Is LastPass as good as they make it sound?
You've no doubt learned to take the various claims software developers make about their products with a grain of salt, but the gang at LastPass may be right on with theirs. LastPass may just be the last password you'll ever have to remember.
Other DS bloggers have looked at plenty of other options, like Passpack and good ol' KeePass. LastPass has put together an extremely worthy competitor, and I was impressed with how it performed in my test runs.
LastPass installs in two parts: the core application and plugins for both Firefox and Internet Explorer. All data is encrypted on your PC, and only your encrypted file is stored on the LastPass servers. It's also cross-platform, so you can sync your password data across Windows, Mac, and Linux PCs.
During install, the manager effortlessly captures and imports locally stored passwords from both browsers (which shows you just how much you need an encrypted password store), then gives you the option to clear them. It also imports from RoboForm, KeePass, Password Safe, and MyPasswordSafe.
The web interface also allows you to create groups for your logins, edit entries, add descriptions, rename them, set an auto-logoff timeout, view your login history, and much more. It's even smart enough to provide an on-screen keyboard option for logging in, to help you thwart keyloggers.
You can favorite sites for quick access via the browser button (which also handles navigating to and logging in to your sites). A customizable strong password generator is also included.
Multi-PC synchronization worked flawlessly for me during testing on two Windows XP machines and my Linux Mint laptop. Some Ajax-based logins don't work 100% yet, but it's a known issue and the LastPass team is hard at work to smooth out the kinks.
I'm sold. I'll be keeping LastPass on all four of my machines to keep my logins securely in sync.
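
The review's claim that data is encrypted on your PC and only the encrypted file reaches the servers can be sketched as follows. This is an added example, not LastPass's code: PBKDF2, AES-256-GCM, the iteration count, the in-memory "server" and every function name are assumptions, since the page does not describe the actual scheme.

```javascript
// Added illustration; NOT LastPass's code. KDF, cipher mode, work factor
// and all names below are assumptions made for this sketch.
const nodeCrypto = require("node:crypto");
const KDF_ITERATIONS = 200000; // assumed work factor

// Client side: the key is derived locally and is never uploaded.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, "sha256");
}

// Client side: encrypt the vault before anything leaves the machine.
function sealVault(masterPassword, vault) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(vault), "utf8"), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Client side: decrypt a downloaded blob; throws if the key or blob is wrong.
function openVault(masterPassword, blob) {
  const key = deriveKey(masterPassword, blob.salt);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.iv);
  decipher.setAuthTag(blob.tag);
  const pt = Buffer.concat([decipher.update(blob.ct), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// "Server" side: an opaque blob store that never sees the password or key.
const serverStore = new Map();
function upload(user, blob) { serverStore.set(user, blob); }
function download(user) { return serverStore.get(user); }

// What an audit of the uploaded bytes would check: no plaintext secret inside.
function blobLeaks(blob, secret) {
  const wire = Buffer.concat([blob.salt, blob.iv, blob.ct, blob.tag]);
  return wire.includes(Buffer.from(secret, "utf8"));
}

// True when decryption is rejected (wrong password or modified blob).
function isRejected(masterPassword, blob) {
  try { openVault(masterPassword, blob); return false; } catch (e) { return true; }
}

// Constructed sample data.
const sampleVault = [{ site: "example.com", user: "alice", password: "s3cret-Constructed!" }];
upload("alice", sealVault("correct horse battery staple", sampleVault));
```

In a design like this the stored blob is only as hard to crack as the master password the key is derived from, so the KDF work factor and password strength matter more than the AES key size.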


Reader Comments (Page 1 of 2)
Peter said 2:40PM on 8-22-2008
That's all well and good, but I'm sticking with KeePass. I'm not going to trust any security app that's not open source and can't have its code and implementation analyzed.
Joe Siegrist said 4:02PM on 8-22-2008
I'd like to think LastPass.com is a lot better than we make it sound, today we're just a bunch of developers, how could we make it sound good! (Full Disclosure: I work at LastPass.com).
We're standing on the shoulders of the open source movement to make LastPass.com happen, and nothing would make me happier than to release it as open source, but we can't do that right now.
We can release an open source version of how our encryption works (the website is this already actually), and using that you can audit it, and compare it to what we upload and download -- since we're just storing the locally encrypted data at LastPass.com, if you verify our local encryption implementation you can safely use LastPass because LastPass is just storing that encrypted data.
Daniel Blois said 4:02PM on 8-22-2008
I just tried this to see if it could replace RoboForm and it deleted all my Firefox settings and now they won't save. Does anyone know how to fix this? Every time I open Firefox it is asking me to set up Google Toolbar, All-in-One Sidebar, and all my other extensions.
Joe Siegrist said 6:20PM on 8-22-2008
We've attempted to contact Daniel, and haven't had any reports about this from any other users, but to be safe we've made sure that we back up the preference file before touching it going forward.
Matt said 8:05PM on 8-22-2008
Same thing happened to me. I just gave up and deleted my profile. Could it be a conflict with Sxipper?
ixtab said 4:40PM on 8-22-2008
Will it support mobile (especially Blackberry) access to the passwords like RoboForm does?
Joe Siegrist said 4:51PM on 8-22-2008
ixtab- We don't have a mobile version out yet, but will definitely have one soon -- iPhone is first, Blackberry second.
Truegod said 4:42PM on 8-22-2008
I would love to use this, I use KeePass right now, but their OS X client is horrible. I installed and every time I went to the LastPass and logged in it would open a page asking me to create an account... weird (it's in beta though, whatever). Then I imported my KeePass database and now every time I log in I get immediately kicked back to the front page... anyone else having problems??
Joe Siegrist said 4:57PM on 8-22-2008
Truegod - We use OS X as one of our primary machines, so I'm surprised you're having so much trouble -- When you restart Firefox for the first time after installing LastPass, the create_account page should come up, but definitely shouldn't continue to show up.
Would you mind emailing support@LastPass.com with the version of Firefox and OS X you're using and we'll help you figure it out.
Thanks,
Joe
Fred_Washburn said 5:12PM on 8-22-2008
I am also a long-term KeePass user, and I both love it and trust it implicitly. The only thing missing is better integration with Firefox - AutoType works, but I keep looking for something more convenient.
I applaud the efforts of the LastPass developers, but I found it too intrusive, as it made changes to my Firefox profile. I'll pass for now, but keep my eye on future development.
Coincidentally, I noticed a recent posting at the KeePass forum where someone is developing "KeeFox", a plugin which integrates KeePass and Firefox. THIS also is one to watch!
Joe Siegrist said 6:17PM on 8-22-2008
Fred -
It looks like "KeeFox" is at least a year away (if development continues), will be Windows only, and Firefox only at that time, won't provide web access nor will it help portability and syncing. LastPass is here now, has Windows, Mac, Linux on Firefox, and IE on Windows.
As a KeePass user you've already realized you need a password manager, which makes you someone we'd love to get to try LastPass.
As for it being too intrusive -- you can disable the Firefox preference change we make during install (to turn off your built-in password manager) in advanced in the installer. And we return your setting on uninstall, so we're definitely trying to do the right thing.
Joe
Mark said 10:28PM on 8-22-2008
I tried this today, Vista 64. It grabbed my passwords but wouldn't send them to your site. I managed to get them to send through the FF extension hoping the standalone app would allow me to bypass once that was done. WRONG. And silly me, I had the extension remove (I thought hide, it meant delete). I've managed to get the passwords exported to CSV but the password manager keeps starting the installation over and over.
Joe Siegrist said 8:23AM on 8-23-2008
Mark -
There's some confusion here that's our fault -- The 'Password Manager' will always install the plugins, it's really more of an installer to get the plugins on to your PC, and to get insecure passwords off your PC and the resulting encrypted data into LastPass.
After install you should be interacting with the plugins and/or LastPass.com.
We'll make that more clear in the next version.
Joe
Omarra Byrd said 11:41PM on 8-22-2008
I actually love the RoboForm software myself. I use it all of the time and it takes all of the menial everyday tasks that I have to perform on my computer daily and shortens them extremely! What once took me fifteen minutes to complete now takes me only one second because RoboForm does the same task with just one click. In fact I wrote a Report about a lot of RoboForm’s capabilities for use that aren’t even touched on in the User’s Manual for RoboForm. You can get that Report here:
http://www.booksbonkers.com/TheRoboFormReport!2.html
Sometimes this link gets broken and puts you on a 404 error page. If that happens, then just copy and paste the whole link above in a new web browser page.
Henk said 5:58AM on 8-23-2008
Just one simple thing. Encrypted or not, I would NEVER store all my passwords on some faraway server up high in the clouds. What if that server goes down? Or what if some Chinese hacker is attracted by this passwords-honeypot and manages to crack even a small part of it? To me, this is like saving your money in a cookie jar on a public park bench. No, thanks!
Joe Siegrist said 7:59AM on 8-23-2008
Henk -
LastPass has 2 data centers right now and your passwords are stored locally in a cache, so if we're down, you still have access to your passwords, can still export them, can still use them to login to your sites.
LastPass is an exceptionally poor target for hackers because we only have 256 bit AES encrypted data and unlike many companies, we hardly know anything about you.
We use AES-256 bit encryption, which is frankly extreme overkill for protecting your passwords, but we wanted to do everything in our power to make it safe: to quote NIST: http://www.nist.gov/public_affairs/releases/aesq&a.htm
"Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old."
This is like storing your passwords in a vault in Fort Knox, and is significantly stronger than leaving them unencrypted on your PC.
Kevin said 12:37AM on 8-26-2008
Too bad it keeps passwords on their servers. I like my passwords to stay local. For this reason, I'd like to try this, but I won't - and probably never will. When will software developers 'get it' and realize that many potential customers are paranoid (and rightly so) about their data?
I wish KeePass' integration with IE and FF was better, but autotype works well enough for me.
Go KeePass!
Joe Siegrist said 8:15AM on 8-23-2008
LastPass doesn't keep passwords on our servers, we keep 256-bit AES encrypted data, for which we do not have the key.
There's a huge difference there.
We're software developers, and believe me, we get it. We're amongst the most paranoid people out there. We used that paranoia in creating LastPass -- worrying about what would happen if our servers were stolen, if we had a rogue employee, etc, etc, and coming up with a solution that is safe because the encryption and decryption happens on your local machine, never at LastPass.
Joe
Henk said 9:20AM on 8-23-2008
OK Joe,
I guess I'm willing to give it a fair try, but only with nonessential passwords for now: not, for example, with passwords for online banking. You know, if I was a fraudster wanting to steal passwords, this would be exactly the kind of service I would set up to collect my data (and then, after harvesting many thousands of them, I would suddenly let it go bust). In other words, how should I know I can really trust the people behind something like this? I don't think I'm paranoid, but I do want to be careful.
Henk
Lee Mathews said 9:23AM on 8-23-2008
That's an excellent point, Henk, and one for anyone to consider when using ANY online password sync service - even the addon for KeePass.
How do you REALLY know that everything's totally safe once it's off your PC?