LastPass recommends that you stay logged in at all times, provided that no
one in the house has access to your computer. I feel that this policy gives an
internet hacker easy access to your password vault. Do you agree? I asked the
LastPass people this question and their answer made me think that they didn’t
understand the question.
In this excerpt from
Answercast #63, I look at the safety of keeping your computer logged into
Logged into LastPass
So, the short answer is no, I don’t agree or I should say that I don’t agree
I, for example, am logged into LastPass the whole day. And in fact, depending
on how I shut down (or don’t shut down) my computer, I may be logged into
LastPass constantly for multiple days at a time.
Protecting your passwords
Why is this not a risk? Well, the concern that you mentioned is hackers on
the internet: giving them easy access to what’s in LastPass. Guess what? If
hackers can get to your computer, you have bigger problems than LastPass.
I have a firewall in place; I have anti-malware software in place; I have
common sense; I know what to click on and what not to click on. It’s these
things that are protecting me. Not the fact that I’m not logged into
My strong recommendation is that you use LastPass however you feel the most
comfortable using it. But I really don’t consider being logged in for long
periods of time as an issue – except, as the LastPass people have suggested, if
other people can walk up to your computer and start doing something with it.
Those are the kinds of scenarios where yes, you really want to log out of
The fact is there are probably a number of things you want to do
automatically if that kind of thing could happen.
The most common one, the easiest one, and the one I strongly recommend for
people in that situation, is to set up a screen saver with a short timeout, so
that it kicks in after five or 10 minutes, and to have that screen saver
require a password before it goes away. What that means is that nobody (while
that screen saver is running) can just walk up to your machine and start using
it.
That is a level of security that I recommend. With tools like TrueCrypt and
LastPass, I believe you can specify a timeout, so that they will say, “I’ll
remember that you’re logged in, but I’ll only do it for maybe 30 minutes or
maybe 60 minutes.”
Again, if people can walk up to your computer and actually touch and deal
with your computer while you’re not around, those are absolutely things to be
aware of. But if you’re in a secure situation like I am here (I’m at home; it’s
myself and my wife and that’s fine), then leaving it logged into LastPass really
doesn’t add much of a security issue.
Worried about hackers
If you really are worried about hackers coming in through the internet,
you’re worried about something much larger than LastPass; you’re worried about
the fundamental security of your PC. That means you really want to have the
fundamentals in place:
The anti-malware stuff
Knowing what to click and what not to click on
Not falling for phishing attempts
All that kind of stuff that protects your machine inherently protects
LastPass as well.