Arts Autos Books Business Education Entertainment Family Fashion Food Games Gender Health Holidays Home HubPages Personal Finance Pets Politics Religion Sports Technology Travel

Is LastPass Risky? A Look at Online Password Management

Updated on February 12, 2018

Anti-Valentine

As the title would suggest, LastPass is an online password manager. Now when some people hear about passwords being stored in the cloud, they immediately run in terror. There is a real concern about a website such as this being hacked, and a lot of accounts’ passwords being stolen, many individual accounts outside LastPass being stolen, and general chaos ensuing. I was and probably still am one of those people. I’ve been thinking about the subject though, and it made me evaluate the two situations: managing passwords online, and managing them offline? Which is more convenient, easier, and above all, which is safer?

Technically while LastPass does store your passwords, it doesn’t know what they are. Passwords are encrypted and decrypted only on your local device, meaning that only the person with the master password has access to the passwords and can see them. If someone were to hack the website and steal a bunch of passwords, they would be useless without the key to decrypt them. LastPass has faced potential breaches in the past (it was never really confirmed if a breach had actually occurred), and when this happened, all LastPass users were required to do was change their master password. The master password isn’t stored on LastPass, and nobody at LastPass knows it. Only you do. You are the only person who can view passwords on LastPass because you have the master password.

Now it would be possible for someone to obtain the master password in a few ways:

Someone could guess it if it’s weak enough.
They could try a dictionary attack and get it that way (one reason why you should never use words in the dictionary as passwords).
They could get it from you – say you’ve written it down somewhere.
It could be gotten with the help of malicious software such as a keylogger, which would then send the master password back to the designated server or website belonging to the hacker, and they could then access your account.

Now all of these potential problems have solutions, or rather precautions that one can take – prevention is better than cure after all.

Never use a weak password – especially not when it's a master password.
Don’t write down your master password or at least store it somewhere safe if you do.
And as for keyloggers, always use good internet security software, practice safe surfing, and even if your PC were to have a keylogger on it, you can use virtual keyboards like Neo’s Safekeys (LastPass even provides its own virtual keyboard on the login page) to at least protect you from some types of keyloggers, although probably not all of them.

Criteria	Online Password Manager (LastPass)	Offline Password Manager	No Password Manager
Storing passwords	Stored and encrypted locally; decrypted locally	Stored and encrypted locally; decrypted locally	Stored locally and not encrypted
Password generation	Randomly generated	Randomly generated	Manually; weak, obvious passwords
Password length	12 – 100 characters	12 – 100 characters	6 – 8 characters
Time to crack	virtually uncrackable	virtually uncrackable	almost instantly, or in a very short time

You can use a YubiKey to help further secure your LastPass account. | Source

There are also many other security features you can use with LastPass, such as notifications sent to an email address if anything suspicious happens in your LastPass account such as a password change that you didn’t authorise. You can enable multifactor verification, where you use your mobile device to log in, in addition to having to type in your master password. And this in essence means that, by extension, all of your accounts managed with LastPass are protected by multifactor verification. The average account doesn’t use multifactor verification (Google, Facebook, LinkedIn, and Tumblr are among the ones that do). And seeing as you won’t have to type in passwords on any website ever again, seeing as you can either automatically log in from your LastPass dashboard, or automatically fill in the information with a click or two at your website sign in page, you are protected from keyloggers too.

You can also limit which countries are allowed to log in, and even disallow logins from Tor (popular with hackers). LastPass also has a security checker that will inform you of weak passwords, and nowadays the most important thing: whether any of your accounts are at risk and need a password change due to a Heartbleed vulnerability.

Features	Online password manager (LastPass)	Offline password manager	No password manager
Security notifications	Yes	No	No (only on select individual accounts)
Multifactor verification	Yes	Sometimes, depending on software used	No (only on select individual accounts)
Master password	Yes	Yes	N/A
Limit login locations	Yes	No	No
Virtual keyboard	Yes (for master password entry)	No (third party only)	No (third party only)
Disallow Tor logins	Yes	No	No
One Time Passwords	Yes	No	No
Security certificate checker	Yes	No	No (would have to be done manually)
Password Iterations	Yes	No	No
Restrict Mobile Access	Yes	No	No
Automatic log off	Yes	No	No
Master Password Re-prompts	Yes	Sometimes, depending on software used	N/A
Dedicated security emails	Yes	No	No
Security checker	Yes	No	No

Managing your passwords offline is rather dangerous – probably a lot more dangerous than with an online password manager. More so than you might realise.

