If you are worried about hackers coming in through the internet, you're worried about something much larger than LastPass.

LastPass recommends that you stay logged in at all times, provided that no one in the house has access to your computer. I feel that this policy gives an internet hacker easy access to your password vault. Do you agree? I asked the LastPass people this question and their answer makes me think that they didn't understand the question.

In this excerpt from Answercast #63, I look at the safety of keeping your computer logged into LastPass.

Logged into LastPass

So, the short answer is no, I don't agree. Or, I should say, I don't agree with you.

I, for example, am logged into LastPass the whole day. And in fact, depending on how I shut down (or don't shut down) my computer, I may be logged into LastPass constantly for multiple days at a time.

Protecting your passwords

Why is this not a risk? Well, the concern that you mentioned is hackers on the internet: giving them easy access to what's in LastPass. Guess what? If hackers can get to your computer, you have bigger problems than LastPass.

I have a firewall in place; I have anti-malware software in place; I have common sense; I know what to click on and what not to click on. It's these things that are protecting me. Not the fact that I'm not logged into LastPass.

In-home protection

My strong recommendation is that you use LastPass however you feel the most comfortable using it. But I really don't consider being logged in for long periods of time as an issue - except, as the LastPass people have suggested, if other people can walk up to your computer and start doing something with it. Those are the kinds of scenarios where yes, you really want to log out of LastPass automatically.

The fact is there are probably a number of things you want to do automatically if that kind of thing could happen.

The most common and easiest one, which I strongly recommend for people in that situation, is to set up a screen saver with a short timeout, so that it kicks in after five or 10 minutes, and to have that screen saver require a password in order to go away. That means nobody can just walk up to your machine and start using it while the screen saver is running.
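To check that a Windows machine actually follows this advice, the following added example (not from the original article) audits the current user's screen saver settings. It assumes Windows and the standard per-user registry values under `Control Panel\Desktop`; the 600-second threshold is taken from the "five or 10 minutes" above.

```powershell
# Added example: audit the current user's screen saver lock settings on Windows.
$maxSeconds = 600   # upper end of the article's "five or 10 minutes"

# A Group Policy value, when present, takes precedence over the user's own setting.
$paths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
    'HKCU:\Control Panel\Desktop'
)

function Get-ScreenSaverValue([string]$Name) {
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # value not set anywhere
}

$findings = @()

if ((Get-ScreenSaverValue 'ScreenSaveActive') -ne '1') {
    $findings += 'Screen saver is turned off.'
}
if ([string]::IsNullOrEmpty((Get-ScreenSaverValue 'SCRNSAVE.EXE'))) {
    $findings += 'No screen saver program is selected, so nothing will start.'
}
if ((Get-ScreenSaverValue 'ScreenSaverIsSecure') -ne '1') {
    $findings += 'Screen saver does not ask for a password on resume.'
}

$timeout = 0
$raw = Get-ScreenSaverValue 'ScreenSaveTimeOut'
if (-not [int]::TryParse([string]$raw, [ref]$timeout) -or $timeout -le 0) {
    $findings += 'No screen saver timeout is set.'
} elseif ($timeout -gt $maxSeconds) {
    $findings += "Timeout is $timeout seconds; the article suggests $maxSeconds or less."
}

if ($findings.Count -eq 0) {
    Write-Output "OK: locks after $timeout seconds and requires a password."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

All four values have to be right together: a short timeout with no password prompt, or a password prompt with no screen saver selected, leaves the machine usable by anyone who walks up to it.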

That is a level of security that I recommend. With tools like TrueCrypt and LastPass, I believe you can specify a timeout, or they will say, "I'll remember that you're logged in, but I'll only do it for maybe 30 minutes or maybe 60 minutes."

Again, if people can walk up to your computer and actually touch and deal with your computer while you're not around, those are things absolutely to be aware of. But if you're in a secure situation like I am here (I'm at home; it's myself and my wife and that's fine), then leaving it logged into LastPass really doesn't add that much of a security issue.

Worried about hackers

If you really are worried about hackers coming in through the internet, you're worried about something much larger than LastPass; you're worried about the fundamental security of your PC. That means you really want to have the fundamentals in place:

  • The firewall

  • The anti-malware stuff

  • Knowing what to click and what not to click on

  • Not falling for phishing attempts

All that kind of stuff that protects your machine inherently protects LastPass as well.

Article C5942 - October 21, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

4 Comments
Steve Gledhill (PC Resolver)
October 22, 2012 1:04 AM

I'm the same as Leo - I have LastPass logged in for days and don't worry.
Instead of having my screensaver on a short fuse I simply use the Windows Key and 'L' to quickly go to the Windows Login screen. I always do this when I leave the house in case I have an uninvited guest whilst I'm away.

George Cathcart
October 23, 2012 10:46 AM

Thanks for that answer. That question's been in the back of my mind for some time, and now resolved to my satisfaction. There's never anyone else in my computer room at home. LastPass is a great program IMO.

Kevin
October 23, 2012 10:50 AM

Hi Leo
Maybe not such a popular one this, but totally agree with ya.
I as an OAP living alone often use "Remember Password" left on even though not in house temporarily.
Reason is that so many of my sites that require passwords are really of no consequence to me. An example would be my Golf Handicap. Would I really care if a burglar found it, as it is nearly public knowledge anyway these days?
As a result of this I regularly leave "Remember Password" turned on.
This of course does not apply to "Secure Notes" or to 3 other sites at the moment. To access these the password must be entered.
All really sensitive data as I see it is secured by TrueCrypt.
When away from home all criteria change. Dual Authentication etc come into play and of course am much more careful.
Regards.

Texas Mike
October 24, 2012 6:13 AM

By that logic, then simply using Windows' password storage would be just as adequate. If there is no one to have physical access to your computer, if you have a hardware firewall, and adequate anti-malware protection, as well as knowing what to avoid being suckered into, then your computer is pretty much safe either way. In fact, I've done just the opposite of what the experts say. I have short passwords, and I use mostly the same few for every access. And in all these years, I've had NO issues with it. As Leo says, I'm just not that interesting.
