Thanks for the clarification. I’m now more inclined to take a look at your offering.

LastPass works by locally encrypting data with 256-bit AES, then storing that for you so you can use it elsewhere. It’s quite safe if you pick a good master password.

If you trust NIST:

Q: What is the chance that someone could use the “DES Cracker”-like hardware to crack an AES key?

A: In the late 1990s, specialized “DES Cracker” machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.

Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.

– NIST.gov AES Questions and Answers

LastPass uses a 256-bit AES key, so it would take many times longer than this. The risk of compromise of your locally encrypted data is exceedingly low.

Using LastPass is by far safer than what most people do, which is use a few passwords for every site. Many sites don’t hash passwords and simply store them in plain text, many sites don’t encrypt the channel for sending passwords. These are the pratical attacks that hackers can use to compromise you.

Joe Siegrist
LastPass

Sure, it can eventually be cracked. But I prefer a password storage system that writing it on sticky notes, any day.

I do agree on the compromise of online system. Though it sounds tempting (you can access your passwords everywhere, don’t even have to bring a pen drive), I would never trust my security on cloud computing.

I’ve tried KeePass, nah too complex. Currently using PasswordSafe and it is pretty good.

LastPass sounds promising, especially the integration with the web browser. I hope future builds will include Opera.