum version of IE, to login to customers' accounts.

UHD

656 posts

Ultimate Geek
+1 received by user: 303
Inactive user


  Reply # 1438229 1-Dec-2015 00:42

The key advantage of LastPass is enabling long, secure, and different passwords for each service you use. If you choose not to store bank passwords there then you need to remember at least two long, secure, and different passwords rather than one and that generally is tougher and creates a tendency toward less secure passwords.

The browser extension can be installed on most any computer or failing that, the website logged in to manually in case you are not at your regular workstation or mobile device.

I would argue that if you have LastPass 2FA enabled it would mitigate potential hardware keylogging on any number of potential risky computing situations (dodgy internet cafes and so forth) as well as providing that little extra layer of security in case you didn't notice you were on a phishing site: log in details would not be automatically filled.

Their security is not matched by anything I have encountered yet. Despite several intrusions not a single piece of user data has been exposed.

Of course, to each their own but I have no problems storing my passwords there. I store far more valuable passwords than banking credentials there without fear.



282 posts

Ultimate Geek
+1 received by user: 76


  Reply # 1438428 1-Dec-2015 11:24

Thanks for the replies guys. I think for now I'll just stick to keeping internet banking in my head.

The biggest problem with this is the banks that aren't my primary, because you run the risk of forgetting them as you hardly ever log in. I guess I'll work something out.

3501 posts

Uber Geek
+1 received by user: 1967

Trusted
Lifetime subscriber

  Reply # 1438430 1-Dec-2015 11:29

I keep mine in lastpass, with separate 2FA on both lastpass AND the internet banking.






Information wants to be free. The Net interprets censorship as damage and routes around it.


14284 posts

Uber Geek
+1 received by user: 2590

Trusted
Subscriber

  Reply # 1438450 1-Dec-2015 11:48

Look at KeePass Pro - it's free.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


3405 posts

Uber Geek
+1 received by user: 687

Trusted

  Reply # 1438453 1-Dec-2015 11:53

no, just no. I wouldn't trust lastpass or any service with my bank/google passwords. everything else, sure.

UHD

656 posts

Ultimate Geek
+1 received by user: 303
Inactive user


  Reply # 1438468 1-Dec-2015 12:13

reven: no, just no. I wouldn't trust lastpass or any service with my bank/google passwords. everything else, sure.


Why not?

3044 posts

Uber Geek
+1 received by user: 467

Trusted
Subscriber

  Reply # 1438477 1-Dec-2015 12:31

UHD: 

Why not?


Because LastPass has been compromised before, and the password database stolen. While they are encrypted, that makes it only as secure as current technical limitations on hardware to crack it (Moore's Law says that it can't hold out forever) especially considering by design it must be stored encrypted (reversible) on the servers.

I wouldn't consider LastPass either. Local is the only option.

1664 posts

Uber Geek
+1 received by user: 188

Subscriber

  Reply # 1438484 1-Dec-2015 12:42

+1 for local (I use KeePass) and then ownCloud for private syncing between devices.

3501 posts

Uber Geek
+1 received by user: 1967

Trusted
Lifetime subscriber

  Reply # 1438566 1-Dec-2015 13:36

Kyanar:
UHD: 

Why not?


Because LastPass has been compromised before, and the password database stolen. While they are encrypted, that makes it only as secure as current technical limitations on hardware to crack it (Moore's Law says that it can't hold out forever) especially considering by design it must be stored encrypted (reversible) on the servers.

I wouldn't consider LastPass either. Local is the only option.


My current lastpass key is... long, random, and contains all character sets. The passwords within it are almost all long, random, and contain all character sets, and are changed on a regular basis.

The whole point of lastpass is you should only have the one single password to remember, and everything else is random gibberish and can be changed whenever needed.

Now I'm not a huge fan of them right now (have cancelled my subscription after they were bought out by LogMeIn), but I still think they are the best option. No human can remember 300+ long random passwords, cept maybe rain man...




Information wants to be free. The Net interprets censorship as damage and routes around it.


14449 posts

Uber Geek
+1 received by user: 1898


  Reply # 1438587 1-Dec-2015 13:55

Lias:

The whole point of lastpass is you should only have the one single password to remember, and everything else is random gibberish and can be changed whenever needed.

Now I'm not a huge fan of them right now (have cancelled my subscription after they were bought out by LogMeIn), but I still think they are the best option. No human can remember 300+ long random passwords, cept maybe rain man...


I think last pass is far better than what many people do, such as writing down passwords, storing them in an excel document, or having easy to guess ones.

Some people use special rules for remembering more complex passwords. Lastpass is also free, unless you want to use some of the premium features, such as using it on mobiles. Maybe people should ask what the banks say about using Lastpass to store passwords. Would they consider it safe enough? eg will they cover losses if the password gets compromised?

But really the problem is getting over using passwords altogether. If someone came up with a password replacement that was easy and universal, it would be a multi billion dollar idea.

UHD

656 posts

Ultimate Geek
+1 received by user: 303
Inactive user


  Reply # 1438618 1-Dec-2015 14:28

Kyanar:
UHD: 

Why not?


Because LastPass has been compromised before, and the password database stolen. While they are encrypted, that makes it only as secure as current technical limitations on hardware to crack it (Moore's Law says that it can't hold out forever) especially considering by design it must be stored encrypted (reversible) on the servers.

I wouldn't consider LastPass either. Local is the only option.


You are right about the password database being stolen at least once. This was four years ago and to date not a single report (even unverified) of passwords being decrypted exists. The beauty of LastPass is that changing passwords is as simple as it can possibly be. All one needs to do is simply update their passwords at the website they wish to use and even if the hackers somehow manage to bruteforce the stolen database they will have wasted decades of computation time for nothing.

I'm not sure what you mean about storing the passwords on the servers in a reversible manner. If you take a quick look at the LastPass design you will see that even if LastPass wanted to decrypt user passwords they would not be able to do so. All encryption is done locally, meaning LastPass only ever see hashes which are then randomly salted and PBKDF2-SHA256'd.
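
The split described in the post above (a key derived on the user's device, only a hash sent to the server, which salts and PBKDF2-SHA256s it again), sketched as an added example that is not part of the thread and is not LastPass's code. The round counts, the use of the e-mail address as the client-side salt, the sample account and all function names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factors for illustration; real deployments tune these.
CLIENT_ROUNDS = 100_000
SERVER_ROUNDS = 100_000


def client_derive(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Runs on the user's device only. Returns (vault_key, login_hash)."""
    pw = master_password.encode("utf-8")
    salt = email.lower().encode("utf-8")  # assumption: e-mail as salt
    # The vault key encrypts and decrypts the stored passwords locally.
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, salt, CLIENT_ROUNDS)
    # One further round yields a login hash that is sent to the server
    # and cannot be turned back into the vault key.
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)
    return vault_key, login_hash


def server_enroll(login_hash: bytes) -> tuple[bytes, bytes]:
    """Server side: salt and stretch the received hash before storing it."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS)


def server_verify(login_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Server side: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def guess_matches(guess: str, email: str, salt: bytes, stored: bytes) -> bool:
    """Cost of testing one candidate master password against a copied
    server record: both derivations must be repeated for every guess."""
    _, login_hash = client_derive(guess, email)
    return server_verify(login_hash, salt, stored)


if __name__ == "__main__":
    email = "user@example.com"  # constructed sample account
    master = "correct horse battery staple"  # constructed sample password
    key, login = client_derive(master, email)
    salt, stored = server_enroll(login)
    print("server record holds the vault key:", key in (salt, stored))
    print("right master password verifies:", guess_matches(master, email, salt, stored))
    print("wrong master password verifies:", guess_matches("password1", email, salt, stored))
```

The server record holds neither the master password nor the vault key, so how well a copied record resists guessing depends on the master password's strength and the round counts.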

UHD

656 posts

Ultimate Geek
+1 received by user: 303
Inactive user


  Reply # 1438620 1-Dec-2015 14:29

SumnerBoy: +1 for local (I use KeePass) and then ownCloud for private syncing between devices.


Surely this is just LastPass with a less secure online distribution method (a personal cloud service).
