
96 comments on “LastPass Password Manager and Vault”

  1. Leo, excellent article as usual, and I am seriously considering using LastPass, I just have one question. If I use two factor authentication and get my phone stolen, what happens then?
    Maybe a daft question, but it has happened to me before and it was traumatic enough just dealing with the lost contact details etc!

    When you set up two-factor authentication, LastPass generates for you a set of one-time passwords. As the name implies each can only be used once. You save those in a safe & secure location in case you ever need them. Lose your phone and you then use a one-time password to login to LastPass on the web, and turn off two-factor authentication until you’ve replaced your phone.

    Leo
    28-Aug-2012
    Reply
    • Leo, although this really ought to be very obvious, it can’t hurt to add — don’t store your one-time passwords on your phone!

      Like, “Duh!” :)

      Store them on your desktop computer (encrypted, hopefully) or print them out and store the paper in the lockbox under your bed. :)

      The main idea here is to keep the one-time passwords somewhere other than your phone, so that if the phone gets lost or stolen, the one-time passwords won’t be lost or stolen along with it. (!)

      (I really do prefer to think that anyone intelligent enough to be reading Ask Leo!, isn’t going to do anything so stupid… but hey, one never knows, and everyone makes a colossal blunder every once in two or three blue moons.) :)

      Reply
    • I would strongly recommend people give Bitwarden a look before committing to Lastpass, which has had some breaches and other glitches over the years. I used Roboform for (too many) years before I did a critical deep-dive into password managers. This is the one I found to be the best. I have no connection to Bitwarden and receive no compensation from them.

      Reply
  2. Hi Another very good article. I have used Lastpass for some time now and find it very good.
    However I have a little question !!!
    It works for me perfectly on all Windows Apps. But how about all the other programs that also require a password ?? Will name just one which is Skype !!! As a granddad with family around the globe this is very important to me and lastpass does not save the password (At least not the free version) At the moment Skype and other passwords I just save in Secure notes so I suppose no real problem.
    Even so I would like your opinion on the matter.
    Ta in advance

    LastPass (and other password vaults) are designed primarily for websites. I’m not aware of a utility that handles arbitrary programs asking for login credentials.

    Leo
    28-Aug-2012
    Reply
    • I currently use the free version of LastPass here too. Look on the left margin and you will see a variety of ‘folders’ named Password, Notes, etc. If you click the Plus (+) icon near the bottom-right of the window, you can add a new item to securely store whatever information you want/need to keep safely, and you can save it under any of the already-established folders, or you can create a new folder with a name that makes sense to you. Even though these items will not automatically fill in your username and password in the Skype app, you can fairly easily access your username and password using LastPass. I keep a variety of information on LastPass because it is encrypted on my computer before it is sent over the Internet to my vault.

      Even though LastPass free has served me well over the years, and offers an incredible assortment of useful features, I am considering upgrading to the Premium version for some of the extra features it offers, such as those found in the Security Dashboard.

      I hope this helps,

      Ernie

      Reply
      • O.K., I took the plunge and purchased the premium version of LastPass. It has a few features, not available in the free version, that make it well worth the price – In the Security Dashboard, I can see which launchers have ‘weak’ passwords so I can change them, and I can see any duplicated passwords. I had a few launchers for the likes of Microsoft and Google where one launcher went to my email, and a second launcher went to account settings. I removed the email launchers because I don’t use them anyway. Another great feature is that I can enable ‘Dark web monitoring’, then when/if any of my email account passwords appear to have been breached, I’ll be notified. To my way of thinking, anything I can do to reduce the likelihood of becoming a victim of crackers (black-hat hackers) is something I want to do :)

        Reply
  3. The trouble with Google two factor authentication is it assumes we all have mobile phones. I don’t leave my home very often, there is no mobile signal where I live, and although I do still have a mobile at the moment the day may come when I ditch it. A landline phone doesn’t seem to be acceptable to Google.

    The Google two-factor application does NOT require connectivity. LastPass also supports alternate forms of two-factor as well, including a program you can simply run from your own USB stick.

    Leo
    28-Aug-2012
    Reply
    • Indeed, Michael, almost all typical Authenticator Apps — there are many out there — have this same basic setup:

      1. Go to the site where you want to establish a two-factor login, and follow whatever process is needed to begin doing that.

      2. At some point, you’ll be asked to specify which Authenticator App you’re using. Different Apps use different mathematical algorithms to generate a two-factor, so the site needs to know which App you’re using.

      3. Next, the website generates a special key — a text string of randomly-generated characters. Copy it to your clipboard.

      4. Now go to your Authenticator App and select the option to create credentials for a new site. You’ll be prompted for the site’s key.

      5. Paste in the key you copied in Step 3.

      6. Bam! You will see a new site listed in your Authenticator App, with a new login factor created every thirty seconds. This is what you copy and paste when that site asks for your two-factor ID.

      NOTICE the security here: The Authenticator App generates a new Login Factor mathematically and locally, based upon the initial key which the site randomly generated and supplied to you. Once set up, the generation of the two-factor takes place entirely within the App itself — no connectivity required to generate the two-factor at all. :)

      Usually, two-factors are time-based — the mathematics used to generate the two-factor incorporate the current time, to the nearest 30 seconds, into the process.

      The site you’re logging into knows (because you told it which App you’re using) which algorithm is being used to generate the two-factor; it also knows what initial key it sent you, and the correct current time. From this, it does exactly what your own App does: it generates a two-factor. If it matches the one you send them, it knows that “you are you,” since only YOU have the correct initial key. Neat, huh? :)

      Reply
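The time-based scheme described in the comment above corresponds to the TOTP standard (RFC 6238), which is built on HOTP (RFC 4226). As an added example that is not part of the original comments, this Python code shows both sides: the app turning the setup key and the current time into a code, and the site recomputing and comparing it. The setup key is the RFC's published test secret, and the one-step drift window is an assumption.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the "new code every thirty seconds" interval


def decode_setup_key(text: str) -> bytes:
    """Turn the base32 key the site displays into raw secret bytes."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since 1970."""
    return hotp(secret, int(unix_time) // STEP_SECONDS, digits)


def site_verifies(secret: bytes, submitted: str, unix_time: float,
                  window: int = 1, digits: int = 6) -> bool:
    """Server side: recompute the code locally and compare.

    `window` (an assumption here) accepts codes from adjacent steps so a
    slightly wrong phone clock does not lock the user out.
    """
    counter = int(unix_time) // STEP_SECONDS
    matched = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        expected = hotp(secret, counter + drift, digits)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted):
            matched = True
    return matched


if __name__ == "__main__":
    # Constructed input: RFC 6238's test secret "12345678901234567890",
    # shown the way a site would display it (base32, grouped).
    shared = decode_setup_key("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    code = totp(shared, 59)                  # phone, no network needed
    print("app shows:", code)
    print("accepted at t=59:", site_verifies(shared, code, 59))
    print("accepted at t=150:", site_verifies(shared, code, 150))
```

Neither side sends the key again after setup; only the short-lived code crosses the network, which is why the phone needs a correct clock but no signal.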
  4. Is there a provision that allows you to access your passwords if you are using a public or friend’s computer? tks

    You can access your vault via a web page, but I would not trust someone else’s computer in general – whether you’re using LastPass or not. There’s simply too much risk.

    Leo
    28-Aug-2012
    Reply
  5. About problem you mentioned (re-visiting a site and it does not fill), I realized that first time when we Save site in LastPass, it may save the googly garbagy loooong link (like https://mega.utor.com/ghdt/hdhdyhsgs_hddybdgddyy?jhdudhduhdloging.aspxhdjkhd8373664883) and then when we re-visit site, that is not the link we visit again!!
    When I save a site in LastPass I always delete all those extras from link (and even S from https://) and make link as simple as possible (like http://mega.utor.com/ or http://utor.com/) then it covers all subsidiary links and subdomains that site may produce when I visit every time.

    Reply
    • As a cautionary note, the ‘s’ in https causes your web browser to create a secure connection with the website the URL is taking you to. Shortening the link from the right end makes sense (I do this myself) but removing the s in https is a bad idea because when you use the LastPass launcher to connect to the website, you are creating an unencrypted connection to the site.

      Just so you know,

      Ernie

      Reply
  6. Hi Leo,

    I signed up for LastPass a few days ago based on recommendations I read from you and on Lifehacker, and I really think it’s great.

    I have a question that I can’t resolve on my own: If I’m on somebody else’s (or a public) computer, how do you advise accessing my passwords for things like email, since I don’t have them memorized anymore? Is it risky to log in to LastPass (using their onscreen keyboard to avoid keyloggers) and use the online vault to access my passwords? I assume I’d have to do a copy/paste of my email password and then overwrite the clipboard afterward. Any thoughts?

    Thanks for a really excellent website!

    Brad

    If you’re at a computer you can’t trust then you shouldn’t be logging in to your email at all regardless of whether you’re using LastPass or not. Your email password could be captured by several different means. Copy/paste does nothing to thwart keyloggers since in reality there are “activity” loggers which can easily capture what comes and goes in the clipboard.

    Leo
    31-Aug-2012
    Reply
  7. I have been using LastPass for about 6 months and really like it. I used to use Password safe before. The only problem I’ve had is when a web site wants me to change my password. LastPass will generate a new one but since I don’t see the passwords I am not sure which is new password and the old. I end up having to call the site to reset my password because I can’t get it.

    You can simply view your vault in your browser. You can see what the password is that’s been saved for that site, or if you have LastPass generate a password for you, “Generated password for…” entries will also appear in your vault.

    Leo
    31-Aug-2012
    Reply
  8. I got Lastpass after you recommended it ages ago. Most of my friends now use it. Those that don’t usually have to get their mother to tie their shoelaces. I can’t understand anyone not using it. Great for travelling. I have over 80 passwords and get Lastpass to generate passwords for me usually a mix of characters generally 18 to 20 in length. Keep up the good work Leo.

    Reply
  9. Read article, read security article on spinrite’s site, and downloaded it.
    it SEEMS very neat.
    HOWEVER, could you PLEASE address this problem – on EXPORT to CSV file, i CANNOT export the custom form fields that I create or that LastPass creates.
    to me, this is the biggest bummer there is.
    EXPORT exports the first page of data for a LIST item, but does NOT EXPORT the 2nd page of a list entry, the custom form fields.

    can you or other users address this, and provide feedback?

    thanks

    I don’t have an answer for this. I’d recommend submitting this as an issue to LastPass directly.

    Leo
    31-Aug-2012
    Reply
  10. downloaded it, and trying it.
    (I posted comment last evening, but not sure if it got lost, not showing up)
    ONE BIG DEFICIENCY – inability to export custom fields.
    if you create a site, and fill in just the normal site field values – those can be exported to a CSV file.

    BUT, if you capture a site, and it creates custom fields, those values or fields are NOT exported to CSV, AND they are NOT exported to even the encrypted file that LastPass Pocket uses.

    So, you are captive to using the browser format, and if for what ever reason they go defunct or you don’t like that program and decide to change, you can’t get custom data out of the database.

    I LIKE the design of the program, but I HATE it (and hate OTHER programs) when you can’t do a simple export of all the data within the database.

    any other feedback from others, if I’m doing something wrong and not understanding how to export (spent 8 hours on machine last evening researching this, forums, google search, etc…) please let me know

    thanks
    nick

    Reply
    • Nick – check out Bitwarden – super easy to export all your data as csv or json file. Also free and open source.

      Reply
  11. I have several Twitter accounts and found that LastPass would not always populate the login fields.

    After reviewing the LastPass records in my vault, I found that changing the URL protocol from https to http fixed the problem.

    I still have a few sites that won’t auto-fill (e.g. Magnatune), and have to resort to copy and paste via the LastPass drop-down.

    Reply
  12. I have used LastPass for a few years now and find it very useful.

    It struggles with my UK bank websites, which all require multi-level logins. They need an identifier and password on a first screen, then 2 random dropdown digits from a 4-digit PIN, then a random piece of personal information from a range of 6 items. LastPass can cope with the first screen, not a chance for the second and a bit of a fiddle for the third data.

    I have just bought an Android smartphone and tried LastPass on that. It is not integrated into the browser, but comes as a separate app. That cannot cope with the above scenario.

    So, in summary, LastPass is great when it works, but is not a solution to all approaches to my bank websites. So I have to use passwords that I can remember myself – a great pity.

    Leo, you did not mention that LastPass also stores its database locally, so that it can be used offline to access any other information you may have stored there – e.g. telephone banking passwords.

    Reply
  13. If it’s ‘on your machine’, then what happens if you get a new computer, or if your current machine fails/is stolen etc? Can you access LastPass from a cloud off the web?

    Reply
  14. @Z Berkeley
    Yes, LastPass stores a copy of your passwords on their servers (the Cloud). Because of that I can use it to sync my passwords on all of my computers and my smart phone. Since it’s on the LastPass server, you can open it using your email password combination. Therefore, it’s essential to have a long strong master password for LastPass.

    Reply
  15. I tried LastPass and liked it enough to pay for the Premium upgrade. While I agree there are some limitations, I wouldn’t be without it now.
    Also Leo you referenced Steve Gibson in your column. That episode was what led me to try the program. I actually subscribe to Security Now and find it an equally good source of info like yours, Leo.
    If you haven’t already seen it I highly recommend you get episode #366 The Death of Clever.
    He talks about passwords and hackers, I found this episode quite alarming!

    Reply
  16. Hi, Leo

    I wanted to ask a follow-up question of sorts to an answer you gave another commenter re: two-step authentication with LP. My question is not about that but about one-time passwords that you referred to….

    Isn’t there a sense in which OTPs can somewhat defeat the purpose ? I mean, for my email accounts — and certainly for my LP account — I want to have good, long passwords so that the accounts will not be compromised by guessing or hacking my password. As it is my LP account should be fairly secure with the long password I have for it, since any would-be hacker must guess or crack the ONE valid password I have out of however many millions/billions of possible combinations.

    But if at any time I enable the use of OTPs (for LP or any of my email accounts) doesn’t that in a way give the hackers a larger bull’s-eye ? If I’ve got a list of 50-100 OTPs, that might, indeed, make it easier for ME to login once-and-only-once at library computer or somewhere. But as long as those OTPs are valid, it’s also providing more targets for hackers, no ?

    So, in general, and specifically for the security of a password manager, would you say it’s wise to keep one’s list of valid OTPs way down, like at least in the single digits ?

    Or am I misunderstanding something about OTPs in all this security business ?

    Thanks ! :-)

    Reply
    • I use Lastpass and have over 270 sites stored and I only have 2 OTPs activated; why would you need any more? When used, just generate a couple more, but keep them safe.

      Reply
  17. @Scott
    The one time passwords usually work in conjunction with a normal password. It is a form of 2 factor authentication. Factor 1 is your user password. Factor 2 is the one time password which can be on a list, sent to your phone or generated by a onetime password calculator. In most cases, your user password can be as long as you want it to be. 2 factor authentication.

    Reply
  18. I had an issue with a banking login site one time, and I e-mailed Lastpass about it. I was answered pronto, that it would be fixed with the next update, and it was. Great service for free.

    Reply
  19. Thanks for article and link to Steve Gibson podcast. I’m sold on the security regarding Lastpass not being able to decrypt my passwords and the 2 factor auth. But, how about the database file of passwords that’s created and stored locally on my PC? If stolen PC or if there’s malware, how easily can a good hacker break into my Lastpass database file on my hard drive?

    Reply
  20. Quick question regarding password strength. In the article you refer to the xkcd site which suggests an 11 character randomly generated password (such that LastPass might generate for a website) was weaker than the four word phrase using common words. Based on that should we not use the Lastpass auto generator for passwords and instead create our own pass phrases or are we ok so long as we set “minimum characters” to 12 (or more) and let it auto generate?

    There’s no absolute answer here. Longer is better, in general. 12 is what I would consider a minimum these days. Using words allows you to make an easier to remember long password, but with proper settings random password generators can be good. I do indeed use LastPass’s myself if it’s not a password I’ll ever need to remember. Length = 12 for me.

    Leo
    18-Apr-2013

    Reply
  21. Hi, Leo – truly appreciated your article reviewing LastPass; had a couple of questions: (1) Does LastPass work with Internet Explorer in its “InPrivate Browsing” mode? (asking about this because, in my experience, Norton Security Suite / Norton 360 doesn’t and neither does Comcast/Xfinity Constant Guard); and (2) Does the “Multifactor Authentication” available with LastPass Premium work with an older plain vanilla cellphone that can receive SMS and Text messages, or does it require the more sophisticated ‘Smart’ phones with either Android or Apple op. systems?

    Reply
    • I’ve tried to use LastPass with InPrivateBrowsing in IE and it doesn’t seem to work.
      The second part of your question is unclear. You should be able to use any cell phone to receive the text message containing the one time password, but you can’t use LastPass on that phone as it is incapable of accessing the Internet.

      Reply
      • Mark, thanks for the clarification on my 2nd question; I may opt to use the multifactor authentication with my old tech cellphone for some of my banking and investment websites. ___ Incidentally, a number of these sites have already employed a type of two-factor authentication whenever I try to access them with a computer they did not recognize (where I can usually opt to have a Text message sent to my cellphone with a 5 digit ‘code’ or an email with same or, in some cases, to receive a phone call which probably would have a pre-recorded message with the code to use). It’s interesting, though, when this happens repeatedly with some of those websites, because I’ve cleared my Cookies… and, apparently, in not finding the expected cookie, the bank’s website assumed I was trying to gain access with a new or different computer.

        Reply
    • Not sure about IE (see Mark’s comments about not getting it to work there, though), but I use it in Chrome’s equivalent Incognito all the time.

      Lastpass’s two-factor options are here: https://helpdesk.lastpass.com/security-options/multifactor-authentication-options/ – I’m not seeing straight text-messaging as an option, which implies smartphone – or some other kind of device – may be needed. There are hints of SMS support through other applications but I haven’t been able to nail it down in a quick search.

      Reply
  22. Am I correct in understanding that as long as my computer is on and I’ve logged into LastPass with my master password, any site I visit will be auto logged in without any further intervention from me?

    On my main laptop I have all my browsers set NOT to remember anything, which means that on every site I visit I MUST enter a password to get in. It appears to me that anyone else going to my computer could get into my sites simply because LastPass will auto fill my user name and password without any further prompting.

    Is there a way to set LastPass to ask for the master password for every site I visit? Or do I need to resolve that by signing out of LastPass every time I move away from the computer?

    Reply
    • You can easily set LastPass to require the LastPass master password every time you want to log on to a website. This can be done on a website by website basis. For example, I have LastPass ask me for my master password for my bank and other financial logons.

      Reply
    • Last pass can be configured to auto-login on a site-by-site basis – or not. It can also be configured to request the master password on a site-by-site basis – or not.

      Reply
      • Thanks to both of you. I see you’ve now addressed this in your newest article dated April 4th published in newsletter of April 8th. My password list is getting longer and I need to stop using my Excel sheet with semi-coded passwords, but I know you’ve said “If your computer is not physically secure, it’s not secure”, so I don’t want to make it easier for anyone who tries to exploit an insecure moment.

        Reply
        • If you are in a situation where someone might be able to use your open LastPass to log into your websites, you can also set LastPass to require the master password for all of your logins. It’s more work as you have to type in the password for every login, but it’s the same master password every time, so you get quite quick at typing it in each time.

          Reply
          • Which can be an issue for some, like me, as I age I get more and more fat finger syndrome. Maybe at some stage I’ll have to use 2 fingers, or maybe only 1 finger typing for the master password.

          • If your computer is at home, you might not find it necessary to enter the password each time. I just mentioned that in response to the question of what to do if a computer can be used by someone else while you are logged on. I only use that in cases of sensitive accounts.

  23. I use KeePass (http://keepass.info) – free, open-source, also supports 2-factor authentication, and you can get it for your mobile device. There are two versions – one you can install, and a portable one (my preference). I couldn’t even begin to go over all the features – I’ve never used LastPass though I’ve heard good things about it, too – you probably wouldn’t really go wrong with either one, but I couldn’t recommend more highly that a person consider KeePass. (And no, I’m not affiliated in any way – I just love it and recommend it to everyone I can.)

    Reply
    • Same here. I use Keepass, I understand it enough for my needs, plus it does have heaps of advanced options that I don’t even pretend I might know what they are.

      But, it works for me. Last Pass I found very confusing, but that was about 5 years ago. Read about Keepass, tried it and Yeeeee hawwww, works for me.

      Reply
  24. yes i have lost my mpw; however, LP autologsin, so it does have the correct mpw. is there then a way i could view it? when i use a second browser, LP wants the mpw and does not auto login. that is also true when i go to the chromebook. and when i think i have got it right and get “invalid pw”, i don’t know which is invalid, the site, or LP’s master.
    am i just stuck and need the drastic reset? thanks always.

    Reply
    • If you lose your LastPass Master Password (I assume that’s what you mean by mpw) then there is no way to recover it. You’ll need to start over. This is documented on the LastPass site, and is a side-effect of their security measures – even they don’t know your password.

      Reply
  25. You can go to LastPass.com and click “Sign in” then click “Click here if you forgot your password”. Enter the email address you use to log into LastPass and click “Email hint”. The password hint you entered when you set up LastPass will be mailed to you. This might jog your memory. If that doesn’t work, right underneath the Email hint there is a link “* Note: if your hint doesn’t help you, you still may be able to use Account Recovery”. Try clicking on the Account Recovery link and further instructions will be sent to your email address. I’ve never tried this, but I imagine it should work in most cases.

    Reply
  26. What prevents someone accessing your computer from being logged into your sites automatically by LastPass?
    I think I will encrypt my password list and keep it on a USB stick so that it isn’t on my computer.

    Reply
    • LastPass encrypts your passwords with the master password you use to log on to LastPass with. LastPass only has the encrypted version of the password file. It is only decrypted by your computer never on the server. Your method is, of course safer, but I personally trust the LastPass encryption model. The cost of cracking a strong password is much more than the yield they would get hacking small fish like most of us as they would have to spend several hours to crack each password.

      Reply
  27. Paul,

    I do that too.
    I created a text file (called “Projects-To-Do” which is better than ‘Here-are-all-my-passwords and bank account information’)
    Which in fact contains all my passwords for various forum, shopping sites, bank accounts etc etc.
    That is then kept on at least two flash drives.
    When logging on to sensitive sites such as a bank, I use that text file and copy/paste the information into fields, that way there is no way any keyboard loggers know what I typed.

    – B!LL!

    Reply
    • I stand corrected on the copy/paste thing as noted by LEO in the post below, however I only ever use my OWN computers (at home), never use computers at Internet Cafes or use my laptop/tablet at Wi-Fi’s such as McDonalds for important things like banking.

      Reply
    • P!ease, oh please, oh please tell me that this text file is encrypted (and preferably by something slightly stronger than Rot13)!

      And BTW, keyloggers can (and will) pick up pasted info.

      Reply
  28. How come i can use LastPass from several pc’s, if encryption is locally? If LastPass knows only my credentials after encryption, then logging on from a second pc would produce a different encrypted ‘blob’ and LastPass should not be able to authenticate that. If the encryption key used on the 2nd pc is the same, then there is no use in encrypting it at all.

    Reply
    • Your data is encrypted once, and then copied to all the computers via LastPass’s servers in its encrypted form. It’s only decrypted locally when you specify the correct password.

      Reply
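The question in comment 28 and the answer above turn on the fact that the encryption key is derived from the master password rather than generated per machine. As an added example (not LastPass's code and not part of the original comments), this Python model shows why every device arrives at the same key while the server never holds it; PBKDF2 with the email as salt, the iteration count, and the `SyncServer` class are assumptions made for illustration.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor for this illustration


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Computed on the device only. Same password + same email gives the
    same 32-byte key on every machine, so nothing has to be copied."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, ITERATIONS, dklen=32)


def derive_login_token(vault_key: bytes, master_password: str) -> bytes:
    """A second one-way step: this is what gets sent to the server to
    prove knowledge of the password. It cannot be reversed to the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


class SyncServer:
    """Hypothetical server: stores a hash of the login token plus an
    opaque encrypted vault. It never sees the password or the vault key."""

    def __init__(self):
        self._accounts = {}

    def register(self, email: str, login_token: bytes, encrypted_vault: bytes):
        token_hash = hashlib.sha256(login_token).digest()
        self._accounts[email.lower()] = (token_hash, encrypted_vault)

    def login(self, email: str, login_token: bytes):
        record = self._accounts.get(email.lower())
        if record is None:
            return None
        token_hash, encrypted_vault = record
        presented = hashlib.sha256(login_token).digest()
        if hmac.compare_digest(token_hash, presented):
            return encrypted_vault  # still ciphertext; device decrypts
        return None

    def stored_secret(self, email: str) -> bytes:
        """What an attacker who dumped the server database would hold."""
        return self._accounts[email.lower()][0]


def device_session(server: SyncServer, email: str, master_password: str):
    """What any device does at sign-in: derive locally, send only the token."""
    key = derive_vault_key(master_password, email)
    blob = server.login(email, derive_login_token(key, master_password))
    return key, blob


if __name__ == "__main__":
    server = SyncServer()
    email, password = "user@example.test", "correct horse battery staple"
    key_pc1 = derive_vault_key(password, email)
    # Constructed placeholder standing in for the encrypted vault bytes.
    server.register(email, derive_login_token(key_pc1, password),
                    b"constructed-ciphertext")
    key_pc2, blob = device_session(server, email, password)
    print("second PC derived the same key:", key_pc2 == key_pc1)
    print("server returned the encrypted vault:", blob is not None)
```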
  29. Ok thanks, the master password also is used for generating the encryption key. That explains it.
    Another question is exactly when the password list is decrypted on my pc and how long it stays decrypted. I hope only when a password is actually needed and not from the moment i activate LastPass in my browser add-on?
    And is it safe to let LastPass remember the master password (on browser add-on activation)?

    Reply
    • I believe it decrypts only as needed, but don’t quote me on that. Whether or not it’s safe to let it remember the master password is a function of the overall security of your machine. If you feel the machine is secure, then it’s what I do. On the other hand if the machine could be compromised or stolen, then I do not (like my laptop, with which I travel).

      Reply
  30. Here’s an instance of hating it! I use Firefox Beta versions. Came home from a week away, new Firefox installed itself and eliminated Lastpass. They have not kept up with Firefox and Lastpass is now not compatible with it, specifically Version 57. So I have to make SURE Firefox does not update itself on my desktop as it did on laptop and carry my phone version around with me to be able to access my passwords, as mostly I use the laptop for day to day computing. I have complained, no solution yet from LastPass, and Firefox doesn’t care!

    Reply
  31. Personally, I would never use a service like LastPass. First of all, any information that is stored on the LastPass server(s) is subject to hacking. I don’t care if that information is encrypted. We have learned again and again that absolutely nothing is completely secure on the internet. Secondly, any service that is available in the cloud can go away without notice. I keep all of my files and passwords on my local system (redundantly backed up of course).

    Reply
    • Needless to say, I disagree. Strongly. EVEN IF someone were to hack into LastPass’s servers and get the data stored there (which has never happened) all they would get is strongly encrypted noise. There is simply no practical way that a hacker would gain access to the contents of my vault. Period.

      OF COURSE services go away without notice. Or sometimes they just go down for a bit. While I would bet money on the former never happening for LastPass, I know that the latter has happened. That’s why a) LastPass works without an internet connection at all — your vault is still accessible, and b) I so strongly recommend backing up the contents of your vault — be it LastPass or any other — in a differently-secure method. (Meaning plain text contents, then secured some other way.)

      This fear is preventing people from using long and strong passwords, and using different passwords on every site. It’s these two things that – when not done – put people at far greater risk than using a well known vault like LastPass.

      Reply
  32. hi, i read your comments on password managers and was concerned about my using password safe which is almost like keypass. so i wrote a note to them at their site. i got a return reply as follows:
    pwsafe.org

    Sun, Feb 24, 2:11 PM (2 days ago)

    to {removed}@gmail.com
    Hi John,

    Not quite:

    1. Some password managers keep unencrypted password in memory longer than strictly necessary.
    2. One can argue if this makes the password manager “unsafe”, since if an attacker can get to the memory of your PC, it’s effectively “game over” anyway (given that level of access, there are easier ways to access your protected passwords)
    3. PasswordSafe was *not* among the password managers reviewed in the article.
    4. PasswordSafe *does* encrypt the passwords in memory, so it probably would have passed the review in the article.

    Cheers,

    Rony

    On Sun, Feb 24, 2019 at 8:55 PM wrote:

    john clas ({removed}@gmail.com) writes:
    hi, i just read that password safe and other password managers are unsafe due to unencrypted passwords in memory. is this correct? long time user.

    Reply
  33. MSN **isn’t** a web browser. It’s a web portal, i.e. a web page linking to multiple other pages and websites.

    Browsers are Internet Explorer (shouldn’t be using these days, however), Opera, Firefox, Chrome, Waterfox, Brave browser, Vivaldi et al.

    Reply
  34. My biggest concern with RoboForm is that at the time I left it they had no export function — you were LOCKED in to using it, or you had to start over from scratch with a new tool should you ever want to change. It also means there’s no backup solution that doesn’t also involve RoboForm itself. I’d love to hear that’s changed.

    Reply
  35. Thanks Leo for another well written article. In the not-too-distant past, every time I would read one of your online articles like this one, you would always display a large ad for Last Pass. After looking at those ads for a long time, I finally subscribed to Last Pass Premium. I’ve been a very satisfied user ever since.

    Not long after I subscribed you QUIT advertising for them, and I wondered if you no longer supported them because of something negative. Knowing so very little about computers, I get much of my computer information from you.

    So I was so glad to read this post from you today, even if you originally posted it in 2012.

    Reply
  36. Hi Leo,
    I’m now a former LastPass user after some changes were made to the way the browser extension handled logging in. The option to remember the master password was removed after an update. My wife and I both use Yubikeys, and, because of physical limitations, my wife would have the username and master password pre-filled when logging into LastPass then authenticating with her Yubikey to get into her vault, rather than struggling to type her master password. Even LastPass tech support didn’t realize the change had been made. After working with them showing what had happened and that it affected all browsers (Chrome, Edge, Firefox, Opera and Vivaldi), I found out that the feature was not going to be brought back.
    I started looking at alternative password managers and decided to check out Bitwarden. Bitwarden has most, if not all, of the same features as LastPass, although it isn’t quite as user friendly. Bitwarden is free to use for up to two users. The free version is available to use on multiple devices, Android and PC, unlike LastPass. To enable use of advanced 2FA, emergency access and other features, the fees are $10 for an individual and $40 for up to 6 users, less than LastPass.
    Bitwarden allows for both import and export of data. Users can also share passwords. Setting up Bitwarden will take some time, as the user has to set up an organization and then set up individual and shared vaults.
    Two features of Bitwarden sold me. First, the browser extensions, desktop app, and Android app can be linked to Windows Hello. I went passwordless on my Microsoft account and I can log into Bitwarden using my Microsoft PIN. Accessing my vault in a web browser still requires logging in with username, master password, and in my case, my Yubikey. This feature is a big bonus for my wife.
    Second, on my Android phone, Bitwarden will fill in logins on other apps. And it is easier to set up on the phone than Lastpass was.
    I think Bitwarden is a good alternative to LastPass, especially for those on a budget.

    Reply
    • Whenever LastPass changes something, like their pricing structure some time ago, I hear of a lot of alternatives being suggested. Bitwarden is probably the one I hear most often. Glad to hear it’s working well for you.

      Reply
  37. In addition to the website password management, I am using the secure notes feature of LastPass as a gateway to my estate plan and all financial accounts. The Emergency Contact is my executor and access is currently delayed by 48 hours. Everything seems to be set up OK, but I wonder if it would really work. Is there some way to test this feature without actually turning over the keys to the kingdom? It seems like something worth checking periodically in case something in the program changes.

    Reply
  38. I’ve been using the free version of Lastpass several years now. I like the program but am frustrated often because when I try to log into an account it just sits there and doesn’t fill in anything. I’m thinking of going Premium to see if that will remedy the problem.
    I have gone into the Knowledge base and was able to get my bank account to fill in but many others still do not work. Any suggestions? Thanks.

    Reply
    • Premium shouldn’t help.

      This is a problem that all password vaults have. Some websites are coded to prevent password vaults from working, and some are coded in obscure ways that password vaults can’t auto fill.

      If you right click on the little LastPass icon in the password or username field, in that menu, or in a sub-menu, will be options to copy the username or password to the clipboard. Do that and then paste in the corresponding field. Lastpass will clear it from the clipboard in something like 30 seconds.

      Reply
      • If you have a clipboard manager enabled and you copy a password, you should delete the password from the clipboard manager after pasting the password.

        If you are using the Windows built-in clipboard manager:
        Press the Windows Key + V.
        Click the ellipsis (3 dots) on the upper right of any clipboard item you want to delete.
        Select “Delete” to remove that item or “Clear all” option to permanently remove all from your clipboard history.

        Reply
        • LastPass does empty the simple clipboard after 30 seconds. I also use “Clipboard Help+Spell” which would need to be cleared separately as you suggest. Fortunately it’s local only (not a share-across-machines thing).

          Reply
  39. Hi Leo,
    I have been reading your Newsletter for some years and enjoying your advice (specifically when I used to have a PC, but also now that I have completely changed over to Mac).
    On my Mac, there is a password manager which does all the things that LastPass does (in relation to password storage only – ie: prompting and autofilling, etc…. aside from the other stuff that LastPass can provide).
    The technicians at Apple have reassured me that the Mac password manager is sufficient (I’m assuming that passwords are encrypted like the LastPass strategy). However, I continue to be impressed by your advice re LastPass (which I believe is available to Mac-users).
    Would you agree with the advice Apple have given me in relation to suggesting and storing complex passwords on Mac?

    Reply
    • It depends on which password manager they’re referring to. I can think of a couple. But the bottom line is that if it works for you, I’m confident in Apple’s solution.

      The BIG thing that makes it a non-starter for me is that I want my passwords to be available on all my devices, including non-Mac devices. LastPass works on all the devices I use – PC, Mac, Linux, Android, and now an iPad as well.

      Reply
  40. I just came up on the fact that lastpass only works for web based products. I use an app for my email called emClient. I called the support people about this and they told me what was going on. I’m a tad disappointed that in everything I read never indicated apps wouldn’t work.

    Am I missing something?

    Reply
    • Not at all. This is true for all password vaults — they’re primarily about signing in to websites (and in some cases mobile apps).

      But they still “work” for other programs. Simply copy/paste your credentials out of the vault manually as you need them. I do this all the time.

      Reply
      • Thank you for your patience with me, Leo and Mark.

        I already thought the cut/paste thing was the way to go. So far that is the first app that has thrown me a monkey wrench. Looking over my old list of passwords (don’t ask the number I have) it appears to be the only one like that.

        One or two other apps I have have migrated over to web based apps.

        Reply
