Originally published at: http://www.howtogeek.com/176038/how-to-run-a-last-pass-security-audit-and-why-it-cant-wait/
If you’re practicing lax password management and hygiene, it’s only a matter of time until one of the increasingly numerous large scale security breaches burns you. Stop being thankful you dodged the past security breach bullets and armor yourself against the future ones. Read on as we show you how to audit your passwords and protect yourself.
While the guidance provided here is sound (and quite complete) one has to find the right balance between security and convenience. I follow many of the suggested practices but draw the line on multi-factor authentication to access my LP vault. It is already quite awkward using LP on an android device unless you opt to use the integrated browser. Firing up yet another app to access my my well secured LP vault is just plain tedious. Yes, considerable damage could be done if someone got into my vault but this seems exceptionally unlikely.
That makes sense, but I enabled 2FA on my LP account for precisely the reasons outlined in the article. However, on my most common computers that use LP (home workstation, encrypted laptop, and my work computer), I told it that it's a trusted computer. That way, I'm only asked for my 2FA authentication on unknown or public devices (which I never set to trusted, even if I use the same one frequently, like at school).
It also sounds like you're using LP Premium (you mentioned "integrated browser"), so your mileage may vary.
I also check my security challenge frequently, and am in the process of updating my duplicated passwords (from before using LP), despite not ever coming up on any published leaks.
I prefer to use KeePass. It store the password file on your computer, with 256-bit encryption. You can have plugins that sync the file with your phone, so you always have it on the go, it sync's with a Google chrome (or other web browser) extension allowing you to login through a web browser. You can have plugins to make the password pronounceable or made up of certain words and characters. LastPass has more of a risk of being leaked because they are stored on an internet server, this has hardly any, as it has up to 3 ways to unlock the encrypted file, including a master password, key file, and Windows User Account. There is also a portable version of KeePass, which can be stored on a USB, and it does not require install on other computers.
The best part is, it's absolutely free!
Link to KeePass: click here
Verson 2.24 Professional edition is the best to get, not classic edition.
The article is, as usual, clear and to the point. But, as mentioned, with Android, it get's a little more cumbersome. I use LP extensively, but my score is low (or high) because I use the same password for harmless sites, such as BAhtsold, Bangkokpost, DAnes www, Dba, Europeantour,DGU, Formel1 etc, but these PWs are distinctively, different from my other PWs. I have 135 PWs and managing them via LP would be in sane. Out of these 11 are related to financial institutions and they are not managed by LP. For those, I use a SD card and Google Drive.
Jackrock makes a good point about trusted computers. Have to give some thought to granting that designation to portable devices as it negates the intent of 2FA should they go missing. I do like the idea of raising the bar for those seeking access from devices I don't own. I already restrict access to selected regions but that's pretty easy to get around via proxy.
I use LP to manage all of my passwords (last count was 256 ... interesting number) and only know a handful for direct entry. Like kandt43 my LP security audit score is low due to the use of duplicate passwords for harmless sites. Kinda anoying; I wish there was a way to exempt certain sites from the audit but I suppose that might lead to artificially inflated scores and/or a false sense of confidence.
I only have 20-30 websites I have a account with, and all have a unique password I remember.
I would be easier to use a password manager. Just in case. Also makes it quicker to type them into a browser, you don't have to! Never store your passwords in Chrome, it uses plain text, and doesn't even require a prompt to show!
This topic was automatically closed after 10 days. New replies are no longer allowed.