LastPass Saves and Syncs Passwords Between All Your Browsers
Posted by Adam Pash at 6:00 AM on August 26, 2008
Windows/Mac/Linux: Firefox extension and Internet Explorer add-on LastPass is a secure password manager for all your web passwords. Like other web-focused password managers, LastPass puts all of your individual passwords behind one master password. When you type in that master password, LastPass can then automatically log you in to any web site you visit with saved login credentials. Even better, LastPass syncs passwords over the internet, so all your saved passwords on your work computer, for example, will always be synced up on your home computer. I haven't been using it for long, but so far LastPass works seamlessly with Firefox and exactly as expected.
If you're creating a login for a site for the first time, LastPass can autogenerate a strong, secure password for you (remember, all you have to remember is your LastPass login). LastPass isn't the first password manager we've seen by any means. Previously mentioned applications like KeePass (or the Mac version, KeePassX), PassPack, 1Password, and Sxipper all aim to manage and secure your logins and passwords. But with its seamless syncing and cross-platform browser support, LastPass could draw a big audience pretty quickly. If you like the look but have already spent a lot of time with another password manager, LastPass supports importing passwords from KeePass, Sxipper, Roboform, and others.
Keep in mind, as always, that in order for syncing to take place, your passwords are stored online—meaning that you're required to place a certain amount of trust in the hands of the folks at LastPass. If that's something you can live with, it looks like a strong choice. If not, you may want to stick with an open source local option like KeePass. LastPass is free and works with Firefox and Internet Explorer.

Comments (AU Comments · US Comments)
Steve-de-Fox
Posted August 26, 2008 8:44 AM
This actually sounds useful. I use keepass for my more sensitive passwords, but have still kept a lot of passwords just sitting in the browser. I think I'll use this in conjunction with keepass for those sites I couldn't be bothered loading into keepass.
Carlos Monti
Posted August 27, 2008 12:48 PM
Hi, I just wanted to ask you guys about the sxipper integration to LastPass. Because it doesn't tell you if the imported passwords are from any application. It only tells you which browser they come from.
Thanks in advance.
Deadhacker
Posted 6:36 AM 26/8/08
Syncing your passwords across the Internet - and entrusting all of them to a third party Web site - is an incredibly bad idea. You can bet that these sites (LastPass and all the others mentioned) will be heavily targeted by system crackers.
Deadhacker
Jahmon
Posted 6:29 AM 26/8/08
so with this app, if i use both IE and firefox, my password from both apps will be synced?
Jahmon
jarhead
Posted 6:09 AM 26/8/08
Damn it! No wonder Gmail wouldn't allow me to sign up with the user name of lpuser11.
I'm still iffy with the storage of all personal passwords being on someone else's servers although they are encrypted locally on your machine before being sent.
jarhead
Joe@LastPass.com
Posted 7:13 AM 26/8/08
@Jahmon: Yes, you'll be able to sync both IE and Firefox, on any computer. If you don't log in and out, you'll need to go to the LastPass Icon -> Tools -> Refresh sites to sync without a login.
Joe@LastPass.com
meowsqueak
Posted 7:12 AM 26/8/08
Your passwords are almost certainly NOT stored online. Who would create that sort of system? That would be brain-dead. Although I don't know the site or service, I would be almost 100% sure that only encrypted passwords are stored. The question is - does the site deliver an encrypted password to your client, or do you have to decrypt it on their server?
meowsqueak
Squirrel
Posted 6:56 AM 26/8/08
@ Adam: Thanks for pointing out the downside in a short side-note, I strongly encourage LH to do that more, maybe even in its own column?!
Squirrel
Joe@LastPass.com
Posted 6:46 AM 26/8/08
LastPass is an exceptionally poor target for hackers because we only have 256 bit AES encrypted data and unlike many companies, we hardly know anything about you.
We use AES-256 bit encryption, which is frankly extreme overkill for protecting your passwords, but we wanted to do everything in our power to make it safe: to quote NIST: [www.nist.gov]
"Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old. "
This is like storing your passwords in a vault in Fort Knox, and is significantly stronger than leaving them unencrypted on your PC.
Joe@LastPass.com
Joe@LastPass.com
Posted 6:10 AM 26/8/08
We at LastPass wanted to make it clear that your passwords never leave your computer -- they're encrypted locally and the result of that encryption is uploaded to LastPass, and you can verify that encryption is occurring.
LastPass never has a way to decrypt your data, so we go out of our way to make it clear that you need to remember your LastPass password.
Joe@LastPass.com
purduepete
Posted 7:37 AM 26/8/08
@tasselhoff76:
This is the first valid point on this whole thread as I would be concerned if they did go out of business or started charging.
