Is it safe to stay logged in to LastPass?

LastPass recommends that you stay logged in at all times, provided that no
one in the house has access to your computer. I feel that this policy gives an
internet hacker easy access your password vault. Do you agree? I ask the
LastPass people this question and their answer makes me think that they didn’t
understand the question.

In this excerpt from
Answercast #63, I look at the safety of keeping your computer logged into
LastPass.

Become a Patron of Ask Leo! and go ad-free!

Logged into LastPass

So, the short answer is no, I don’t agree or I should say that I don’t agree
with you.

I, for example, am logged into LastPass the whole day. And in fact, depending
on how I shut down (or don’t shut down) my computer, I may be logged into
LastPass constantly for multiple days at a time.

Protecting your passwords

Why is this not a risk? Well, the concern that you mentioned is hackers on
the internet: giving them easy access to what’s in LastPass. Guess what? if
hackers can get to your computer, you have bigger problems than LastPass.

I have a firewall in place; I have anti-malware software in place; I have
common sense; I know what to click on and what not to click on. It’s these
things that are protecting me. Not the fact that I’m not logged into
LastPass.

In-home protection

My strong recommendation is that you use LastPass however you feel the most
comfortable using it. But I really don’t consider being logged in for long
periods of time as an issue – except, as the LastPass people have suggested, if
other people can walk up to your computer and start doing something with it.
Those are the kinds of scenarios where yes, you really want to log out of
LastPass automatically.

The fact is there are probably a number of things you want to do
automatically if that kind of thing could happen.

The most common one, the easiest one that I strongly recommend for people in
that situation is to fire up a screen saver that has a short duration (a short
time out) so that screen saver kicks in, in like five or 10 minutes – and that
screen saver requires that you specify a password in order to go away. What
that means is that nobody (while that screen saver is running) can just walk up
to your machine and start using it.

That is a level security that I recommend. With tools like True Crypt, with
tools like LastPass, I believe you can specify a time out or they will say,
“I’ll remember that you’re logged in, but I’ll only do it for maybe 30 minutes
or maybe 60 minutes.”

Again, if people can walk up to your computer and actually touch and deal
with your computer while you’re not around, those are things absolutely to be
aware of. But if you’re in secure situation like I am here (I’m at home; it’s
myself and my wife and that’s fine), then leaving it logged into LastPass really
doesn’t add that high of a level of security issue.

Worried about hackers

If you really are worried about hackers coming in through the internet,
you’re worried about something much larger than LastPass; you’re worried about
the fundamental security of your PC. That means you really want to have the
fundamentals in place:

The firewall
The anti-malware stuff
Knowing what to click and what not to click on
Not falling for phishing attempts

All that kind of stuff that protects your machine inherently protects
LastPass as well.

Next from Answercast #63 – How do I transfer my documents and programs from my old Windows XP machine to Windows XP mode on my new machine?

3 comments on “Is it safe to stay logged in to LastPass?”

Steve Gledhill (PC Resolver)

October 22, 2012 at 1:04 am

I’m the same as Leo – I have LastPass logged in for days and don’t worry.
Instead of having my screensaver on a short fuse I simply use the Windows Key and ‘L’ to quickly go to the Windows Login screen. I always do this when I leave the house in case I have an uninvited guest whilst I’m away.
Kevin

October 23, 2012 at 10:50 am

Hi Leo
Maybe not such a popular one this, but totally agree with ya.
I as an OAP living alone often use “Remember Password” left on even though not in house temporarily.
Reason is that so many of my sites that require passwords are really of no consequence to me. An example would be my Golf Handicap.Would I really care if a burglar found it as it is nearly public knowledge anyway these days.
As a result of this I regularly leave “Remember Password” turned on.
This of course does not apply to “Secure Notes” or to 3 other sites at the moment. To access these the password must be entered.
All really sensitive data as I see it is secured by True Crypt.
When away from home all criteria change. Dual Authentication etc come into play and of course am much more careful.
Regards.
Texas Mike

October 24, 2012 at 6:13 am

By that logic, then simply using Windows’ password storage would be just as adequate. If there is no one to have physical access to your computer, if you have a hardware firewall, and adequate anti-malware protection, as well as knowing what to avoid being suckered into, then your computer is pretty much safe either way. In fact, I’ve done just the opposite of what the experts say. I have short passwords, and I use mostly the same few for every access. And in all these years, I’ve had NO issues with it. As Leo says, I’m just not that interesting.