ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Is LastPass Risky? A Look at Online Password Management

Updated on February 12, 2018

As the title would suggest, LastPass is an online password manager. Now when some people hear about passwords being stored in the cloud, they immediately run in terror. There is a real concern about a website such as this being hacked, and a lot of accounts’ passwords being stolen, many individual accounts outside LastPass being stolen, and general chaos ensuing. I was and probably still am one of those people. I’ve been thinking about the subject though, and it made me evaluate the two situations: managing passwords online, and managing them offline? Which is more convenient, easier, and above all, which is safer?

Source

Technically while LastPass does store your passwords, it doesn’t know what they are. Passwords are encrypted and decrypted only on your local device, meaning that only the person with the master password has access to the passwords and can see them. If someone were to hack the website and steal a bunch of passwords, they would be useless without the key to decrypt them. LastPass has faced potential breaches in the past (it was never really confirmed if a breach had actually occurred), and when this happened, all LastPass users were required to do was change their master password. The master password isn’t stored on LastPass, and nobody at LastPass knows it. Only you do. You are the only person who can view passwords on LastPass because you have the master password.

Now it would be possible for someone to obtain the master password in a few ways:

  • Someone could guess it if it’s weak enough.
  • They could try a dictionary attack and get it that way (one reason why you should never use words in the dictionary as passwords).
  • They could get it from you – say you’ve written it down somewhere.
  • It could be gotten with the help of malicious software such as a keylogger, which would then send the master password back to the designated server or website belonging to the hacker, and they could then access your account.

Now all of these potential problems have solutions, or rather precautions that one can take – prevention is better than cure after all.

  • Never use a weak password – especially not when it's a master password.
  • Don’t write down your master password or at least store it somewhere safe if you do.
  • And as for keyloggers, always use good internet security software, practice safe surfing, and even if your PC were to have a keylogger on it, you can use virtual keyboards like Neo’s Safekeys (LastPass even provides its own virtual keyboard on the login page) to at least protect you from some types of keyloggers, although probably not all of them.

Criteria
Online Password Manager (LastPass)
Offline Password Manager
No Password Manager
Storing passwords
Stored and encrypted locally; decrypted locally
Stored and encrypted locally; decrypted locally
Stored locally and not encrypted
Password generation
Randomly generated
Randomly generated
Manually; weak, obvious passwords
Password length
12 – 100 characters
12 – 100 characters
6 – 8 characters
Time to crack
virtually uncrackable
virtually uncrackable
almost instantly, or in a very short time
You can use a YubiKey to help further secure your LastPass account.
You can use a YubiKey to help further secure your LastPass account. | Source

There are also many other security features you can use with LastPass, such as notifications sent to an email address if anything suspicious happens in your LastPass account such as a password change that you didn’t authorise. You can enable multifactor verification, where you use your mobile device to log in, in addition to having to type in your master password. And this in essence means that, by extension, all of your accounts managed with LastPass are protected by multifactor verification. The average account doesn’t use multifactor verification (Google, Facebook, LinkedIn, and Tumblr are among the ones that do). And seeing as you won’t have to type in passwords on any website ever again, seeing as you can either automatically log in from your LastPass dashboard, or automatically fill in the information with a click or two at your website sign in page, you are protected from keyloggers too.

You can also limit which countries are allowed to log in, and even disallow logins from Tor (popular with hackers). LastPass also has a security checker that will inform you of weak passwords, and nowadays the most important thing: whether any of your accounts are at risk and need a password change due to a Heartbleed vulnerability.

Features
Online password manager (LastPass)
Offline password manager
No password manager
Security notifications
Yes
No
No (only on select individual accounts)
Multifactor verification
Yes
Sometimes, depending on software used
No (only on select individual accounts)
Master password
Yes
Yes
N/A
Limit login locations
Yes
No
No
Virtual keyboard
Yes (for master password entry)
No (third party only)
No (third party only)
Disallow Tor logins
Yes
No
No
One Time Passwords
Yes
No
No
Security certificate checker
Yes
No
No (would have to be done manually)
Password Iterations
Yes
No
No
Restrict Mobile Access
Yes
No
No
Automatic log off
Yes
No
No
Master Password Re-prompts
Yes
Sometimes, depending on software used
N/A
Dedicated security emails
Yes
No
No
Security checker
Yes
No
No

Managing your passwords offline is rather dangerous – probably a lot more dangerous than with an online password manager. More so than you might realise.

Here are a few reasons why:

  • People tend to write down their passwords, not encrypting them, and even leave them out in the open for others to see.
  • If you write them down, you will more than likely take them with you when you travel, and not have them locked up safely somewhere, and that exposes you to even more risk.
  • People create weak passwords which are very easy to crack.
  • People don’t change their passwords very often, seeing as it’s too much of a hassle and too time consuming.
  • Using a browser to store your passwords is not recommended, because any malicious software will have an easy time of retrieving them. LastPass for instance, has no trouble whatsoever in importing the passwords stored in your browser.

All of these above reasons should explain why even though you think managing and storing your passwords offline is safe, it really isn’t. And they are also a few reasons why you should consider using LastPass, or even another password manager, whether it be online or offline. The reality is, you'll probably be better off.

What do you think of using LastPass and password managers in general?

See results

© 2014 Anti-Valentine

working

This website uses cookies

As a user in the EEA, your approval is needed on a few things. To provide a better website experience, hubpages.com uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at: https://corp.maven.io/privacy-policy

Show Details
Necessary
HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
LoginThis is necessary to sign in to the HubPages Service.
Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
AkismetThis is used to detect comment spam. (Privacy Policy)
HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the googleapis.com or gstatic.com domains, for performance and efficiency reasons. (Privacy Policy)
Features
Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
MavenThis supports the Maven widget and search functionality. (Privacy Policy)
Marketing
Google AdSenseThis is an ad network. (Privacy Policy)
Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
Index ExchangeThis is an ad network. (Privacy Policy)
SovrnThis is an ad network. (Privacy Policy)
Facebook AdsThis is an ad network. (Privacy Policy)
Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
AppNexusThis is an ad network. (Privacy Policy)
OpenxThis is an ad network. (Privacy Policy)
Rubicon ProjectThis is an ad network. (Privacy Policy)
TripleLiftThis is an ad network. (Privacy Policy)
Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
Statistics
Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
ClickscoThis is a data management platform studying reader behavior (Privacy Policy)