Healthy Passwords



LastPass Password Manager Review - Page 6

Screen Keyboard

The LastPass screen keyboard (virtual keyboard) is only available for the LastPass master password login. From the browser plug-in's login prompt you must select the screen keyboard option. You will be redirected to https://lastpass.com/?sk=1, which will present the following screen:

LastPass virtual keyboard

The screen keyboard has no hover-over-to-select option, so every character has to be entered with a mouse click. Many keyloggers take a screenshot with every mouse click, so the virtual keyboard will not defeat keyloggers that capture screenshots.

Grid Based Multi-Factor Authentication

LastPass offers a free printable grid for multi-factor authentication.
LastPass Paper Grid

Once configured, your successful master password prompt will be followed by prompts for grid coordinates. Your printed grid is different from every other grid.

LastPass Grid Prompt
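
The grid check described above can be sketched as a challenge-response over a per-user random table. This is an added example, not LastPass code: the 26 x 10 layout, the character set, the four cells per challenge and all function names are assumptions made for illustration.

```python
import hmac
import secrets
import string

COLS = string.ascii_uppercase                  # assumed layout: columns A-Z
ROWS = range(10)                               # assumed layout: rows 0-9
ALPHABET = string.ascii_lowercase + string.digits   # assumed cell characters


def new_grid():
    """Generate a per-user grid from a CSPRNG, so no two grids match."""
    return {(c, r): secrets.choice(ALPHABET) for c in COLS for r in ROWS}


def new_challenge(n=4):
    """Pick n distinct random coordinates to ask for after the password step."""
    cells = [(c, r) for c in COLS for r in ROWS]
    return secrets.SystemRandom().sample(cells, n)


def verify(grid, challenge, answers):
    """Compare the supplied characters with the stored grid in constant time."""
    if len(answers) != len(challenge):
        return False
    expected = "".join(grid[cell] for cell in challenge)
    # Normalise case and whitespace; an empty answer becomes a non-matching "?".
    supplied = "".join(a.strip().lower()[:1] or "?" for a in answers)
    return hmac.compare_digest(expected.encode(), supplied.encode())


def guess_probability(n=4):
    """Chance that one blind guess passes a challenge of n cells."""
    return (1 / len(ALPHABET)) ** n


def coverage(observed_challenges):
    """Fraction of a static grid exposed to someone who watched these logins."""
    seen = {cell for challenge in observed_challenges for cell in challenge}
    return len(seen) / (len(COLS) * len(ROWS))


if __name__ == "__main__":
    grid = new_grid()
    challenge = new_challenge()
    print("Enter the values at:", ", ".join(f"{c}{r}" for c, r in challenge))
    answers = [grid[cell] for cell in challenge]   # what the user reads off paper
    print("accepted:", verify(grid, challenge, answers))
    print("blind-guess odds per attempt:", guess_probability())
```

Because the printed grid is static, coverage() only grows with each observed login, which is the reason to reprint the grid periodically and to limit failed attempts.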

YubiKey Multi-Factor (Premium Only)

YubiKey order screen

We ordered the cheapest White YubiKey and a LastPass Premium 1 yr subscription. We found a coupon code for a $4.50 discount. The next day a shipment email arrived saying the key had shipped via the USPS. The following day the key arrived. (Our office is located in western Pennsylvania.) The key is much smaller than we expected. It measures approximately 4.5 x 2 centimeters (1.78 x .78 inches) and is only 3 millimeters (1/16 inches) thick.

YubiKey image on keychain

We used the LastPass plug-in on Chrome to activate the key by following the on-screen instructions. The settings allow you to disable the YubiKey for mobile and offline access. This may be the Achilles heel for LastPass. Because the YubiKey is USB-based and most mobile devices cannot use USB, disabling it for mobile leaves an open attack vector. A more standard LCD OTP device is preferred in our opinion.

YubiKey Activation Screen

We've tested the YubiKey for more than four weeks now and find standard LCD display multi-factor tokens to be much more convenient. We expected compatibility issues with the YubiKey, but found none across several versions of Windows, OS X and Linux. We did find it frustrating when using remote sessions through terminal emulation, but average users probably will not have issues like this.

Trusted Devices

LastPass allows trusted devices to bypass multi-factor authentication. To trust a device, you must check the “this computer is trusted, do not require a second form of authentication” box after authenticating the first time. Trusting laptops or other devices which can easily be lost is not recommended.


Copyright © 2011, Sustainable Alternatives, LLC | Ligonier, PA 15658 | 724-238-9560 | All Rights Reserved.
