Anyone ever use them?
I've used GoogleDocs before, but they still don't support per-document passwords. So since GoogleDocs is likely tied to an e-mail account, it would stand to reason that a very strong password should be protecting my e-mail/drive.
In this day and age, why would you keep something of such value on the Internet, especially hosted on US soil (as LastPass is)?
In this day and age, why would you keep something of such value on the Internet, especially hosted on US soil (as LastPass is)?
I'm not worried about the NSA. I'm worried about random Chinese/Russians/script kiddies getting access to my password file. My wife's accounts have been compromised before, and once my debit card (which got picked up immediately, some kid buying... WoW stuff). But not everyone is as thorough as my bank/credit card in keeping my data safe. My random Linux box connected to the internet isn't going to have staff keeping an eye on it.
And it's not that passwords are hard. It's that every bloody website has their own idea of what constitutes a "valid" password and many of them do not overlap.
GoDaddy requires you to use an account number instead of a name for frak sake. I mean what is this, the stone age?
Let me clarify. GoogleDocs would be great if only it allowed an additional password for file access instead of giving gaping access to my e-mail, social media, and documents. Which of course, is why I have to use my strongest password on my e-mail. It's good too!
I use LastPass. If you're talking NSA, why do they need your passwords? They already have all the backdoors they need. Plus, unless they're lying, there's no way to get at your passwords without your master password anyway.
Google Docs, or any Google service for that matter, is one of the last places I'd store sensitive data like passwords. They have absolutely zero reason to make it secure enough (if they can't read it, then they can't use it to target ads at you).
Please, use the proper tool for this job... a proper password manager.
[edit]
But yes, to answer your question, I do use LastPass (premium) myself. I've not had any problems with it, and the Chrome plugin is great. There are only a handful of passwords I have committed to memory, the rest are unique, long, randomly generated strings of shit.
I use Lastpass. Works great.
They already have all the backdoors they need.
I store passwords in my password manager for more things than just random websites. While each random website (especially if it is hosted on US soil) could be/is compromised, those items individually are not as likely to be.
You guys store your passwords online? Mind blown
I store mine on sheets of paper which my roomies would be unable to decide what they're for or how they're used.
You guys store your passwords online?
Everybody does.
Your password here is stored as a bcrypt hash. If somebody gets access to the database and they wish to target you, they'll be able to crack your easy-to-remember password. And if it is the same as your other passwords, or similar enough, they may easily be able to get into your other sites.
The difference with using Lastpass is that those dozens of insecure sites you use all now have different, random, and very hard to crack passwords.
And what's the difference between storing your encrypted file of passwords on your workstation that is connected to the Internet, or a Lastpass server that is connected to the Internet? I bet it's easier to break into your computer.
I bet it's easier to break into your computer.
Impossible! I'm running OS/2 Warp!
I heard a funny story from a security admin at a conference about boxes he connected to the internet that he told the world "own my box." More or less every box would be "owned" sooner or later except one in Alaska... that he forgot about. It was running a FreeBSD distro so old that it had custom compiled binaries that didn't use modern binary formats (whenever that big switch happened), so all of the exploits people tried to run didn't work because they weren't binary compatible. [Vague-ish story; it's been a few years.] I'll see if I can find the source [Notacon 4 2007, Bruce Potter].
Is there any way to use LastPass with standalone android apps?
edit: never mind, there's an IME.
And what's the difference between storing your encrypted file of passwords on your workstation that is connected to the Internet, or a Lastpass server that is connected to the Internet? I bet it's easier to break into your computer.
I don't know about that other stuff, but I'm pretty sure it would be a major pain in the ass for someone in Eastern Europe, Africa, or China to get hold of my local file of secret stuff
Actually, a great idea that would stump even government officials? NTFS Alternate Data streams. You can hide entire files inside files... that won't show up even in disk usage, and won't copy if the original file is moved out of the partition.
It'll still show up with data recovery tools, which they probably use.
Personally I think that having a "password file" is incredibly stupid. You underestimate the capacity of your brain if you think that you can't remember complex passwords. Granted, we don't like to learn new ones. I'd never record them anywhere. That goes for a file on my machine (which could easily be compromised without me knowing), and a third party service (which could also easily be compromised without me knowing).
I imagine I do what most [smart] people do: reuse passwords based on a "class" system of importance. Most sites I consider useless and I avoid storing any deeply personal information on. I really couldn't care less if my account on these sites is compromised. I only created the account because I had to for some trivial function (that probably could have been granted without an account, but the programmer is "special"). Those sites all get a simple password that would be trivial to crack, and I'm certain that I have inadvertently sent it to an IRC channel more than 3 times. The password that I choose for any given site is also based on how much I trust them to secure it.
Alarmingly I find that financial sites (bank, PayPal, etc.) are actually the worst for password limitations. I'd attempt to give them an extremely complex passphrase only to discover that I can't because all of the various character classes that I'm using aren't allowed and/or they have a physical size limit... OMFG, shake my head... I've even messaged my bank several times telling them they need to fix it. The response I get back is always, "We appreciate your feedback, but the limitations we have on our passwords protect you from dangerous characters!" Which is really just another way of saying that either the programmers employed by that bank are incompetent, and/or the managers are...
One of my credit cards has a site that requires digits in your username. Now isn't that super extra secure!
I'd attempt to give them an extremely complex passphrase only to discover that I can't because all of the various character classes that I'm using aren't allowed and/or they have a physical size limit... OMFG, shake my head...
So basically your method doesn't work.
No method works with them. Their system is inherently insecure. And they're too incompetent to comprehend the weaknesses. They're convinced that they're making things more secure.
I've got LastPass setup so my wife can have her passwords automated, and routinely dump the LastPass passwords into KeePass (every month or so; we usually don't update or add passwords more frequently than that).
KeePass + Dropbox, where the KeePass database requires both a password and a key file (which I don't store in Dropbox).
I use KeePass because LastPass doesn't work in Incognito mode, nor do I want LastPass "tied" to me when I'm on the TOR network.
Google: My main accounts have 2-step authentication, where some use an SMS message and the others use the Google Authenticator app. I've got Application Passwords enabled (or whatever those are officially called) so my email and contacts can't be accessed with my normal login password.
I also visit YouTube on a browser running AdBlock with which I've never signed into my Google accounts. It gives me ad-free videos without linking all those into my Watched History.
And if I ever need to check something from work, I just ssh tunnel into my home computer and make it handle all my requests from there.
I just ssh tunnel into my home computer
So anyone can just ssh into an open ssh port on your home computer? I'd never feel safe with that.
So anyone can just ssh into an open ssh port on your home computer? I'd never feel safe with that.
Have you ever done it? Used ssh, I mean.
Yes, ssh-tunneling so I can use the internet from work. What I'm saying is I don't feel it's safe at all.
The keys that Amazon EC2 uses are 1024-bit SSH-2 RSA keys. You can have up to five thousand key pairs per region.
Not bad... not bad... if I need more, then I'm probably someone hiding something expensive enough to hire security professionals, or at the very least, the time and effort to increase the difficulty.
[edit] It appears that PR documentation is old and 2048-bit is standard. But don't quote me on that yet.
[edit 2]
Supported lengths: 1024, 2048, and 4096.
Booya.
That's a lot of work to get access to my bloody resume.
Yes, ssh-tunneling so I can use the internet from work. What I'm saying is I don't feel it's safe at all.
What precludes you from using a key instead of a password? I assume OnlineCop has only a single work computer, so generating a single key pair shouldn't be a problem.
What precludes you from using a key instead of a password?
I am using a key, but anyone with access to my work computer's hard drive as well as the NSA have it as well :p
access to my work computer's hard drive
Well there's your problem right there.
I am using a key, but anyone with access to my work computer's hard drive as well as the NSA have it as well :p
That could be a good thing ... "I didn't download all these movies and music, someone ssh'd into my computer and did it!"
More seriously, why not password protect that key? I recently switched to using password protected ssh keys for exactly that reason... it's a bit of a pain to use ssh-agent all the time, but I find that I feel a lot safer.
More seriously, why not password protect that key? I recently switched to using password protected ssh keys for exactly that reason... it's a bit of a pain to use ssh-agent all the time, but I find that I feel a lot safer.
Yeah, but you lose the automation factor of not having to enter a password.
But in general, if your computer is physically compromised, a password on the key file isn't going to help you. Even if your password file has a 16368-bit cipher, it won't help if it's already logged in!
My work bought me a new Macbook Pro, which I wiped and reinstalled the OS. I take it home with me every day, and I'm paranoid enough to always lock my screen whenever I walk away (it's nice to have a hotkey to lock the desktop).
So I'm pretty confident that none of my co-workers have accessed my laptop and obtained my private key. My router only accepts SSH on a specific port (something like 16666 or some other) and it denies all SSH requests that don't already have a key pair set up.
The router forwards that port to 22, through which I connect to my home computer.
It's very possible that I've forgotten something and have already been hacked, but I never do anything illegal from that work computer anyway (I just want to use it to remain anonymous ).
If you guys have suggestions on how to be more secure, I'm all ears. I figure you can always be paranoid, but can you be paranoid enough?
Yeah, but you lose the automation factor of not having to enter a password.
You enter it once per session (or, if you set a time out, only every couple or so minutes). Either way, there's more to using public key login than just convenience.
Even if your password file has a 16368-bit cipher, it won't help if it's already logged in!
ssh-agent has a timeout option, and so does KeePass (which is what I use for my password management). You could also always manually log out if you hear the partyvan pull up.
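As an added example (not from any poster in this thread), a small shell check that an sshd_config actually enforces the key-only logins described above (no password or keyboard-interactive fallback), run against two constructed sample configs; the ssh-agent key timeout mentioned in the reply appears as a non-run comment. The sample configs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only logins.

# Constructed sample: the hardened setup (keys only, no password fallback).
SAMPLE_HARDENED='# constructed sample
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
'

# Constructed sample with a weak setting: passwords are still accepted,
# so a key pair is not actually required to attempt a login.
SAMPLE_WEAK='# constructed sample
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
'

# sshd_setting CONFIG KEY: effective value of KEY (first match wins, as in
# sshd itself), lower-cased, or the OpenSSH default when the key is unset.
sshd_setting() {
    _val=$(printf '%s\n' "$1" | grep -i "^[[:space:]]*$2[[:space:]]" \
           | head -n 1 | awk '{print tolower($2)}')
    if [ -z "$_val" ]; then
        case "$2" in
            # OpenSSH ships with all three of these enabled.
            PasswordAuthentication|PubkeyAuthentication|KbdInteractiveAuthentication) _val=yes ;;
            *) _val="" ;;
        esac
    fi
    printf '%s' "$_val"
}

# key_only_login CONFIG: exit 0 only when public keys are the sole login method.
key_only_login() {
    [ "$(sshd_setting "$1" PubkeyAuthentication)" = yes ] &&
    [ "$(sshd_setting "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_setting "$1" KbdInteractiveAuthentication)" = no ]
}

for cfg in HARDENED WEAK; do
    eval "_c=\$SAMPLE_$cfg"
    if key_only_login "$_c"; then
        echo "$cfg: key-only logins; password guessing is not possible"
    else
        echo "$cfg: passwords still accepted; set PasswordAuthentication no"
    fi
done

# Loading a passphrase-protected key for a limited time (the agent timeout
# from the thread); not executed here:
# ssh-add -t 1800 ~/.ssh/id_ed25519   # agent forgets the key after 30 minutes
```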
My work bought me a new Macbook Pro, which I wiped and reinstalled the OS. I take it home with me every day, and I'm paranoid enough to always lock my screen whenever I walk away (it's nice to have a hotkey to lock the desktop).
If you have a Mac, thanks to the absurd hyper-valuation of Mac products (both new and as old as the Apple II!), your biggest problem with your Mac is it being physically stolen and sold at a pawn shop/flea market/directly-to-college-kids. The computer itself is a thousand times more valuable and easy to access than anything you might have on your computer.
The computer itself is a thousand times more valuable and easy to access than anything you might have on your computer.
On my work laptop it's the opposite. The computer itself is maybe 1000€, my boss' secret code on there is (at least according to him) worth millions.
On my work laptop it's the opposite. The computer itself is maybe 1000€, my boss' secret code on there is (at least according to him) worth millions.
That's what I'm getting at. Security is application dependent.
My laptop is a lot harder to steal: