Comments

  1. Lester

    Good post. I’ve used both Roboform and Last Pass. I don’t really care for either because of the way they required me to change my personal habits. But the biggest thing I had against Last Pass was that so often it had connection errors and kept telling me something was wrong with my internet connection when everything seemed to be running fine.

    I’ve never had that problem – so much so that I wasn’t even aware that it would complain about the network.

    Leo
    28-Aug-2012
  2. Andy

    Leo, excellent article as usual, and I am seriously considering using LastPass. I just have one question: if I use two-factor authentication and get my phone stolen, what happens then?
    Maybe a daft question, but it has happened to me before, and it was traumatic enough just dealing with the lost contact details etc.!

    When you set up two-factor authentication, LastPass generates for you a set of one-time passwords. As the name implies each can only be used once. You save those in a safe & secure location in case you ever need them. Lose your phone and you then use a one-time password to login to LastPass on the web, and turn off two-factor authentication until you’ve replaced your phone.

    Leo
    28-Aug-2012
  3. Kevin

    Hi. Another very good article. I have used LastPass for some time now and find it very good.
    However, I have a little question!!!
    It works for me perfectly on all Windows apps. But how about all the other programs that also require a password?? I'll name just one, which is Skype!!! As a granddad with family around the globe this is very important to me, and LastPass does not save the password (at least not the free version). At the moment Skype and other passwords I just save in Secure Notes, so I suppose no real problem.
    Even so, I would like your opinion on the matter.
    Ta in advance

    LastPass (and other password vaults) are designed primarily for websites. I’m not aware of a utility that handles arbitrary programs asking for login credentials.

    Leo
    28-Aug-2012
  4. Michael

    The trouble with Google two factor authentication is it assumes we all have mobile phones. I don’t leave my home very often, there is no mobile signal where I live, and although I do still have a mobile at the moment the day may come when I ditch it. A landline phone doesn’t seem to be acceptable to Google.

    The Google two-factor application does NOT require connectivity. LastPass also supports alternate forms of two-factor as well, including a program you can simply run from your own USB stick.

    Leo
    28-Aug-2012
  5. Carl

    Is there a provision that allows you to access your passwords if you are using a public or friend's computer? Thanks

    You can access your vault via a web page, but I would not trust someone else’s computer in general – whether you’re using LastPass or not. There’s simply too much risk.

    Leo
    28-Aug-2012
  6. AlizzA

    About the problem you mentioned (re-visiting a site and it does not fill), I realized that the first time we save a site in LastPass, it may save the googly garbagy loooong link (like https://mega.utor.com/ghdt/hdhdyhsgs_hddybdgddyy?jhdudhduhdloging.aspxhdjkhd8373664883) and then when we re-visit the site, that is not the link we visit again!!
    When I save a site in LastPass I always delete all those extras from the link (and even the S from https://) and make the link as simple as possible (like http://mega.utor.com/ or http://utor.com/); then it covers all subsidiary links and subdomains that site may produce when I visit every time.

    • Fugitive_Bill

      Paul,

      I do that too.
      I created a text file (called “Projects-To-Do”, which is better than ‘Here-are-all-my-passwords-and-bank-account-information’) which in fact contains all my passwords for various forums, shopping sites, bank accounts etc. etc.
      That is then kept on at least two flash drives.
      When logging on to sensitive sites such as a bank, I use that text file and copy/paste the information into the fields; that way there is no way any keyboard loggers know what I typed.

      – B!LL!

      • Fugitive_Bill

        I stand corrected on the copy/paste thing as noted by LEO in the post below, however I only ever use my OWN computers (at home), never use computers at Internet Cafes or use my laptop/tablet at Wi-Fi’s such as McDonalds for important things like banking.
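The URL trimming AlizzA describes, written out as an added example in Node.js (this is not LastPass's matching code): the saved URL is reduced to scheme and hostname, and visits are matched against that, optionally across subdomains of the same base domain. One point differs from the comment on purpose: the scheme is kept rather than dropped, so an entry saved for an https login is never offered on a plain-http page where the credential would travel unencrypted. The base-domain rule is a simplification that ignores multi-part public suffixes such as .co.uk.

```javascript
// Constructed sample: the long, session-specific URL the site redirected to when the login was saved.
const SAVED_LOGIN_URL =
  'https://mega.utor.com/ghdt/hdhdyhsgs_hddybdgddyy?jhdudhduhdloging.aspxhdjkhd8373664883';

// Reduce a URL to the two parts that identify the site: scheme and hostname.
// Path, query string and fragment change from visit to visit and are dropped.
function siteKey(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol.replace(':', ''), host: u.hostname.toLowerCase() };
}

// Base-domain guess: keep the last two labels ("utor.com" from "mega.utor.com").
// Assumption for this example: no multi-part public suffixes (".co.uk") are handled.
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Should the saved entry be offered on the page being visited?
//   scope 'host'   -> exact hostname only
//   scope 'domain' -> any host under the saved entry's base domain
// The scheme check is deliberate: an entry saved on https is not filled on plain http.
function matches(savedUrl, visitedUrl, scope = 'domain') {
  const saved = siteKey(savedUrl);
  const visited = siteKey(visitedUrl);
  if (saved.scheme === 'https' && visited.scheme !== 'https') return false;
  if (scope === 'host') return saved.host === visited.host;
  return baseDomain(saved.host) === baseDomain(visited.host);
}
```

With `scope = 'domain'` the saved entry matches `https://www.utor.com/account` as well as the original host, but not `https://utor.com.evil.example/`, whose base domain is different; with `scope = 'host'` only `mega.utor.com` matches.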

  7. Bradley

    Hi Leo,

    I signed up for LastPass a few days ago based on recommendations I read from you and on Lifehacker, and I really think it’s great.

    I have a question that I can’t resolve on my own: If I’m on somebody else’s (or a public) computer, how do you advise accessing my passwords for things like email, since I don’t have them memorized anymore? Is it risky to log in to LastPass (using their onscreen keyboard to avoid keyloggers) and use the online vault to access my passwords? I assume I’d have to do a copy/paste of my email password and then overwrite the clipboard afterward. Any thoughts?

    Thanks for a really excellent website!

    Brad

    If you’re at a computer you can’t trust then you shouldn’t be logging in to your email at all regardless of whether you’re using LastPass or not. Your email password could be captured by several different means. Copy/paste does nothing to thwart keyloggers since in reality there are “activity” loggers which can easily capture what comes and goes in the clipboard.

    Leo
    31-Aug-2012
  8. Tony Martin

    I have been using LastPass for about 6 months and really like it. I used to use Password Safe before. The only problem I’ve had is when a web site wants me to change my password. LastPass will generate a new one, but since I don’t see the passwords I am not sure which is the new password and which the old. I end up having to call the site to reset my password because I can’t get it.

    You can simply view your vault in your browser. You can see what the password is that’s been saved for that site, or if you have LastPass generate a password for you, “Generated password for…” entries will also appear in your vault.

    Leo
    31-Aug-2012
  9. Ian Finlayson

    I got Lastpass after you recommended it ages ago. Most of my friends now use it. Those that don’t usually have to get their mother to tie their shoelaces. I can’t understand anyone not using it. Great for travelling. I have over 80 passwords and get Lastpass to generate passwords for me usually a mix of characters generally 18 to 20 in length. Keep up the good work Leo.

  10. nick

    Read the article, read the security article on SpinRite’s site, and downloaded it.
    It SEEMS very neat.
    HOWEVER, could you PLEASE address this problem – on EXPORT to a CSV file, I CANNOT export the custom form fields that I create or that LastPass creates.
    To me, this is the biggest bummer there is.
    EXPORT exports the first page of data for a LIST item, but does NOT EXPORT the 2nd page of a list entry, the custom form fields.

    Can you or other users address this, and provide feedback?

    thanks

    I don’t have an answer for this. I’d recommend submitting this as an issue to LastPass directly.

    Leo
    31-Aug-2012
  11. nick

    Downloaded it, and trying it.
    (I posted a comment last evening, but not sure if it got lost; not showing up.)
    ONE BIG DEFICIENCY – inability to export custom fields.
    If you create a site and fill in just the normal site field values, those can be exported to a CSV file.

    BUT, if you capture a site and it creates custom fields, those values or fields are NOT exported to CSV, AND they are NOT exported to even the encrypted file that LastPass Pocket uses.

    So, you are captive to using the browser format, and if for whatever reason they go defunct or you don’t like that program and decide to change, you can’t get custom data out of the database.

    I LIKE the design of the program, but I HATE it (and hate OTHER programs) when you can’t do a simple export of all the data within the database.

    Any other feedback from others, if I’m doing something wrong and not understanding how to export (spent 8 hours on the machine last evening researching this: forums, Google search, etc.), please let me know.

    thanks
    nick

  12. ThomasGC

    I have several Twitter accounts and found that LastPass would not always populate the login fields.

    After reviewing the LastPass records in my vault, I found that changing the URL protocol from https to http fixed the problem.

    I still have a few sites that won’t auto-fill (e.g. Magnatune), and have to resort to copy and paste via the LastPass drop-down.

  13. Ken Ormson

    I have used LastPass for a few years now and find it very useful.

    It struggles with my UK bank websites, which all require multi-level logins. They need an identifier and password on a first screen, then 2 random dropdown digits from a 4-digit PIN, then a random piece of personal information from a range of 6 items. LastPass can cope with the first screen, not a chance for the second and a bit of a fiddle for the third data.

    I have just bought an Android smartphone and tried LastPass on that. It is not integrated into the browser, but comes as a separate app. That cannot cope with the above scenario.

    So, in summary, LastPass is great when it works, but is not a solution to all approaches to my bank websites. So I have to use passwords that I can remember myself – a great pity.

    Leo, you did not mention that LastPass also stores its database locally, so that it can be used offline to access any other information you may have stored there – e.g. telephone banking passwords.

  14. Z Berkeley

    If it’s ‘on your machine’, then what happens if you get a new computer, or if your current machine fails/is stolen etc? Can you access LastPass from a cloud off the web?

  15. David Johnson

    Leo;
    Thanks for the fine work you share.
    Could you give some of your thoughts on Password Safe?
    Again thanks.
    David

  16. Mark Jacobs

    @Z Berkeley
    Yes, LastPass stores a copy of your passwords on their servers (the Cloud). Because of that I can use it to sync my passwords on all of my computers and my smart phone.

  17. John.P

    I tried LastPass and liked it enough to pay for the Premium upgrade. While I agree there are some limitations, I wouldn’t be without it now.
    Also, Leo, you referenced Steve Gibson in your column. That episode was what led me to try the program. I actually subscribe to Security Now and find it an equally good source of info like yours, Leo.
    If you haven’t already seen it, I highly recommend you get episode #366, The Death of Clever.
    He talks about passwords and hackers; I found this episode quite alarming!

  18. Alfredo F. Martel

    I have been using Norton 360 for years which does about the same thing (for passwords) as Last Pass. Or not?

  19. Scott

    Hi, Leo

    I wanted to ask a follow-up question of sorts to an answer you gave another commenter re: two-step authentication with LP. My question is not about that but about one-time passwords that you referred to….

    Isn’t there a sense in which OTPs can somewhat defeat the purpose? I mean, for my email accounts — and certainly for my LP account — I want to have good, long passwords so that the accounts will not be compromised by guessing or hacking my password. As it is, my LP account should be fairly secure with the long password I have for it, since any would-be hacker must guess or crack the ONE valid password I have out of however many millions/billions of possible combinations.

    But if at any time I enable the use of OTPs (for LP or any of my email accounts), doesn’t that in a way give the hackers a larger bull’s-eye? If I’ve got a list of 50-100 OTPs, that might, indeed, make it easier for ME to login once-and-only-once at a library computer or somewhere. But as long as those OTPs are valid, it’s also providing more targets for hackers, no?

    So, in general, and specifically for the security of a password manager, would you say it’s wise to keep one’s list of valid OTPs way down, like at least in the single digits?

    Or am I misunderstanding something about OTPs in all this security business?

    Thanks! :-)

  20. Mark Jacobs

    @Scott
    The one-time passwords usually work in conjunction with a normal password. It is a form of 2-factor authentication. Factor 1 is your user password. Factor 2 is the one-time password, which can be on a list, sent to your phone or generated by a one-time password calculator. In most cases, your user password can be as long as you want it to be. 2-factor authentication.

  21. Ken

    I had an issue with a banking login site one time, and I e-mailed Lastpass about it. I was answered pronto, that it would be fixed with the next update, and it was. Great service for free.

  22. Larry

    Thanks for the article and link to the Steve Gibson podcast. I’m sold on the security regarding LastPass not being able to decrypt my passwords and the 2 factor auth. But, how about the database file of passwords that’s created and stored locally on my PC? If my PC is stolen or if there’s malware, how easily can a good hacker break into my LastPass database file on my hard drive?

  23. Ken

    Disappointed that my browser (MSN) does not interest LastPass – no offers to save passwords from it when I sign into sites. Hope I can consolidate my passwords on there manually… Happy sabbatical!

  24. Lawrence

    Quick question regarding password strength. In the article you refer to the xkcd site, which suggests an 11 character randomly generated password (such as LastPass might generate for a website) was weaker than the four word phrase using common words. Based on that, should we not use the LastPass auto generator for passwords and instead create our own pass phrases, or are we OK so long as we set “minimum characters” to 12 (or more) and let it auto generate?

    There’s no absolute answer here. Longer is better, in general. 12 is what I would consider a minimum these days. Using words allows you to make an easier to remember long password, but with proper settings random password generators can be good. I do indeed use LastPass’s myself if it’s not a password I’ll ever need to remember. Length = 12 for me.

    Leo
    18-Apr-2013

  25. Scott Jackson

    Hi, Leo – truly appreciated your article reviewing LastPass; had a couple of questions: (1) Does LastPass work with Internet Explorer in its “InPrivate Browsing” mode? (asking about this because, in my experience, Norton Security Suite / Norton 360 doesn’t and neither does Comcast/Xfinity Constant Guard); and (2) Does the “Multifactor Authentication” available with LastPass Premium work with an older plain vanilla cellphone that can receive SMS and Text messages, or does it require the more sophisticated ‘Smart’ phones with either Android or Apple op. systems?

    • Mark Jacobs

      I’ve tried to use LastPass with InPrivateBrowsing in IE and it doesn’t seem to work.
      The second part of your question is unclear. You should be able to use any cell phone to receive the text message containing the one time password, but you can’t use LastPass on that phone as it is incapable of accessing the Internet.

      • Scott Jackson

        Mark, thanks for the clarification on my 2nd question; I may opt to use the multifactor authentication with my old tech cellphone for some of my banking and investment websites. Incidentally, a number of these sites have already employed a type of two-factor authentication whenever I try to access them with a computer they did not recognize (where I can usually opt to have a Text message sent to my cellphone with a 5 digit ‘code’ or an email with same or, in some cases, to receive a phone call which probably would have a pre-recorded message with the code to use). It’s interesting, though, when this happens repeatedly with some of those websites, because I’ve cleared my Cookies… and, apparently, in not finding the expected cookie, the bank’s website assumed I was trying to gain access with a new or different computer.

    • Not sure about IE (see Mark’s comments about not getting it to work there, though), but I use it in Chrome’s equivalent Incognito all the time.

      Lastpass’s two-factor options are here: https://helpdesk.lastpass.com/security-options/multifactor-authentication-options/ – I’m not seeing straight text-messaging as an option, which implies smartphone – or some other kind of device – may be needed. There are hints of SMS support through other applications but I haven’t been able to nail it down in a quick search.

  26. Tony2

    Am I correct in understanding that as long as my computer is on and I’ve logged into LastPass with my master password, any site I visit will be auto logged in without any further intervention from me?

    On my main laptop I have all my browsers set NOT to remember anything, which means that on every site I visit I MUST enter a password to get in. It appears to me that anyone else going to my computer could get into my sites simply because LastPass will auto fill my user name and password without any further prompting.

    Is there a way to set LastPass to ask for the master password for every site I visit? Or do I need to resolve that by signing out of LastPass every time I move away from the computer?

    • Mark Jacobs

      You can easily set LastPass to require the LastPass master password every time you want to log on to a website. This can be done on a website by website basis. For example, I have LastPass ask me for my master password for my bank and other financial logons.

    • Last pass can be configured to auto-login on a site-by-site basis – or not. It can also be configured to request the master password on a site-by-site basis – or not.

      • Tony2

        Thanks to both of you. I see you’ve now addressed this in your newest article dated April 4th published in newsletter of April 8th. My password list is getting longer and I need to stop using my Excel sheet with semi-coded passwords, but I know you’ve said “If your computer is not physically secure, it’s not secure”, so I don’t want to make it easier for anyone who tries to exploit an insecure moment.

        • Mark Jacobs

          If you are in a situation where someone might be able to use your open LastPass to log into your websites, you can also set LastPass to require the master password for all of your logins. It’s more work as you have to type in the password for every login, but it’s the same master password every time, so you get quite quick at typing it in each time.

  27. Tony2

    On one of my computers I can’t get LastPass to work on Chrome. It says:

    inline install failed: Line 1, Column 1, Unexpected token.

    The extensions installed okay on Firefox and IE. How can I fix this?

  28. Karena

    I use KeePass (http://keepass.info) – free, open-source, also supports 2-factor authentication, and you can get it for your mobile device. There are two versions – one you can install, and a portable one (my preference). I couldn’t even begin to go over all the features – I’ve never used LastPass though I’ve heard good things about it, too – you probably wouldn’t really go wrong with either one, but I couldn’t recommend more highly that a person consider KeePass. (And no, I’m not affiliated in any way – I just love it and recommend it to everyone I can.)

  29. sam bruskin

    Yes, I have lost my mpw; however, LP auto-logs in, so it does have the correct mpw. Is there then a way I could view it? When I use a second browser, LP wants the mpw and does not auto login. That is also true when I go to the Chromebook. And when I think I have got it right and get “invalid pw”, I don’t know which is invalid, the site, or LP’s master.
    Am I just stuck and need the drastic reset? Thanks always.

    • If you lose your LastPass Master Password (I assume that’s what you mean by mpw) then there is no way to recover it. You’ll need to start over. This is documented on the LastPass site, and is a side-effect of their security measures – even they don’t know your password.

  30. Mark Jacobs

    You can go to LastPass.com and click “Sign in”, then click “Click here if you forgot your password”. Enter the email address you use to log into LastPass and click “Email hint”. The password hint you entered when you set up LastPass will be mailed to you. This might jog your memory. If that doesn’t work, right underneath the Email hint there is a link “* Note: if your hint doesn’t help you, you still may be able to use Account Recovery”. Try clicking on the Account Recovery link and further instructions will be sent to your email address. I’ve never tried this, but I imagine it should work in most cases.

  31. Roy

    What prevents someone accessing your computer from being logged into your sites automatically by LastPass?
    I think I will encrypt my password list and keep it on a USB stick so that it isn’t on my computer.

    • Roy

      Same issue with Dashlane. Guess all password managers have the same shortcoming. So will go with Boxcryptor for file based encryption.

    • Mark Jacobs

      LastPass encrypts your passwords with the master password you use to log on to LastPass with. LastPass only has the encrypted version of the password file. It is only decrypted by your computer, never on the server. Your method is, of course, safer, but I personally trust the LastPass encryption model. The cost of cracking a strong password is much more than the yield they would get hacking small fish like most of us, as they would have to spend several hours to crack each password.

  32. Lo van Osch

    How come I can use LastPass from several PCs, if encryption is local? If LastPass knows only my credentials after encryption, then logging on from a second PC would produce a different encrypted ‘blob’ and LastPass should not be able to authenticate that. If the encryption key used on the 2nd PC is the same, then there is no use in encrypting it at all.

    • Your data is encrypted once, and then copied to all the computers via LastPass’s servers in its encrypted form. It’s only decrypted locally when you specify the correct password.

    • Mark Jacobs

      Local encryption and decryption means that the password file is encrypted and decrypted on the local computer not in the cloud. The encrypted LastPass password file is stored on LastPass’ servers.

  33. Lo van Osch

    OK, thanks, the master password also is used for generating the encryption key. That explains it.
    Another question is exactly when the password list is decrypted on my PC and how long it stays decrypted. I hope only when a password is actually needed and not from the moment I activate LastPass in my browser add-on?
    And is it safe to let LastPass remember the master password (on browser add-on activation)?

    • I believe it decrypts only as needed, but don’t quote me on that. Whether or not it’s safe to let it remember the master password is a function of the overall security of your machine. If you feel the machine is secure, then it’s what I do. On the other hand if the machine could be compromised or stolen, then I do not (like my laptop, with which I travel).
