bobbilljim
May 29, 2013

this christmas feels like the very first christmas to me
:shittydog::shittydog::shittydog:
Lastpass 2-factor doesn't actually do anything, so I wouldn't bother turning it on. Last I checked, anyway.

bobbilljim
May 29, 2013


Alereon posted:

I guess you're talking about it not actually being required in all scenarios by default, like when offline? If security is more important than usability you can disable trusted devices and caching of credentials/vault contents, but that doesn't seem to be a good trade for most people.

Could just be certain client apps, but last I checked, if you have it enabled in Firefox you can sign in with the password and it will autofill any open web page you have, then you can tell the second factor popup to piss off and you still have the password filled in on whatever page. So I don't think it's actually enforced, rather it's up to the client app.

e: this is when I had it set to not work offline

bobbilljim
May 29, 2013


Alereon posted:

Here's the problem. Convenience is so vastly more important than your theoretical security concerns that I am stunned we are still having this discussion. This fact has been a foundational principle of information security practices for quite some time. This is because users will work around inconvenient practices with MUCH less secure practices, such as how users respond to strong password requirements by reusing passwords. This is why the priority when creating a process for users MUST be that the process be so convenient users will never be tempted to work around it.

I agree with this. I'm not a high powered pentesting security researcher but I understand the risks. Call me an idiot if you want but I just don't want to deal with the hassle that is keepass. Lastpass is easily more secure than what I was using before, web browser password storage. So it is an improvement, and it means I can use a different, secure password for each site.

I say all this as someone who is very much into computers. It's very hard for me to convince anyone not into computers to use lastpass, I can't imagine trying to convince someone that they should use keepass.

bobbilljim
May 29, 2013

Also, if you really want to argue that people only need passwords on one machine, then you must know a lot of people that only own a phone and no PC.
