If you are worried about hackers coming in through the internet, you're worried about something much larger than LastPass.
LastPass recommends that you stay logged in at all times, provided that no one in the house has access to your computer. I feel that this policy gives an internet hacker easy access to your password vault. Do you agree? I asked the LastPass people this question and their answer makes me think that they didn't understand the question.
In this excerpt from Answercast #63, I look at the safety of keeping your computer logged into LastPass.
So, the short answer is no, I don't agree; or I should say that I don't agree with you.
I, for example, am logged into LastPass the whole day. And in fact, depending on how I shut down (or don't shut down) my computer, I may be logged into LastPass constantly for multiple days at a time.
Why is this not a risk? Well, the concern that you mentioned is hackers on the internet: giving them easy access to what's in LastPass. Guess what? If hackers can get to your computer, you have bigger problems than LastPass.
I have a firewall in place; I have anti-malware software in place; I have common sense; I know what to click on and what not to click on. It's these things that are protecting me. Not the fact that I'm not logged into LastPass.
My strong recommendation is that you use LastPass however you feel the most comfortable using it. But I really don't consider being logged in for long periods of time as an issue - except, as the LastPass people have suggested, if other people can walk up to your computer and start doing something with it. Those are the kinds of scenarios where yes, you really want to log out of LastPass automatically.
The fact is there are probably a number of things you want to do automatically if that kind of thing could happen.
The most common one, the easiest one that I strongly recommend for people in that situation, is to set up a screen saver with a short timeout, so that it kicks in after five or 10 minutes, and that requires a password in order to go away. That means nobody can just walk up to your machine and start using it while the screen saver is running.
That is a level of security that I recommend. With tools like TrueCrypt and LastPass, I believe you can specify a timeout, or they will say, "I'll remember that you're logged in, but I'll only do it for maybe 30 minutes or maybe 60 minutes."
Again, if people can walk up to your computer and actually touch and deal with your computer while you're not around, those are things absolutely to be aware of. But if you're in a secure situation like I am here (I'm at home; it's myself and my wife and that's fine), then leaving it logged into LastPass really doesn't add much of a security issue.
If you really are worried about hackers coming in through the internet, you're worried about something much larger than LastPass; you're worried about the fundamental security of your PC. That means you really want to have the fundamentals in place:
The anti-malware stuff
Knowing what to click and what not to click on
Not falling for phishing attempts
All that kind of stuff that protects your machine inherently protects LastPass as well.