Nov 24, 2009

LastPass Featured by PC World

Technology and Security Journalist Erik Larkin recently featured LastPass in his article for PC World.

He highlighted the recent headlines about large-scale password theft, pointing out that average users are highly vulnerable, and stressed that everyone should take steps to protect themselves.

From the article:

LastPass fills in your username and password for verified sites that match a real URL; phishing scams that use similar but fake Web addresses won't deceive it. And because you don't type your password, keylogger malware can't capture your keystrokes and nab your password.

The full article can be found here:
Keep Your Passwords Private--and Handy--With LastPass

2 comments:

  1. Hi,

    I should add, as also discussed in the forum, that LastPass still fully discloses the account username and password while it's being typed in, so a screencapture keylogger can compromise the entire LastPass account. Multi-factor doesn't help, since if you use webmail, that login will also have been captured, allowing the hacker to fully disable multi-factor authentication and completely take over your LastPass account. If you get a keylogger that does screen capture, you can lose your entire account. This still hasn't been addressed in repeated updates, and the developers seem to be in denial about it, despite the fact that screen-capturing keyloggers are prevalent. These are basic security steps that it's stunning haven't been carried out. LastPass is NOT secure against a keylogger. Not even with multi-factor authentication.

  2. Anonymous, This isn't really the place for it, but you seem to have not understood the forum posts so we'll recap: LastPass fills passwords like your email password without using the keyboard _at all_ unlike some other solutions out there. They won't be captured by a screen-grabber nor keyboard capture. They're dynamically filled via DOM, so multi-factor is certainly a safe way to protect yourself from this threat.

    Plus if you're worried about your multi-factor being disabled you can set it up on a little-used email account that you don't log in to except to disable your multi-factor.
