Excellent info. I posted this earlier about AES-256, but it's worth repeating as not everyone understands the technology used by the Federal Gov't (among others) on the most secure networks.

Your passwords are all stored in a single encrypted blob aka vault, which is encrypted by the client using your master password and sent to the server. The server does not ever store your master password. You login to your account, to download the vault, using your master password but they do this by creating a hash of your username that is encrypted by your master password on the local system and then storing that on their server. So basically when you login your "password" is really just your username encrypted locally using your master password and is just as secure as the vault itself. Your master password is never sent to the server or stored on the server. The password is only ever used on the local device.
Here's the whitepaper if you're interested...
https://enterprise.lastpass.com/wp-content/uploads/LastPass-Technical-Whitepaper-3.pdf
In addition to all the encryption they protect the server side with extra hashing, so your encrypted user name is encrypted again using their own server side encryption. They also cut off brute force attacks by locking an account after a few failed attempts. And they also offer two factor authentication which won't even allow you to try to download without a code and they only accept authenticator apps or special security key devices for 2FA, no SMS, so there is no way to spoof that.
But let's say they cracked the server and downloaded everyone's vault file. Every single one is encrypted using a different master password using AES256 encryption. A brute force decryption of even just one file would require hundreds of years using current technology. And because they're not stored with any identifying information, only that encrypted and hashed user name which would also take hundreds of years to decrypt, it is literally impossible for them to crack your vault without knowing, or guessing, your master password.
So I stand by my statement that it's impossible. Unless you use a stupid master password that's easy to guess.
Another technique I heard about recently that increases security even more is setting up an email with an anyone@ domain. An anyone@ domain will accept email addressed to anything @yourdomain.com and route it to a single inbox. You then use the password generator in LastPass to generate both a unique email AND a unique password. Talk about impossible to crack. If someone happened to hack a site and gain access to your email and password for that site not only would the password be unique but the email would be unique, so they'd have no way to tie any information back to you. If you connected the anyone@ domain to a forward domain they wouldn't even know where the email is actually being sent.
My point is if you want to get crazy with security you can and it's relatively easy with the tools available today.
I'm imagining a homeowner who puts a steel door on his house with seventeen locks and a bar across the door, and then the burglar breaks a window and burgles the house. Once it's more difficult to pick the lock than to break a window, a better lock serves no further purpose. From the descriptions above, LastPass is like a reinforced steel door on a glass house. For people who cannot remember several difficult and unique passwords, it sounds convenient.
You can also generate a token that gives no control of the vehicle and only offers read-only access to the API's data. Which is exactly what I've done. The only way to send a command to make my car do something is from my Tesla app, or if you're Tesla.
The password managers built into all 3 major browsers have been hacked. They aren’t safe at all.
This is only sort of true. Some of the "hacks" involved requiring you to go to a specially crafted site that embedded the site you actually wanted to go to, and capturing the login for the second site by the first site. Not exactly what you'd call a common or transparent vector. Other "hacks" involved being able to collect the automatic password reset link from a site's URL value (they all encrypt that field now), and I believe another of the hacks was the ability to fetch unencrypted notes data.
The real vulnerabilities of these tools have historically been not scrambling and then clearing the clipboard contents, and not scrambling / randomizing their own internal stack space. As far as I know they've all addressed those issues, which prevent other privileged apps from scanning memory space and finding the in-RAM data structures.
These apps are vastly more secure than using crappy passwords, or attempting to be clever and only coming up with what is an easily cracked crappy password that's hard to remember.
To those in the security world my main question is:
Why, when I log in to a site, do I only get a few attempts to get it right before being locked out or delayed, but in the examples above hackers get 1000s of attempts per second?
It's been a while since I looked at this. Good to know they're improving the internal password managers. People are more likely to use these things if they're built right into the browser.
Sadly, not all do.
You log into LastPass with your master password on your computer (or other device) and your website passwords are downloaded to your computer or device. When you go to a website, LastPass will auto-fill the username and PW for that site. If you have 2FA setup for a particular website, you will then still get that push to complete the login from that website.

> Can someone tell me how I as a user would interact with LastPass? Let's say I have LastPass in my browser or on my tablet and I want to log in to my bank. Right now I would enter my user name and password. If I'm on a new device I'd get a text on my phone with an authentication code. Otherwise I'd be logged in. How would this process work with LP? Would I still type my user name and then my long master password into a LastPass pop-up window?
They say everything is stored locally but accessible from any device. If I have LP on two different browsers on my desktop computer and the app on my phone and my tablet, I take it they communicate with each other, but if everything is stored locally, how do those LP-generated individual passwords get from my computer to my phone and tablet?
What about a forum that normally I'm automatically logged into? Would I still be logged in automatically, or would LP require my master password every time?
I went on their web site and looked through "How it works" and there's a bunch of jargon about how it protects data, but I couldn't find anything about the user experience.
Thanks.
> But if they can steal the hash of your password they can sit down and try to crack the hash locally on their own computers without touching the web site at all.
How are these typically stolen?
Even if stolen, and you use the browser's built-in password manager or have the same simple password for all noncritical sites (using a noncritical email account) and unique passwords for critical ones, the risk seems small, or am I being naïve?
Nothing wrong with having auto-fill enabled for LastPass, that's the whole point of it. The UN/PW are presented from your computer or device. Or are you talking about a different kind of auto-fill?

> First off I want to say you should NEVER EVER have auto-fill enabled EVER. That's begging for something malicious to happen, turn it off.
Your LastPass (or 1Password, or any other) data is stored in LastPass' cloud service. Your client downloads an encrypted blob of data and decrypts it locally at your device. So your data is never sent unencrypted to anywhere. Every device must do its own decryption and encryption of any changes that need to be sent to the cloud.
The LastPass client can be (should be) set up to use 2FA when logging in, and you can choose to authorize a device for 30 days so it doesn't ask every time. Whatever sites you use should also be configured to use 2FA so that even if someone broke into your password manager, they'd still need to unlock your mobile device, or physically possess your second factor token or recovery codes.
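As an added illustration (not code from LastPass or its whitepaper; the iteration count is an assumed placeholder, not the product's real value), here is the scheme described in the first post, where the vault key and the login credential are both derived locally and the server only keeps a re-hashed copy, together with the answer to the later question about offline cracking: a stolen server record can be tested at the attacker's own speed, so it is exactly as strong as the master password behind it.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this illustration only


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client side: the key that encrypts the vault. It never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), ITERATIONS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way step, so what is sent to log in is not the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def server_store(login_hash: bytes):
    """Server side: salt and hash the received credential again; this is all that is stored."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)


def server_verify(record, login_hash: bytes) -> bool:
    """Server side: constant-time comparison of the re-hashed credential."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
    return hmac.compare_digest(stored, candidate)


def survives_wordlist(record, username: str, wordlist) -> bool:
    """Defender's check: does a stolen record resist every guess in a wordlist?
    Each guess costs the full client and server derivation, and no server lockout
    applies because nothing touches the website; only the master password's
    strength limits the attacker here."""
    for guess in wordlist:
        if server_verify(record, derive_login_hash(derive_vault_key(guess, username), guess)):
            return False
    return True


# Constructed sample: one weak and one strong master password for the same user.
USER = "alice@example.com"
COMMON = ["letmein", "password123", "qwerty"]   # constructed mini wordlist
weak_record = server_store(derive_login_hash(derive_vault_key("password123", USER), "password123"))
strong_pw = "correct-horse-battery-staple-7Q!"
strong_record = server_store(derive_login_hash(derive_vault_key(strong_pw, USER), strong_pw))
```

Note that the server never sees the master password or the vault key in either branch; it only ever verifies the re-hashed login credential.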