Here are a few reasons why:

People tend to write down their passwords, not encrypting them, and even leave them out in the open for others to see.
If you write them down, you will more than likely take them with you when you travel, and not have them locked up safely somewhere, and that exposes you to even more risk.
People create weak passwords which are very easy to crack.
People don’t change their passwords very often, seeing as it’s too much of a hassle and too time consuming.
Using a browser to store your passwords is not recommended, because any malicious software will have an easy time of retrieving them. LastPass for instance, has no trouble whatsoever in importing the passwords stored in your browser.

All of these above reasons should explain why even though you think managing and storing your passwords offline is safe, it really isn’t. And they are also a few reasons why you should consider using LastPass, or even another password manager, whether it be online or offline. The reality is, you'll probably be better off.

What do you think of using LastPass and password managers in general?

Internet & the Web
How Safe And Strong Are Your Passwords?
by Rachael O'Halloran24
Viruses, Spyware & Internet Security
How To Pick Smart Answers To Your Security Questions
by Rachael O'Halloran30
Internet & the Web
How To Create The Best Passwords Hackers Hate
by Rachael O'Halloran48
Internet & the Web
Everything You Need To Know About The Tinder Device Ban
by Devesh Bhatnagar0
Viruses, Spyware & Internet Security
How to Protect Your Facebook Account from Hackers
by Melanie Palen10

This website uses cookies

As a user in the EEA, your approval is needed on a few things. To provide a better website experience, hubpages.com uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

Necessary

Features

Marketing

Statistics

Approve All & Submit
Approve Checked Only

For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at: https://corp.maven.io/privacy-policy

Show Details

Necessary
HubPages Device ID	This is used to identify particular browsers or devices when the access the service, and is used for security reasons.
Login	This is necessary to sign in to the HubPages Service.
Google Recaptcha	This is used to prevent bots and spam. (Privacy Policy)
Akismet	This is used to detect comment spam. (Privacy Policy)
HubPages Google Analytics	This is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
HubPages Traffic Pixel	This is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
Amazon Web Services	This is a cloud services platform that we used to host our service. (Privacy Policy)
Cloudflare	This is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
Google Hosted Libraries	Javascript software libraries such as jQuery are loaded at endpoints on the googleapis.com or gstatic.com domains, for performance and efficiency reasons. (Privacy Policy)

Features
Google Custom Search	This is feature allows you to search the site. (Privacy Policy)
Google Maps	Some articles have Google Maps embedded in them. (Privacy Policy)
Google Charts	This is used to display charts and graphs on articles and the author center. (Privacy Policy)
Google AdSense Host API	This service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
Google YouTube	Some articles have YouTube videos embedded in them. (Privacy Policy)
Vimeo	Some articles have Vimeo videos embedded in them. (Privacy Policy)
Paypal	This is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
Facebook Login	You can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
Maven	This supports the Maven widget and search functionality. (Privacy Policy)

Marketing
Google AdSense	This is an ad network. (Privacy Policy)
Google DoubleClick	Google provides ad serving technology and runs an ad network. (Privacy Policy)
Index Exchange	This is an ad network. (Privacy Policy)
Sovrn	This is an ad network. (Privacy Policy)
Facebook Ads	This is an ad network. (Privacy Policy)
Amazon Unified Ad Marketplace	This is an ad network. (Privacy Policy)
AppNexus	This is an ad network. (Privacy Policy)
Openx	This is an ad network. (Privacy Policy)
Rubicon Project	This is an ad network. (Privacy Policy)
TripleLift	This is an ad network. (Privacy Policy)
Say Media	We partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
Remarketing Pixels	We may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
Conversion Tracking Pixels	We may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.

Statistics
Author Google Analytics	This is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
Comscore	ComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
Amazon Tracking Pixel	Some articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
Clicksco	This is a data management platform studying reader behavior (Privacy Policy)

Is LastPass Risky? A Look at Online Password Management

What do you think of using LastPass and password managers in general?

Related

How Safe And Strong Are Your Passwords?

How To Pick Smart Answers To Your Security Questions

How To Create The Best Passwords Hackers Hate

Everything You Need To Know About The Tinder Device Ban

How to Protect Your Facebook Account from Hackers

Popular

The Best XKCD Comics of All Time

101 Prettiest Pinterest Shabby Chic - My Picks

How To Start a Blog on Blogger

Arts and Design

Autos

Books, Literature, and Writing

Business and Employment

Education and Science

Entertainment and Media

Family and Parenting

Fashion and Beauty

Food and Cooking

Games, Toys, and Hobbies

Gender and Relationships

Health

Holidays and Celebrations

Home and Garden

HubPages Tutorials and Community

Personal Finance

Pets and Animals

Politics and Social Issues

Religion and Philosophy

Sports and Recreation

Technology

Travel and Places

About Us

This website uses cookies