Is LastPass Risky? A Look at Online Password Management

Source

As the title would suggest, LastPass is an online password manager. Now when some people hear about passwords being stored in the cloud, they immediately run in terror. There is a real concern about a website such as this being hacked, and a lot of accounts’ passwords being stolen, many individual accounts outside LastPass being stolen, and general chaos ensuing. I was and probably still am one of those people. I’ve been thinking about the subject though, and it made me evaluate the two situations: managing passwords online, and managing them offline? Which is more convenient, easier, and above all, which is safer?

Source

Technically while LastPass does store your passwords, it doesn’t know what they are. Passwords are encrypted and decrypted only on your local device, meaning that only the person with the master password has access to the passwords and can see them. If someone were to hack the website and steal a bunch of passwords, they would be useless without the key to decrypt them. LastPass has faced potential breaches in the past (it was never really confirmed if a breach had actually occurred), and when this happened, all LastPass users were required to do was change their master password. The master password isn’t stored on LastPass, and nobody at LastPass knows it. Only you do. You are the only person who can view passwords on LastPass because you have the master password.

Now it would be possible for someone to obtain the master password in a few ways:

  • Someone could guess it if it’s weak enough.
  • They could try a dictionary attack and get it that way (one reason why you should never use words in the dictionary as passwords).
  • They could get it from you – say you’ve written it down somewhere.
  • It could be gotten with the help of malicious software such as a keylogger, which would then send the master password back to the designated server or website belonging to the hacker, and they could then access your account.

Now all of these potential problems have solutions, or rather precautions that one can take – prevention is better than cure after all.

  • Never use a weak password – especially not when it's a master password.
  • Don’t write down your master password or at least store it somewhere safe if you do.
  • And as for keyloggers, always use good internet security software, practice safe surfing, and even if your PC were to have a keylogger on it, you can use virtual keyboards like Neo’s Safekeys (LastPass even provides its own virtual keyboard on the login page) to at least protect you from some types of keyloggers, although probably not all of them.

Criteria
Online Password Manager (LastPass)
Offline Password Manager
No Password Manager
Storing passwords
Stored and encrypted locally; decrypted locally
Stored and encrypted locally; decrypted locally
Stored locally and not encrypted
Password generation
Randomly generated
Randomly generated
Manually; weak, obvious passwords
Password length
12 – 100 characters
12 – 100 characters
6 – 8 characters
Time to crack
virtually uncrackable
virtually uncrackable
almost instantly, or in a very short time
You can use a YubiKey to help further secure your LastPass account.
You can use a YubiKey to help further secure your LastPass account. | Source

There are also many other security features you can use with LastPass, such as notifications sent to an email address if anything suspicious happens in your LastPass account such as a password change that you didn’t authorise. You can enable multifactor verification, where you use your mobile device to log in, in addition to having to type in your master password. And this in essence means that, by extension, all of your accounts managed with LastPass are protected by multifactor verification. The average account doesn’t use multifactor verification (Google, Facebook, LinkedIn, and Tumblr are among the ones that do). And seeing as you won’t have to type in passwords on any website ever again, seeing as you can either automatically log in from your LastPass dashboard, or automatically fill in the information with a click or two at your website sign in page, you are protected from keyloggers too.

You can also limit which countries are allowed to log in, and even disallow logins from Tor (popular with hackers). LastPass also has a security checker that will inform you of weak passwords, and nowadays the most important thing: whether any of your accounts are at risk and need a password change due to a Heartbleed vulnerability.

Features
Online password manager (LastPass)
Offline password manager
No password manager
Security notifications
Yes
No
No (only on select individual accounts)
Multifactor verification
Yes
Sometimes, depending on software used
No (only on select individual accounts)
Master password
Yes
Yes
N/A
Limit login locations
Yes
No
No
Virtual keyboard
Yes (for master password entry)
No (third party only)
No (third party only)
Disallow Tor logins
Yes
No
No
One Time Passwords
Yes
No
No
Security certificate checker
Yes
No
No (would have to be done manually)
Password Iterations
Yes
No
No
Restrict Mobile Access
Yes
No
No
Automatic log off
Yes
No
No
Master Password Re-prompts
Yes
Sometimes, depending on software used
N/A
Dedicated security emails
Yes
No
No
Security checker
Yes
No
No

Managing your passwords offline is rather dangerous – probably a lot more dangerous than with an online password manager. More so than you might realise.

Here are a few reasons why:

  • People tend to write down their passwords, not encrypting them, and even leave them out in the open for others to see.
  • If you write them down, you will more than likely take them with you when you travel, and not have them locked up safely somewhere, and that exposes you to even more risk.
  • People create weak passwords which are very easy to crack.
  • People don’t change their passwords very often, seeing as it’s too much of a hassle and too time consuming.
  • Using a browser to store your passwords is not recommended, because any malicious software will have an easy time of retrieving them. LastPass for instance, has no trouble whatsoever in importing the passwords stored in your browser.

All of these above reasons should explain why even though you think managing and storing your passwords offline is safe, it really isn’t. And they are also a few reasons why you should consider using LastPass, or even another password manager, whether it be online or offline. The reality is, you'll probably be better off.

What do you think of using LastPass and password managers in general?

  • Yes, password managers are completely safe.
  • I only use/would consider using an offline password manager.
  • Online password managers are the way to go.
  • No, none of them is safe!
See results without voting

© 2014 Anti-Valentine

More by this Author


No comments yet.

    Sign in or sign up and post using a HubPages Network account.

    0 of 8192 characters used
    Post Comment

    No HTML is allowed in comments, but URLs will be hyperlinked. Comments are not for promoting your articles or other sites.


    Click to Rate This Article
    working