Single Use/Disposable Lastpass.com password

Tell us what features would make LastPass even better and vote for features that are most important to you

Moderators: admin, anatoly_LP, chantieLP, JoeSiegrist, robyn

Single Use/Disposable Lastpass.com password

Postby ToxMox » Wed Aug 27, 2008 10:32 am

Hi I am really liking lastpass.com
Here is a feature request.
If I am on an unknown computer or on vacation I would prefer to login to lastpass with disposable passwords.
ToxMox
 
Posts: 50
Joined: Wed Aug 27, 2008 10:29 am

Re: Single Use/Disposable Lastpass.com password

Postby sameer » Tue Sep 23, 2008 9:21 am

ToxMox Wrote:If I am on an unknown computer or on vacation I would prefer to login to lastpass with disposable passwords.


hi ToxMox,
Unfortunately this is somewhat complicated for us to implement at this time since all of your
data is locally encrypted with your master password. To give you a disposable password,
we'de have to store your master password encrypted...which would require a lot of security
testing on our side. They would also have to 1 time use passwords (otherwise there really isn't any point),
which adds a further complication.

Our current solution to the vacation/internet-cafe scenario is to advise people to enter their
password using our screen keyboard accessible from https://lastpass.com/
For now, this solution seems to be easiest to understand and use for the average person.

Thanks for the suggestion - we'll reconsider it at a future date,
sameer
sameer
Site Admin
 
Posts: 268
Joined: Tue Aug 19, 2008 9:43 pm
Location: Toronto, Canada

Re: Single Use/Disposable Lastpass.com password

Postby Gerry » Wed Sep 24, 2008 6:31 pm

ToxMox Wrote:Hi I am really liking lastpass.com
Here is a feature request.
If I am on an unknown computer or on vacation I would prefer to login to lastpass with disposable passwords.

Anybody could easily be watching and recording everything you do in real time, so your "one use" password or that virtual keyboard don't mean much (unless every password you access is "one use").

Bring your iphone/lappy and only connect to secure sites or stay off the net and enjoy your holiday. Anything else and you're just deluding yourself.
Gerry
 
Posts: 46
Joined: Wed Aug 27, 2008 2:25 pm

Re: Single Use/Disposable Lastpass.com password

Postby ToxMox » Thu Sep 25, 2008 11:17 am

I previously went on vacation and planned on going online once or twice a day on the cruise ship. So I generated about 15 single use passwords for Clipperz and brought them with me and then I only used the one time passwords. Never entered a real password anywhere just would log into Clipperz and then autologin from there to my sites. I don't feel I was deluding myself.
ToxMox
 
Posts: 50
Joined: Wed Aug 27, 2008 10:29 am

Re: Single Use/Disposable Lastpass.com password

Postby Gerry » Thu Sep 25, 2008 3:20 pm

ToxMox Wrote:Never entered a real password anywhere

Yeah but Clipperz would have. How does Clipperz transfer your data to the site? I haven't used Clipperz, so I don't know for sure, but it seems to me that that would be the point of failure.

*a bit later after a quick test of Clipperz*

Next time you use Clipperz to enter in a password for you, check what's logged in liveHttpHeaders (https://addons.mozilla.org/en-US/firefox/addon/3829) after you clicked the button. There are equivalent methods for all browsers and if somebody is wanting to log data entered into a browser, this is probably the best place to pick it up, not as you type it. Why use a key logger when something like this is far more readable and labeled? Every thing must be reliable from point a to b if you want security. Any weak links will be exactly the place an attacker will target. I'm a programmer and really don't know jack about security (other than common sense stuff), but yet I could have set up something on a machine that would grab your passwords weather you're using the one use Clipperz passwords or the virtual keyboard that is used here.

The virtual keyboard would be harder or more manual with somebody physically watching the screen via vnc or something (something which wouldn't be hard for somebody who worked in the area where you access the untrusted computer). This is why I asked if all the passwords you used were one use (not just your Clipperz password)... this is the only thing that would cause a problem. Although as I've said, I'm not a security expert/hacker, it would be much easier for somebody who was, as they would know better and easier ways of attaining your data.

But it really does come down to common sense... an untrusted computer should not be trusted.
Gerry
 
Posts: 46
Joined: Wed Aug 27, 2008 2:25 pm

Re: Single Use/Disposable Lastpass.com password

Postby ToxMox » Fri Sep 26, 2008 10:09 am

The big difference here is that even if there was something stealing my passwords on the untrusted computer it would only be able to steal the accounts I logged into via Clipperz and not have access to my Clipperz account where ALL my passwords live. This way I could login to sites that aren't extremely sensitive and not worry about my other sites being compromised.

I also have one of those PayPal/Verisign security Keyfobs that I would love to see LastPass support.
https://www.paypal.com/securitykey
ToxMox
 
Posts: 50
Joined: Wed Aug 27, 2008 10:29 am

Re: Single Use/Disposable Lastpass.com password

Postby sameer » Fri Sep 26, 2008 7:08 pm

ToxMox Wrote:I also have one of those PayPal/Verisign security Keyfobs that I would love to see LastPass support.
https://www.paypal.com/securitykey


Yes, a 2nd factor of authentication is a much better solution than 1 time use passwords.
It's on our TODO list, but we're generally shuffling our priorities based on what people
are voting/asking for the most...so to get it sooner, please vote for the "Multi-factor authentication"
in the sticky post in this board.

sameer
sameer
Site Admin
 
Posts: 268
Joined: Tue Aug 19, 2008 9:43 pm
Location: Toronto, Canada

Re: Single Use/Disposable Lastpass.com password

Postby ToxMox » Fri Sep 26, 2008 7:31 pm

sameer Wrote:..so to get it sooner, please vote for the "Multi-factor authentication"
in the sticky post in this board.
Already done :)
ToxMox
 
Posts: 50
Joined: Wed Aug 27, 2008 10:29 am

Re: Single Use/Disposable Lastpass.com password

Postby Gerry » Mon Sep 29, 2008 1:01 am

ToxMox Wrote:The big difference here is that even if there was something stealing my passwords on the untrusted computer it would only be able to steal the accounts I logged into via Clipperz and not have access to my Clipperz account where ALL my passwords live. This way I could login to sites that aren't extremely sensitive and not worry about my other sites being compromised.
Absolutely, point well made and taken. Although I'd imagine more often than not, the thing people would check while on holiday (if anything) would most likely be their bank and not their youtube account.

ToxMox Wrote:I also have one of those PayPal/Verisign security Keyfobs that I would love to see LastPass support.
https://www.paypal.com/securitykey
Haven't really though this through, but on the face of it, it seems like a neat idea.
Gerry
 
Posts: 46
Joined: Wed Aug 27, 2008 2:25 pm


Return to Feature Requests

Who is online

Users browsing this forum: No registered users and 16 guests