LastPass Premium - 6 Months FREE - Requires University Email

Related Stores

LastPass

• 

  A Banana4scale on 21/09/2011 - 01:23

  +3

  I've been using this for the past 1 year. It's possibly the only software that I carry with me at all times. Simply cannot live without this software after you start using it.

  • 

    anthony on 21/09/2011 - 09:29

    +1

    As an alternative (if you want to try one)

    There is Firefox synchronization which synchronizes between Firefox on your computers and Firefox on your phone.

    There is also Google chrome however that does not support phones.

    And also Opera which will synchronize between your computer and phone

    • 

      Satoria on 21/09/2011 - 10:59

      Opera Link is wonderful.

    • 

      Garyyy on 22/09/2011 - 02:30

      Although, with LastPass Premium you won't have to go through that hassle of entering sync IDs. All you do is login w/ your email address and password, and boom!

      Big thank you to the OP for posting this. I was thinking of purchasing premium last weekend. The fact that LastPass works on Firefox, Dolphin Browser and multiple platforms is simply amazing.

  • 

    dak52 on 21/09/2011 - 12:22

    I would take evernote over this any day. You can access it from anywhere for free, and if you are creative with how you organize and describe them you can easily stash a few passwords on there.

    • 

      murkywater on 21/09/2011 - 19:15

      Apples and oranges.

• 

  gilbarc on 21/09/2011 - 01:29

  For anyone wondering, the regular price is USD $1 per month.

• 

  Frantic on 21/09/2011 - 01:42

  +1

  Wasn't there a major vuln in LastPass earlier this year?
  Still at the end of the day it's convenience vs security, and there's nothing decent
  for KeePass on iphone

  • 

    A Banana4scale on 21/09/2011 - 01:58

    +2

    wasn't major. Only scare was for people with non-secure passwords, although the downtime was annoying as hell

  • 

    YesPleaseThankYou on 21/09/2011 - 09:53

    Yes, there was.

    KeePass is my preferred.

  • 

    AncientWisdom on 21/09/2011 - 14:17

    There was an issue where they detected abnormal network activity and therefore straight away shut down access to the network.
    I have been following it closely and I believe they were %110 OK in their reaction to what happened as well as transparent. Another company could have easily not even tell users something like that happened.
    Anyway, even if your data was breached, as long as you have a strong password, there is nothing to worry about. That's the whole point of encryption.
    And in regards to convenience vs. security, I actually believe that LastPass offers both, as you have a unique and highly secure password to every site - no need to remember weird passwords, or use the same password to multiple sites.

• 

  lepenseur on 21/09/2011 - 03:47

  +8

  Lastpass suits some people, but has had major customer service issues.

  The two catastrophic sceanarios for any password repository are:
  1. The bad guys get your logins and passwords, all of them (this probably didn't happen, but was suspected)
  2. YOU get denied access to all your logins and passwords (this definitely did happen to lots of people)

  If you use Lastpass, free or paid, you need to make extremely sure you understand all the methods for minimising your reliance on Lastpass' cloud system being up, and you need to make contingency plans in case Lastpass locks you out and you cannot log in, which happened to many thousands of users in a crisis during the past year which lasted over a number of days and which was not well handled by Lastpass.

  You have to really dig around very carefully on the Lastpass web site to find out how this really works and how to protect yourself in case something goes wrong, and their web site is unhelpful on this, tending to minimise the dangers and trivialise the issues you may face, and just selling the benefits and ease of use. (Bear in mind that having no encryption also has great ease of use - it's not a great criterion.)

  For example, their motto "the last password you'll ever need" is inherently misleading, a lie, effectively, for the following reason:
  In order to log into Lastpass, they force you to use an e-mail address as a login ID - there is no choice but to do this - and this e-mail address is really critical because it is (again, no choice) the Lastpass password reset e-mail address to which Lastpass will send an e-mail if they change your password (which they have unilaterally done many times, and may do any time).

  If you have believed the above slogan and you have stored your strong password to that critical e-mail account inside Lastpass, and you rely on that, then the moment you can't log into Lastpass any more, you are royally screwed to put it mildly, because you cannot access password reset e-mails they send. Large numbers of customers lost access to all their passwords and their primary e-mail address because they believed the slogan and didn't think more about it. You must therefore keep at least two very secure passwords outside Lastpass.

  There are also ways of keeping a copy of the password file off-line, but you have to really dig around and experiment and find out for yourself how to do this by extensively reading on the Lastpass web site, and then verify that it actually works before you rely on it.

  Not to denigrate the deal in any way, Lastpass paid or free is better than nothing, but should be used in a careful, informed way.

