Relying on LastPass just a little bit too much

Don't get me wrong, I love LastPass and have used it for a couple of years now but there is always this one thing at the back of my mind. I do realize that they provide a really good level of security so I'm not really worried about data being leaked etc. but let's imagine that LastPass ceases to exist tomorrow for some reason and users are unable to access their passwords. (I don't have a scenario for this so just bear with me.) Now for regular users like myself using LastPass Password Generation thingy this will be fine, I cannot remember passwords like "!HF%(&HFGD$JDS89@" but I can request password changes for 10 accounts or whatever, but imagine that happening in case of Linus or any other power user. This would be a disaster possibly causing some serious financial setback especially for companies. With Linus strongly promoting data backup, keeping at least one offsite backup of the data etc. I wonder whether users should keep an additional copy of all the passwords? Possibly using another program similar to LastPass?


I lost my LastPass key and pretty much lost the past 5 years of passwords. I since then switched to KeePass, it has plugins for Chrome and Firefox.


1 minute ago, Levent said:

I lost my LastPass key and pretty much lost the past 5 years of passwords. I since then switched to KeePass, it has plugins for Chrome and Firefox.

I've never used LastPass, but I've used KeePass for closer to 10 years or so. My strategy is quite simple: I have the KeePass database on my phone, tablet, laptop, desktop and my two servers and my Nextcloud manages multiple revisions of it, so I can always recover the database from somewhere, if e.g. I had some malware encrypt some of my files. As for the password to my database: I obviously chose one I can remember and which I am unlikely to forget, but I also have it stored in another database and the password to that database stored in a couple of locations -- should I e.g. develop dementia or something, the password could be retrieved and the database accessed, it'd just require some extra steps.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


7 minutes ago, Levent said:

I lost my LastPass key and pretty much lost the past 5 years of passwords. I since then switched to KeePass, it has plugins for Chrome and Firefox.

This happened to me as well but the SMS password reset option worked like a charm. 

 

4 minutes ago, WereCatf said:

I've never used LastPass, but I've used KeePass for closer to 10 years or so. My strategy is quite simple: I have the KeePass database on my phone, tablet, laptop, desktop and my two servers and my Nextcloud manages multiple revisions of it, so I can always recover the database from somewhere, if e.g. I had some malware encrypt some of my files. As for the password to my database: I obviously chose one I can remember and which I am unlikely to forget, but I also have it stored in another database and the password to that database stored in a couple of locations -- should I e.g. develop dementia or something, the password could be retrieved and the database accessed, it'd just require some extra steps.

That sounds perfectly reasonable. Great multi-level backup. The only thing I have against KeePass is that it is not really intuitive and is intended for offline use. That works for some people just like yourself but what I really love about LastPass is the fact that I can update the password on my PC and can use it on my phone 30 sec later.

 

I'm thinking about simply downloading passwords from LastPass running LastPass Pocket and then transferring them to KeePass or something similar but there are 2 problems with this. First of all this has to be done manually and for it to work I would have to do it every, let's say, 2 months; for companies that can even be weekly. Second of all, I don't know how KeePass handles duplicates with batch import and this may be a huge issue for power users.


As convenient as these services are, I'm a bit too paranoid to entrust one of these companies with all of my passwords. I'm sure they're taking every measure imaginable to protect their clients' data, but given the type of information they're hosting, they seem to be the optimal target for hackers and the like.

 

Like WereCatf, I've been using KeePass for a couple of years now, and I've become a big fan. I keep multiple versions of it to reduce the likeliness of losing the database, plus a cloud backup. Of course there's also the risk of a data breach, but then the database would still have to be broken into separately, so it feels like a decently safe option.


4 minutes ago, Arsen258 said:

what I really love about LastPass is the fact that I can update the password on my PC and can use it on my phone 30 sec later

I have a KeePass database which I keep on a cloud platform that is synced on my phone, desktop and laptop. If I edit a password and save the file, it will automatically be synced on my other devices. Of course it's a bit less secure since if someone manages to get in the cloud environment they can delete or take my database file, but since it's protected with another password I'm not too afraid of that happening. Also I don't keep the password to my Gmail account in that database, so even if I lose that database I can recover all the accounts I care about.


37 minutes ago, Arsen258 said:

The only thing I have against KeePass is that it is not really intuitive and is intended for offline use. That works for some people just like yourself but what I really love about LastPass is the fact that I can update the password on my PC and can use it on my phone 30 sec later

I did mention that I run a Nextcloud server of my own; I take it you're not familiar with it, but it's a system that lets me sync my files between any of my devices -- including the KeePass database. This is to say, I can do exactly what you just said: update the database anywhere I like and use it anywhere I like.


2 minutes ago, WereCatf said:

I did mention that I run a Nextcloud server of my own; I take it you're not familiar with it, but it's a system that lets me sync my files between any of my devices -- including the KeePass database. This is to say, I can do exactly what you just said: update the database anywhere I like and use it anywhere I like.

How would you describe the amount of pre-configuration that is required for KeePass to work with Nextcloud? Is it an out-of-the-box functionality?


You can export your LastPass vault (that's what I do from time to time, just in case).

 

Also, don't use the "complex password" BS, use a sentence that you can easily remember. For my LastPass account, it's easy to remember (for me) but would be hard to even guess since it's in different languages.


5 minutes ago, wkdpaul said:

You can export your LastPass vault (that's what I do from time to time, just in case).

 

Also, don't use the "complex password" BS, use a sentence that you can easily remember. For my LastPass account, it's easy to remember (for me) but would be hard to even guess since it's in different languages.

Linus Spank Daddy Nasty Tips is easy to guess :P


2 hours ago, Arsen258 said:

Possibly using another program similar to LastPass? 

If you want something similar to LastPass, use Dashlane, which I currently use. From what I have read so far, Dashlane had way fewer security woes compared to LastPass. But if you want total control over which cloud service it would back up to, use Enpass or KeePass.

There is more that meets the eye
I see the soul that is inside

 

 


6 minutes ago, wkdpaul said:

different languages

Changing my master password now using a passphrase that isn't English. Thanks for the idea.