If I worried every time I faced a situation where my data could potentially be compromised, I'd never do anything - either online or Joe merchant down the street.
purduepete
addiktion
Posted 7:37 AM 26/8/08
key logger = password management system. :P
addiktion
addiktion
Posted 7:36 AM 26/8/08
This may be useful for stuff that isn't particularly important to me. My financial data passwords & main email account won't be on any key logger whatsoever. But this is just me. Other than that I'm testing it out now to see how I like it versus sxipper. Sxipper is less secure because it just milks the firefox passwords. I'm trying to find something a little safer that still provides the same functionality pop up as sxipper. Obviously having a master password is greater security in that view too.
addiktion
Squirrel
Posted 7:34 AM 26/8/08
@Joe@LastPass.com: May I ask you how you did implement the encryption process and how I can be sure you did it the right way? Is the client OSS (I admit I did not check your website)?
Squirrel
Joe@LastPass.com
Posted 7:32 AM 26/8/08
@tasselhoff76: You'll be able to export your data at any time even if the company was gone, and could immediately import that data into some other product. That being said, we've got a long runway, and plans to be far and away the best product.
Joe@LastPass.com
tasselhoff76
Posted 7:26 AM 26/8/08
I think my main concern with this is if the company went out of business. The nice aspect of KeePass is it is Open Source and will be on your hard drive no matter what. I suppose the information would be there with this program too but you'd have to migrate the information over to somewhere.
tasselhoff76
Joe@LastPass.com
Posted 7:22 AM 26/8/08
@jtimberman: I'd argue this is far safer than storing your passwords in your browser -- we encrypt your data with your key locally, and only store that encrypted data -- we don't want the liability, the responsibility, the burden of having any of your private data stored on our servers. If you read my comment above, you'll see why we consider it safe.
Joe@LastPass.com
Joe@LastPass.com
Posted 7:20 AM 26/8/08
@meowsqueak: We ONLY have encrypted data, and NEVER have the key. We deliver your encrypted data to your client, where it's decrypted locally -- that's what we're talking about with local encryption.
Joe@LastPass.com
jtimberman
Posted 7:14 AM 26/8/08
If that's something you can live with, it looks like a strong choice. If not, you may want to stick with an open source local option like KeePass.
No one should be okay with storing their passwords with a third party. In fact, no one should actually store their passwords in their web browser as in the past, malicious javascript has been known to steal passwords.
jtimberman
Squirrel
Posted 7:54 AM 26/8/08
@Joe@LastPass.com: Sounds interesting enough to check it out. I hope the implementation was carefully done (memory leaks and so forth). Thx for the response!
Squirrel
Joe@LastPass.com
Posted 7:44 AM 26/8/08
@Squirrel: We had to do it using a Javascript library for the website (which you can audit as it's just html/javascript), using Crypto++ for XPCOM, our Installer, and IE toolbar. We're looking into releasing a fully open source stand alone application for easier auditing purposes. We also have it in Javascript in the Firefox plugin, just in case you're on a platform beyond those supported by us in XPCOM at this point (Solaris, BSD, etc). [lastpass.com] has some additional details as well.
Joe@LastPass.com
thebaglady608
Posted 7:42 AM 26/8/08
I've played around with Lastpass a bit for the last few days and have found it to be nicely executed. Importing passwords from your browser is really easy, it lets you pick which passwords you want imported, and even asks if you want the unsecure passwords that it just found on your browser to be deleted (a nice option, imo). Adding sites with the plugin is also usually easy...all you have to do is log in, and the plugin recognizes that and asks if you want to store the password.
The Lastpass folks seem to have chimed in about the security issues folks have been worried about. The minuscule chance that someone will be able to de-encrypt my data and steal my password is pretty live-with-able to me. And if you don't want, say, your credit card site stored there, just tell Lastpass not to store that password. Meanwhile, for the billion and one other sites, it's mostly about the convenience of automatic login and not having your passwords stored somewhere unencrypted on your computer.
thebaglady608
creamsteve
Posted 7:39 AM 26/8/08
OK, anyways... For those of us daring enough to use these password managing dealies, how do they compare? Anyone with some experience with these please tell me. I have used Roboform (free) which was OK and I just logged in using Sxipper. I have been using Sxipper and it does what it says, but can be a pain in the ass sometimes when logging in vs. registering for a web-site that you are already registered for (Mygazines.com). And for the know-it-alls, seeing as how my info is stored on these companies' databases why don't you just go crack into their systems and post my information here. Peace.
creamsteve
stonebridge
Posted 8:48 AM 26/8/08
I will definitely try this one out, have been using "turbo passwords" up until now and it works well but not perfect so i will give LastPass a try.
stonebridge
purduepete
Posted 9:13 AM 26/8/08
@EracMan: This is an add-on for Firefox, I assume that won't change. Get the portable version of Firefox [portableapps.com] and install this add-on - you'll be good to go after that.
purduepete
EracMan
Posted 8:55 AM 26/8/08
@Joe@LastPass.com: I currently have been trying out passpack but am willing to give your service a shot.