  An excellent free alternative is Keypass or Keypassx or Keypassmobile, available on many platforms.
  Nothing goes into the cloud, you don't depend on any company, you cannot be locked out of your repository by anyone, you can carry your data securely in your phone or USB key ( for example, using the PortableApps.com platform and Keypass Portable - really excellent open source/free projects ).

  • 

    AncientWisdom on 21/09/2011 - 14:13

    -1

    Do you even use LastPass? Your passwords are ALWAYS stored offline on the computer LastPass is installed on. The problem was for the very low percentage of people that were trying to access LastPass from a web browser.
    If you use LastPass, this is very easy to see, simply login while offline, and check your vault. All your passwords are there.
    Still, when I recommend LastPass to friends I always tell them there are actually 2 passwords you need to remember: LastPass and main email account. I also don't store my banking details on LastPass.
    But except for that, I can't recommend Last Pass enough, it's an awesome program (premium user my self).

    • 

      lepenseur on 21/09/2011 - 21:58

      +1

      Do you even use LastPass?

      Readers would probably find it more useful if you could point out anything I have said that is not factually correct rather than simply to question my credentials.
      To answer your question, in case it has some importance, I am a paying Lastpass Premium subscriber for almost a year, I have spent a long period using Lastpass and evaluating it, I have reported many bugs to the Lastpass developers and tried to get them fixed, I decided that I could not trust Lastpass and did not migrate to using it for important data, I closed my account when the suspected security breach occurred, and I still monitor the Lastpass developments and updates.

      Your passwords are ALWAYS stored offline on the computer LastPass is installed on.

      "ALWAYS" ? Well, maybe. Lastpass say they "cache" the password repository, but it is hard to find in order to verify that it exists all the time, and sometimes it is not true, and it is not always there when you critically need it. You just have to trust Lastpass that it is there. Lastpass does not explicitly tell you that it is cacheing a copy of the repository at the time it does it, and it displays no indicator that the cache exists or that the cache does not exist. You have to find it manually.

      In my experience, if the cache is not there then Lastpass says nothing, and you can be caught out. If a user's Lastpass login fails, and they mess around trying to log in enough times, chances are that the cached copy may be gone by the time they find out how to access it. This "trust me" kind of mode of operation may be good enough for some people, but I prefer to "trust but verify", and verification is painful to do. Lastpass could make this safer and much more explicit if they wanted to, but they don't want to. They want you to think security is simple, and that their product "just works".

      Also, consider this in terms of useability: even if the cached copy exists, at the time you get locked out of your Lastpass cloud password manager, you have to know that what you need to do is to UNPLUG your internet connection and attempt to log in to your "cloud" service with no connection. For a cloud service, this has to be the most counter-intuitive action to take. Who would know about this when they are locked out of their account and panicking ? Expert users like you may know about this, but most of the 1,300+ people angrily responding to the Lastpass blog when Lastpass failed did not know about it.

      It's all very well to say Lastpass is great if you are an expert; that's very nice for you if you fully understand it, but most people will just take it at face value and use it as the web site suggests to make life "easy", and they may find that, when it fails because of something happening in the cloud, the consequences can be catastrophic, especially if they don't have an expert such as yourself at their side to advise them at the time.

      I was trying to comment in a way that may be useful to a wide range of potential users, so they understand the risks and not just take Lastpass or any other product at face value. Not everyone is an expert with in-depth knowledge nor wants to take the time to become one. I find that there is too much mindless promotion of security products and too little understanding of their weaknesses.

      What I call "mindless promotion" goes even further. There is so much "affiliate marketing" on the web that you cannot trust much of what is written. You cannot trust blogs, in general. If you look at how Roboform, for example, is promoted, you will find many blogs posting about "this great product I've discovered" but many of these bloggers are being paid or compensated to say what they say, or they have affiliate links to the product they are purportedly "reviewing", and if you post a critical response to their blog they won't allow it to be published. It is difficult to post any critical comments about Roboform.

      The blogosphere is corrupt, lacking in integrity.

      • 

        A Banana4scale on 22/09/2011 - 11:17

        +1

        Blogosphere is corrupt?

        Sure there are fanbois in every major gadget/app blog but I doubt very much that Lifehacker/Gizmodo, Addictivetips and hot hardware would be paid to sponsor Lastpass. I also remember an Engadget editor swearing by Lastpass but can't find the source.

        While ory_zm may have questioned your credentials, you gave an example of Roboform, which is not what the post is about. It would be more useful if you actually gave evidence of Lastpass paying blogs rather than just giving the notion that is it corrupt.

