LastPass password manager gets two new security options
I used LastPass for quite some time before I made the switch to the KeePass password manager. While I have not regretted that move, I know of several users who are using LastPass for all their password management needs.
LastPass supports a wide variety of features that make it more than a replacement for the built-in password manager of the web browser. This includes a secure password generator, note taking, access from web browsers and the LastPass website, browser synchronization and automatic form filling.
The premium version adds mobile client support and multifactor authentication to the client using Yubikeys or USB thumb drives.
Two new security features were added to LastPass accounts yesterday that improve security further. Both features are available in the account settings dialog, which you can open from the LastPass vault.
The first security feature restricts the LastPass login to countries that you select in the settings dialog. Once you have made your selection here, and most LastPass users without doubt will only select their home country, logins are only permitted if the IP address resolves to a location in that country.
If someone else steals the login and tries to log in from another country, that login will not be permitted even if the login credentials are correct. While there are options to bypass that limitation, for instance with the help of a VPN service, it may block a percentage of attackers from investigating the error message or trying to get into the account. You do, however, need to make sure to change the country selection before you travel to another country if you want to use LastPass there. This can be a temporary addition for a business trip, or a permanent one if you move to that country.
The second feature disables logins from the Tor network. It is obviously not a good idea to block logins from the Tor network if you use it yourself. If you never use it, however, you can block it to prevent hackers from using it when they try to access your account.
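A sketch of how a service could evaluate the two options described above, as an added example that is not LastPass code and not from the original article. The GeoIP table, Tor exit set, function names and the fail-closed handling of unresolvable addresses are assumptions; `update_allowed` mirrors the rule reported in the comments that the country you are currently connecting from cannot be unchecked.

```python
import ipaddress

# Constructed sample data: documentation ranges (RFC 5737) stand in for a GeoIP
# database and a Tor exit list. Neither reflects real allocations.
GEOIP = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}
TOR_EXITS = {ipaddress.ip_address("203.0.113.7")}


def country_of(ip):
    """Return the country code the IP resolves to, or None if unresolved."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return None


def check_login(ip, allowed_countries, block_tor):
    """Decide a login whose credentials were already verified as correct."""
    if block_tor and ipaddress.ip_address(ip) in TOR_EXITS:
        return (False, "tor_blocked")
    if allowed_countries:  # empty set: country restriction is switched off
        cc = country_of(ip)
        if cc is None:
            # Assumption: fail closed when geolocation gives no answer.
            return (False, "country_unknown")
        if cc not in allowed_countries:
            return (False, "country_blocked")
    return (True, "ok")


def update_allowed(current_ip, new_allowed):
    """Reject a settings change that would exclude the session's own country."""
    cc = country_of(current_ip)
    if new_allowed and cc not in new_allowed:
        raise ValueError("cannot remove the country you are logged in from")
    return set(new_allowed)
```

The decision depends only on the connecting IP address, so a VPN exit located in an allowed country passes the country check, which is the bypass the article mentions.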
I wonder how reliable that country blocking is, just saying because many proxy IPs are detected as being somewhere else by whatismyip software.
Anyone who has used a VPN before will know that not even VPN servers can be pinpointed to the right country sometimes.
Howard Stern
Aug 3,2012
:’I Chose #! V.1.x GD1
Martin –
According to the KeePass site, there are two versions.
V. 1.x operates under GDI+ and lacks a number of features.
V. 2.x has more features but requires Microsoft .NET Framework, which has its own problems.
Which version do you use?
I use version 2.x
I switched to LastPass after years with ‘AI Roboform’ when the latter IMO was on the decline. No idea really with security issues when pragmatism is the lot of ignorance: no problem doesn’t mean no possible problem.
Anyway, whatever password vault, there are some credentials I never even write down, as for instance bank account …
I understand about Roboform…has been on a decline. You can delete passwords from Roboform without signing in…a serious defect which they will not address. I have been using sticky passwords for some time. Excellent program. Works the way it should. As with many others, I just do not trust putting all my passwords in the “cloud” no matter if they say it’s all encrypted. Sticky will make a portable for use on a flash drive so you can take it with you anyway and it’s still password protected.
To DanTe, the thing with LastPass is they never get anything of yours that isn’t encrypted already, so even if the FBI or Hackers or whatever took all of LastPass’s servers it would mean nothing unless you use a password like 12345.
BTW about this new feature, what happens if you reside in the USA and check the box to prevent logins from the USA, does that lock you out of your account forever since you’ll never be able to get back into settings to change it back?
Good question, no idea to be honest.
It does not allow you to uncheck the country from which you are currently accessing the account.
Dan, IP to country detection is not perfect and it may very well happen that it gets identified incorrectly. While the chance is slim of that happening, it can still happen. It is however good to know that users can’t lock themselves out of the program this way.
I never trust some third party vendor to maintain my passwords. Too much potential for third party failure/glitch that would expose my finance accounts. I stick to the tried and true password wallet programs on the PC and phone encrypted with one family-wide password.
I just changed all my passwords to ‘incorrect’, so my computer just tells me when I forget. :)