Every time this sort of thing comes up I recommend +LastPass as it simplifies keeping your passwords random, different for each site, and yet always available and simple to use. Once unlocked you can configure LastPass to auto-log into websites. So no need to remember those pesky, unique, passwords. LastPass Sentry even monitors your accounts for security breaches for free! In addition to LastPass you should use Authy or Google Authenticator (which works with LastPass) and use two-step authentication. You should use it because 2-step verification can significantly reduce the chances of having the personal information in your Google account stolen by someone else.
LastPass: https://lastpass.com/f?618786
Authy: https://www.authy.com/
Google Authenticator: http://www.google.com/landing/2step/
h/t: +Simon Cousins for the heads up on this one
Reshared post from +Simon Cousins
Password changing time…
#CNET #UseLastPass
Usernames and passwords stolen as CNET is hacked
More than one million users have had their usernames and passwords stolen as technology site CNET is hacked.
LastPass and other password manager programs were all recently compromised.
a) cite your source
b) Not the case with LastPass. Maybe you're referring to this: http://blog.lastpass.com/2014/07/a-note-from-lastpass.html
Keepass?
http://www.theregister.co.uk/2014/07/14/popular_web_password_vaults_blurting_codes
I'm sure you'll equivocate and say "well they didn't hack ME". Hacked is hacked. Cloud-based password storage is never secure.
Wrong +Eric Hansen. Bad info. +LastPass has not been compromised.
Get the facts from the Security Now podcast.
The vulnerability in several web-based password managers was responsibly disclosed and fixed.
The mainstream media, who care little about facts and more about sensationalist headlines and click-bait, did not report the issue accurately.
Also, when using a YubiKey, or other similar multifactor add-on to +LastPass, the compromise of a master password, if ever possible, is still irrelevant as hackers do not have physical access to my YubiKey device.
Even if LastPass hasn't been compromised now, it's still a single point of failure for all your online accounts if it does actually get compromised in the future. Even if my data is encrypted and it would take hundreds of years to decrypt, I still wouldn't feel comfortable with anyone else having that data.
LastPass is also very dated looking these days and it can be annoying to deal with. If I were to go with any online password manager these days, it would be Dashlane, but as I said I don't feel comfortable putting my passwords in an online service like that.
Yeah, that's what that post said, that it potentially affected 1% of users, and was exploited by a research team. Did you not read it or did you just really want to make an assholeish comment?
Also, a few points about the article you linked to:
* The exploits were done by security researchers. Not to downplay any vulnerability but let's be clear this wasn't a botnet or hacker group gaining access to anything.
* "…to issue a statement playing down vulnerabilities affecting its Java bookmarklets and…." There was no issue in a Java bookmarklet because there is no such thing. There are JavaScript bookmarklets, but JavaScript is not Java. Again, not to downplay anything but given they can't get basic facts straight and the tone of the article I'd say they are using shock value to get readers.
What's your solution then, +Eric Hansen? Oh never mind, I just saw on one of your posts, you keep them…. in your head. rolling eyes
I never made a claim that anything was 100% secure. Anybody who makes that claim is full of shit. And yes, having a local password manager could be MORE secure, provided you can completely secure that box, but there's a trade-off you're making for convenience. The lack of convenience in passwords is why most people use the same password EVERYWHERE. Also, I stated to use Two-Factor authentication.
Well +Luke Larris, sending an encrypted blob of information to +LastPass, that they have absolutely no ability to ever decrypt, is far more secure than the multitude of online services where they store passwords in plain text or non-salted formats. People who do not use +LastPass seem to have no clue about the important aspect of them only having an encrypted blob that only you can ever decrypt.
I also use 2-factor auth on every service that supports it, but that doesn't give me peace of mind enough to use an online password manager. To each their own though.
Then you miss the point of 2-factor, +Luke Larris. Without both factors each factor is not enough on its own to access a system or service. 2-factor is like a bike with 2 wheels. Take a wheel off and you cannot ride it.
Dashlane is pretty, I'll give them that, but looks aren't the most important thing for me when it comes to this type of app. (Not a knock against Dashlane, just that LP has been around longer and I'm already a user of that one).
Good description of two-factor +Simon Cousins.
I'm more interested in a secure product that has been audited, reviewed, tested and beat on multiple times than eye candy.
LastPass is a fantastic service. The last few updates have reduced some of the "ugly", too. 🙂
Agree, +Scott Duensing, the last few have made it more visually appealing. I'll agree that Dashlane is still prettier, but that's not my primary concern.
Pretty is nice, but LastPass works. It's as secure as anything I've ever seen. It works on every single device I own. I can share secure data with other family members. It audits my password collection. They monitor security breaches and help you stay updated. And almost all of that can be had for free. I'm a very happy Pro user. 🙂
Yeah I happily pay the $12 to be a pro user. Totally worth it in my book.