Multiple LastPass Vulnerabilities Discovered Recently


wraith808:
Offline isn't really an advantage to some of us.  My use case, it's a disadvantage.

Deozaan:

Would you care to expound on what, in your opinion, makes KeePass so great compared to the myriad other password managers out there?
-Deozaan (March 22, 2017, 01:22 AM)
--- End quote ---

Certified/audited, open source, offline.

More generally, it really doesn't require a technical analysis or knowing the technology inside out to have reached the point that storing things online is a risk. This is not even paranoia at all, I am hardly paranoid, it's a fact of life. Even a service with a perfect security record is waiting to be the next to fall.
-rgdot (March 22, 2017, 08:46 AM)
--- End quote ---

How do you handle logins from your various devices? Do you sync your password file somehow?

rgdot:
How do you handle logins from your various devices? Do you sync your password file somehow?
-Deozaan (March 22, 2017, 05:12 PM)
--- End quote ---

There have been times where I have had KeePass in a Dropbox folder, but mostly everything is already logged in on all devices and a password change only means re-logging on devices 'manually'. Obviously site admin panels and banking/money related ones I don't stay logged in, but that is a special case, and banking accounts especially are either memorized or accessed from one machine only.
I see sync as more an appointment, calendar thing than a password thing.

wraith808:
How do you handle logins from your various devices? Do you sync your password file somehow?
-Deozaan (March 22, 2017, 05:12 PM)
--- End quote ---

There have been times where I have had KeePass in a Dropbox folder, but mostly everything is already logged in on all devices and a password change only means re-logging on devices 'manually'. Obviously site admin panels and banking/money related ones I don't stay logged in, but that is a special case, and banking accounts especially are either memorized or accessed from one machine only.
I see sync as more an appointment, calendar thing than a password thing.
-rgdot (March 23, 2017, 12:31 AM)
--- End quote ---


Yeah, definitely a different use case than me.  I have a two-pronged problem that LastPass helps me with, and I haven't been able to find anything that really solves them (1Password came closest, but in the end wasn't what I needed for a final solution).

1. I use my passwords on many devices.
2. I share my passwords with my wife in the case that I'm indisposed.
3. I have many devices/items that are 2fa enabled (a lot of them time out after a given time, and a lot of them time out for no particular reason at all)
4. My workplace is paranoid for home workers (they have 2fa every time something happens, i.e. I log in to office and am logged in, then go to Skype - which is connected - they text me again for 2fa, and they time out the connections on different intervals.)
5. Their password requirements are very long and complex.

Too much security with too many passwords, with the need to share and be able to 2fa.  I feel like a hacker sometimes with what I have to go through for a simple login, but they probably have it easier.

I had to change my master work password yesterday, and spent a good 2-3 hours getting everything synced and working before I could get back to work.  And heaven help me if I don't have cell/email reception.

Deozaan:
Ouch. Things are looking worse and worse for LastPass. This is the third vulnerability found in LastPass this month.

The flaw, which affects the latest version of the LastPass browser extension, was briefly described on Saturday by Tavis Ormandy, a researcher with Google's Project Zero vulnerability reporting team. When people have the LastPass binary running, the vulnerability allows malicious websites to execute code of their choice. Even when the binary isn't present, the flaw can be exploited in a way that lets malicious sites steal passwords from the protected LastPass vault. Ormandy said he developed a proof-of-concept exploit and sent it to LastPass officials. Developers now have three months to patch the hole before Project Zero discloses technical details.

"It will take a long time to fix this properly," Ormandy said. "It's a major architectural problem. They have 90 days, no need to scramble!"
-https://arstechnica.com/security/2017/03/potent-lastpass-exploit-underscores-the-dark-side-of-password-managers/
--- End quote ---
