benneh Wrote:Hi, this looks like a nice program which could potentially replace my use of RoboForm, however first some questions:
1) Is this always going to be free? This question seems to have been avoided and I would have thought it would qualify for your FAQ? Whilst this looks equivalent/possibly better than roboform in some ways, if it's going to cost people money there is no compelling advantage.
We think we're bringing innovative ideas to the table that surpass roboform significantly e.g. password sharing, online access, Mac and Linux support, etc, etc.
That being said our focus is getting a quality product and a large user base, by treating users well. None of our plans involve charging you. We like the enterprise space, and potentially non-obtrusive ads on LastPass.com, or easy sign-ups on LastPass.com, but nothing that would hurt our reputation or brand. We can commit that we're not going to pull the rug out on our existing userbase.
benneh Wrote:2) You need to have an option for offline use where my passwords, encrypted or not, never get uploaded to you. All your arguments about strong crypto so it doesn't matter may be true today, but strong encryption today may not be so strong tomorrow. There are still issues with these passwords being hosted by you, even if that's not apparent for many years. Not having this option will limit many (of your more paranoid) users.
Most of the compelling reasons to use LastPass are due to the online access. AES-256 is strong today, and tomorrow when a new encryption algorithm comes out that's had a few years for researchers to vet it we'll be offering to also encrypt your data with that. To quote NIST http://www.nist.gov/public_affairs/releases/aesq&a.htm
they think AES has strong potential for 20 years, before it's feasible to mount an attack, and this is different than encrypting something incriminating -- you'll likely change your password by the time it's feasible to mount an attack, and then we'll have moved to something better than passwords as they stand today.
benneh Wrote:3) Oh yeah, and for makers of and promoters of security and passwords, you should really do something about your forums not allowing strong passwords. I tried to use a 32 character password and was told it was too long, this doesn't look good. Now there is nothing particularly secret here, but why use forums software which limits this?
Yeah we were a bit shocked at the dearth of good options from a security perspective in existing forum software.