
RE: A More Secure Setting for LastPass!

in #mac, 6 years ago

I have been contemplating changing from LastPass to a different method. Simply because of the fact that LastPass is a cloud service and my faith in them dwindles a little every day.

I was thinking of a hardware solution: https://www.themooltipass.com/

But I haven't had a chance to do all my research yet, want to see if it is really worth the hassle.

I may just be unnecessarily paranoid 😊


I have the Mooltipass. It is definitely much more secure than online password managers, and you can back up your information as well. However, there are some limitations: a) you need to carry around the device; b) the backup process is not automated, you need to manually initiate it; c) there is a 31-character limit on passwords; d) only passwords can be stored, no security questions, notes, etc.

Thank you for your comment @anarcist69. I have a friend whose computer was hacked. They emptied all his crypto wallets and made several brute-force attempts to crack the LastPass password, but were not able to do so.

What you are showing me is interesting, but there is still the risk of losing the device, and your passwords, and of somebody hacking into it. I believe it's easier to crack a device than a very secure server.

I beg to differ. Any good device should have a good encryption method for storing its data for me to even consider using it.

This particular device says that it uses a PIN number to access the additional AES-256-bit key that will decrypt the data.

If someone were to steal the device AND the card, they only have three attempts to guess the PIN before the card is disabled. Once that happens, unless they have some supercomputer, there is no way they could crack the encryption code.

My experiences with servers show that even a slight slip-up in security can lead to a significant compromise. At least a physical device isn't exposed to the millions of devices that are connected to the internet.

Just my opinion and I thank you for yours :-)

I agree with your point, but all passwords are still lost when losing the device unless you can do a backup and store it in a very safe place?

In LastPass, my financial sites are in "Secure Notes" and I also remove 4 secret characters in the password, so if it's cracked, it's still not a complete password.

You can back up the Mooltipass.
With LastPass, if your client computer is compromised (with a keylogger and database stealer), ALL your passwords are compromised. With Mooltipass or Trezor PM, only the passwords that you type in the machine are compromised (as passwords are individually encrypted).

Thank you very much for your feedback. That's why the computer has to be checked and clean of spyware and keyloggers, or LastPass is vulnerable. I will check out the solution you suggest.