Questions tagged [lastpass]

A freemium password management service which seeks to resolve the password fatigue problem by centralising user password management in the cloud.

60 questions
30 votes, 4 answers

Security of LastPass together with YubiKey

I'm looking at password manager solutions and came across LastPass. I see that they also support two-factor authentication using YubiKeys. How secure is this combination for password management? What are the "weak links" in this scheme that could be…
jrdioko
28 votes, 5 answers

How can I choose a strong password that is easy to use on a smartphone?

Typing on a smartphone is tedious. Special characters are the hardest; lowercase letters are generally the easiest. But even a long all-letter passphrase like "correct horse battery staple" is difficult to type on a smartphone. I normally use…
Jay Bazuzi
18 votes, 1 answer

Lastpass hack - risks for abuse

I use Lastpass. Today I got an email from them telling me that their servers were hacked, and a database with email addresses and recovery hints was probably copied. Dear LastPass User, We wanted to alert you that, recently, our team discovered and…
SPRBRN
16 votes, 2 answers

Is LastPass SMS Recovery a security risk?

According to the LastPass FAQ, employees of LastPass cannot see nor decrypt the stored passwords. LastPass encrypts your Vault before it goes to the server using 256-bit AES encryption. Since the Vault is already encrypted before it leaves your…
eKKiM
15 votes, 1 answer

Security of LastPass' password generator

I currently use LastPass for all of my password generation and management. After reading Diceware, I realized that LastPass' password generator might be insecure, as somebody could potentially attempt to generate the same password I did. I'm…
Nathan Merrill
14 votes, 2 answers

Is LastPass secure enough?

They said: Private Master Password: The user’s master password, and the keys used to encrypt and decrypt user data, are never sent to LastPass’ servers, and are never accessible by LastPass. Local-Only Encryption: User data is encrypted…
AsimRazaKhan
11 votes, 4 answers

Why should we prevent users from saving their passwords in their password manager?

I understand there are a few other controls, like 2FA, for making transactions on many bank account websites, while users are only required to enter a username and password to access the account. I noticed that I can save my password in my LastPass password…
Filipon
9 votes, 2 answers

Do I REALLY need to change my LastPass password?

Last weekend LastPass' network was compromised and a list of email addresses along with the hashes of the master passwords were stolen. It is being recommended that LastPass users change their passwords on several security websites. …
cuengi8
9 votes, 3 answers

How to find passwords in memory (password managers)

I’m trying to figure out if password managers such as LastPass store passwords in plain text (or hash values that can then be decrypted with the master-password) in memory after a user logs into the browser/extension. I’m trying to find academic…
octo-carrot
8 votes, 2 answers

Protecting my high-value passwords against offline attacks

Summary I'm a LastPass user, but I have concerns about storing high-value passwords, like my bank password, online. I've read some posts on this topic but still have questions. How safe are password managers like LastPass? Does the average user…
8 votes, 1 answer

LastPass installer scary message about sideloading

I've been using LastPass for years, generally through the original Chrome extension. In recent months, certain features of the extension have been totally broken, such as the ability to share passwords or the ability to generate new random…
Ryan
8 votes, 1 answer

How does Lastpass decrypt my mobile vault after restart with just the fingerprint?

So my vault (on mobile device) is encrypted with my Master Password. Without the Master Password, the decryption cannot happen. There is an option to enable Fingerprint Authentication on the mobile devices. Obviously that is only done after you have…
Slav
8 votes, 1 answer

LastPass's use of client-side Salt

The LastPass Team states the following in their FAQ: Do you use a salted hash for logging in? Yes, we first do a 'salt' of your LastPass password with your username on the client side (on your computer, LastPass never gets your password), then…
7 votes, 2 answers

LastPass - Best practices on foreign devices

I am a new user to LastPass and have been reading the literature to better understand how it works. What I do not grasp is how to best use LastPass on other computers. In the case where you only want to use the web GUI, I don't believe LastPass can…
Polite Master
6 votes, 2 answers

Is the same decryption key used for data on the server as locally with Lastpass?

Lastpass stores the password databases encrypted on the server. Does it give a database to anyone who asks? If no, then what authentication (i.e. password) is used? I use Lastpass on multiple devices with the same master password and have not…
Celeritas