|
Lastpass 2-factor doesn't actually do anything, so I wouldn't bother turning it on. Last I checked, anyway.
|
Dec 20, 2015 23:32
|
Alereon posted: I guess you're talking about it not actually being required in all scenarios by default, like when offline? If security is more important than usability you can disable trusted devices and caching of credentials/vault contents, but that doesn't seem to be a good trade for most people.

Could just be certain client apps, but last I checked, if you have it enabled in Firefox you can sign in with the password and it will autofill any open web page you have, then you can tell the second factor popup to piss off and you still have the password filled in on whatever page. So I don't think it's actually enforced; rather, it's up to the client app.

e: this is when I had it set to not work offline
|
Dec 21, 2015 00:16
|
Alereon posted: Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion. This fact has been a foundational principle of information security practices for quite some time. This is because users will work around inconvenient practices with MUCH less secure practices, such as how users respond to strong password requirements by reusing passwords. This is why the priority when creating a process for users MUST be that the process be so convenient users will never be tempted to work around it.

I agree with this. I'm not a high-powered pentesting security researcher but I understand the risks. Call me an idiot if you want but I just don't want to deal with the hassle that is KeePass. LastPass is easily more secure than what I was using before, web browser password storage. So it is an improvement, and it means I can use a different, secure password for each site.

I say all this as someone who is very much into computers. It's very hard for me to convince anyone not into computers to use LastPass; I can't imagine trying to convince someone that they should use KeePass.
|
Dec 21, 2015 22:04
|
Also, if you really want to argue that people only need passwords on one machine, then you must know a lot of people that only own a phone and no PC.
|
Dec 21, 2015 22:05