Last week, Lifehacker posted an article detailing how to recover your Firefox master password using a freeware password recovery tool, Firemaster. Firemaster generates password guesses on the fly, coupled with other procedures, to rapidly attempt to crack your password. If you lose your master password, you lose access to ALL of your passwords, so being able to recover it is great, right? Maybe not. If you can use Firemaster to crack your password, so can anyone who has access to your computer.
LastPass does offer some additional protections, but all with some caveats. LastPass has the ability for Premium users to use a YubiKey, a USB authentication device, as a second factor in their LastPass login. If the YubiKey is not plugged in, a user can’t recover his or her passwords. This can be bypassed via mobile access, though, where obviously a YubiKey cannot be used and therefore is not required. Premium LastPass users can also try out Sesame, which allows multifactor authentication via standard USB thumb drives. This is subject to the same limitations as YubiKey, however. Both YubiKey and Sesame authentication are available to Premium users only.
LastPass also throttles password brute force attacks on the server side of things, locking out a user who guesses five times incorrectly within a certain period. This doesn’t protect your locally stored encrypted database, though.
So, none of the LastPass additional protections are perfect. But do we need perfect? If you’re going to 1) use a weak password, 2) not use Sesame or YubiKey, and 3) use a computer that isn’t in a secure location, then KeePass might be the better choice for you. But as the developers of LastPass point out, even adding one more character to your master password will provide as much protection as key transformation does, as that will add to the time it takes for a brute force cracker to work. With a strong password, a cracker could be looking at years of work before it cracked a password. Further, mobile devices aren’t good subjects of brute force attacks, so the lack of multifactor authentication (YubiKey or Sesame) on them doesn’t matter much in the real world.
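To make the comparison above concrete, here is an added cost model (not code from the original post, and not LastPass's own implementation) that puts a number on the two levers the developers describe: one more character of master password versus iterated key transformation. The alphabet size, iteration count and attacker throughput are assumptions, since the post gives none of them.

```python
import hashlib
import math

# Assumed parameters (the post does not state LastPass's real values).
ALPHABET_SIZE = 72          # upper + lower + digits + a handful of symbols
HASHES_PER_SECOND = 1e7     # assumed offline attacker throughput, one hash call each


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Key transformation: stretch the master password into a 256-bit vault key.
    Every candidate an offline cracker tries must pay the same `iterations` cost,
    which is exactly why stretching slows a Firemaster-style search."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of candidates an exhaustive search must cover for a given length."""
    return alphabet_size ** length


def expected_crack_seconds(length: int, iterations: int,
                           alphabet_size: int = ALPHABET_SIZE,
                           rate: float = HASHES_PER_SECOND) -> float:
    """Expected time for an offline search: on average half the keyspace is tried,
    and each guess costs `iterations` hash calls."""
    return (keyspace(length, alphabet_size) / 2) * iterations / rate


def extra_char_vs_iterations(length: int, iterations: int,
                             alphabet_size: int = ALPHABET_SIZE) -> dict:
    """Work multipliers relative to `length` characters with no stretching.
    One extra character multiplies attacker work by the alphabet size;
    key transformation multiplies it by the iteration count."""
    base = expected_crack_seconds(length, 1, alphabet_size)
    return {
        "one_more_char": expected_crack_seconds(length + 1, 1, alphabet_size) / base,
        "key_transformation": expected_crack_seconds(length, iterations, alphabet_size) / base,
    }


if __name__ == "__main__":
    # Constructed salt; a real vault stores a random per-user salt beside the blob.
    salt = b"constructed-demo-salt"
    key = derive_vault_key("correct horse battery staple", salt, 5000)
    print("vault key:", key.hex())
    for length in (8, 12, 16):
        years = expected_crack_seconds(length, 5000) / (365 * 24 * 3600)
        print(f"{length} chars, 5000 iterations: ~{years:.3g} years expected")
    print(extra_char_vs_iterations(8, 5000))
```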
The Bottom Line
The bottom line in all of this is twofold. First, use a strong password: pick a password with a combination of letters, numbers, and symbols, and make sure it is a long one. If you do that, a password cracker will never be able to crack your password, regardless of which password manager you use. Second, the choice also comes down to a balance of convenience versus security. As noted in our initial review, LastPass was the one program that actually worked seamlessly, autofilling passwords. Since I use a strong password, that convenience is worth the microscopic (possibly non-existent) drop-off in security to me.
In short, I plan to stick with LastPass, since the security concerns are extremely remote, to the point of being virtually nonexistent, and the program works well. How about you? Do you use a password manager? Are you concerned about programs like Firemaster?