Comments on: One Password Management Software To Rule Them All

By: seenu

seenu — Fri, 11 Mar 2011 15:00:54 +0000

The ads in the content are really distracting. Please show very less numbers of content ads. It increases readability.

By: David

David — Tue, 09 Mar 2010 01:00:06 +0000

g1lQzG061IUQ4EZ6FsIHl5uCCLk2L9ARJG7eXPsP1Nv1

is a 256-bit password, as shown by the RoboForm password generator, because there are 44 characters, using upper & lower case and numeric characters, no special characters and the minimum number of numeric digits is 2. “Exclude similar characters” is unchecked, as is “Hexadecimal 0-9, A-F”.

It would have been 128-bit, if there were 22 characters with only 1 numeric digit required, from the same sets of characters.

At least, now you know that LastPass 256-bit encrypted data is protected by a weaker password than the encryption itself, unless the password is at least 44 characters, with no more than 2 numerals required, using A-Z, a-z and 0-9.

However, it’s never a good idea to use exactly the minimum required. If a hacker knows exactly how many characters there are in a password, it becomes a much less difficult problem to decipher.

So, why not 50 or 60? The fewer numeric digits required, the better. If LastPass doesn’t require any, then 50 characters = 297-bits and 60 = 357-bits, and the generated password may or may not include numerals.

357-bits would provide 29,356,782,284,672,915,348,618,507,459,867e+96 possible combinations. More than the NSA is likely to decipher in your lifetime.

So, get a Yubikey, if you want to keep your data kept safe online, assuming you trust LastPass encryption more than “mark” does. I believe a Yubikey can handle a password that long, but I haven’t tried one yet.

However, if you don’t trust proprietary code, which (by definition) provides security by obscurity, then you’re better off with PasswordSafe, which is Free and Open Source, so it has been scrutinized much more than RoboForm or LastPass for properly implemented algorithms.

By: David

David — Tue, 09 Mar 2010 00:30:42 +0000

Why doesn’t the password generator show the bit-strength of the password generated, so the user can see the effects of various options being taken?

The RoboForm password generator does this quite nicely.

By: mark

mark — Sat, 04 Apr 2009 13:37:54 +0000

Joe (the LastPass guy) said:

“Why wouldn’t you trust your encrypted data to be stored on a server?”

Because there could be implementation bugs in your software, for one thing. It’s not impossible that you sometimes mistakenly send unencrypted passwords to your server under certain circumstances. It’s not impossible that the encryption is done, but not done in the best way, and has weaknesses that should not exist.

By: LastPass Now Compatible With All Browsers « Shinko168’s Weblog

LastPass Now Compatible With All Browsers « Shinko168’s Weblog — Wed, 21 Jan 2009 19:10:55 +0000

[...] manager and form filler back in September and came to the conclusion that it was one of the best password management software programs out there. To be more precise, LastPass is an excellent unobtrusive password manager for [...]

By: LastPass Now Compatible With All Browsers

LastPass Now Compatible With All Browsers — Wed, 21 Jan 2009 09:48:57 +0000

By: Reimpostazione password di massa in Firefox | Firefox Blog

Reimpostazione password di massa in Firefox | Firefox Blog — Fri, 05 Dec 2008 17:18:24 +0000

[...] ricordare più nulla. Questi strumenti purtroppo non sono utilizzati da molti utenti di Internet. (Last Pass è [...]

By: Firefox Mass Password Reset

Firefox Mass Password Reset — Wed, 26 Nov 2008 10:14:27 +0000

[...] have to remember anything anymore. These tools are unfortunately not used by many Internet users. (Last Pass is one [...]

By: Guy Soffer

Guy Soffer — Tue, 21 Oct 2008 09:09:23 +0000

Really an amazing product. I use it on a daily basis…

By: Christopher Harley

Christopher Harley — Sat, 11 Oct 2008 01:38:49 +0000

Joe Siegrist-

Thanks for the clarification. I’m now more inclined to take a look at your offering.

By: Roman ShaRP

Roman ShaRP — Sun, 05 Oct 2008 20:20:44 +0000

May be I’ll check it later. Now I’m satisfied with Keepass, and I like that it’s OpenSource.

By: Joe Siegrist

Joe Siegrist — Tue, 30 Sep 2008 14:23:38 +0000

Why wouldn’t you trust your encrypted data to be stored on a server?

LastPass works by locally encrypting data with 256-bit AES, then storing that for you so you can use it elsewhere. It’s quite safe if you pick a good master password.

If you trust NIST:

Q: What is the chance that someone could use the “DES Cracker”-like hardware to crack an AES key?

A: In the late 1990s, specialized “DES Cracker” machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.

Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.

– NIST.gov AES Questions and Answers

LastPass uses a 256-bit AES key, so it would take many times longer than this. The risk of compromise of your locally encrypted data is exceedingly low.

Using LastPass is by far safer than what most people do, which is use a few passwords for every site. Many sites don’t hash passwords and simply store them in plain text, many sites don’t encrypt the channel for sending passwords. These are the pratical attacks that hackers can use to compromise you.

Joe Siegrist
LastPass

By: David Bradley

David Bradley — Tue, 30 Sep 2008 11:11:14 +0000

Yes, point taken. It was the cloud security aspect I wouldn’t trust. Moreover, I’d be loathe to have all my passwords in one box on my PC too in case it was stolen and cracked open.

By: MK

MK — Tue, 30 Sep 2008 10:32:26 +0000

@David Bradley: There is no perfect answer to everything. What a password storage system do is simplify the management of your passwords (obviously). It can generate complex passwords, and store them so you don’t have to remember all those tiny caps/big caps/numbers in your head.

Sure, it can eventually be cracked. But I prefer a password storage system that writing it on sticky notes, any day.

I do agree on the compromise of online system. Though it sounds tempting (you can access your passwords everywhere, don’t even have to bring a pen drive), I would never trust my security on cloud computing.

By: David Bradley

David Bradley — Tue, 30 Sep 2008 08:08:05 +0000

Theoretically, all password storage systems could be cracked, compromising all your sites. I’d worry about relying on an online system of any sort no matter how clever or otherwise it seems to be. There is no perfect answer LastPass is just another compromise.

By: MK

MK — Tue, 30 Sep 2008 04:31:24 +0000

Just what I am looking for right now. I’ve been using PassPack for long, and it works great. However PassPack is too simple, thus lacks many features such as password generator, or the ability to choose where you can save the file.

I’ve tried KeePass, nah too complex. Currently using PasswordSafe and it is pretty good.

LastPass sounds promising, especially the integration with the web browser. I hope future builds will include Opera.

By: pavid

pavid — Mon, 29 Sep 2008 23:04:01 +0000

I love LastPass. It’s so easy to use. Unfortunately, I have encountered a small problem in that I am unable to access my on-line e-mail using the new version of Rogers Yahoo. However, the classic version of Rogers Yahoo works just fine.

By: LastPass: administrador de contraseñas para Windows, Linux, Mac | arturogoga

Mon, 29 Sep 2008 20:25:11 +0000

[...] via ghacks [...]