        Finally most of the stuff you have mentioned about lastpass changing passwords etc haven't happened to me yet, I think the password changing/no connection login scenario only played for those people who had pretty weak passwords to begin with, which kind of defeats the purpose of having such a software installed on your computer.

        and yes I'm a Lastpass fanboi like countless other users but I'm no iSheep

      • 

        AncientWisdom on 22/09/2011 - 19:32

        +1

        Hey lepenseur,

        I didn't mean to question your credentials, it just sounded from your first post that you have heard what happened to LastPass and were going based on rumour - not first hand experience or knowledge. Your second post makes it perfectly clear that you do actually know what you are talking about and I agree with most of what you say.

        That being said, in MY experience my cached local copy was available to me. I understand that might not be other people's experience but so far I'm very happy with the way LastPass handled that incident as well as their general ongoing attitude (yes it isn't perfect, an easier way of exporting passwords to KeyPass for example would be very welcome).

        The second point I wanted to make is that although imperfect, I believe the general user would benefit more (=be more secure) with last pass than without. All they need to do is have a really strong password (at least 14 characters, upper lower numbers and symbols - not all made of dictionary words), and remember their email account password. This is important not only because you might get locked out of LastPass, but also because 99% of services you will be able to retrieve/reset your password if you have email access (BTW - that is why email access should be high on people's priorities to be super secure with a strong unique password etc.).

        Also, consider this in terms of useability: even if the cached copy exists, at the time you get locked out of your Lastpass cloud password manager, you have to know that what you need to do is to UNPLUG your internet connection and attempt to log in to your "cloud" service with no connection. For a cloud service, this has to be the most counter-intuitive action to take.

        Not sure about that information, I didn't know users got locked out of their cached dbs… for me I could access my cached passwords but not my cloud ones. If what you say is true then that indeed is a problem. The only solution I see is to export to Keypass or similar every once in a while.

        BTW - all the other solutions you suggested do not sync right? Cause that is the biggest benefit of LastPass IMO - secure sync. Otherwise:
        a) your data is somewhere in the cloud
        b) you have to really fortify it yourself e.g. true crypt

        I think one sentence in your first post sums it up nicely:

        Lastpass paid or free is better than nothing, but should be used in a careful, informed way.

      • 

        lepenseur on 22/09/2011 - 21:58

        +1

        Hi ory_zm,
        I'm trying to reply to you but not sure of this will go in the right place in the postings. (OzBargain is not offering to allow me to reply to you; maybe we are down too many levels.)

        You are right that the KeePass-style solutions don't provide sync and you need to do that manually if you need it. If your logins and passwords don't change a lot that's OK; if they change frequently that will be a problem. That's the downside of the safer solution. The upside is having physical control of your password repository. People need to decide what is most important to them.

        It's a question of whether they absolutely need automatic sync (which is very convenient) and whether they are happy to entrust the data they store in their password manager to a cloud platform. In that case, Lastpass is one of the few possibilities. I have looked at a number of them - there aren't very many - and probably Lastpass is getting more scrutiny than other candidates and that is likely to be a good thing.

        Also, using Lastpass, who hold themselves to be specialists in the security business, may be safer than rigging an amateur sync solution as many people do, using something like KeePass and then adding on some other type of file sharing facility (Dropbox, Sugarsync, etc) to share their password repository around amongst different platforms. Once the password repository starts flying around and sitting on different platforms, there is the possibility that someone might get their hands on a copy of it (this was the suspected breach with Lastpass). Some file sharing/sync platforms have vulnerabilities; security is not their primary business. OK, your personal repository is encrypted, and as someone said "AES-256 has not been cracked". But, if someone has a copy of your password repository to play with, there are now brute-force cracking methods (see "rainbow tables") which are cheap and effective even if the password is moderately strong.

        Whatever we use as a password manager, we not only do we need a strong master password, but we also need to keep the repository safe from getting into the wrong hands, and backed up so we can't lose access to it.

      • 

        AncientWisdom on 23/09/2011 - 13:50

        We seem to be in agreement. As I have a PC, laptop, work machine and smart phone, the sync capabilities are very important to me, so I'm happy with that.
        If someone does not need sync than it is obviously better to have your passwords on your machine, they just need to make sure they are back up safely (e.g. different location etc.)

  • 

    jagsman on 21/09/2011 - 22:48

    +1

    Ok, so just memorise another strong password for your email account, and that negates most of what you are saying. "the second last password you'll ever need" - happy now?

    The real benefit of lastpass is not remembering passwords to email accounts or online banking etc. but all the less frequently used forums and online stores you use. It automatically fills forms, logs in, generates new passwords - highly convenient.

    I agree about Keepass though, but only if you want a secure password repository/password generator with no other features.

    • 

      anthony on 21/09/2011 - 23:05

      The real benefit of lastpass is not remembering passwords to email accounts or online banking etc. but all the less frequently used forums and online stores you use. It automatically fills forms, logs in, generates new passwords - highly convenient.