There is only one thing keeping me from trying your service. Do you have a portable version of the software that is required? I have no problem installing it at home (I actually discovered lastpass last night) but company policy prohibits me from installing unauthorized 3rd party apps on my work PC.
Do you have plans to release a portable version so I can run it off a USB drive? Also what if any limits will be put on the amount of entries you can have? Passpack currently limits non-paying customers to 100 entries.
EracMan
gizmo78
Posted 9:22 AM 26/8/08
I'm glad this market is maturing…a good comprehensive solution is sorely needed. I've tried passpack & clipperz, they still have their own issues.
This is the most promising entry I've seen since Weave from Mozilla. On the up-side LastPass works cross-browser…but Weave will also sync bookmarks, cookies, history, autofill, etc. Weave is Firefox only, and still in very early development at Mozilla Labs. (like, an Alpha, even pre-alpha)
I'm hoping one of these will finally solve my password issues…
gizmo78
tedscearcy
Posted 7:09 AM 26/8/08
Apparently my last comment wasn't acceptable for some reason? Anyway, I submitted feedback via the plugin option and Joe responded within 2 minutes. Although lastpass isn't working for my main banking and credit card sites right now, I'll keep an eye on it due to his vigilance. Hope others have better luck!
tedscearcy
tedscearcy
Posted 7:00 AM 26/8/08
The first 2 sites I tried to use this on failed repeatedly, uninstalling it now.
tedscearcy
Joe@LastPass.com
Posted 9:46 AM 26/8/08
@EracMan: We have plans to come out with a USB thumb drive version, read only at first but coming very soon. You can always use the website without the plugin if that's an option for you at your work too. It's slightly slower (as the encryption is done in Javascript only), but it works.
@gizmo78: We have plans for bookmarks and autofill cross browser, cross platform.
Joe@LastPass.com
gawyn210
Posted 10:13 AM 26/8/08
Seems to work as described. Good addon!
gawyn210
SillyMattchoo
Posted 11:03 AM 26/8/08
I use Passward (www.passward.net) to synchronize my password list across multiple computers via a USB flash drive. Only works with IE though, but I don't use Firefox, so it's OK for me, been using it for years.
SillyMattchoo
Joe@LastPass.com
Posted 11:35 AM 26/8/08
@EracMan: Missed part of your question -- we have no limits on entries today; the data storage requirements are quite modest, also for you PassPack users we added (to the website only until our next release) an importer for PassPack.
Joe@LastPass.com
evilkarma
Posted 11:29 AM 26/8/08
Been using this a few hours and I think i'm hooked. Bye bye silly firefox password management.
evilkarma
GBMax
Posted 12:27 PM 26/8/08
@Joe@LastPass.com
Thanks for all your helpful comments. So here's the big question. When you come out of beta, how do you folks plan to stay in business?
GBMax
ian320
Posted 1:42 PM 26/8/08
The security of such a service does not bother me, as it is probably no less secure than syncing my Keepass db with Dropbox.
How much of a hassle is this if you want to use it for passwords not in browser, such as network keys or remote desktop?
ian320
gpzbc
Posted 3:03 PM 26/8/08
@GBMax: They explain their plans here: [forums.lastpass.com]
gpzbc
gpzbc
Posted 2:55 PM 26/8/08
I think I'll give it a try. I know it is more secure than the FF password manager that I am currently using.
gpzbc
RandyN
Posted 2:44 PM 26/8/08
I'm glad you're using AES 256-bit encryption but, and no offense intended, the most important point is: Is it implemented properly?
Just using AES 256-bit encryption is meaningless if not implemented properly. I'd like to see verification by a 3rd party, with the 3rd party being a cryptographic expert.
Has anyone verified that you are implementing encryption properly?
RandyN
Joe@LastPass.com
Posted 3:30 PM 26/8/08
@RandyN: We're not offended, doing cryptography correctly is hard and we've used libraries to do it (e.g. crypto++). Implementing AES in Javascript on the website, then in C++/XPCOM and Javascript for Firefox, and again in an IE toolbar, and again in a custom windows installer application also leads you to put some thought into what you're doing and testing to ensure that all these different implementations work properly. Is this perfect? No, but we've included 3rd party auditing in our plan for getting out of beta.
