Is Lastpass as good as they make it sound?
You've no doubt learned to take the various claims software developers make about their products with a grain of salt, but the gang at Lastpass may be right on with theirs. Lastpass may just be the last password you'll ever have to remember.
Other DS bloggers have looked at plenty of other options, like Passpack and good ol' Keepass. Lastpass has put together an extremely worthy competitor, and I was impressed with how it performed in my test runs.
Lastpass installs in two parts: a core application and plugins for both Firefox and Internet Explorer. All data is encrypted on your PC, and only the encrypted file is stored on the Lastpass servers. It's also cross-platform, so you can sync your password data between Windows, Mac, and Linux PCs.
During install, the manager effortlessly captures and imports the saved passwords from both browsers (which shows you just how much you need an encrypted password store), then offers to clear them from the browsers. It also imports from RoboForm, Keepass, Password Safe, and MyPasswordSafe.
The web interface also allows you to create groups for your logins, edit entries, add descriptions, rename them, set an auto-logoff timeout, view your login history, and much more. It's even smart enough to offer an on-screen keyboard option for logging in, to help you thwart keyloggers.
You can favorite sites for quick access via the browser button (which also handles navigating to and logging in to your sites). A customizable strong password generator is also included.
Multi-PC synchronization worked flawlessly for me during testing on two Windows XP machines and my Linux Mint laptop. Some AJAX-based logins don't work 100% yet, but it's a known issue and the Lastpass team is hard at work smoothing out the kinks.
I'm sold. I'll be keeping Lastpass on all four of my machines to keep my logins securely in sync.
Comments
Peter, Aug 22nd 2008 2:40PM
That's all well and good, but I'm sticking with KeePass. I'm not going to trust any security app that's not open source and can't have its code and implementation analyzed.
Joe Siegrist, Aug 22nd 2008 4:02PM
I'd like to think LastPass.com is a lot better than we make it sound; today we're just a bunch of developers, so how could we make it sound good! (Full Disclosure: I work at LastPass.com).
We're standing on the shoulders of the open source movement to make LastPass.com happen, and nothing would make me happier than to release it as open source, but we can't do that right now.
We can release an open source version of how our encryption works (the website is this already actually), and using that you can audit it, and compare it to what we upload and download -- since we're just storing the locally encrypted data at LastPass.com, if you verify our local encryption implementation you can safely use LastPass because LastPass is just storing that encrypted data.
Daniel Blois, Aug 22nd 2008 4:02PM
I just tried this to see if it could replace RoboForm and it deleted all my Firefox settings and now they won't save. Does anyone know how to fix this? Every time I open Firefox it is asking me to set up Google Toolbar, All-in-One Sidebar, and all my other extensions.
Joe Siegrist, Aug 22nd 2008 6:20PM
We've attempted to contact Daniel, and haven't had any reports about this from any other users, but to be safe we've made sure that we back up the preference file before touching it going forward.
Matt, Aug 22nd 2008 8:05PM
Same thing happened to me. I just gave up and deleted my profile. Could it be a conflict with Sxipper?
ixtab, Aug 22nd 2008 4:40PM
Will it support mobile (especially Blackberry) access to the passwords like Roboform does?
Joe Siegrist, Aug 22nd 2008 4:51PM
ixtab- We don't have a mobile version out yet, but will definitely have one soon -- iPhone is first, Blackberry second.
Truegod, Aug 22nd 2008 4:42PM
I would love to use this, I use keepass right now, but their OS X client is horrible. I installed it and every time I went to LastPass and logged in it would open a page asking me to create an account... weird (it's in beta though, whatever). Then I imported my KeePass database and now every time I log in I get immediately kicked back to the front page... anyone else having problems?
Joe Siegrist, Aug 22nd 2008 4:57PM
Truegod - We use OS X as one of our primary machines, so I'm surprised you're having so much trouble -- when you restart Firefox for the first time after installing LastPass, the create_account page should come up, but it definitely shouldn't continue to show up.
Would you mind emailing support@LastPass.com with the version of Firefox and OS X you're using, and we'll help you figure it out?
Thanks,
Joe
Fred_Washburn, Aug 22nd 2008 5:12PM
I am also a long-term KeePass user, and I both love it and trust it implicitly. The only thing missing is better integration with Firefox - AutoType works, but I keep looking for something more convenient.
I applaud the efforts of the LastPass developers, but I found it too intrusive, as it made changes to my Firefox profile. I'll pass for now, but keep my eye on future development.
Coincidentally, I noticed a recent posting at the KeePass forum where someone is developing "KeeFox", a plugin which integrates KeePass and Firefox. THIS also is one to watch!
Joe Siegrist, Aug 22nd 2008 6:17PM
Fred -
It looks like "KeeFox" is at least a year away (if development continues), will be Windows only, and Firefox only at that time, won't provide web access, nor will it help portability and syncing. LastPass is here now, has Windows, Mac, and Linux on Firefox, and IE on Windows.
As a KeePass user you've already realized you need a password manager, which makes you someone we'd love to get to try LastPass.
As for it being too intrusive -- you can disable the Firefox preference change we make during install (to turn off your built-in password manager) under Advanced in the installer. And we restore your setting on uninstall, so we're definitely trying to do the right thing.
Joe
Mark, Aug 22nd 2008 10:28PM
I tried this today, Vista 64. It grabbed my passwords but wouldn't send them to your site. I managed to get them to send through the FF extension, hoping the standalone app would allow me to bypass once that was done. WRONG. And silly me, I had the extension remove (I thought hide, it meant delete). I've managed to get the passwords exported to CSV but the password manager keeps starting the installation over and over.
Joe Siegrist, Aug 23rd 2008 8:23AM
Mark -
There's some confusion here that's our fault -- the 'Password Manager' will always install the plugins. It's really more of an installer to get the plugins on to your PC, to get insecure passwords off your PC, and to get the resulting encrypted data into LastPass.
After install you should be interacting with the plugins and/or LastPass.com.
We'll make that more clear in the next version.
Joe
Henk, Aug 23rd 2008 5:58AM
Just one simple thing. Encrypted or not, I would NEVER store all my passwords on some faraway server up high in the clouds. What if that server goes down? Or what if some Chinese hacker is attracted by this passwords-honeypot and manages to crack even a small part of it? To me, this is like saving your money in a cookie jar on a public park bench. No, thanks!
Joe Siegrist, Aug 23rd 2008 7:59AM
Henk -
LastPass has 2 data centers right now and your passwords are stored locally in a cache, so if we're down, you still have access to your passwords, can still export them, and can still use them to log in to your sites.
LastPass is an exceptionally poor target for hackers because we only have 256-bit AES encrypted data and, unlike many companies, we hardly know anything about you.
We use AES-256 encryption, which is frankly extreme overkill for protecting your passwords, but we wanted to do everything in our power to make it safe. To quote NIST: http://www.nist.gov/public_affairs/releases/aesq&a.htm
"Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old."
This is like storing your passwords in a vault in Fort Knox, and is significantly stronger than leaving them unencrypted on your PC.
Kevin, Aug 26th 2008 12:37AM
Too bad it keeps passwords on their servers. I like my passwords to stay local. For this reason, I'd like to try this, but I won't - and probably never will. When will software developers 'get it' and realize that many potential customers are paranoid (and rightly so) about their data?
I wish KeePass' integration with IE and FF was better, but autotype works well enough for me.
Go KeePass!
Joe Siegrist, Aug 23rd 2008 8:15AM
LastPass doesn't keep passwords on our servers, we keep 256-bit AES encrypted data, for which we do not have the key.
There's a huge difference there.
We're software developers, and believe me, we get it. We're amongst the most paranoid people out there. We used that paranoia in creating LastPass -- worrying about what would happen if our servers were stolen, if we had a rogue employee, etc, etc, and coming up with a solution that is safe because the encryption and decryption happens on your local machine, never at LastPass.
Joe
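Joe's point above, and the review's note that only the encrypted file reaches the servers, is easiest to see in code. The following is an added illustration and not LastPass's own code: it derives a 256-bit key from the master password, seals the vault on the client with AES-256-GCM, and shows that the stored blob cannot be opened with any other key. The KDF (PBKDF2-HMAC-SHA256), the per-user salt and the GCM mode are assumptions; the page only names AES-256.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// deriveKey is a minimal PBKDF2-HMAC-SHA256 (one 32-byte block = a 256-bit
// AES key). PBKDF2 is an assumed KDF; the page only states AES-256 is used.
func deriveKey(master, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j] // T = U1 xor U2 xor ... xor Uc
		}
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key is what selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealVault runs on the client. Its output (nonce || ciphertext || tag) is the
// only thing uploaded, so the server holds ciphertext and never the key.
func sealVault(key, vault []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, vault, nil), nil
}

// openVault also runs on the client; with any other key (the server's view or
// a stolen blob) the GCM tag check fails and no plaintext is released.
func openVault(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() { return nil, errors.New("bad key or truncated blob") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

Following Joe's auditing suggestion, what a reviewer would compare is the blob sealVault produces against what the client actually uploads.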
Henk, Aug 23rd 2008 9:20AM
OK Joe,
I guess I'm willing to give it a fair try, but only with nonessential passwords for now: not, for example, with passwords for online banking. You know, if I was a fraudster wanting to steal passwords, this would be exactly the kind of service I would set up to collect my data (and then, after harvesting many thousands of them, I would suddenly let it go bust). In other words, how should I know I can really trust the people behind something like this? I don't think I'm paranoid, but I do want to be careful.
Henk
Lee Mathews, Aug 23rd 2008 9:23AM
That's an excellent point, Henk, and one for anyone to consider when using ANY online password sync service - even the addon for KeePass.
How do you REALLY know that everything's totally safe once it's off your PC?
Joe Siegrist, Aug 23rd 2008 10:27AM
Henk -
It's a fair point, though if you look at our product closely you'll see a lot of features, and a lot of time and effort has been put in to do this right; and I'm talking about the little features that no one notices otherwise because the product 'just works' like refreshing open LastPass.com browser sessions when you add a password in another tab, or offering to replace an existing account, or confirm a password update. These things take a lot of time, and supporting IE and Firefox is more than double the amount of work.
My team and I also have a reputation which we've worked hard to build and wouldn't throw away; I was an executive at a software company which was acquired for $50M, and worked extensively with large Financial Service clients.
We originally started writing this months ago with everything encrypted server side (believe me, that's a lot easier), but stopped and spent an extra few months making sure we could make the entire system run with exclusively client side encryption because we wanted something that would hold up to scrutiny, wanted something we could use comfortably, something where the server could be stolen and we wouldn't be a headline news story.
There are other start-ups out there which are taking your password and keeping it on their servers, or using the built-in, insecure password manager -- we didn't want to be like them.
Trust is earned, and we hope we're on the road to earning that trust.
Joe