I'm guessing it would not be hard to automate this, meaning that passwords can be pulled easily from LastPass just like other password storage, contradicting what "Bob from LastPass" seems to be claiming. This is with two-factor authentication and with the "require master-password to show/copy password"-option enabled. Using LastPass with the Chrome plugin I was able to pull a password by navigating to a login page, filling in the password and entering the following in the console (press F12).

I could name a website with 11 million users that stores passwords unencrypted in their database.

Finally, LastPass offers features like one time passwords for accessing your passwords in untrustworthy locations, which keeps your account secure from even the most advanced keyloggers.

This is useful because you have no idea whether sites you are on are encrypting your password, or salting it. Cracking any "sub password" yields no extra information to an attacker. So whereas before every single site you were on was a potential entry point to all other sites you were on, now only your LastPass account is. However, you could have a ridiculously strong master password - who cares if you have to type a 100 character password if you only do it once a day? And because it saves your "sub passwords", you can have them a lot stronger than you normally might.

Another advantage is that most people won't have different passwords for every website (or will have a pattern), and LastPass lets you ditch this. Yes, it is true that it provides a "single point of failure" unless Grid is used. Even when using the web interface, your passwords are encrypted locally before being transmitted. What makes it secure is simply that they cannot tell anyone what your passwords are, even with a gun to their head.