List of ideas

Tell us what features would make LastPass even better and vote for features that are most important to you

Moderators: admin, anatoly_LP, chantieLP, robyn, JoeSiegrist

Postby reliam » Fri Sep 04, 2009 6:17 am

1. Encrypt the database on-the-fly with a hash of random system components so the copied database can not be used on other computers. They would have to log in and download the database again in which case it will be re-encrypted with the new system hash.

2. Add a feature to save Firefox sessions with the database locally so they are secure from others the computer is shared with and they can be restored and not have LP load after the tabs do making you log in again. This could also be a premium feature allowing users to upload the session to their online account and resume it elsewhere.

3. Make Pocket LastPass more user friendly and secure by allowing right-click on items to either copy username/password or even launch the browser and have it log them in. Also add memory security similar to KeePass, which wipes the clipboard after 15 seconds and keeps the memory encrypted, among other things.

4. For mobile users, add SSL certificate authentication. A certificate is generated specifically for that account, is downloaded and installed after logging in, and is required to log in there afterward. This can be enabled only for the mobile website. This technology is used by VeriSign PIP:

A Browser Certificate is a unique digital ID that VeriSign installs within your browser or user certificate store. PIP uses Browser Certificates to protect your online identity by limiting access to your account to only the computers and browsers you authorize. This greatly reduces the risk that your account can be compromised if an attacker gains access to your PIP account username and password (for example, through a successful phishing attack). After Browser Certificates are enabled, every time you sign in to PIP, PIP verifies that you have a valid Browser Certificate on your computer.


5. Allow a secondary email to be added for notifications, so an email that is not used often can be used for LastPass log in (security reasons I have stated in other posts) and you can have notifications sent to the one you use on a regular basis.

6. Have LastPass memorize the websites that use SSL to log in, or even have a list that LP will check locally or on your servers, then have it disable autofill/autologin and warn that it is insecure. The user should still be able to manually copy the password if they want to risk it.


If I think of more I will edit this post and add them ;)
reliam
 
Posts: 38
Joined: Mon Aug 17, 2009 5:09 pm

Re: List of ideas

Postby JoeSiegrist » Fri Sep 04, 2009 10:21 am

reliam Wrote:1. Encrypt the database on-the-fly with a hash of random system components so the copied database can not be used on other computers. They would have to log in and download the database again in which case it will be re-encrypted with the new system hash.


Interesting idea -- but if LastPass can read the system components to create the hash as a key, then an attacker could read the same components to make the same hash and attack the file that way...

reliam Wrote:2. Add a feature to save Firefox sessions with the database locally so they are secure from others the computer is shared with and they can be restored and not have LP load after the tabs do making you log in again. This could also be a premium feature allowing users to upload the session to their online account and resume it elsewhere.


We will likely expand here, after or in coordination with bookmarks.

reliam Wrote:3. Make Pocket LastPass more user friendly and secure by allowing right-click on items to either copy username/password or even launch the browser and have it log them in. Also add memory security similar to KeePass, which wipes the clipboard after 15 seconds and keeps the memory encrypted, among other things.

4. For mobile users, add SSL certificate authentication. A certificate is generated specifically for that account, is downloaded and installed after logging in, and is required to log in there afterward. This can be enabled only for the mobile website. This technology is used by VeriSign PIP


Pocket already clears the clipboard; we'll be adding more to synchronize Pocket and Firefox/IE with each other to allow this stuff, and do have something similar planned for mobile...
JoeSiegrist
 
Posts: 4185
Joined: Wed Aug 20, 2008 10:40 am
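
The trade-off raised in the reply to idea 1, as an added example that is not part of the thread and not LastPass code: a key derived only from readable system components can be recomputed by any process on the same machine, while using the same fingerprint as a salt for a password-derived key keeps the machine binding and leaves the secrecy with the master password. All identifiers and values below are constructed, and an HMAC tag stands in for "the local copy opens with this key".

```python
import hashlib
import hmac

# Constructed sample identifiers; a real client would read them from the OS.
MACHINE = {"disk_serial": "WD-EXAMPLE-0001", "mac": "00:11:22:33:44:55"}
OTHER_MACHINE = {"disk_serial": "WD-EXAMPLE-0002", "mac": "66:77:88:99:aa:bb"}
ITERATIONS = 10_000  # kept low so the demo runs quickly


def fingerprint(components):
    """Hash the system components in a fixed order (the 'system hash')."""
    h = hashlib.sha256()
    for name in sorted(components):
        h.update(f"{name}={components[name]}\n".encode())
    return h.digest()


def machine_only_key(components):
    """Key from the machine alone: recomputable by anything that can read it."""
    return hashlib.pbkdf2_hmac("sha256", fingerprint(components), b"vault", ITERATIONS)


def bound_key(master_password, components):
    """Password supplies the secrecy; the fingerprint is only a salt that
    ties the derived key to this machine."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), fingerprint(components), ITERATIONS)


def seal(key, vault):
    """HMAC tag standing in for 'the local copy opens with this key'."""
    return hmac.new(key, vault, hashlib.sha256).digest()


def opens(key, vault, tag):
    return hmac.compare_digest(seal(key, vault), tag)


def demo():
    vault = b"constructed vault bytes"
    tag_machine = seal(machine_only_key(MACHINE), vault)
    tag_bound = seal(bound_key("correct horse", MACHINE), vault)
    return {
        "machine_only/same_host_no_password": opens(machine_only_key(dict(MACHINE)), vault, tag_machine),
        "machine_only/copied_to_other_host": opens(machine_only_key(OTHER_MACHINE), vault, tag_machine),
        "bound/same_host_wrong_password": opens(bound_key("guess", MACHINE), vault, tag_bound),
        "bound/other_host_right_password": opens(bound_key("correct horse", OTHER_MACHINE), vault, tag_bound),
        "bound/same_host_right_password": opens(bound_key("correct horse", MACHINE), vault, tag_bound),
    }
```

`demo()` returns one boolean per case; only the last case needs both the right machine and the right password.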

Re: List of ideas

Postby reliam » Fri Sep 04, 2009 10:37 am

JoeSiegrist Wrote:Interesting idea -- but if LastPass can read the system components to create the hash as a key, then an attacker could read the same components to make the same hash and attack the file that way...


That's why I said random :)
reliam
 
Posts: 38
Joined: Mon Aug 17, 2009 5:09 pm

Re: List of ideas

Postby reliam » Fri Sep 04, 2009 10:41 am

JoeSiegrist Wrote:Pocket already clears the clipboard; we'll be adding more to synchronize Pocket and Firefox/IE with each other to allow this stuff, and do have something similar planned for mobile...


Sorry, was thinking of Sesame that needs to clear the clipboard.
reliam
 
Posts: 38
Joined: Mon Aug 17, 2009 5:09 pm

Re: List of ideas

Postby reliam » Mon Sep 07, 2009 11:53 am

reliam Wrote:5. Allow a secondary email to be added for notifications, so an email that is not used often can be used for LastPass log in (security reasons I have stated in other posts) and you can have notifications sent to the one you use on a regular basis.

6. Have LastPass memorize the websites that use SSL to log in, or even have a list that LP will check locally or on your servers, then have it disable autofill/autologin and warn that it is insecure. The user should still be able to manually copy the password if they want to risk it.


No thoughts on these two... both should be fairly easy to implement and would increase security significantly.
reliam
 
Posts: 38
Joined: Mon Aug 17, 2009 5:09 pm
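
One reading of idea 6, as an added sketch that is not part of the thread and not LastPass code: remember hosts whose login was seen over HTTPS, refuse autofill whenever the page or the form target is not HTTPS, and flag a remembered host that shows up over plain HTTP as a downgrade. The class name, reason codes and sample URLs are assumptions made for the example.

```python
from urllib.parse import urljoin, urlsplit


class LoginTransportPolicy:
    """Remembers hosts seen logging in over HTTPS and gates autofill on it."""

    def __init__(self):
        self.known_https = set()  # hosts whose login page and target were HTTPS

    @staticmethod
    def _resolve(page_url, form_action):
        # An empty or relative action resolves against the page URL.
        return urlsplit(page_url), urlsplit(urljoin(page_url, form_action or ""))

    def remember(self, page_url, form_action=""):
        """Call after a successful login; records the host only if encrypted."""
        page, target = self._resolve(page_url, form_action)
        if page.scheme == "https" and target.scheme == "https" and page.hostname:
            self.known_https.add(page.hostname)

    def decide(self, page_url, form_action=""):
        """Return (autofill_allowed, reason). Manual copy is left to the user."""
        page, target = self._resolve(page_url, form_action)
        if page.scheme != "https":
            known = page.hostname in self.known_https
            return False, "downgrade" if known else "insecure-page"
        if target.scheme != "https":
            return False, "insecure-target"
        return True, "ok"


def demo():
    policy = LoginTransportPolicy()
    policy.remember("https://bank.example/login", "/auth")
    policy.remember("http://forum.example/login")  # not recorded: plain HTTP
    cases = [  # constructed sample page URLs and form actions
        ("https://bank.example/login", "/auth"),
        ("http://bank.example/login", "/auth"),
        ("http://forum.example/login", ""),
        ("https://shop.example/login", "http://shop.example/auth"),
    ]
    return [policy.decide(page, action) for page, action in cases]
```

The "insecure-target" case covers an HTTPS page whose form posts to a plain HTTP address, which a check on the page URL alone would miss.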

