Is Lastpass as good as they make it sound?
You've no doubt learned to take the various claims software developers make about their products with a grain of salt, but the gang at Lastpass may be right on with theirs. Lastpass may just be the last password you'll ever have to remember.
Other DS bloggers have looked at plenty of other options, like Passpack and good ol' Keepass. Lastpass has put together an extremely worthy competitor, and I was impressed with how it performed in my test runs.
Lastpass installs in two parts: the core application and plugins for both Firefox and Internet Explorer. All data is encrypted on your PC, and only your encrypted file is stored on the Lastpass servers. It's also cross-platform, so you can sync your password data to Windows, Mac, and Linux PCs.
During install, the manager effortlessly captures and imports local passwords from both browsers (which shows you just how much you need an encrypted password store) then gives the option to clear them. It also does imports from RoboForm, Keepass, Password Safe, and MyPasswordSafe.
The web interface also allows you to create groups for your logins, edit entries, add descriptions, rename them, set an auto-logoff timeout, view your login history, and much more. It's even smart enough to provide an on-screen keyboard option for logging in, to help you thwart keyloggers.
You can favorite sites for quick access via the browser button (which also handles navigating to and logging in to your sites). A customizable strong password generator is also included.
Multi-PC synchronization worked flawlessly for me during testing on two Windows XP machines and my Linux Mint laptop. Some ajax-based logins don't work 100% yet, but it's a known issue and the Lastpass team is hard at work to smooth out the kinks.
I'm sold. I'll be keeping Lastpass on all four of my machines to keep my logins securely in sync.
Comments (37)
Lee Mathews, Aug 23rd 2008 9:24AM
LastPass has been working smoothly for me on both my XP/Firefox installs so far. I haven't had any nasty issues yet!
grapeshot, Aug 23rd 2008 10:57AM
Hey, how about Palm users? I know the iPhone and Blackberry are the new *in* things, and sexier than Pamela Anderson on a clamshell, but the Palm platform still has a sizeable user base, and a lot of us aren't going to throw our Treos, PDAs, or Centrinos away anytime soon.
I use SplashID, which I totally rely on, but it would be cool to be able to export the file to my Mac and my Vista machines as well.
Joe Siegrist, Aug 25th 2008 3:11PM
None of us owns a Palm phone (and we do have iPhones and BlackBerries), so the reality is it'll be later than the other two. We'll look into it.
Joe
Omar Shahine, Aug 23rd 2008 12:22PM
I find it highly unusual that they don't authenticode sign their executable. For a service that's hoping to store your passwords, there is no excuse for not getting a code signing certificate and using that to digitally sign their downloads so that you know it's not from a bad guy.
It costs about $100 to code sign an application.
http://www.shahine.com/omar/AuthenticodeSigning.aspx
Once they code sign LastPass.exe I'll give it a try as it looks like a promising service.
Omar Shahine, Aug 23rd 2008 1:48PM
I got a reply from LastPass that they are working on authenticode signing their application.
Joe Siegrist, Aug 23rd 2008 9:49PM
While we've been working on authenticode for a while, we specifically made the download URLs https (using SSL), so that you could be sure it was coming from LastPass; please ensure you do not download from anywhere but the https://lastpass.com/ website.
Thanks,
Joe
Joe Siegrist, Sep 8th 2008 12:29PM
Thought I'd mention that authenticode signing for our Download EXE as well as our Firefox XPIs came out with version 1.29; we had wanted to come out with this from the start but spent a month in the review process (it's much simpler as an individual than a new business).
Sridhar, Aug 24th 2008 8:41AM
Can any longterm RoboForm user compare how this fares w/ RoboForm?
Michael, Aug 24th 2008 9:49AM
To LastPass: So, how do you plan to make money off of this service?
Clearly you are a commercial entity. And, I don't consider that bad. If I decide to use you, I want you to have a sustainable business model to ensure that you stay around.
On the other hand, I'd hate to wake up one day to discover that you either made me pay to access my passwords, or that you quit business and disappeared with all of my passwords. Or that you had stolen my passwords and my identity.
Is this something that I will eventually have to pay for to use when it exits beta? Will I have to see ads somehow?
As a separate question, do you have a means for me to access my passwords from a public computer -- I'm not sure I actually want this because the security implications concern me, but it would be convenient.
Bob Billingslea, Aug 24th 2008 4:41PM
Hi Michael,
This is a valid concern and has been addressed on our forums. Please take a look at:
http://forums.lastpass.com/viewtopic.php?f=12&t=6
In addition to the description there, I just wanted to make clear that we intend on never charging you for this service.
To answer your second question, if you are at a public computer, you can access your data securely via our website, even without the plugin installed. (But if you do not have the plugin, you will likely experience limited automatic login functionality)
Bob
Sir Loin, Aug 25th 2008 11:01AM
This sounds very promising, and I think it's great the developers are here to answer questions directly and care about their service enough to get feedback outside of their own forums.
Haplo, Aug 26th 2008 4:38AM
Hey Joe, great that you guys come over here to answer our questions! That speaks very well of you.
Now, how do you compare against Passpack.com?
I'm certainly no expert here, but I get the "feeling" they're more secure than you.
Joe Siegrist, Aug 26th 2008 6:38PM
Haplo - It's hard for me to say without really studying them, but it looks like they use the same encryption algorithm that we do, and have the same general principles about protecting your data and privacy that we do, though we don't have the 100 account limit or a paid version.
back, Aug 26th 2008 7:17PM
I've been using my own password solutions. A 10k open-sourced php single file. It served me well for years.
It has all the features I need desperately:
-- Never stores any password anywhere... (so no "encryption" needed at all, and this also means you are never afraid of those behind-the-scene programmers...)
-- Universal availability, at work, at home, Firefox, IE, etc...
-- No (local) installations. Just a bookmarklet.
-- AJAX interface, filling in login forms automatically.
-- Born to be a Key-Logger trojan defender.
However, there is nothing in this world really perfect. Here come the shortcomings:
-- You need to find your own PHP-host to put this 10K file on.
-- I'm personally *weak* at marketing this tool, though I think it's the best ever one.
If you are interested, you could have a look here:
http://gpad.lefora.com/
Sorry if the site's too simple for now. My last words about it are: since it's only a 10K php file, I have absolutely *NOTHING* to hide. All the code is under your nose and I think this is the most important point for any password manager.
Joe Siegrist, Aug 27th 2008 9:51AM
back -- Encryption is a necessity, you should consider adding it -- what if the person hosting your program gets hacked? If they do, they now have to change their passwords on every site, and worry what happened in the meantime. They may not even notice they've been hacked, and therefore would be in an extremely vulnerable position.
Lee Mathews, Aug 27th 2008 9:53AM
Also... HTTP is a pretty insecure way to access data. No way would I ever access a password list that way.
Andrew H, Aug 31st 2008 3:02AM
I have Roboform and am now using LastPass.
It imported passwords fine.
Works great!