Best Password Manager

Tom_Reingold said:
@lanky, the data of yours that they save is encrypted and can't be decrypted without your passphrase, which they don't have.
What happens if someone learns your PIN? How will it help them break into your accounts?

So much for encryption. The usual we deeply regret. Hope the password clouds do a better job than Starwood did:

The company said Friday that it had learned on Sept. 8 that an unauthorized party had access to its systems. But it was not able to decrypt what was stolen until Nov. 19.
...
While some credit card information, card numbers and expiration dates may also have been compromised, it was stored using a more advanced encryption method. Still, Marriott said it had “not been able to rule out” the possibility that card information had also been stolen.  oh oh 

Marriott discloses massive data breach affecting up to 500 million guests

More advanced encryption standard? You think? Not using AES which has been around awhile? Another clump of clueless incompetents. It's like a bank leaving their cash on the teller counters overnight, hoping the front door lock will prevent theft.

I use KeePass. It's open source and therefore reviewable by independent cryptologists. It's not in the cloud. You don't have to worry about their cloud being unavailable. The downer is it's more work to set up and get used to it and you need to keep copies of your KeePass data separate from your computer (in case your computer disk drive is lost).

I keep KeePass data on my computer for logons and backed up to a USB stick and an external Passport WD MyPassport drive.


Tom_Reingold said:
@lanky, the data of yours that they save is encrypted and can't be decrypted without your passphrase, which they don't have.
What happens if someone learns your PIN? How will it help them break into your accounts?

I guess I'd be compromised. But it hasn't happened yet. Seems like most of the serious sites (banks etc) have pretty serious guardrails to prevent fraud. When fraud does happen, e.g. when someone steals my credit card number, I am not responsible for the charges.


lanky said:


Tom_Reingold said:
@lanky, the data of yours that they save is encrypted and can't be decrypted without your passphrase, which they don't have.
What happens if someone learns your PIN? How will it help them break into your accounts?
I guess I'd be compromised. But it hasn't happened yet. Seems like most of the serious sites (banks etc) have pretty serious guardrails to prevent fraud. When fraud does happen, e.g. when someone steals my credit card number, I am not responsible for the charges.

 From the stories I have read about what it's like to have your entire identity stolen, I'm sure no one would want to go through that. I think it's worth taking reasonable precautions against.


Tom_Reingold said:


lanky said:

Tom_Reingold said:
@lanky, the data of yours that they save is encrypted and can't be decrypted without your passphrase, which they don't have.
What happens if someone learns your PIN? How will it help them break into your accounts?
I guess I'd be compromised. But it hasn't happened yet. Seems like most of the serious sites (banks etc) have pretty serious guardrails to prevent fraud. When fraud does happen, e.g. when someone steals my credit card number, I am not responsible for the charges.
 From the stories I have read about what it's like to have your entire identity stolen, I'm sure no one would want to go through that. I think it's worth taking reasonable precautions against.

 Once again, I am naive in this arena, doesn't that (identity theft) usually involve SSN theft?  I don't think any of my online accounts have that cached anywhere.


@lanky, I suggest you read about it. I just found this by googling. There are companies that offer insurance against it. I think it's basically legal services to get you through it, but there will still be a hassle.

Avoiding Identity Theft


I'm a heavy user of LastPass, but I don't follow all of the prescriptions for password security. One problem I have with LastPass is that its operation seems to be kind of clunky. It often saves multiple passwords for a given domain, even though the url is different. So sometimes I'll get a choice of as many as ten id/password combinations for a given site. Sometimes it automatically fills in the id/password fields, sometimes it doesn't. Sometimes it seems to ignore a site altogether. Sometimes it doesn't update itself if I change a password. Sometimes it tries to store a site as a new site when only the password is available.


Too many "sometimes" behaviors. It's quite annoying and makes me a bit distrustful of the product.


drummerboy said:
I'm a heavy user of LastPass, but I don't follow all of the prescriptions for password security. One problem I have with LastPass is that its operation seems to be kind of clunky. It often saves multiple passwords for a given domain, even though the url is different. So sometimes I'll get a choice of as many as ten id/password combinations for a given site. Sometimes it automatically fills in the id/password fields, sometimes it doesn't. Sometimes it seems to ignore a site altogether. Sometimes it doesn't update itself if I change a password. Sometimes it tries to store a site as a new site when only the password is available.


Too many "sometimes" behaviors. It's quite annoying and makes me a bit distrustful of the product.

I haven't actually looked at the html on a given website to confirm this, but I suspect for the "sometimes it automatically fills in the id/password fields, sometimes it doesn't" issue what's happening is that the form fields on the site in question aren't using the standard password input element. I suspect similar html weirdness accounts for much of the other behavior you called out, too. The url issue I've also noticed, which I find more surprising -- parsing badly written HTML is hard, but figuring out that two sites with the same base URL are the same site seems like it should be pretty straightforward.

Anyway, all of which is to say these all strike me as cosmetic issues rather than ones that personally make me distrustful of the actual reliability of the product. I usually don't do the autofill either, but make use of the "copy" option from the browser extension and then paste it into the appropriate fields.


PVW said:


drummerboy said:
I'm a heavy user of LastPass, but I don't follow all of the prescriptions for password security. One problem I have with LastPass is that its operation seems to be kind of clunky. It often saves multiple passwords for a given domain, even though the url is different. So sometimes I'll get a choice of as many as ten id/password combinations for a given site. Sometimes it automatically fills in the id/password fields, sometimes it doesn't. Sometimes it seems to ignore a site altogether. Sometimes it doesn't update itself if I change a password. Sometimes it tries to store a site as a new site when only the password is available.


Too many "sometimes" behaviors. It's quite annoying and makes me a bit distrustful of the product.
I haven't actually looked at the html on a given website to confirm this, but I suspect for the "sometimes it automatically fills in the id/password fields, sometimes it doesn't" issue what's happening is that the form fields on the site in question aren't using the standard password input element. I suspect similar html weirdness accounts for much of the other behavior you called out, too. The url issue I've also noticed, which I find more surprising -- parsing badly written HTML is hard, but figuring out that two sites with the same base URL are the same site seems like it should be pretty straightforward.
Anyway, all of which is to say these all strike me as cosmetic issues rather than ones that personally make me distrustful of the actual reliability of the product. I usually don't do the autofill either, but make use of the "copy" option from the browser extension and then paste it into the appropriate fields.

Yeah, I'm a coder myself, and I haven't bothered to examine the HTML either.

The URL thing is puzzling to me too. The worst case is with my intranet sites at work, where everything ends in companyname.com but the leading and trailing qualifiers are different.  This should be a simple bug to fix.  Can't imagine that it's the desired behavior.

More complaints - I find their search function when you're in "My Vault" to be pretty crappy. e.g. I wanted to see what passwords were stored for comcast.net, but when I search, it also turns up all of the gazillion sites where myname.comcast.net is the userid.  I should be able to specify to just search the url.

Still, I've checked out other pw managers, and I've stuck with LastPass. Warts and all. I'm a loyal but disgruntled customer.
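
The URL matching discussed in the posts above, sketched as an added example (not part of the thread and not LastPass's code): it compares offering saved logins by base domain with offering them by exact hostname. The vault entries, function names and the three-entry suffix set are constructed; a real matcher would use the full Public Suffix List.

```javascript
// Added example: all names and data here are constructed for illustration.
// Stand-in for the Public Suffix List, which a real matcher would load in full.
const PUBLIC_SUFFIXES = new Set(["com", "net", "co.uk"]);

// Return the registrable ("base") domain of a hostname, e.g.
// "build.eng.companyname.com" -> "companyname.com".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    // Scanning from the left finds the longest matching public suffix first.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // The base domain is the suffix plus one label to its left.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix (e.g. a bare intranet name): no base domain
}

// Saved logins offered for pageUrl under the chosen rule:
//   "domain" - same base domain, any subdomain and any path
//   "host"   - exact hostname only
function matchLogins(vault, pageUrl, rule) {
  const page = new URL(pageUrl);
  return vault.filter((entry) => {
    const saved = new URL(entry.url);
    if (rule === "host") return saved.hostname === page.hostname;
    const base = registrableDomain(page.hostname);
    return base !== null && registrableDomain(saved.hostname) === base;
  });
}

// Constructed vault: three intranet apps under one company domain, one ISP login.
const VAULT = [
  { url: "https://wiki.companyname.com/login", user: "db-wiki" },
  { url: "https://hr.companyname.com/portal/signin", user: "db-hr" },
  { url: "https://build.eng.companyname.com/", user: "db-build" },
  { url: "https://login.comcast.net/", user: "myname.comcast.net" },
];

const users = (list) => list.map((e) => e.user);
const PAGE = "https://hr.companyname.com/portal/signin";

// Base-domain rule: every companyname.com login is offered on the HR page.
console.log("domain:", users(matchLogins(VAULT, PAGE, "domain")));
// Exact-host rule: only the login saved for hr.companyname.com is offered.
console.log("host:  ", users(matchLogins(VAULT, PAGE, "host")));
```

Base-domain matching is what produces a long pick list on an intranet where every app lives under one company domain, and it also means a credential saved for one subdomain is offered on its siblings. Exact-host matching narrows both.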



And if I ruled the password world, I would force all userids to be valid email addresses, and the default behavior of a password field would be to show the damn password. If you want to hide it, then you click on something to do that. Can't imagine how many people-centuries of productivity that hiding passwords has cost.

grrr



drummerboy said:
I'm a heavy user of LastPass, but I don't follow all of the prescriptions for password security. One problem I have with LastPass is that its operation seems to be kind of clunky. It often saves multiple passwords for a given domain, even though the url is different. So sometimes I'll get a choice of as many as ten id/password combinations for a given site. Sometimes it automatically fills in the id/password fields, sometimes it doesn't. Sometimes it seems to ignore a site altogether. Sometimes it doesn't update itself if I change a password. Sometimes it tries to store a site as a new site when only the password is available.


Too many "sometimes" behaviors. It's quite annoying and makes me a bit distrustful of the product.

 I get the same behavior with Dashlane on some of my sites. I still maintain a separate text file with all of my passwords and copy it out of there for those sites. 

I bought the upgraded version that lets me use it and sync my passwords on all of my devices. It's quite handy. There were a lot of things I never used to do on my phone because I didn't have the password handy, but now with Dashlane I can do anything on my phone that I do on my desktop. Glad I got it.


Does anyone use LastPass on their phone? I have the app but I don't quite understand how it works - or even how it's supposed to work. Is it supposed to be able to enter passwords for other apps?


drummerboy said:
Does anyone use LastPass on their phone? I have the app but I don't quite understand how it works - or even how it's supposed to work. Is it supposed to be able to enter passwords for other apps?

 I do, on my iPhone.  Up until the most recent major iOS update, the automatic fill-in wasn't supported (although I understand it has been available longer for Android.)  However, now it is supported somewhat better, at least on some websites.  I think it depends more on the target website than LastPass, whether you are talking about the browser version or the phone app.  If they do non-standard things with their login code (such as not accepting copy/pasted passwords), then it may not work.  I have sent emails to more than one site complaining when I couldn't even do copy/paste from LastPass.  The response often was that it was "for security reasons" and my reply was that it was less secure to write down the passwords in order to be able to move to their page to enter it.  Nobody ever replied to concur, but I have noticed that some have later started working with LastPass after all.  A LOT of people use it, probably including their own IT staff members, so hopefully that situation will improve.  It's a fairly small fraction of sites, though.  Most seem to work just fine with it.

