LastPass recommends that you stay logged in at all times, provided that no
one in the house has access to your computer. I feel that this policy gives an
internet hacker easy access to your password vault. Do you agree? I ask the
LastPass people this question and their answer makes me think that they didn't
understand the question.
In this excerpt from
Answercast #63, I look at the safety of keeping your computer logged into
LastPass.
Logged into LastPass
So, the short answer is no, I don't agree or I should say that I don't agree
with you.
I, for example, am logged into LastPass the whole day. And in fact, depending
on how I shut down (or don't shut down) my computer, I may be logged into
LastPass constantly for multiple days at a time.
Protecting your passwords
Why is this not a risk? Well, the concern that you mentioned is hackers on
the internet: giving them easy access to what's in LastPass. Guess what? If
hackers can get to your computer, you have bigger problems than LastPass.
I have a firewall in place; I have anti-malware software in place; I have
common sense; I know what to click on and what not to click on. It's these
things that are protecting me, not the fact that I'm not logged into
LastPass.
In-home protection
My strong recommendation is that you use LastPass however you feel the most
comfortable using it. But I really don't consider being logged in for long
periods of time as an issue – except, as the LastPass people have suggested, if
other people can walk up to your computer and start doing something with it.
Those are the kinds of scenarios where yes, you really want to log out of
LastPass automatically.
The fact is there are probably a number of things you want to do
automatically if that kind of thing could happen.
The most common one, the easiest one that I strongly recommend for people in
that situation is to fire up a screen saver that has a short duration (a short
time out) so that screen saver kicks in, in like five or 10 minutes – and that
screen saver requires that you specify a password in order to go away. What
that means is that nobody (while that screen saver is running) can just walk up
to your machine and start using it.
That is a level of security that I recommend. With tools like TrueCrypt, with
tools like LastPass, I believe you can specify a time out or they will say,
"I'll remember that you're logged in, but I'll only do it for maybe 30 minutes
or maybe 60 minutes."
Again, if people can walk up to your computer and actually touch and deal
with your computer while you're not around, those are things absolutely to be
aware of. But if you're in a secure situation like I am here (I'm at home; it's
myself and my wife and that's fine), then leaving it logged into LastPass really
doesn't add that much of a security issue.
Worried about hackers
If you really are worried about hackers coming in through the internet,
you're worried about something much larger than LastPass; you're worried about
the fundamental security of your PC. That means you really want to have the
fundamentals in place:
- The firewall
- The anti-malware stuff
- Knowing what to click and what not to click on
- Not falling for phishing attempts
All that kind of stuff that protects your machine inherently protects
LastPass as well.
I'm the same as Leo – I have LastPass logged in for days and don't worry.
Instead of having my screensaver on a short fuse I simply use the Windows Key and "L" to quickly go to the Windows Login screen. I always do this when I leave the house in case I have an uninvited guest whilst I'm away.
Hi Leo
Maybe not such a popular one this, but totally agree with ya.
I as an OAP living alone often use "Remember Password" left on even though not in house temporarily.
Reason is that so many of my sites that require passwords are really of no consequence to me. An example would be my Golf Handicap. Would I really care if a burglar found it as it is nearly public knowledge anyway these days?
As a result of this I regularly leave "Remember Password" turned on.
This of course does not apply to "Secure Notes" or to 3 other sites at the moment. To access these the password must be entered.
All really sensitive data as I see it is secured by TrueCrypt.
When away from home all criteria change. Dual Authentication etc come into play and of course am much more careful.
Regards.
By that logic, then simply using Windows' password storage would be just as adequate. If there is no one to have physical access to your computer, if you have a hardware firewall, and adequate anti-malware protection, as well as knowing what to avoid being suckered into, then your computer is pretty much safe either way. In fact, I've done just the opposite of what the experts say. I have short passwords, and I use mostly the same few for every access. And in all these years, I've had NO issues with it. As Leo says, I'm just not that interesting.