LastPass password manager gets two new security options

Martin Brinkmann
Aug 2, 2012
Updated • Dec 5, 2012

I used LastPass for quite some time before I made the switch to the KeePass password manager. While I have not regretted that move, I know of several users who are using LastPass for all their password management needs.

LastPass supports a wide variety of features that make it more than a replacement for the web browser's built-in password manager. These include a secure password generator, note taking, access from web browsers and the LastPass website, browser synchronization and automatic form filling.

The premium version adds mobile client support and multifactor authentication to the client using YubiKeys or USB thumb drives.

Two new security features were added to LastPass accounts yesterday that improve security further. Both features are available in the account settings dialog, which you can open from the LastPass vault.

The first security feature restricts the LastPass login to countries that you select in the settings dialog. Once you have made your selection here, and most LastPass users will without doubt only select their home country, logins are only permitted if the IP address resolves to a location in that country.

If someone else steals the login and tries to log in from another country, that login will not be permitted even if the login credentials are correct. While there are options to bypass that limitation, for instance with the help of a VPN service, it may deter a percentage of attackers from investigating the error message or from trying further to get into the account. You do, however, need to make sure to change the country selection before you travel to another country if you want to use LastPass there. This can be a temporary addition for a business trip, or a permanent one if you move to that country.

The second feature disables logins from the Tor network. It is obviously not a good idea to block logins from the Tor network if you use it yourself. If you never use it, however, you can block it to prevent hackers from using it when they try to access your account.
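How the two options could be evaluated on the server after the credentials have been checked, as an added example that is not LastPass code: the lookup tables are constructed sample data using documentation address ranges, all function names are hypothetical, and refusing addresses with no country mapping is an assumption. The last function models the lockout guard a reader describes in the comments.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges stand in for a GeoIP
# database and a Tor exit-node list. Real services load both from maintained feeds.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}
TOR_EXITS = {ipaddress.ip_address("203.0.113.7")}


def country_of(ip):
    """Return the country code for ip, or None when the table has no answer."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None


def check_login(ip, allowed_countries, block_tor):
    """Apply both account options to a login whose password was already verified."""
    addr = ipaddress.ip_address(ip)
    if block_tor and addr in TOR_EXITS:
        return (False, "tor-blocked")
    if allowed_countries:  # an empty set means the restriction is not enabled
        cc = country_of(ip)
        if cc is None:
            # Assumption: fail closed when the address cannot be geolocated.
            return (False, "country-unknown")
        if cc not in allowed_countries:
            return (False, "country-blocked:" + cc)
    return (True, "ok")


def update_allowed_countries(new_allowed, session_ip):
    """Reject a settings change that would lock out the session making it."""
    current = country_of(session_ip)
    if new_allowed and current not in new_allowed:
        raise ValueError("selection must include the current country")
    return set(new_allowed)
```

Because geolocation is a table lookup, a stale or wrong entry produces the same refusal as a genuine foreign login, which is why the unknown case needs an explicit decision.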


Comments

  1. Caitlin Roberts said on August 4, 2012 at 12:40 am

    I wonder how reliable that country blocking is, just saying because many proxy IPs are detected as being somewhere else by whatismyip software.

    Anyone who has used a VPN before will know that not even VPN servers can be pinpointed to the right country sometimes.

  2. Howard Stern said on August 3, 2012 at 8:32 pm

    Howard Stern
    Aug 3,2012

    :’I Chose #! V.1.x GD1

    Reply

  3. KRS said on August 3, 2012 at 2:49 pm

    Martin –

    According to the KeePass site, there are two versions.

    V. 1.x operates under GDI+ and lacks a number of features.

    V. 2.x has more features but requires Microsoft .NET Framework, which has its own problems.

    Which version do you use?

    1. Martin Brinkmann said on August 3, 2012 at 3:01 pm

      I use version 2.x

  4. Transcontinental said on August 3, 2012 at 9:51 am

    I switched to LastPass after years with ‘AI Roboform’ when the latter IMO was on the decline. No idea really with security issues when pragmatism is the lot of ignorance: no problem doesn’t mean no possible problem.
    Anyway, whatever password vault, there are some credentials I never even write down, as for instance bank account …

    1. clas said on August 3, 2012 at 2:30 pm

      i understand about roboform…has been on a decline. you can delete passwords from roboform without signing in…a serious defect which they will not address. i have been using sticky passwords for some time. excellent program. works the way it should. as with many others, i just do not trust putting all my passwords in the “cloud” no matter if they say it's all encrypted. sticky will make a portable for use on a flash drive so you can take it with you anyway and it's still password protected.

  5. Eli said on August 2, 2012 at 7:58 pm

    To DanTe, the thing with LastPass is they never get anything of yours that isn’t encrypted already, so even if the FBI or Hackers or whatever took all of LastPass’s servers it would mean nothing unless you use a password like 12345.

    BTW about this new feature, what happens if you reside in the USA and check the box to prevent logins from the USA, does that lock you out of your account forever since you’ll never be able to get back into settings to change it back?

    1. Martin Brinkmann said on August 2, 2012 at 9:09 pm

      Good question, no idea to be honest.

      1. Dan said on August 2, 2012 at 10:15 pm

        It does not allow you to uncheck the country from which you are currently accessing the account.

      2. Martin Brinkmann said on August 2, 2012 at 10:21 pm

        Dan, IP to country detection is not perfect and it may very well happen that it gets identified incorrectly. While the chance is slim of that happening, it can still happen. It is however good to know that users can’t lock themselves out of the program this way.

  6. DanTe said on August 2, 2012 at 7:25 pm

    I never trust some third party vendor to maintain my passwords. Too much potential for third party failure/glitch that would expose my finance accounts. I stick to the tried and true password wallet programs on the PC and phone encrypted with one family-wide password.

    1. Tim said on August 2, 2012 at 8:26 pm

      I just changed all my passwords to ‘incorrect’, so my computer just tells me when I forget. :)
