
Password Maker


THAIPHUKET


I did some further research on lastpass after posting here. Really this does seem to be the ultimate solution and so safe as to be virtually unbreakable (apart from sloppy use of the master password, which would be your own fault). I've been using it for a week and it has integrated seamlessly with my PC, Laptop and Smart phone.

I am no Guru but I have read what the gurus had to say and they all agree this solution is as perfect as you will ever get.

Some highlights of my research . . . .

Through a very clever and somewhat complex methodology, lastpass do not know what your master password is. This means they or a rogue employee can NEVER access your data. All they store is a hashed version with 256k encryption. In plain English if you ran a supercomputer for a million years you would have zero chance of cracking it. Because they don't know and can not find out they can't tell anyone, including the government.

Although they have your encrypted information on-line you can also save it to your own computer in plain text (dangerous) or in encrypted form and they provide free of charge a program that can decrypt it with your master password. If they go out of business no problem.

Their financial model looks like a winner to me. Everything is free except smart phone access and some very high end add-ons. Lots of reviewers pay the $12 a year it costs for mobile access not because they need it but because the thing is so dam_n good you just want to pay something for it. I've joined that group and paid my $12.

It doesn't only store passwords but can fill in forms for you as well. This includes tedious payment sites that require voluminous info. I've never used a service like this before because I wouldn't trust anyone to store things like my credit card numbers. With some of the greatest security experts giving their unqualified endorsement to the absolute security of the lastpass system I have gone all the way and have all my sensitive info stored there now. It sure makes life much easier.

If you need to access it from insecure computers like internet cafes they have an answer for that as well. Using a system called the grid you can get in using information that you have printed out and kept in your wallet so even a key logger could not get the password as without the printed info what you input is meaningless. You can also generate a one time password or a list of them. You use it once and then it no longer works. Finally you can set it up so you must have a specific usb drive plugged in to the machine to access the data. Really these guys have thought of everything.

All in all I think this product just rocks and it's not very often I can say that about anything.

Link to comment

I did some further research on lastpass after posting here. Really this does seem to be the ultimate solution and so safe as to be virtually unbreakable (apart from sloppy use of the master password, which would be your own fault). I've been using it for a week and it has integrated seamlessly with my PC, Laptop and Smart phone.

I am no Guru but I have read what the gurus had to say and they all agree this solution is as perfect as you will ever get.

Some highlights of my research . . . .

<snipped excellent review>

You've convinced me. I currently use Roboform. It was great, but doesn't seem to work so well with FF4 (at least the slightly older version - I haven't paid to upgrade yet).

I'll definitely give lastpass a go.

Link to comment

Hi,

For Lastpass, are the passwords stored on your computer, away from your computer at Lastpass.com or both?

Here's a good description: Lastpass blog

1. All encryption and decryption happens on your computer.

2. The sensitive data that is harbored on our servers is always encrypted before it’s sent to us, so all we receive is gibberish.

3. We never receive the key to decrypt that data.

Link to comment
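The three points quoted in the post above describe client-side encryption: the key is derived from the master password on the user's own machine and only ciphertext is uploaded. A sketch of that design follows as an added example; it is not LastPass's code or its actual parameters. The iteration count, the email-as-salt choice, the verifier label and the HMAC-based stream cipher (standing in for AES so that only the standard library is needed) are all assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed work factor for this sketch

def derive_key(master_password: str, email: str) -> bytes:
    """Client side only: stretch the master password into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS)

def login_verifier(key: bytes) -> bytes:
    """One-way value the server stores to check logins; it is not the key."""
    return hashlib.pbkdf2_hmac("sha256", key, b"login-verifier", 1)

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), used only so the
    # sketch needs no third-party AES library.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the client; the result is all the server receives."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_vault(key: bytes, blob: bytes) -> bytes:
    """Decrypt on the client; a wrong master password fails the MAC check."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified vault")
    return _xor_stream(enc_key, nonce, ciphertext)

if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    key = derive_key("correct horse battery staple", "user@example.com")
    server_record = {"verifier": login_verifier(key).hex(),
                     "vault": seal_vault(key, b"thaivisa.com: hunter2")}
    print(server_record)  # everything the server ever holds
```

Because the server holds only the verifier and the sealed blob, the strength of the whole arrangement rests on the master password and the work factor of the key derivation.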

  • 3 weeks later...

Well, I got LastPass, however something which I don't understand. When I open a browser, Firefox or Chrome without a prompt to enter LP password I can open everything, emails etc. I sure did not tell the browser to remember LP password and the Red Star is not red.

The only site demanding for autofill the LP password is Thaivisa, probably TV never remembers my log in code, it never did.

It is slightly against the purpose that anyone opening my laptop can see everything.

Tried to find answer in settings and in the LP Save but failed.

Any suggestion?

Link to comment

  • 3 weeks later...

Was LastPass hacked?? It looks like there is reason for concern:

http://goo.gl/IWpu3

International Herald Tribune 5/5/11

... This potential breach is a reminder that storing your passwords with a third party like LastPass or competitor 1Password is risky. Their data is obviously a very attractive target for hackers, despite their encryption and robust security arrangements. But you have to weigh that risk against the convenience they offer: Using a password management tool makes it much easier to have a strong, unique password on every service you use. That’s much more secure than using the same password everywhere, which makes large security breaches, such as the recent PlayStation Network hack or last year’s Gawker hack, so damaging, as attackers can gain access to a wide range of different services with a single password. However, if you’re concerned about storing your passwords in a cloud service, you could always elect to use a desktop password management tool that stores your passwords in a local database, like KeePassX, instead; the downside is not being able to retrieve passwords everywhere. Whatever password management tool you choose, ensure you pick out a strong master password that’s not going to be easy to crack via a brute force attack.

Edited by THAIPHUKET
Link to comment

Was LastPass hacked?? It looks like there is reason for concern:

Probably not, but their network security detected a small bit of unusual data transfer activity, so they made an announcement just to be on the safe side. This in an odd way is good proof why you should use a service like lastpass. They have much higher security intrusion detection running on their networks and servers than the other servers you would be storing your passwords on otherwise - and they immediately communicate with users about even a minor possible anomaly. Even if they had been hacked, all you have to do is go in and change your master password and you're secure again.

I see a lot of DANGEROUS information in this thread - people actually recommending to re-use the SAME 2-3 passwords.

I can't stress this enough:

Never re-use passwords! You'd be surprised at the number of security vulnerabilities you open yourself up to if you go this route! Going this route is a ticking time bomb - the question is not if your password will be compromised, but when.

Link to comment

In the above article it says that clients will be informed and asked to change their passwords.

I am testing LastPass only in selected cases.

1. I didn't get any direct info/warning from Lastpass about the problem. Did anyone else get one?

2. An indicator that the problem may be deeper is the fact the login server of LastPass does not respond, no automatic signing in into ThaiVisa.

Link to comment

LastPass Security Notification

Update 4, ~10pm EST:

Joe's interview with PCWorld covers more details on what happened, what our thought process has been, and what this means for our users: http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html.

We continue to work as quickly as possible to address user support.

Update 3, ~4:30pm EST:

Logging in offline should be working everywhere if you have logged in using that client before, if you're having problems with this please attempt to login via the website: https://lastpass.com/?ac=1 that should now take you through an email process to enable your current IP.

If you're having problems getting your data with pocket, make sure you're selecting to login to the local file, not logging in at LastPass.com.

If you changed your password and are now having problems we'll help with that too, please email us if that's the case and include your LastPass email address.

For those who haven't been prompted, and have continued to use LastPass without issue -- we've judged the risk to be low if you're using the same IP -- we're only raising the issue once that changes.

Finally if you have issues with password changes please email us at [email protected], we can revert you, or we can pull data from backups, but please try LastPass Icon -> Clear local cache first.

Update 2, 2:15pm EST:

Record traffic, plus a rush of people to make password changes is more than we can currently handle.

We're switching tactics -- if you've made the password change already we'll handle you normally.

If you haven't, the vast majority of you will be logged in using 'offline' mode so you can still use LastPass like normal and get back to your day, only syncing of new passwords should suffer (and you'll see the bar).

As load lowers we'll increase the percentage of people being sent through email validation / password changing.

For people experiencing problems please email us at [email protected] -- we have seen a few reports of bogus data post change, we think this is due to you downloading a stale copy and if you go to LastPass Icon -> Clear Local Cache and try again it should work.

You can access your data via LastPass in offline mode or by downloading LastPass Pocket : https://lastpass.com/misc_download.php (choose your OS).

Link to comment

I use KeePass as well, but a portable version from http://portableapps.com . I run one version on my laptop and back it up to a thumb drive. It also runs from the thumb drive in case I need to access it on another computer. You can also store personal information in the files and it has a password generator.

Link to comment

Interesting link, tempted to test but being extremely suspicious:

how can I be sure:

1. it is a genuine MS site? Anyone can set this up , or??

2. my password is not being caught while traveling the internet.

1. Of course it's a genuine MS site. Your browser should show that it has a Microsoft Certificate.

2. Your password will not be caught: the page is a secured web page (identifiable by the 'https:' in the address bar) and data transfer is encrypted.

The only thing you have to worry about is a key-logger on your system.

Edited by BB1950
Link to comment

1. my firefox does not show "certified" what must I do to see?

2. Allow me to probe deeper:

Who certifies and with which level of assurance? More than a rubber stamp? Probably not, given the vast number of certified web sites.

We heard about pinching mails using perfectly fake images of web sites.

And who tells us that a certificate cannot be faked as well??

It's just a program, or is it not?

I am not getting phobic, I just want to understand what the risks are so I can make educated decisions.

Link to comment

1. my firefox does not show "certified" what must I do to see?

2. Allow me to probe deeper:

Who certifies and with which level of assurance? More than a rubber stamp? Probably not, given the vast number of certified web sites.

We heard about pinching mails using perfectly fake images of web sites.

And who tells us that a certificate cannot be faked as well??

It's just a program, or is it not?

I am not getting phobic, I just want to understand what the risks are so I can make educated decisions.

Here is how a digital certificate is displayed on FireFox:

You can also right click on a blank area of the page then 'View Page Info' for more details.

I suggest you do a Google search for 'digital certificate' to get answers to your other questions about digital certificates.

It's a complicated system and difficult to give you simple answers here.

Link to comment

Thanks for the hint. I am not good at finding the best answer but this here gives me more reason to doubt certificates, they are for sale, and cheaply so, so cheap that corruption doesn't come into play:

Digital Certificates

GlobalSign offers a range of PersonalSign (Digital IDs issued to people) with varying trust levels. Digital IDs can be used to access online Government services to submit declarations electronically, authenticate you to SSL VPNs, and secure email by digitally signing and encrypting email using applications such as Microsoft Outlook or other S/MIME email software.

The same Digital ID can also digitally sign Microsoft Office documents. By digitally signing a document or email, you can confirm that you are the originator of the document / email and help prove that the document / email has not changed since the time you signed it.

  • Digital IDs for Enterprises
  • Digital IDs for Consumers
  • Enterprise PKI

Compare all PersonalSign Digital IDs (validity and price):

  • PersonalSign 1: Low cost, immediately issued Digital ID that can be used to readily secure email and Microsoft Office documents. For use when identity assurance is not required. 1-3 years, from $20.
  • PersonalSign 2 Pro: Used for individuals representing organization to secure email (S/MIME), authenticate to enterprise online services, and digitally sign Microsoft Office documents. 1-3 years, from $90.
  • PersonalSign 2 Department: Used for departmental "identities" (such as Marketing) to secure email (S/MIME), authenticate to enterprise online services, and digitally sign Microsoft Office documents. 1-3 years, from $249.
  • PersonalSign 3 Pro: Access Belgian Online Government Services & Submit Compulsory Declarations Electronically. Offers the highest levels of trust and authentication available. Used for individuals representing organizations to authenticate to participating Government online services, submit declarations electronically, secure email (S/MIME), and digitally sign Microsoft Office documents. 1-2 years, from €100.
  • PersonalSign 2: Used for individuals (not representing organizations) to secure email (S/MIME), authenticate to online services, and digitally sign Microsoft Office documents. 1-3 years, from $60.00.
  • Multiple Enterprise Digital IDs with Enterprise PKI: Managed service for standard Microsoft Windows Digital IDs and Adobe Trusted Digital Certificates. Issue Digital IDs to multiple employees, suppliers, and extranet users for authentication, secure email, and document security. Offers complete lifecycle management and online identity management.

Can anyone provide more substantive info???

PSS I continue to use LastPass !!
