Is LastPass safe?

Status
Not open for further replies.

SirLipe

Reputable
Aug 6, 2015
124
2
4,685
I really like LastPass but I'm not sure if it's safe. I mean if someone somehow hacks into my LastPass account I'm in trouble. I did some research but I'm still not sure. What are your thoughts?

Mod Edit for Language
 
LilDog1291

Honorable
Jan 9, 2013
313
0
10,960
It is as safe as your Master Password. Since you only use one password to log in to LastPass, it had better be complex, lengthy, and unique to just your LastPass account. There is no point worrying about security if you're just going to use the same password in multiple places. For example, I keep my master password in multiple safe, offline locations and only use it on my LastPass account.

LastPass has no knowledge of your master password, so if you lose it, you are screwed. This is where the security comes in. They only have the salted hash response to your password vault. Since AES-256 salted with SHA-256 would take thousands of years for a farm of supercomputers to crack, there is no risk of being hacked in the traditional sense. The only way a LastPass account or vault could be compromised is from a user falling for social engineering.

If you are still paranoid beyond that, just switch to using KeePass, but I think you will find it to be too much of a pain to maintain and access. LastPass seems to be the best balance in password management.
 
Solution

SirLipe

OK thanks, I created a new, different, complex, not-that-long master password.
 

Math Geek

Titan
Ambassador
i use it as well and like it. your passwords are encrypted and only unlockable with the master password. can't get much safer than that really.

also love that it syncs across platforms so if you make a password change and save it, your phone, tablet, pc, laptop..... will get the update and you won't even miss a beat. be sure to set it to need your master password with each session though. as leaving it unlocked negates completely the use of the software. i use the pass generator to get truly complex and random passwords. would never remember them for each site but that's what lastpass is for :)
 

SirLipe

I use the pass generator only for important accounts. Can I get LastPass on my iPhone?
 
They have had some security breaches over the years that compromised some user account information, though not the passwords themselves, and some vulnerabilities were found (and fixed) in their browser extension last year that could have been used to reveal a user's passwords if they visited a malicious website. Whether more vulnerabilities exist is unknown, but I wouldn't doubt if more were discovered in time.

Also, I'm not sure I would trust any form of encryption to take "thousands of years" to crack, at least for an organization with enough resources and specialized hardware. Of course, that goes for all encrypted communications, not just password storage. It's usually enough to keep out random criminals though, but there's still the possibility that they might use a vulnerability or malware to get to the stored data without actually having to break the encryption.
 
It's a compromise.

Using this is far better than using the same exact password for everything or a weak password.
On the other hand, it is all your eggs in one basket, so if LastPass is compromised, EVERYTHING is now compromised.

I personally don't use it, but for people who are just incapable of using good password policies I recommend it to them.

My advice to people is to start with a base password, and then add to it based on the tier category:
Tier 1) site forums (like this one) - no data lost, no money lost if compromised - base password (8+ characters with numbers and letters, best if it is not just one word)
Tier 2) social media - assume the password is compromised the second you type it in - should be completely different from other passwords
Tier 3) email, cloud storage, personal accounts - these have personal data in them, so add a prefix or suffix to it
Tier 4) utilities websites, ecommerce sites, etc. - these have your credit card info, so add something more to this password
Tier 5) banking - direct access to your money - you should have base password plus prefix/suffix, uppercase letters, and characters.

If you follow that tier list and make your prefix/suffix in some way relevant, then it is not that hard to remember most all of your passwords.

 
I think that using a password manager is a requirement nowadays. There's no way to remember all the passwords you use, unless you keep the password the same or similar across the sites and things that require a password. That leaves all your accounts exposed if one account gets hacked. Thus, the use of a password manager to keep track of a different password for all of your accounts. Over the years, I've used TurboPassword, Datavault and LastPass. I especially like LastPass because you can use it on multiple platforms.

One suggestion - instead of using a password for LastPass, create a passphrase that includes numbers and special characters. A passphrase can be longer and it's generally easier to remember. With the numbers and characters thrown in, it's pretty tough to crack.
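
An added illustration (not part of the thread, and not LastPass's actual code) of the point several replies make, that a vault is only as strong as its master password: it stretches a password into a 256-bit key with PBKDF2-HMAC-SHA256 and compares expected search times for a few kinds of secret. The iteration count, the guess rate of one million per second and the sample secret formats are assumptions chosen for the sketch.

```python
import hashlib
import math
import os

ITERATIONS = 100_000          # assumed work factor for this sketch
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a secret made of independent, uniformly random picks."""
    return symbols * math.log2(choices_per_symbol)


def years_to_search_half(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: half the space at the given rate."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1e6) -> dict:
    """Map each constructed secret format to (entropy bits, expected years)."""
    formats = {
        "8 random lowercase letters/digits": entropy_bits(36, 8),
        "12 random printable ASCII chars": entropy_bits(94, 12),
        "5 random words from a 7776-word list": entropy_bits(7776, 5),
        "the raw 256-bit key itself": 256.0,
    }
    return {name: (bits, years_to_search_half(bits, guesses_per_second))
            for name, bits in formats.items()}


if __name__ == "__main__":
    salt = os.urandom(16)  # per-user random salt, stored beside the vault
    key = derive_vault_key("constructed example passphrase", salt)
    print("derived key:", key.hex())
    for name, (bits, years) in compare().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{years:.3g} years")
```

The estimates hold only for secrets chosen at random; a human-chosen or reused password sits far below the entropy its length suggests.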
 