Hi,
Let's say I have 100 active passwords. 90 of them are DonationCoder, BitsDuJour, and various Bible and business forums. The only ones that are actively sensitive are financial (banks, credit cards, Amazon, PayPal). Maybe two or three social ones could be considered a bit sensitive (Facebook, LinkedIn).
To what extent do you think that the following group of techniques would allow me to continue using LastPass in the web browser:
a) safe browsing techniques (no gambling, porn, etc)
b) Avast or another decent web shield
c) make all important sites have unique user-password combinations
d) 2FA on all sites with financial capabilities
LastPass is in fact very convenient. And most of what it is used for is non-essential stuff (there used to be discussions about having two "last" passwords, one for critical and one for general; for a while I tried two LP accounts).
The goal I see is to make it so that if passwords are stolen, damage is limited, essentially to zero.
I think of 2FA as only affecting the first time signing in from a locale (not sure what the definition of a locale is with a moving laptop). A cell phone buzz is a very minor extra step in those cases. And a Google email is not much trouble. I prefer the buzz because it is more accessible and less hackable.
Switching to a personal Dropbox-style alternative, e.g. using KeePass, is in fact attractive, but one has to weigh the utility lost.
Switching to an alternative browser-based password manager (Dashlane? 1Password?) likely means similar vulnerabilities, although perhaps less likely to be exploited, simply because the size of LastPass makes it an attractive target.
The big help with browser integration is automatic adding and updating of passwords. You could enter by hand from a vault, but the real-time browser updating saves time and helps make sure the passwords are accurate.
Why isn't a review of 2FA and password practices on those big 10 (or 20) accounts sufficient?
Steven
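Added example, not part of Steven's post and not LastPass tooling: a small Python audit over a constructed vault export that checks the two policies the post proposes, (c) unique passwords on important sites and (d) 2FA on financial sites, against the two ways passwords actually get stolen. The column layout (name,url,username,password,totp,sensitive), the site names and the passwords are all assumptions made up for the example; a real LastPass CSV export has its own columns and would need its header mapped to these names.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export for this example. Not a real LastPass export: the
# column layout and every row are assumptions. "totp" marks a second factor,
# "sensitive" marks the financial/social accounts the post cares about.
SAMPLE_EXPORT = """\
name,url,username,password,totp,sensitive
DonationCoder,https://www.donationcoder.com,steven,correct-horse-battery,,no
BitsDuJour,https://www.bitsdujour.com,steven,correct-horse-battery,,no
Bible forum,https://forum.example.org,steven,correct-horse-battery,,no
Bank,https://bank.example.com,steven,correct-horse-battery,,yes
Credit card,https://card.example.com,steven,Tq9!rLm2#vZp8&wX,yes,yes
Amazon,https://www.amazon.com,steven@example.com,Tq9!rLm2#vZp8&wX,yes,yes
PayPal,https://www.paypal.com,steven@example.com,Kd4$nBq7@hYx1^eM,,yes
Facebook,https://www.facebook.com,steven@example.com,Pw6%cGs3*jRt5!uL,yes,yes
"""


def load_entries(text):
    """Parse the export into a list of dicts, one per saved login."""
    return list(csv.DictReader(io.StringIO(text)))


def is_sensitive(entry):
    return entry["sensitive"].strip().lower() == "yes"


def has_2fa(entry):
    return entry["totp"].strip().lower() == "yes"


def credential_stuffing_exposure(entries):
    """Threat model 1: one site (any site) leaks its password database.

    Returns {leaked_site: [other sensitive sites that share its password]},
    omitting sites whose leak opens nothing sensitive. Policy (c), unique
    passwords on important sites, holds exactly when this dict is empty.
    """
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e)
    exposure = {}
    for e in entries:
        hits = sorted(p["name"] for p in by_password[e["password"]]
                      if is_sensitive(p) and p["name"] != e["name"])
        if hits:
            exposure[e["name"]] = hits
    return exposure


def vault_theft_exposure(entries):
    """Threat model 2: the whole vault, every password, is stolen.

    Unique passwords no longer help here; only a second factor does. Returns
    the sorted names of sensitive sites an attacker could enter with the
    password alone. Policy (d), 2FA on financial sites, holds exactly when
    this list is empty.
    """
    return sorted(e["name"] for e in entries
                  if is_sensitive(e) and not has_2fa(e))


def audit(text):
    entries = load_entries(text)
    return {
        "stuffing": credential_stuffing_exposure(entries),
        "vault_theft": vault_theft_exposure(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for site, victims in report["stuffing"].items():
        print(f"breach of {site} also opens: {', '.join(victims)}")
    for site in report["vault_theft"]:
        print(f"{site}: sensitive, no second factor, password alone suffices")
```

On the constructed data the audit shows why the two policies are separate: the bank shares its password with three low-value forums, so a breach of any of them (threat model 1) is a bank problem, and the bank and PayPal have no second factor, so the vault-theft case the post worries about (threat model 2) is open for exactly those two regardless of how unique their passwords are. Amazon and the credit card share a password, which policy (c) would also flag, but both have 2FA, so the vault-theft check is clean for them.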