Security

LastPass: Is it the password manager for you?

Michael Kassner advocates using password managers, but finds users push back because they are cumbersome to use. Now, he thinks he's found the solution.

I advocate using password managers. But users push back, explaining they are cumbersome to use. Up until now, I could not argue that point.

--------------------------------------------------------------------------------------------------------------

Two things prompted this post. My last article, "Are users right in rejecting security advice," produced a flurry of questions about passwords and the cost of using secure ones. The other has been my quest to find a password manager that users would appreciate. It's not official, but I may have stumbled onto something that will help all of us.

LastPass

Drama aside, I am referring to an app called LastPass. Plain and simple, it is not your usual password manager. For sure it does that, yet it does so much more, such as:

  • Configurable form filling
  • Several multi-factor authentication options
  • Synchronizes across browsers/computers
  • Ability to store information notes securely
  • Stand-alone applications for mobile devices

Get to know LastPass better

Features are important, but if you are like me, understanding everything about an application that is securing my password information tops the list. That's why I inundated Joe Siegrist of LastPass with the following questions. Here's what he had to say:

TechRepublic: What prompted the development of LastPass? Siegrist: LastPass has four founders, who for the past 10 years worked together creating a sizable Software as a Service business for financial service companies. Two years ago, we were ready for a new challenge. LastPass is the outcome of a need we saw and based on our accumulated experience.

We also got lucky: it would have been difficult for us to work together if Maryland was still playing Penn State in football every year. Loyalty to our alma maters runs deep.

TechRepublic: Could you describe how LastPass works, specifically the interaction between the local LastPass client and LastPass.com? Siegrist: LastPass installs an add-on in the browser to capture usernames and passwords as you enter them. The captured data is encrypted, saved locally, and sent to LastPass servers. That way access is not confined to just the one computer.

TechRepublic: I understand that LastPass is based on Host-Proof hosting, could you please explain what that means and the benefit it provides? Siegrist: LastPass utilizes host-proof hosting techniques for your most sensitive data (usernames, passwords, site name, group names, notes, field values, all your form fill profile data, etc.). The core concept behind host-proof hosting is that only the client can access the data because it's sent to the LastPass servers in an encrypted form.

The key benefit is a reduction in how much you need to trust LastPass. You can verify that your data is being encrypted locally and because it is, LastPass employees don't have access to your data on the servers. It also was important to us from a liability perspective. If we never have the plain text data on our servers, it can't be hacked. Also, an employee cannot go rogue and look at this data.

TechRepublic: LastPass uses what is called a salted hash, could you explain what that is and why using it is important? Siegrist: There are two problems we considered:
  • A majority of websites store passwords as plain text.
  • A majority of users use the same password over and over.

Security-conscious Web sites use one-way hashes (a mathematical function that turns input into a long and unrecoverable number) to store password data. That is a good start, but susceptible to computed databases known as Rainbow Tables. To avoid this risk, random data (known as salt) is added to the plain text before hashing. Doing so makes Rainbow Tables useless. LastPass takes this a step further:

  • The user's login hash is salted with the username locally.
  • The new hash is sent to LastPass servers.
  • The hash is salted once again with a random 256-bit number before being stored.

TechRepublic: You mention that LastPass is superior to password managers used by browsers. Why is that? Siegrist: The biggest risk with built-in password managers is how malware is able to steal passwords directly from your password manager. For those who don't believe this is possible, try our Windows installer and see if it finds stored passwords. If LastPass can find passwords, so can malicious applications. During installation, LastPass imports all found passwords, then cleans all traces off your computer.

Another advantage is if you have multiple computers. With LastPass, you do not have to worry about reentering the password data on every computer. You simply install the add-on on the other computer and log in.

TechRepublic: I was reading that you made special provisions for people that use public computers. Would you explain what security measures you have added? Siegrist: Public computers can be a hostile environment. So, we've included ways to mitigate risk:
  • One Time Passwords: Allow you to print out a password list and use each once to log in.
  • Screen keyboard: Can be used to defeat key loggers.
  • Multi-factor authentication options: If the password is compromised there's still another factor protecting you.

TechRepublic: LastPass is capable of using more than one type of multi-factor authentication. What are the options? Siegrist: We currently have 3 available with a few more coming soon:
  • Grid: Our free offering, allows you to print out a set of 260 coordinates and responses. LastPass will challenge you to enter the value of four coordinates to prove you are who you say you are.
  • Sesame: Included in LastPass Premium, Sesame allows you to turn a USB thumb drive into a second factor.
  • Yubikey: A device that acts as a USB keyboard that outputs a one-time password when activated. LastPass then verifies the password with Yubico's servers. You must purchase this separately and have LastPass Premium to utilize it.

TechRepublic: I noticed that you offer LastPass Premium. What are the advantages of using the for-pay version? Siegrist: The main advantage for most people has been our mobile phone applications. We currently have offerings for iPhone/iPod Touch, Android, BlackBerry, Windows Mobile, Symbian, and Palm webOS. Also, multi-factor authentication options are part of LastPass Premium. We also turn off all advertisements and prioritize support for our Premium members.

TechRepublic: There is a LastPass Enterprise, what's different about it and how can it help companies? Siegrist: LastPass Enterprise includes everything in LastPass Premium. Then, it expands on features that are useful in business including greater control, logging, and sharing:
  • You can set up accounts to share (as "Roles"), and they're automatically accepted by your users.
  • When you make a change to a shared account it can be pushed out to your users and accepted automatically.
  • Changing passwords on accounts that are shared amongst team members goes from being a chore to invisible.
  • Logging allows you to see who is using what accounts, and provides more audit capability when you're dealing with a single account shared amongst multiple people.
  • You can also disable and delete accounts if employees leave the company.
  • There are also capabilities around automatic provisioning of accounts on login to an Active Directory domain.

TechRepublic: People are concerned about their personal information being secure, especially when it comes to passwords. How does LastPass guarantee that users' data is only accessible by them? Siegrist: The local encryption of data with a key we do not know is the most important protection. We utilize AES encryption and support anyone with a desire to verify we're doing what we say we're doing.

LastPass also layers security techniques to mitigate risks. For example, we utilize SSL for data transfer, even though the data is already encrypted. We have automatic throttling of bogus-login attempts, and are innovating on the multi-factor front.
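To make the salted-hash layering Siegrist describes above concrete, here is an added Python illustration. It is my own code, not LastPass's; the hash function (SHA-256), the username||password ordering and the use of a plain lookup table as a stand-in for a rainbow table are assumptions the interview does not specify.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Client side: the login hash is salted with the username before it leaves
# the machine, so the server never receives the master password itself.
# Assumption: SHA-256 over username||password; the interview names neither.
# A real deployment would prefer a slow, iterated KDF (e.g. PBKDF2) here.
def client_login_hash(username: str, master_password: str) -> bytes:
    return hashlib.sha256((username + master_password).encode("utf-8")).digest()


# Server side: re-salt the received hash with a random 256-bit value and keep
# only (salt, hash). The salt may be passed in so tests are deterministic;
# production code would always draw it from os.urandom.
def server_store(client_hash: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    if salt is None:
        salt = os.urandom(32)  # 256 bits, as stated in the interview
    stored = hashlib.sha256(salt + client_hash).digest()
    return salt, stored


def server_verify(record: Tuple[bytes, bytes], client_hash: bytes) -> bool:
    salt, stored = record
    candidate = hashlib.sha256(salt + client_hash).digest()
    # Constant-time comparison so verification timing does not leak bytes.
    return hmac.compare_digest(candidate, stored)


# Stand-in for a precomputed table: plain SHA-256 of common passwords.
# A real rainbow table is a time/memory trade-off structure, but the lookup
# semantics (hash -> password) are what matter for the argument.
COMMON_PASSWORDS = ["password", "letmein", "correct horse", "123456"]  # constructed sample
PRECOMPUTED: Dict[bytes, str] = {
    hashlib.sha256(p.encode("utf-8")).digest(): p for p in COMMON_PASSWORDS
}


def table_lookup(digest: bytes) -> Optional[str]:
    return PRECOMPUTED.get(digest)


def demo() -> Dict[str, bool]:
    """Walk through the three layers and return each observation as a boolean."""
    pw = "correct horse"
    alice = client_login_hash("alice", pw)
    bob = client_login_hash("bob", pw)
    # Each user registers; the server draws its own random salt per account.
    alice_rec = server_store(alice)
    bob_rec = server_store(bob)
    return {
        # An unsalted hash of a common password is a direct table hit.
        "unsalted_hit": table_lookup(hashlib.sha256(pw.encode("utf-8")).digest()) == pw,
        # Username salting defeats the precomputed table.
        "salted_miss": table_lookup(alice) is None,
        # Same master password, different users -> different client hashes.
        "per_user_distinct": alice != bob,
        # The server never stores the client hash itself.
        "server_hash_differs": alice_rec[1] != alice and bob_rec[1] != bob,
        # The right credential verifies; another user's does not.
        "verify_ok": server_verify(alice_rec, alice),
        "verify_wrong": server_verify(alice_rec, bob),
        # Re-registering the same client hash yields a different stored value.
        "resalt_distinct": server_store(alice)[1] != alice_rec[1],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```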

Helpful Web site

I found the LastPass Web site helpful. The numerous videos explain how individual components of LastPass work. They also made installation and configuration a snap. I would suggest reading their privacy statement to allay any concerns.

Final thoughts

LastPass has some competition, but I have not found any other password manager/form filler that automatically syncs between computers and has so many options for multi-factor authentication. Some interesting features currently under development are: synchronizing LastPass and Bookmarks/Favorites, Windows login replacement, and biometric multi-factor authentication.

I'm glad I asked all those questions. I'm also thankful for Joe Siegrist's help in answering them.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

72 comments
Charlesgo

It is really helpful and I also find another article about free password managers from a smartkey page, you can read it in http://t.co/AYGt5jLqpA

Flicky Licky

I've never had to work so hard with passwords as I have since installing Lastpass. I spend more time trying to sort it out than I do on any other task. It enters TOTALLY wrong usernames / passwords, it duplicates records, it's been a nightmare. Cheerio

jeffpk

The fatal flaw in LastPass is the idea that their servers will always be available. They were down when I needed them the other night. Not only was this inconvenient, as I was locked out of my application with the LastPass-generated password, but it raised serious questions about their server-side competence, and I don't want an incompetent storing all my passwords. By their very nature they are a hacker's dream target. Instead I put KeePassX for both Mac and Windows on a USB stick. Problem solved and totally under my physical control.

SkyNET32

Michael, can you tell me if LastPass has implemented the feature Siegrist mentioned for Windows login? How does that work? I've been using LastPass for quite a while and love it. I'm not concerned about any "back doors" that the government may be after. Governments have already been asking folks like Verisign for copies of certs from major sites and those sites have complied. Steve Gibson talked about it on one of his SecurityNow podcasts (#243). Now that Verisign was bought out by Symantec, are we not going to trust Symantec? Certificates are bullshit and useless anyway. http://www.grc.com/sn/sn-243.htm

anony_reader

My concern isn't necessarily with the security of Lastpass' technical implementation as much as with its reputation and trusting it. They are a small startup, and though they claim all of your passwords etc. are strongly encrypted on their servers (and this can indeed be verified), who's to say they don't have a back door? The Hushmail incident comes to mind here... (and in that scenario, who is to say a rogue employee can't utilize this back door to steal personal data, rather than using it to give access to the Government under a "court order" or "patriot act" etc.?). In order to fully experience Lastpass as I would use it, I paid for membership since it was trivial and purchased a Yubikey. Technically, it is fantastic. But at the end of the day, it comes down to trust. I then stumbled across Verisign's PIP, which is still in Beta but essentially provides the same core offering as Lastpass (and one would presume they will expand their offering in the near future). Granted, Verisign could very well have a backdoor as well, but they have a lot more to lose reputation-wise than Lastpass. Verisign is at the core of Internet security and trust and is one of the key members of OpenID etc. Today, who has the better technical solution? Lastpass. But who is more trustworthy and who would you turn to for managing your online identity and encrypted passwords etc.? Verisign (plus they are backed by money, in case something goes wrong and they need to reimburse people due to financial loss/litigation). Will Lastpass be around in 1-5 years? Who knows. Will they be able to handle a class action suit financially if needed? Doubtful since they cannot even afford a 3rd party audit. An analogy, sadly, would be putting your life savings into a non-FDIC backed bank run out of your neighbor's house vs. a major international financial institution which is insured, has a reputable and long history of banking, an established name etc. (and granted what the big banks did to us lately, I realize the humor in this analogy). What I would wish would be for Verisign to actually buy out Lastpass and directly utilize their outstanding implementation while offering Verisign's well known name in the trust business. Sadly, when it comes to items as precious as your finances and personal identity, the greatest technology may not be as relevant as dealing with a company that has the same core offering but has a proven reputation revolving around trust.

JCitizen

This explains very clearly what the folks at LastPass were trying to tell me in our support ticket. I was double checking as I was aware of the information stored at LastPass, and wanted to make sure it wasn't compromised at their end of the situation. But I can see, that it would be way easier for the criminal to attempt this on my end. Which with Prevx should be durn near impossible. Also since LastPass checks the URL and HTTPS status for me when logging on to one of my sites, I don't have to rubber neck all the time, to make sure the URL is spelled correctly and whether the SSL session is on. Of course Comodo Verification Engine reminds me of that anyway with its SSL checker! If I don't see the evaluation pop-up, I get concerned and start finding out what is wrong.

Ron K.

...that their secure download page has unauthenticated content shown by the little lock in Firefox with a warning sign. :^0 Trust their password security tool even though you can't fully trust their secure page. You betcha.

ranaonline

Lastpass has made my life so difficult because sometimes I wonder if it is not there anymore, I will not be able to access my mail, bank, ftp, social network.. pretty much anything online! I am so dependent on lastpass.. and I am happy to be so relaxed! It is the last password I have to remember..

birkenhoffs

Password manager tools are a potential security threat. Criminals who hack into the computer can use the password manager to log onto any services that the user is registered to. Websites that aggregate usernames and passwords are even more dangerous. What makes defense difficult is that the compromise is likely to be at the user's endpoint. Has anyone thought about reinventing the password to enhance the security of Web 2.0 applications, federated single sign-on, OpenID and popular client-side applications while maintaining compatibility with any antivirus suites of your choice (Free or Paid)? Securworkplace and Dynamic Identity Protection: I would recommend the adoption of Securworkplace - strong password authentication with built-in identity theft prevention and dynamic data privacy protection. Securworkplace provides users a login that cannot be guessed, phished, or stolen. Users need only type ** to log in to any website or popular application, and type *+ to generate strong passwords unique to each account. Securworkplace protects sessions seven ways: by generating strong passwords on-the-fly, by intercepting then neutralizing both phishing and key logging attacks; by encrypting the working sessions, then deploying its dynamic endpoint sanitization system to rigorously monitor all live user interactions and to continually protect the operating environment. The system then scrubs all session footprints after the session is ended. All files saved in the secure drive on the user device are strongly encrypted to AES256. Securworkplace is available now for Windows PCs, Windows Phones, and USB mass storage devices. Greg Hauw, Founder & CEO, Ohanae, Inc.

dreneeps

Sincerely forgive me if the features Lastpass currently offers were not available at the time of your comment. If they were, though, I would like to defend my beloved password manager by saying you are wrong on ALL of the things you stated to be flawed about Lastpass! The data stored on Lastpass's servers is useless without the user's local data, and the transferred portion of data is also encrypted and salted locally before it is encrypted and salted again on the server side. So even beyond the encryption, what hacker dreams of obtaining a lot of useless incomplete data? I don't know much about KeePassX, but Lastpass I believe offers not only that but the ability to add fingerprint security, 260 custom questions of which 4 are randomly chosen, and specific device only authorization. So go ahead and take my USB drive too and I'll have my account changed remotely before you get the chance to use it, even if you somehow managed to get that far. It does not require an internet connection to access it if you want to set it up that way, or had the wisdom and foresight to perhaps use other means to access/securely store all your important information contained in Lastpass using an independent offline encrypted archive. Lastpass's security is dynamic and can be adjusted to fit whatever the needs of the user may be. Its design is also to be convenient, save time, and be extremely versatile. Oh wait... what's that up there above all the comments?... a well written article that I pretty much just summarized in brief? I guess maybe I could have just said: "Excuse me jeffpk, please read and understand what was communicated and stated in an article before you post a negative comment about what I feel is a service/software that is truly exceptional and has become an invaluable tool."

Michael Kassner

My financial passwords are altogether different. I do not trust any password vault with them. I do trust TrueCrypt explicitly though and that is how they are kept safe. My contention is that LastPass makes it so easy to have all the right things going on. So, I consider it the lesser of two evils.

JCitizen

and reputation-wise, I must agree with you. For smaller organizations, LastPass may be good enough; it depends on how badly the loss of data can damage the individual or organization. In my case, I have several layers of defense, both in my network and my banking, so I can keep the damage to a minimum. I'm reading more and more about how much attention has been paid to the LastPass organization over the last several years, and they have been pretty well vetted; but no comparison to Verisign, that is for sure.

Michael Kassner

I don't get the same information. Can you provide more details?

Michael Kassner

You can export the password database in several different methods, including a .csv file.

Michael Kassner

Little difference between your offering and LastPass. You are using a slightly different approach, but everything you advertise LastPass seems to have as well. Unless I am missing something.

SkyNET32

I've noticed after reading your post on their forums for Feature Request that support for Windows logon was the most voted on feature request. I plan on buying the Premium edition for myself (not the Enterprise, overkill for me), but I would love it if I could use Lastpass for a machine's Windows login. Don't know how they would do that though? Did they give you any idea as to how they would do that?

anony_reader

You do not trust any password vault with whom? You are correct in that LastPass, today, offers the best solution hands down and it is awfully convenient (as I said, I am a fully paid member testing it out today). Another interesting question is: if you delete your LastPass account, all of your information (passwords) is presumably destroyed on its servers, but is it destroyed off of their backup servers/devices/tapes?

Michael Kassner

I may agree with both of you, but I talked to the LastPass crew and there is something special going on. Besides, I'd rather have the company do one thing really well than many things so-so.

Ron K.

I used the link in your article to navigate to the download for LastPass. The download page is supposedly a secure page, https://. As is generally my habit on secure pages, I look at the 'lock' symbol in my browser, at the bottom of the page, right of center, and the lock has a red exclamation point through it. Clicking on the symbol tells what the warning is.

jpk

No thanks.

JCitizen

I like your moniker; maybe you are also a T series fan such as I? I'm renting the Sarah Connor Chronicles now; I missed it on Fox last season; got to catch up! Man is it awesome in blu-ray!!

SkyNET32

I hear you about the RDP scenario, but at least Teamviewer doesn't support Intel's vPro technology. Could be a potential back door for a hacker to remote wake up your PC. Teamviewer isn't one of the many companies who plan on supporting Intel's technology. We'll just have to see.

JCitizen

it would take putting a remote desktop solution on the PC along with the browser plugin - something LastPass would rather forgo, I'd imagine. Anytime you introduce an RDP thing like that, you could compromise the PC, as such a solution could be utilized by the bad guys too. Logmein is the only remote client I trust right now; if they put an addon to that, it might be cool - but would be hard to secure, I imagine. If you use standard accounts and your PC is in a secure room, with no one able to mess with it, why not just get rid of the password on the standard account? This would not be for laptops, of course, that are mobile, but for at-home PCs it shouldn't be a problem.

JCitizen

the folks at lastpass said they never see the key; and they don't need it. I'm ignorant of just where the "key" is stored, so I must digress.

anony_reader

I understand that they encrypt locally to the server, but in the situation I am speaking of, it becomes irrelevant. Again, I'm speaking about a decryption key "backdoor" that essentially allows the information on the server to be decrypted. A backdoor as required/requested by the government. And then this decryption "key" falls into the wrong hands of a rogue employee who decides to steal everybody's identity, sell information, steal money etc. Again, I refer to Hushmail's incident. In a perfect world, Lastpass and all others would admit that such a backdoor exists as required by them and then let us know what they've put in place to protect such a decryption key from a rogue employee situation.

JCitizen

...so far it has stopped anything that has tried to read my keyboard or screen. Whether it is truly putting that bubble around the browser will have to be seen, I suppose. Hopefully I can get one of my clients to test [b]Rapport[/b] here very soon; so I can guesstimate how well it does the same thing.

Michael Kassner

About key loggers and malware that steals PII locally than a backdoor at LastPass. I have checked the traffic going to their servers and it is total gibberish.

JCitizen

are for limiting government intrusion in this area. We are pushing our politicians to review the constitutionality of the latest violations of personal privacy. I can assure you there will eventually be a fight on this. We are not willing to give up freedom for safety. That is a fool's game and everyone in America knows it, or should know it. For the few I run into who do think this intrusion is okay, I have a vigorous argument for them. That is, if it will do any good to argue with them. You can't fix stupid.

anony_reader

They claim that they have no key to the encrypted data, the same way Hushmail and other similar cloud services do. However, we know that the US government wants back doors, or even requires them, into everything encrypted. This might very well be the case for Lastpass and so there might be a backdoor somewhere to access encrypted information. The chances that the government will want to spy on the average person like you and me is slim (I hope) - so I don't fear this so much. However if a backdoor indeed exists, this means that there could be a rogue employee, e.g. at Lastpass, who could access data the same way the government can, because the method exists. The problem is that no company, that has a back door, will ever mention it because that would kill their business. Since the average person has no idea about the government and back doors, it is easy for service providers to keep it silent. Companies could build more trust if they were truly honest about their existence and explain what processes they have put in place to prevent rogue employees from stealing personal data and what the process is for providing (only) the government access.

JCitizen

Maybe Michael can correct me, but certain types of encryption self destruct if the wrong key is attempted upon cracking the code. Similar to IPsec; if you interrupt the data stream to try to gain the packets, the data is instantly scrambled and unusable. I should think a permanent data encryption for files would work the same way. Since even the LastPass employees don't have the key, this would only result in loss of data, nothing more.

JCitizen

someone has to step up to the plate. I choose LastPass, until I get compromised and can trace it back to them. I look at my defenses first, of course, as that is many times the first leak. I thank both Michael and you for your contributions on this subject. This is relevant discussion! Many of my clients are barely making it financially, and I have to reflect their needs. Just because they are poor doesn't mean they can't be ripped off by web-criminals. This type of crime is so automated, the criminals do not have to do much to get their ill-gotten gains, and even $20 gets them web-space on their next command and control server.

anony_reader

Hushmail also had something very special going on and did one thing very well, then we learned they had secretly implemented a backdoor to their encryption so that all their customers' encrypted information was accessible, even though they also repeatedly touted and claimed that it was not possible. Again the analogy of banking: do you place your life savings with a previously unknown SoHo bank with great service but no FDIC insurance etc.? Or a bigger, established and reputable bank, where regardless of service, your money is insured and they insure you fully against online fraud/online bank hacking, etc.? I'm not belittling the folks at Lastpass, but anybody starting a business will want to sell it and market themselves as "special", that's natural. It's just too easy to sign up for such a service online these days and buy into hype and then place all your precious information in the hands of a company you really don't know. Only time will build their reputation.

JCitizen

I'm hooked, LastPass will be the last password tool I'll need, until second factor gets underway, but since they are already ready for that also, I doubt I'll have to switch! Also on concerns for keyboard entry, I wanted to say that I never have to enter any of my site passwords through the keyboard; I always generate them, and save them automatically. Now of course I have to enter the password for the vault, but as the article points out, one can use techniques to enter that information without entering through the keyboard anyway. Since I have confidence in Prevx anti-key-logger blocking technology, I'm not particularly worried about it. The thing I really like is all I have to do to deploy this to all my machines is download the plug-in, then logon to the console, and voilà! I got all my passwords I need to get onto my sites! This is very handy if you do a lot of re-installing of operating systems or have many PCs inside your network. I let LastPass do my deployment, I just download it! =D

JCitizen

********(New INFORMATION)*********** Joe at LastPass got hold of me and updated me on their certificate change. All is good now, and networking4all reports a perfect score. [b]NOW THAT IS A COMPANY THAT CARES!![/b] I'm glad I purchased the premium support at LastPass!

*************** EDITED!! ***************

Their certificate fails with Comodo too, but I always double check on networking4all what is specifically wrong with it first, before passing judgment.

[b]SSL Certificate correctly installed[/b] [i]This certificate should be trusted by all major web browsers[/i] This website has the possibility to send data across a secure connection. [b]This is no guarantee that this indeed will happen, it is however a good indication.[/b] To be sure we advise you, before you submit any personal information, to check if the url in the address bar starts with https:// instead of the insecure http:// The additional 's' stands for security.

I marked the weaknesses with a caret below, and one glaring deficiency with [!].

-SSL Certificate is not expired
-Site is listed in the certificate
> Organization details are not listed
-Encryption strength is at least 1024-bit
-Signature Algorithm is strong
[b][!] Accepting low encryption cipher suites[/b]
> No connection upgrade to 128-bit for old browsers
> No Extended Validation on company details
-No Debian weak key present
-No known security issues for this Certificate Authority
-No unlawful obtained Subject Alternative Name

General info: The SSL Certificate for lastpass.com is signed by Starfield Secure Certification Authority which is signed by Starfield Technologies, Inc. which is signed by http://www.valicert.com/ which is signed by http://www.valicert.com/ . The SSL Certificate will expire on dinsdag 11 januari 2011 this means it is still valid for 279 days.

I have pointed this out with LastPass, and they seemed nonplussed, but very encouraging to me that everything is OK. I told them it doesn't exactly engender confidence, even if their system is beyond the level of secure because of the nature of their product and the heavy encryption they use. I will however continue to use LastPass, as it is one of the neatest things to come out since Trend Micro started encrypting personal information on the computer back in 2006. Norton also has a built-in browser vault that auto fills forms. However LastPass has more granular control, and is way more intuitive to use. I rarely read the instructions, and stumble around with it. But it is so easy, it would take longer to read the instructions than to simply change what I'm doing and easily correct the procedure!

Ocie3

explains why Perspectives was developed and how it works. To understand why your browser was reporting an error, but did not do that after you installed Perspectives, read the short "Description" section on the first page of the Perspectives web site. It reminds me of Cormac Herley's assertion that almost all SSL certificate warnings are "false positive", as discussed in the Tech Republic IT Security article "Are users right in rejecting security advice" by Michael Kassner ( http://blogs.techrepublic.com.com/security/?p=3275&tag=content;col1 ).

Michael Kassner

It was developed by Bruce Schneier. I still use it for non-Web-site passwords.

Ron K.

The 'trust no one' approach may suit me.

Michael Kassner

I was hesitant at first too. I am hooked on its convenience (only human). I have used Password Safe for many years and still think it is probably the most secure (trust no one) approach. But, it requires a lot more attention.

Ron K.

I don't think that LastPass is for me but I appreciate your bringing it to my attention.

Ron K.

I couldn't find SSL Blacklist. After installing Perspectives there was no error. I'm going to disable Perspectives so that I can see if a secure website has errors. I want to know.

Ron K.

I may try those add-ons to see if I get the alert.

Michael Kassner

I have Perspectives and SSL Blacklist add-ons and they are not alerting me either.

Ron K.

"I used the link in your article to navigate to the download for LastPass." I didn't say that it led me directly to the download page, even though the link does take you to a page having a big download button on the right side.

Ocie3

but I have not been able to find a link in Michael's article that is for the "download page" at the LastPass web site. The first link that I see is for the home page, the other links are for pages about LastPass features. Accessed from the home page, the download page is: https://lastpass.com/misc_download.php Firefox doesn't report a warning when it fetches that page for me. When I put the mouse cursor on the "lock", the message "Authenticated by Starfield Technologies, Inc." is displayed.

Michael Kassner

I am still evaluating the app. But, any packets that are destined for LastPass are encrypted. So, I tend to agree with your assessment.

Gerbilferrit

if you'd read the article proper you'd have understood how they store your information. I've been using LastPass for about a month and it is a real gem of an app. Your concern is an obvious one and the creators have seen through and solved many of the issues of such a system quite elegantly, and made it really user friendly. This is by no means some dirty quick fix for storing passwords in the cloud.
