Helping people with computers... one answer at a time.

I recommend LastPass because of their transparency and security model: even LastPass cannot recover your login!

I recently installed LastPass on my desktop PC. However, through one of my other newsletters, or Googling, I caught an article regarding a suspected security breach on LastPass fairly recently and I started reconsidering the whole cloud storage approach, specifically for my password information. The alternative I'm considering is RoboForm. Now, I know from past newsletters you've praised both programs and I understand it's also personal preference, but what is your take on the breach and storing passwords away from your own system? I look forward to your response.

In this excerpt from Answercast #17, I look at the proactive nature of LastPass's security practices, including an encryption model under which even LastPass cannot read your data.

LastPass security breach

Well, I'll put it this way. I'm a heavy LastPass user.

So there are two things going on here:

1) If it's the security breach that I'm thinking of, it wasn't a breach at all.

The LastPass people saw what they considered 'suspicious activity' on their network. There was never any confirmation that any kind of a breach had actually happened. They took some proactive steps at that point to notify everybody and say, basically, "this probably isn't a problem, but you may want to change your master password." That advice is sound even without a confirmed breach: anything that could have left their servers would be hashed or encrypted, and hashed or encrypted data is only as safe as the master password that protects it, so a weak one is worth replacing.

In other words, they were being abundantly over-cautious, which I really appreciate.

Client-side encryption

Now, the thing I like about LastPass is that your information is encrypted before it ever reaches their servers: what they store is ciphertext, and the key that unlocks it comes from your master password on your own machine. In fact:

2) It's encrypted in a way that even they cannot recover: lose your master password and you lose your LastPass data, because nobody, LastPass included, holds a copy of the key.

The only time that LastPass information is decrypted is when it's on your PC and you've entered the correct master password to perform that decryption. Because the encryption and decryption happen on your PC, their servers never see either the master password or your passwords in the clear. It's one of the things that really draws me to LastPass because that's the level of security I really appreciate.
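To make that model concrete, here is an added example (my own illustration, not LastPass's code) of what a client-side-encrypted password manager looks like end to end: the client derives an encryption key from the master password, sends the server a separate login hash plus an opaque encrypted blob, and any client that knows the password (the desktop plugin, a second browser, a phone) downloads the blob and decrypts it locally. That second-client case is exactly the scenario raised in the comments below. The key-derivation scheme (PBKDF2-SHA256 salted with the e-mail, login hash derived from the key), the iteration count, the account names and the sample vault are assumptions for the example; HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for AES so it runs on the Python standard library alone. The last function shows the caveat a practitioner wants to see: a copy of the server's blob allows offline guessing, so the whole scheme is only as strong as the master password.

```python
"""Client-side vault encryption: the server stores only a login verifier and ciphertext.

Added example, not LastPass code. KDF, cipher construction, iteration count,
e-mail addresses, passwords and the vault contents are all assumptions."""
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # assumption; real services tune this, and more iterations slow guessing


def derive_keys(email: str, master_password: str, iterations: int = ITERATIONS):
    """Turn the master password into (encryption key, login hash), entirely on the client.

    The login hash is derived *from* the key, so the server learns the login hash
    but never the password or the key."""
    pw = master_password.encode()
    enc_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode(), iterations, 32)
    login_hash = hashlib.pbkdf2_hmac("sha256", enc_key, pw, 1, 32)
    return enc_key, login_hash


def _subkeys(enc_key: bytes):
    """Separate encryption and MAC keys from the one derived key."""
    return (hmac.new(enc_key, b"enc", hashlib.sha256).digest(),
            hmac.new(enc_key, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (stdlib stand-in for AES-CTR)."""
    blocks, n = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(k_enc, nonce + n.to_bytes(8, "big"), hashlib.sha256).digest())
        n += 1
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only this blob ever leaves the client."""
    k_enc, k_mac = _subkeys(enc_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key (wrong password) or a tampered blob fails here."""
    k_enc, k_mac = _subkeys(enc_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


class VaultServer:
    """Everything the service holds. Note what is absent: the master password and enc_key."""

    def __init__(self):
        self._accounts = {}

    def store(self, email: str, login_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)  # re-hash the verifier so a dump of this table cannot be replayed as-is
        verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, 1000, 32)
        self._accounts[email.lower()] = (salt, verifier, blob)

    def fetch(self, email: str, login_hash: bytes):
        rec = self._accounts.get(email.lower())
        if rec is None:
            return None
        salt, verifier, blob = rec
        if not hmac.compare_digest(verifier, hashlib.pbkdf2_hmac("sha256", login_hash, salt, 1000, 32)):
            return None  # wrong password: the server refuses, and could not decrypt the blob anyway
        return blob

    def dump(self, email: str) -> bytes:
        """What an intruder, or a court order, could obtain from the server: the blob only."""
        return self._accounts[email.lower()][2]


def client_open(server: VaultServer, email: str, master_password: str):
    """Any client does the same thing: derive the key, fetch the blob, decrypt locally."""
    enc_key, login_hash = derive_keys(email, master_password)
    blob = server.fetch(email, login_hash)
    return None if blob is None else json.loads(decrypt_vault(enc_key, blob))


def offline_guess(blob: bytes, email: str, guesses):
    """Why the master password still matters: with the blob in hand, guessing needs no server."""
    for g in guesses:
        try:
            decrypt_vault(derive_keys(email, g)[0], blob)
            return g
        except ValueError:
            continue
    return None


def demo():
    server = VaultServer()
    vault = {"example.com": {"user": "alice", "pass": "s3cret"}}  # constructed sample vault
    for email, pw in (("alice@example.com", "correct horse battery staple"), ("bob@example.com", "letmein")):
        enc_key, login_hash = derive_keys(email, pw)
        server.store(email, login_hash, encrypt_vault(enc_key, json.dumps(vault).encode()))
    common = ["password", "123456", "letmein"]  # constructed mini wordlist
    return {
        "client_a": client_open(server, "alice@example.com", "correct horse battery staple"),
        "client_b": client_open(server, "alice@example.com", "correct horse battery staple"),
        "wrong_password": client_open(server, "alice@example.com", "wrong"),
        "server_dump_is_plaintext": b"s3cret" in server.dump("alice@example.com"),
        "strong_guess": offline_guess(server.dump("alice@example.com"), "alice@example.com", common),
        "weak_guess": offline_guess(server.dump("bob@example.com"), "bob@example.com", common),
    }


if __name__ == "__main__":
    print(json.dumps({k: str(v) for k, v in demo().items()}, indent=2))
```

Running `demo()` shows both clients recovering the same vault from the same stored blob with nothing decrypted on the server, the wrong password refused before any ciphertext is returned, and the server's copy containing no plaintext. The last two entries are the caveat: the blob alone is useless against a strong master password, but Bob's dictionary-word password falls to three offline guesses, which is why a vendor that suspects its servers were touched tells users to change weak master passwords.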

Cloud storage

Now, you're thinking of replacing it with RoboForm. To be honest, it's kind of funny because RoboForm is a cloud solution, too.

RoboForm stores all of your information up in the cloud too, so if it's the cloud that has you nervous, switching from LastPass to RoboForm doesn't really change anything: it's a cloud-based solution that works a lot like LastPass.

I do not know their encryption strategy. I'm sure it's good. The question that matters is whether the vendor ever holds a key that could decrypt your data, because if they do, they could be compelled to use it. I don't know, for example, if they were faced with a court order, whether they "could" decrypt your stuff. I really don't know. I don't think LastPass can; I honestly don't know about RoboForm.

In terms of the features and the functionality of the two tools, I used RoboForm for many years. I switched to LastPass a couple of years ago because I really appreciate the openness of their security model and the security model itself.

I don't have a problem using either of them and, like I said, I'm not aware of a security breach, a true security breach, for LastPass that would have me concerned at all. So I'd use them both.

Keep using LastPass if you like it.

End of Answercast #17

Article C5343 - May 14, 2012

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.


9 Comments
Steve (PC Resolver)
May 15, 2012 12:45 AM

I converted from Roboform to LastPass and trust them implicitly. I explain why here: http://bit.ly/pcrLastPass but I recommend you listen to Steve Gibson's in-depth analysis during his SecurityNow video podcast: http://www.youtube.com/watch?v=r9Q_anb7pwg&feature=related The coverage of LastPass starts at minute 50. He has subsequently commented on the 'breach' rumour and says just the same as Leo - they did exactly the right thing and, if anything, were over-cautious.
Here is a link to Steve's website for the audio version: http://www.grc.com/securitynow.htm {Search for 'lastpass'}

It was Steve Gibson's analysis of LastPass that prompted me to look into it originally. You do have to take responsibility for remembering your own password, but with that comes a great deal of security.
Leo
15-May-2012
Jon F.
May 15, 2012 12:14 PM

My "problem" with Last Pass is this: After installing a new Verizon broadband "air card" that's 4G capable no matter what we did, IE-9 would not give reliable or many times no internet connection. Reluctantly had to switch to Firefox.
If anyone has a fix for me I'd love it. (IE-9 did work, but only if LastPass was disabled.)

keith
May 15, 2012 3:04 PM

My IE9 x64 works fine with LastPass. But, I don't use IE. I use Firefox. It's much, much better and I'd be happy to hear your reluctance to switch over, especially when IE doesn't work and Firefox does work.

flatom
May 15, 2012 3:47 PM

Since LastPass is used and recommended by Leo, Steve Gibson, and Leo LaPorte I consider it a no-brainer. Highly secure, highly effective, login available from any PC. Data is encrypted on the host machine and then transmitted to the cloud.

I have no worries about password theft and have only one password to remember. I love it.

Bob
May 16, 2012 1:19 AM

I love lastpass been using it ever since it came out never had any problems. It's great to remember only one password.

GaryT
May 19, 2012 6:43 AM

I use LastPass because Steve Gibson vetted it & uses it. Also love secure notes that give me a place for keeping reference notes available from anywhere you have network access. LP appears to act responsibly & is improving their product. Thanks for covering this, Leo.

Lester
August 9, 2012 7:00 PM

I installed LastPass only to discover that the free version won't work with their iPhone app. Sort of disappointing. I guess I'll have to try RoboForm

Correct - the free version of Lastpass does not include mobile device support. $12/year gets you premium and in my mind it's worth every penny.
Leo
10-Aug-2012

chovy
January 18, 2013 8:31 PM

I don't believe LastPass is that secure. I use it for Firefox and it supposedly encrypts the password locally and then stores that value on the server. HOWEVER - I then logged into my lastpass.com account in Safari and was able to see all my passwords. So they absolutely can decrypt your data on their server; I used no plugin in Safari. I think it's totally possible they could get hacked, or be compelled to release passwords w/ a court order.

They did NOT decrypt on the server. The encrypted information was downloaded into Safari, and decrypted there, on your PC. Lastpass remains safe.
Leo
19-Jan-2013

Randy
April 4, 2013 10:33 AM

Welcome back Leo,
I use Norton 360 as my Anti-Virus program & it has Norton Identity Safe password manager built in. They also have an app for Android Tablets & phones. Can you compare this product to Lastpass as far as encryption in the cloud. I want to know if I'm at risk to decryption in the cloud using the Norton identity safe & should I dump it for Lastpass?
Thanks,
Randy

Comments on this entry are closed.