Is LastPass Risky? A Look at Online Password Management
As the title would suggest, LastPass is an online password manager. Now when some people hear about passwords being stored in the cloud, they immediately run in terror. There is a real concern about a website such as this being hacked, and a lot of accounts’ passwords being stolen, many individual accounts outside LastPass being stolen, and general chaos ensuing. I was and probably still am one of those people. I’ve been thinking about the subject though, and it made me evaluate the two situations: managing passwords online, and managing them offline? Which is more convenient, easier, and above all, which is safer?
Technically while LastPass does store your passwords, it doesn’t know what they are. Passwords are encrypted and decrypted only on your local device, meaning that only the person with the master password has access to the passwords and can see them. If someone were to hack the website and steal a bunch of passwords, they would be useless without the key to decrypt them. LastPass has faced potential breaches in the past (it was never really confirmed if a breach had actually occurred), and when this happened, all LastPass users were required to do was change their master password. The master password isn’t stored on LastPass, and nobody at LastPass knows it. Only you do. You are the only person who can view passwords on LastPass because you have the master password.
Now it would be possible for someone to obtain the master password in a few ways:
- Someone could guess it if it’s weak enough.
- They could try a dictionary attack and get it that way (one reason why you should never use words in the dictionary as passwords).
- They could get it from you – say you’ve written it down somewhere.
- It could be gotten with the help of malicious software such as a keylogger, which would then send the master password back to the designated server or website belonging to the hacker, and they could then access your account.
Now all of these potential problems have solutions, or rather precautions that one can take – prevention is better than cure after all.
- Never use a weak password – especially not when it's a master password.
- Don’t write down your master password or at least store it somewhere safe if you do.
- And as for keyloggers, always use good internet security software, practice safe surfing, and even if your PC were to have a keylogger on it, you can use virtual keyboards like Neo’s Safekeys (LastPass even provides its own virtual keyboard on the login page) to at least protect you from some types of keyloggers, although probably not all of them.
Criteria
| Online Password Manager (LastPass)
| Offline Password Manager
| No Password Manager
|
---|---|---|---|
Storing passwords
| Stored and encrypted locally; decrypted locally
| Stored and encrypted locally; decrypted locally
| Stored locally and not encrypted
|
Password generation
| Randomly generated
| Randomly generated
| Manually; weak, obvious passwords
|
Password length
| 12 – 100 characters
| 12 – 100 characters
| 6 – 8 characters
|
Time to crack
| virtually uncrackable
| virtually uncrackable
| almost instantly, or in a very short time
|
There are also many other security features you can use with LastPass, such as notifications sent to an email address if anything suspicious happens in your LastPass account such as a password change that you didn’t authorise. You can enable multifactor verification, where you use your mobile device to log in, in addition to having to type in your master password. And this in essence means that, by extension, all of your accounts managed with LastPass are protected by multifactor verification. The average account doesn’t use multifactor verification (Google, Facebook, LinkedIn, and Tumblr are among the ones that do). And seeing as you won’t have to type in passwords on any website ever again, seeing as you can either automatically log in from your LastPass dashboard, or automatically fill in the information with a click or two at your website sign in page, you are protected from keyloggers too.
You can also limit which countries are allowed to log in, and even disallow logins from Tor (popular with hackers). LastPass also has a security checker that will inform you of weak passwords, and nowadays the most important thing: whether any of your accounts are at risk and need a password change due to a Heartbleed vulnerability.
Features
| Online password manager (LastPass)
| Offline password manager
| No password manager
|
---|---|---|---|
Security notifications
| Yes
| No
| No (only on select individual accounts)
|
Multifactor verification
| Yes
| Sometimes, depending on software used
| No (only on select individual accounts)
|
Master password
| Yes
| Yes
| N/A
|
Limit login locations
| Yes
| No
| No
|
Virtual keyboard
| Yes (for master password entry)
| No (third party only)
| No (third party only)
|
Disallow Tor logins
| Yes
| No
| No
|
One Time Passwords
| Yes
| No
| No
|
Security certificate checker
| Yes
| No
| No (would have to be done manually)
|
Password Iterations
| Yes
| No
| No
|
Restrict Mobile Access
| Yes
| No
| No
|
Automatic log off
| Yes
| No
| No
|
Master Password Re-prompts
| Yes
| Sometimes, depending on software used
| N/A
|
Dedicated security emails
| Yes
| No
| No
|
Security checker
| Yes
| No
| No
|
Managing your passwords offline is rather dangerous – probably a lot more dangerous than with an online password manager. More so than you might realise.
Here are a few reasons why:
- People tend to write down their passwords, not encrypting them, and even leave them out in the open for others to see.
- If you write them down, you will more than likely take them with you when you travel, and not have them locked up safely somewhere, and that exposes you to even more risk.
- People create weak passwords which are very easy to crack.
- People don’t change their passwords very often, seeing as it’s too much of a hassle and too time consuming.
- Using a browser to store your passwords is not recommended, because any malicious software will have an easy time of retrieving them. LastPass for instance, has no trouble whatsoever in importing the passwords stored in your browser.
All of these above reasons should explain why even though you think managing and storing your passwords offline is safe, it really isn’t. And they are also a few reasons why you should consider using LastPass, or even another password manager, whether it be online or offline. The reality is, you'll probably be better off.
What do you think of using LastPass and password managers in general?
© 2014 Anti-Valentine