
What makes LastPass so secure?


I can't simply understand how using LastPass is secure. All an attacker needs to do is compromise the single LastPass account, and then he has also compromised all other websites.

Asked by: Guest
Guest [Entry]

Aside from allowing you to create unique, complex passwords for each site, we also offer free second-factor authentication: Grid. So your username and password are not enough to access your data when Grid is used.

In addition, your passwords are not stored in Firefox's or IE's password managers, which are generally insecure (just run our installer and watch how we can pull all of the passwords).

As for storing in the cloud, everything is encrypted locally before it is sent to the server, and your key is never sent to us. You can read more about how we keep you safe on the technology page on our website.
Guest [Entry]

What makes it secure is simply that they cannot tell anyone what your passwords are, even with a gun to their head. Even when using the web interface, your passwords are encrypted locally before being transmitted.

Yes, it is true that it provides a "single point of failure" unless Grid is used. However, you could have a ridiculously strong master password; who cares if you have to type a 100-character password if you only do it once a day? And because it saves your "sub-passwords", you can have them a lot stronger than you normally might.

Another advantage is that most people won't have different passwords for every website (or will have a pattern), and LastPass lets you ditch this. So whereas before every single site you were on was a potential entry point to all the other sites you were on, now only your LastPass account is. Cracking any "sub-password" yields no extra information to an attacker.

This is useful because you have no idea whether the sites you are on are encrypting your password, or salting it. I could name a website with 11 million users that stores passwords unencrypted in its database.

Finally, LastPass offers features like one-time passwords for accessing your passwords in untrustworthy locations, which keeps your account secure from even the most advanced keyloggers.
Guest [Entry]

No online password storage tool can assure you security. They claim that the host-proof password storage mechanism hides the passwords from the host, and only the client side knows the key and the decrypted form.

But the following blog post shows a flaw in that assertion:

One reason why we can't trust online password storage
Guest [Entry]

Using LastPass with the Chrome plugin I was able to pull a password by navigating to a login page, filling in the password and entering the following in the console (press F12).

document.querySelectorAll("[type=password]")[0].value  // value of the first password field on the page

This is with two-factor authentication and with the "require master password to show/copy password" option enabled. I'm guessing it would not be hard to automate this, meaning that passwords can be pulled easily from LastPass just like from other password storage, contradicting what "Bob from LastPass" seems to be claiming.

I guess LastPass is considered better than manual password management by security experts like Steve Gibson simply because the risk of compromise from a weak/reused password or by a generic keylogger is bigger than the risk from malware that's specifically attacking LastPass. Still, I would only use it for sites that I can afford to lose, and never for banking/primary email/Dropbox, etc.

A password manager requiring two-factor authentication for every password that is downloaded from the server (LastPass only requires it on first login) would limit the damage to only the passwords that were used on the infected computer, but I have not found a password manager with that option yet.