      Your web browser can do that and keep your passwords synchronized between computers all for free with no extra software needed.

      • 

        AncientWisdom on 22/09/2011 - 19:34

        Yes but how secure is that? <rhetorical question - it isn't>

      • 

        anthony on 23/09/2011 - 11:10

        Yes but how secure is that? <rhetorical question - it isn't>

        Probably as secure as lastpass (Maybe more secure)

        I use firefox so i can only explain how it works.

        When you make your firefox synchronization account you are given a randomly generated encryption key which is about 30 characters long.
        This key is used to encrypt all of your information before sending it to firefox so the only thing firefox gets is your encrypted data.
        Your other firefox installations then download this encrypted data and use the encryption key to decrypt it before they add it to firefox.

        For someone to get access to your firefox synchronization account they would also need to know your username and password (your password is just like the lastpass "last password")
        And they would also need your encryption key to decrypt the data.

        I dont know how lastpass works but i am guessing if i knew your username and password i could sign in to your account and see all of your passwords?

        If i gave you my firefox username and password you could not do anything as the only way to view my passwords is to download the encrypted file and have firefox decrypt it with the encryption key.
        I don't think you would even be able to get access to my encrypted data as you can not set up firefox synchronization without a matching username, password and encryption key.
        You could sign in to my firefox synchronization account through a web browser but all you would be able to do is change my password or delete all of the encrypted data.

      • 

        AncientWisdom on 23/09/2011 - 14:00

        You raise interesting points.
        You are correct, you can gain access to LastPass with a user name and password. In that regard the FF sync (which I use BTW, just not for passwords) is more secure.
        My problem with FF sync is that the level of protection is unknown. With LastPass you know there is a company dedicated to the safety of your passwords, that and nothing else. With FF, I do not know who verifies whether the method is truly secure or can be hacked etc. Maybe the data is encrypted better with FF, but if it sits in a less secure location this could even out (well maybe not even out but you know what I mean).
        When I started using LastPass, FF password feature was really weak. I am happy with LastPass now so I see no reason to go back (I also like the cross browser support as I use Chrome at work for example).

        BTW if you are really serious about security, LastPass supports the use of YUBIKEY - I promise you no one would get into your account without access to the physical USB key.

• 

  jonnois on 21/09/2011 - 04:10

  does not work with griffith emails, [email protected]

  • 

    lsp on 21/09/2011 - 04:15

    nawwww

  • 

    jonnois on 21/09/2011 - 06:22

    Edit: - i sent them an email and it works now

  • 

    kheob on 21/09/2011 - 14:47

    -1

    Because Griffith isn't a real University.

  • 

    Tilduke on 21/09/2011 - 17:11

    regex fail.

• 

  [Deactivated] on 21/09/2011 - 08:11

  I use msecure, you can sync via wifi, email, iOS / PC / Android and you don't have to store your passwords on an online server which is a security concern

• 

  theworks on 21/09/2011 - 08:30

  +16

  I keep my passwords on post-it notes on my screen

• 

  dealman on 21/09/2011 - 09:26

  Another way is where Passwords are stored in Chrome with the Chrome Sync and Google A/c Encryption..

• 

  Wallyt99 on 21/09/2011 - 10:02

  Just quietly, University passwords are actually worth alot on the 'black market' for passwords. They give you access to what equates to hundreds of thousands of dollars worth of online resources (at an indicidual level, university subscriptions are well into the millions).

  • 

    A Banana4scale on 21/09/2011 - 10:19

    this is just the email, you don't have to/can't/shouldn't use your uni password anyways. Mine is 20 characters long so pretty safe IMO

  • 

    anthony on 21/09/2011 - 10:26

    I dont think that a single password is worth much because there is no subscription associated with it.

    To access the subscriptions that the university is paying for you need to access the content from a university computer as the subscription access is based on the university IP address.

    • 

      lano on 21/09/2011 - 10:41

      Depends on the Uni I suspect. I can use my Monash account from my home computer to log in and download peer-reviewed papers, etc.

    • 

      Tilduke on 21/09/2011 - 17:11

      My uni requires you to log in then acts as a proxy for viewing journals.

• 

  Dealsclaw on 21/09/2011 - 13:55

  how about roboform? I use it to manage my passwords. I find it pretty good.

• 

  R3XNebular on 21/09/2011 - 15:44

  Love last pass now I can use it on my android!!!

• 

  Frantic on 23/09/2011 - 05:25

  Been using it for a few days and have to say the Premium version is pretty cool.. hmm if anyone doesn't have a uni email I wonder if australia.edu free email would work? I mean at the end of the day we're all students of life in some way or another, right? lol