Friday, December 17, 2010


Here's my personal take on LastPass Password Manager. I am not a user of LastPass myself but from the website, theoretical knowledge and video, I make my deductions.

LastPass Sesame Youtube Video:

If you have watched the above LastPass Sesame Video, you may just end up confused by the complicated steps to simply setup LastPass sesame on your portable executable device (thumbdrives, flash storages...). You had to also use a web browser to access an email sent by LastPass to verify your setup devices and all sorts. It really is so complicated, my thought of trying LastPass sesame got put down by that video.

LastPass technology page:

According to LastPass's technology page (link above), LastPass have a data centers keeping a store of your passwords and you have a local copy too. The idea of having your passwords in LastPass's hands is simply absurd. Would you trust your passwords in someone else's hands ? Anyone can claim and vow that they have encrypted your passwords and whatever in a way only you can decrypt and they can't. Anyone can vow that they don't know your master password and only you know it. I think even if it's really true, it technologically possible for LastPass to betray that trusts if they want secretly and thus putting users at a huge risks.

I am a huge advocate against leaving sensitive personal information, especially passwords, in someone's hands or servers.

For those who need solid portable password managers, you are best off having a cross-platform (better if it's Java-based) where you can simply have one running on your main desktop or work computer and the other one on your different portable devices. The password manager requires a synchronization capability where you can sync up your portable device password manager and main computer password manager. It is very inconvenient in terms where you have to keep synchronizing the password managers but at least you don't have to rely on someone's servers. You can have your password managers have different master passwords (making it hard to inflitrate all your password managers) or simply just have a single master password to all of your password managers.

PasswordStore, a password manager I built with the intend of it being portable (it's still lacking the portable and sync portion) is an interesting and useful example to review.

No comments: