Lastpass is getting screwed up. As it is expanding or deteriorating ???

Status
Not open for further replies.

Futureized

. I lost my key passes on cell phone every day..
. Every time I tried to open the app, I had to authenticate every time... APPRECIATE.

Failed mostly, after sending PASSCODE..

End of Story.......
They have our PASSWORDS
 
LastPass is good, using for ages.

Use with 2FA and facial and fingerprint recognition... no need to type in passwords.

And also use LP to generate passwords... 15 chars for regular sites and 30 chars for secure like email, banking, etc. and then 2FA on top.
 
. I lost my key passes on cell phone every day..
. Every time I tried to open the app, I had to authenticate every time... APPRECIATE.

Failed mostly, after sending PASSCODE..

End of Story.......
They have our PASSWORDS
Didn't get you. On phones we can set a 4-digit code to authenticate in the app without putting in our real passwords. If you lost the code you can clear the data for the app and start again by putting in the original full credentials.

Second thing is to try to log in to LastPass via browser from a PC or laptop and it will prompt you to verify the new device by sending an authorization email. Once done you can log in from that device and as well recover your password by answering a few questions.
Not difficult.
 
why would you trust someone else with your passwords?
Eh, that's like saying 'why would you trust someone else with your money' if you have it in a bank.

It's about which is safer. A password manager is safer than keeping them in a locked text file or keeping simple, easy to remember passwords/using the same password in a lot of places.
 
Didn't get you. On phones we can set a 4-digit code to authenticate in the app without putting in our real passwords. If you lost the code you can clear the data for the app and start again by putting in the original full credentials.

Second thing is to try to log in to LastPass via browser from a PC or laptop and it will prompt you to verify the new device by sending an authorization email. Once done you can log in from that device and as well recover your password by answering a few questions.
Not difficult.
I know these m8.
Talking real stuff..

Lastpass is no more.
 
A password manager is exactly that, "A locked text file" in the cloud. It's only safe until someone hacks the password manager.
Isn't lastpass data encrypted? AFAIK, even lastpass does not know our master password.

From their website:
LastPass says they never receive my Master Password. Don’t I send it to the LastPass servers when I log in?

No, when you login to LastPass, two things are generated from your Master Password using our code discussed previously before anything is sent to the server: the password hash and the decryption key. This is all done locally.
  • The password hash is sent to our servers to verify you. Once verified, we send back your encrypted Vault. We are only sent your hash, not your Master Password.
  • The decryption key, which NEVER leaves your computer, is then used to decrypt your Vault once it comes back

How is my Vault encrypted?

LastPass encrypts your Vault before it goes to the server using 256-bit AES encryption. Since the Vault is already encrypted before it leaves your computer and reaches the LastPass server, not even LastPass employees can see your sensitive data!

What is a one-way salted hash?
Let's break it down.
  • A one-way function is one that cannot be reversed. To oversimplify this idea, take a look at this equation: x + y = 1. We know the result "1" but there's no way to tell what x or y is. (This is not really what a one-way function looks like, for a real example check out this article)
  • A hash is a representation of your Master Password.
  • The process of salting will add extra data to the hash--making the hash even more complicated. We use the username to salt the Master Password and then some.
We enter the Username and Master Password into one way functions to create a salted hash. Since the function is one-way, even if someone were to get a hold of the salted hash, they would not obtain the Master Password.

What are PBKDF2-SHA256 rounds?
This is used to make the salted hash (result from above) even more complicated for an attacker. It increases the number of iterations it takes in order for someone to guess the password. Put this together with the one-way salted hash and we get an equation that looks something like:

hash(master password + username)^iterations = password hash

*This is a very oversimplified version. We actually end up hashing the password iterations multiple times during this process.
A one-way salted hash derived from a strong Master Password with a high number of iterations makes it virtually impossible for a brute force attack.
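
The client-side derivation described in the FAQ quoted above, as an added example that is not part of the thread and not LastPass's own code. The iteration count, the username normalization, the exact form of the second (login hash) step, and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac

ITERATIONS = 100_100  # assumed round count; the quoted FAQ gives no number


def derive_keys(username: str, master_password: str, iterations: int = ITERATIONS):
    """Return (decryption_key, login_hash), both computed locally.

    decryption_key: PBKDF2-SHA256 of the master password, salted with the
                    username. It never leaves the client.
    login_hash:     one further one-way step over the key. This is the only
                    value sent to the server.
    """
    salt = username.strip().lower().encode()  # assumed normalization
    password = master_password.encode()
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    login_hash = hashlib.pbkdf2_hmac("sha256", key, password, 1, dklen=32)
    return key, login_hash


def server_verify(stored_hash: bytes, presented_hash: bytes) -> bool:
    """Server side: compare hashes in constant time. The server holds no key."""
    return hmac.compare_digest(stored_hash, presented_hash)


def demo() -> dict:
    # Constructed sample accounts sharing one master password.
    password = "correct horse battery staple"
    key_a, hash_a = derive_keys("alice@example.test", password)
    key_b, hash_b = derive_keys("bob@example.test", password)
    _, wrong = derive_keys("alice@example.test", "a wrong guess")
    return {
        # The value the server stores is not the vault decryption key.
        "hash_differs_from_key": hash_a != key_a,
        # Same password, different salt: a table precomputed for one
        # account does not match the other.
        "salt_separates_users": hash_a != hash_b and key_a != key_b,
        "correct_login": server_verify(hash_a, hash_a),
        "wrong_password_rejected": not server_verify(hash_a, wrong),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Each guess at the master password costs the full `ITERATIONS` rounds, so raising the round count scales the work of an offline guessing attempt against a stored hash or vault.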
 
Don't mind but that's weird having 360 passwords. Also, are all different?

For me Google does the job it saves all passwords and I hope it's secured.
 
Don't mind but that's weird having 360 passwords. Also, are all different?
:P I know. I'm not going to go into the details, but at least 70 to 80 of them are important and unique (used lastpass password generator). The rest, I really don't care about. But still, remembering even 20 odd complex passwords is gonna be near impossible. With age, I guess it would be even more difficult.
 
Isn't lastpass data encrypted? AFAIK, even lastpass does not know our master password.
Have you heard about rainbow tables? https://en.wikipedia.org/wiki/Rainbow_table

Also, do you know that the recent Spectre vulnerability does not have any fix yet.

Also, what is the guarantee that one fine day someone DDoSes the Lastpass and you are locked out of all of your accounts. Or Lastpass issues a new change of policy and you have to bend over?
 
^^ Non-techie guy here. So, most of what I had quoted in my earlier post itself is way above my head. ;)

BTW, I see many "what if" questions. But no answers. As I questioned earlier, how do you remember 20+ complex passwords.
 
I am using Lastpass for two years, works great! In mobile it authenticates via fingerprint and in my computer I have to type my lastpass password once and it's done. It also doesn't let you log in from new devices or computers unless you authenticate with the email that will be sent to you in case of a new PC or mobile device. It's one of the best out there.
OP can go to account settings and authenticate the device/computer name from the settings to avoid repeated authentication.
 
Using LastPass since 9yrs, no issues whatsoever. Have over 400 sites saved. The only care we need to take is to activate 2 step authentication wherein if somebody tries to use your credentials you will be intimated via email to authorize that very device or login method and unless you do so the person knowing your credentials can't do anything.
Also keep a very complex password, especially a phrase comprising a mix of characters with loooong strings.
There's + & - for everything and it totally depends on how you yourselves secure and use it.
 