@GBMax: We've covered this a bit here:
[forums.lastpass.com] I'd add that our backgrounds lead us to lean towards the enterprise market, and that we're not going to be pulling the rug out on any existing users. We think that if we make believers out of enough users, our user base that happens to work at large businesses will help us sell a locally hosted version for that business that integrates well with LastPass.com's version. We think that this is a global problem and we have a solution that we can grow and scale globally.
Joe@LastPass.com
gpzbc
Posted 3:07 PM 26/8/08
Is there a hotkey? Like the Opera Wand or the Secure Login FF add-on?
gpzbc
Iczer2
Posted 11:14 PM 26/8/08
Great to see someone from the company active on the comments here. One thing I would like to know is do you have plans to allow people to migrate their stored passwords from other password managers to LastPass? I use Roboform at work and 1password at home. I'd love to consolidate these.
Iczer2
Joe@LastPass.com
Posted 12:30 AM 27/8/08
@Iczer2: We support importing from IE's built in password manager, Firefox's built in password manager, Roboform, Keepass, and many more. 1password's support is beta but it's being worked on.
Joe@LastPass.com
Ken
Posted 12:18 AM 27/8/08
@Joe@LastPass.com: Great software, I like it much better than Roboform. I've noticed one problem with your software though.. After I import the saved url & password into LastPass, the url is not the actual login page. I have to find the Login then your LastPass will fill in the username & Password. Is there a convenient way to update existing Saved Lastpass Urls?
Ken
SamburgerHandwich
Posted 1:05 AM 27/8/08
How does this handle FF add-ons like delicious?
SamburgerHandwich
mbrevard
Posted 2:44 AM 27/8/08
Never mind. Scratch the last post. I read on your FAQ page that you have it in the works down the road. See if you can't fast track that :) So far a great product.
mbrevard
mbrevard
Posted 2:20 AM 27/8/08
Joe@LastPass.com I was wondering if there were any plans to make it available for Windows Mobile phones? Thanks.
mbrevard
Joe@LastPass.com
Posted 3:11 AM 27/8/08
@SamburgerHandwich: There shouldn't be any issue with running delicious and LastPass
Joe@LastPass.com
cosmo
Posted 7:20 AM 27/8/08
Roboform + SynchToy (MS). Just find the profile data folder in username/documents and use Roboform's support page to figure out what filenames to exclude when you're setting up SynchToy. I've been using it since we discussed Google's surprise-kill of the browser synch extension. Works great. I've been running test copies of RF before, like the trials you get with a new USB stick, and it took some days to get used to the interface. But it is still much sweeter than Keepass and it comes with autoupdates and support. Go pay! :)
cosmo
FlashCreations
Posted 6:27 AM 26/8/08
So am I. It just seems too risky giving them your passwords. I guess you could use it to store passwords for unimportant sites that you wouldn't mind if someone figured out your password, but if you used it to store your bank account password it would almost be like handing your credit card to a stranger and trusting them not to use it. I for one feel that Firefox's own password remembering system is pretty secure (I'm not sure though, there is a program that you can view saved passwords with unless they are encrypted). If I needed to trust an important password to something I would probably buy an Ironkey ([www.ironkey.com] Notice the https!!). It is pretty much anything proof (for a pretty hefty price). You know they are pretty secure since the page where you can watch demos of it is HTTPS instead of HTTP!!!
FlashCreations
PR.
Posted 8:39 AM 26/8/08
Looks interesting, I'll give it a go. I've been using Roboform for years, but recently I'm using more computers and it's too expensive to be buying licenses for each one. I also like the fact this keeps them all synced.
PR.
bollonet
Posted 7:15 AM 29/8/08
I find this more functional AND secure than storing your passwords in your local browser - people talking about how they keep on using their supersafe oldschool passwmanager (like passwsafe/keypass) - but they are more vulnerable to password theft using keyloggers etc than if you use lastpass with autologin. This is actually safer than using your average oldschool password-protected-container.
bollonet
sinoke
Posted 7:02 PM 31/8/08
@Joe@LastPass.com: I ran into a little problem with multiple profiles in firefox. I only wanted this to affect one profile but it automatically installed the add-on for both and did not let me choose. (hint hint would be good to add!) After disabling the plug-in passwords would not show up! I figured out it was just because "signon.rememberSignons" was not automatically set back to true. Maybe another bug that could be fixed...but now that I have that worked out it seems to be working as described in my other profile.
sinoke