LastPass stores passwords so securely, not even its users can access them

Password manager LastPass appears to have had a big night out on Friday, to the point where the service needed a lengthy lie down over the weekend. In fact, for some users it is still horizontal. Social media is awash with customers unable to connect to the service either via the company's website or through its various apps. …

  1. Anonymous Coward
    Anonymous Coward

    "Maybe the current outage is a sign"

    That relying on services with multiple points of failure for critical tasks is usually a bad idea.

    While having a service that lets you share passwords across different systems may be useful, relying on it fully without a local backup for emergency access is stupid.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Maybe the current outage is a sign"

      LastPass does normally have a local backup, no idea why that wasn't working for these people.

      1. Anonymous Coward
        Anonymous Coward

        Re: "Maybe the current outage is a sign"

        This was indeed one of the reasons I selected LastPass as you are (allegedly) not reliant on being online to access the vault.

        Let's wait and see the washup to decide whether to renew this year.

        1. Anonymous Coward
          Anonymous Coward

          outage without a public postmortem ?

          If they don't do a public deeply technical postmortem I'll start recommending against them

          1. Anonymous Coward
            Anonymous Coward

            Re: outage without a public postmortem ?

            I've been a customer since 2013 and paying for their service as long as I can remember. Thankfully I was not impacted by this outage but it has made me realize a couple things.

            1. I put too much trust in my password manager without having an updated password list as a backup. I would have been screwed....

            2. The lack of transparency on acknowledging a potential issue isn't settling right.

            I will be sadly looking at alternatives as well if they aren't open about what happened and make improvements to mitigate risks in the future. I will also need to put less trust that my password manager will always just work.

        2. anothercynic Silver badge

          Re: "Maybe the current outage is a sign"

          1Password is arguably in the same boat. I've opted to *not* store my stuff with them, but rather on my local devices.

    2. herman

      Re: "Maybe the current outage is a sign"

      "relying on services with multiple points of failure for critical tasks" - I think you should stay out of aircraft and stay especially far away from helicopters.

      1. IGotOut Silver badge

        Re: "Maybe the current outage is a sign"

        Last time I flew, commercial planes have more than one engine, as does any helicopter that has to fly over a town or city.

        1. Dz

          Re: "Maybe the current outage is a sign"

          and that helps with say contaminated fuel (a single point of failure) how exactly?

          1. Ahosewithnoname

            Re: "Maybe the current outage is a sign"

            or a rotor, perhaps?

            1. Anonymous Coward
              Anonymous Coward

              Re: "Maybe the current outage is a sign"

              last time I looked there were two rotors on a chopper.

              1. Andrew K Jones

                Re: "Maybe the current outage is a sign"

                And both of them are needed to stay in the air.

                1. Captain Scarlet
                  Alien

                  Re: "Maybe the current outage is a sign"

                  Yes which is why I fly everywhere in a flying saucer these days, although the sherbert does sometimes get in my shoes.

                2. P. Lee

                  Re: "Maybe the current outage is a sign"

                  Helicopters are intrinsically non-flying. At least aeroplanes can usually glide to earth and even Boeing does more testing than Silicon Valley.

                  As for LastPass, the whole devops/continuous "improvement" thing is lethal when you have multiple third-parties.

                  1. Killfalcon Silver badge

                    Re: "Maybe the current outage is a sign"

                    Helicopters, provided they have both rotor blades still, do "glide", sorta. The blades will continue to auto-rotate and generate a surprising amount of lift that keeps them from falling too quickly. The aerodynamics make my head hurt trying to work it out, but it's a real thing that saves you if the engines fail.

                    https://en.wikipedia.org/wiki/Autorotation

          2. JassMan

            Re: "Maybe the current outage is a sign"@Dz

            I think you will find that multi-engined helis have separate fuel tanks for each engine, in the same way as multi-engined planes. Often more than 1 tank per engine. There are valves and pumps to allow the pilot to transfer fuel during exceptional circumstances. e.g. if one engine stops the remaining engines use more fuel so you can transfer fuel from the stopped engine to the running to complete the flight safely. You don't transfer it all at once otherwise it affects your trim.

            1. Anonymous Coward
              Anonymous Coward

              Re: "Maybe the current outage is a sign"@Dz

              "There are valves and pumps to allow the pilot to transfer fuel during exceptional circumstances."

              The enquiry into the police helicopter crash in Scotland in 2013 seems to have determined that the engines ran out of fuel. The experienced pilot had apparently failed to use his transfer or reserve fuel functions.

        2. Screwed

          Re: "Maybe the current outage is a sign"

          More engines, more chance of an engine fire...

      2. Anonymous Coward
        Anonymous Coward

        Re: "Maybe the current outage is a sign"

        You need to accept only the number of points of failure without which you can't have a working service. Of course even your local backup/copies have points of failure, but a remote service adds many more. If you could fly without an airplane, why take one and accept the risk? Just for the free drinks?

        IoT devices are the same, turning on the lights with a voice command could be useful, but even putting data slurping aside would you remove all physical switches so you can no longer activate anything if one of the layers of the local or remote service fails?

        1. wolf29

          Re: "Maybe the current outage is a sign"

          Which flights in 1973 are those free drinks served on?

      3. imanidiot Silver badge

        Re: "Maybe the current outage is a sign"

        A helicopter is merely a collection of parts flying in very close formation in roughly the same direction. It's the pilot's job to direct the formation and keep things going the right way. It is the helicopter mechanic's job to keep formation as close as possible.

    3. Adelio

      Re: "Maybe the current outage is a sign"

      Call me old fashioned but why do I want a password manager to host all my passwords on-line.

      Just asking for trouble. Ideally the data should be stored locally only, or at least if you HAVE to have it stored on the cloud, then once something is changed on the cloud (new user/password) then the revised details loaded locally (encrypted of course).

      1. Anonymous Coward
        Anonymous Coward

        Re: "Maybe the current outage is a sign"

        old fashioned

      2. the future is back!

        I have two too

        Have a “top-of-the-line” pw mgr with 2FA activated with all the bells n whistles (but I don’t use all of those things that make online life “easier”) anyway - periodically I export the db csv and store it on a remote encrypted cloud, an external hd, AND import it into another pw mgr I subscribed to for a year just to test it out - one thing about pw mgr 2 is it uses authenticator - better than a text/code. My God, in these 27 character pw days, depending on any ONE service is foolish. Also, at least on iOS, one can use the Safari browser to download a pdf copy of the db and save it ON MY PHONE so no cloud needed.

      3. yosemite

        Re: "Maybe the current outage is a sign"

        You've just sort of described LastPass actually...

  2. Oliver Mayes

    This is why I keep all of my passwords on post-it notes stuck to my monitor. My handwriting is all the encryption I need.

    1. phuzz Silver badge
      Thumb Up

      I'm going to say it. Writing passwords down is just fine for most people.

      After all, the usual threat for the average person is some hacker either brute-forcing their password, or taking one that was revealed in a breach somewhere else, and trying it on other sites.

      If you're using fairly complicated passwords, and not re-using them across sites, then a hard copy is more secure than any password manager from a typical hacker.

      Obviously it's not much use against someone with access to your home, but unless you need to keep your kids out of the amazon account, it's more than enough security for the average person.

      1. Roger Greenwood

        It's easy to keep passwords from kids - put your notes in the fridge. In the salad tray.

        1. IGotOut Silver badge

          " put your notes in the fridge. In the salad tray."

          Or on the vacuum cleaner, laundry basket or even their bedroom floor, under the pile of clothes.

          1. Captain Scarlet
            Paris Hilton

            "Under the pile of clothes"

            What about when he or she brings over a girl/boy friend?

            1. the future is back!

              Their attention ain’t gonna be on anything but the friend.

          2. P. Lee
            Headmaster

            Just write it in their homework exercise book. Tack it onto their vocab list and you'll have someone remember them for you without having a clue as to why.

      2. Velv
        Coat

        "unless you need to keep your kids out of the amazon account"

        No the Amazon account I'm worried about the kids finding the password for. So glad the UK Porn ID got delayed though

      3. a_yank_lurker

        @phuzz

        The main reason I use a local password manager is it can generate a complex password of any length I desire and then store. By default I do not use phones, tablets, or even laptops to access any important account so they do not have the passwords stored on them nor do they need any syncing.

        1. Adam JC

          I must point out the obvious - I presume it's at least backed up somewhere remotely in case of a complete PC meltdown/fire/electrical surge...?

      4. Anonymous Coward
        Anonymous Coward

        thisisnotmypasswordbutitturnsoutitisaverylongstringoftext

        See above for new easy ways to remember hopefully safe passwords.

        1. sijpkes

          Re: thisisnotmypasswordbutitturnsoutitisaverylongstringoftext

          A good obfuscation method is to use each nth key to the right/left/above/below the actual letter you want. i.e. Fido123 becomes Gofp234 (if using right 1) you can vary this to whatever suits.

          If using a notebook, use mnemonics combined with the above for added security. Humans have great brains, we can still use 'em to great benefit.

          1. Ragarath

            Re: thisisnotmypasswordbutitturnsoutitisaverylongstringoftext

            ROT(#) is one of the first things I'd try if I was nefarious and found a book of passwords with..

            <INSERTBANKNAMEHERE> qbttxpse2

            ...in it.

          2. my cats breath smells like cat food

            Re: thisisnotmypasswordbutitturnsoutitisaverylongstringoftext

            literally ancient coding techniques, got it
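Added example (not part of any commenter's post): sijpkes's key-shift scheme and the ROT-n guess Ragarath mentions, with a count of how much guessing work either one adds for someone who has the written-down string. The US QWERTY layout, wrap-around at the end of a row, horizontal-only shifts, and all function names are assumptions made for this illustration.

```python
import math

# Unshifted US QWERTY rows (assumed layout; the thread does not name one).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def key_shift(text, n):
    """Replace each key with the one n places to its right (n < 0: left).

    Wraps around at the end of a row (an assumption); characters that are
    not on one of the four rows are left unchanged. Case is preserved.
    """
    out = []
    for ch in text:
        low = ch.lower()
        for row in ROWS:
            i = row.find(low)
            if i != -1:
                new = row[(i + n) % len(row)]
                out.append(new.upper() if ch.isupper() else new)
                break
        else:
            out.append(ch)
    return "".join(out)


def rot_n(text, n):
    """Rotate ASCII letters by n (mod 26) and digits by n (mod 10)."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + n) % 26))
        elif ch.isascii() and ch.isdigit():
            out.append(str((int(ch) + n) % 10))
        else:
            out.append(ch)
    return "".join(out)


def candidates(written):
    """Every plaintext the written-down string could stand for under
    a horizontal key shift of 1..9 in either direction or ROT-1..25."""
    found = {}
    for n in range(-9, 10):
        if n != 0:
            found[f"shift{n:+d}"] = key_shift(written, -n)
    for n in range(1, 26):
        found[f"rot{n}"] = rot_n(written, -n)
    return found


def added_bits(choices):
    """Guessing work, in bits, added by one secret choice out of `choices`."""
    return math.log2(choices)


if __name__ == "__main__":
    print(key_shift("Fido123", 1))          # the thread's own example
    print(rot_n("password1", 1))            # the string Ragarath quotes
    options = candidates("Gofp234")
    print(len(options), "possible decodings")
    print(f"scheme adds {added_bits(len(options)):.1f} bits; "
          f"one extra random printable character adds {added_bits(94):.1f}")
```

The whole family of transformations is worth less than one additional random character in the password, so the written copy still needs to be kept as carefully as the plain password would be.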

    2. Anonymous Coward
      Anonymous Coward

      >This is why I keep all of my passwords on post-it notes stuck to my monitor. My handwriting is all the encryption I need.

      You could go the more modern way and have it tattooed onto oneself, that too will become illegible when the ink diffuses and your skin looks like a deflated balloon. Caution, don't get the tattoo done onto one's backside as dropping your trousers in front of your PC at work could be seriously misinterpreted, which would most likely lead to dismissal and arrest.

      1. Anonymous Coward
        Anonymous Coward

        That reminds me of the tale of a chap who is pestered by his girlfriend into having her name, Wendy, tattooed onto his manhood, only to find that in a flaccid state one could only make out the W and the y.

        One day, in the local pub loo, he couldn't help having his attention drawn by a well-built man draining the spuds next to him, who also had a W and y visible. Breaking all the rules of male toilet etiquette, the man asks if he also once dated Wendy. "Heck no. Look." says the chap, giving it a quick rub. "It says "Welcome to Jamaica, have a nice day." "

        1. Twanky
          Coat

          W...y?

          Some people are weird - he got an erection while being tattooed?

          Logical phallusy.

    3. Doctor Syntax Silver badge

      "My handwriting is all the encryption I need."

      Mine is certainly write-only.

      1. Chris King

        I should have been a doctor - my careers teacher told me my handwriting deserved to poison somebody !

    4. theblackhand

      "This is why I keep all of my passwords on post-it notes stuck to my monitor. My handwriting is all the encryption I need."

      Do you have any reliability issues following maintenance?

      The cleaners like to treat my monitor rough...

    5. the future is back!

      Posted it

      Red ones or yellow ones? Please, it’s confusing when we’re in there trying to take phone pics of them all

  3. A Non e-mouse Silver badge
    Meh

    This is one of the reasons I use 1Password: It only uses their servers to sync passwords between devices. If I don't have network access, I can still access the passwords on my device.

    Pity they changed to subscription only pricing.

    1. big_D Silver badge

      LastPass works offline as well.

      1. Dave K

        > LastPass is supposed to works offline as well.

        FTFY

    2. Stumpy

      Re: Seems a bit cheap

      When they changed to subscription only, that's when I jumped ship. Now use BitWarden ... not quite as full featured, but does exactly what I need it to. And it's free. And you can self-host if you're really paranoid about security.

      1. MiguelC Silver badge

        Re: Seems a bit cheap

        KeePass + keeping the password db on your cloud of choice (with local backup)

        That way you can use it on any device

        1. Criminny Rickets

          Re: Seems a bit cheap

          I have an encrypted folder in my cloud account that I keep my KeePass db in, which I can also access from all my devices.

        2. Twanky

          Re: Seems a bit cheap

          Keepass(XC) and syncthing. No clouds need to be involved. You could even swap backups with a (good) buddy. Add versioning/delays for mistakes/ransomware protection. YMMV.

      2. sijpkes

        Re: Seems a bit cheap

        Weird, I'm not subscribed and my LastPass free account is still very active, I use it every day. Could be a regional thing?

      3. Anonymous Coward
        Anonymous Coward

        Re: Seems a bit cheap

        @Stumpy, thanks for the Bitwarden mention, I wasn't aware of it and will try it out.

    3. jdoe.700101

      You can still purchase a perpetual license for 1Password, they are just "de-emphasizing the standalone license option". When you download and start 1Password, it will prompt you to purchase a subscription, or license.

  4. Anonymous Coward
    Anonymous Coward

    With great responsibility

    Amusingly, the headline advert on the main page is for LastPass.

    1. sijpkes

      Re: With great responsibility

      Yep, if any Register readers didn't know what Lastpass was, they do now.

    2. Dz

      Re: With great responsibility

      Wow. They serve ads here? ;)

  5. ThatOne Silver badge
    Facepalm

    Stormy Cloud

    A good reminder to not use cloud-based services for anything important, much less mission-critical...

    My local password manager didn't have a single minute of downtime in the last two decades...

    1. Adam JC

      Re: Stormy Cloud

      Bizarrely, neither did our LastPass account. We use it on all staff mobile phone(s) and laptops/PC's both in and out of the office. Even if LastPass servers were to wobble, I can always (and have always) been able to access the vault on my phone, or on my laptop with no internet connection whatsoever. I'd imagine the not being able to access whilst offline was a PICNIC / PEBCAK error rather than a LastPass one...

  6. big_D Silver badge

    Length of time...

    Nothing to do with how old the account is, I've been a pro member since 2014 and I wasn't having any difficulties.

    Could it be browser based? I use Firefox and haven't had any problems on any platform. This is the first I've heard about the problem.

  7. sal II

    KeePass

    This is why I will keep relying on the good ol' KeePass for my password management needs.

    Local DB, stored on several PCs, flash drives and clouds with massive master password.

    Zero dependency or exposure to 3rd parties.

    1. Anonymous Coward
      Anonymous Coward

      Re: KeePass

      Last time I looked into KeePass, it seemed to be unaware that LastPass existed. Certainly as far as importing data from LastPass was concerned.

      At that point it was useless. I have 600+ logins stashed in LastPass from nearly 15 years of saving logins. I really haven't the time, energy or will to spend ages in some arcane one at a time import process.

      Same goes for all the alternatives.

      Given that LastPass does export into a csv, it's a bafflement that there is no import to other managers.

      (Incidentally, keeping a copy of that csv suitably encrypted and offline is a good idea for any and all password managers. Not just LastPass).

      1. Microchip

        Re: KeePass

        Definitely does nowadays - at least Keepass 2 does, not sure about the Keepass 1. Specific configurations for a lot of other password managers, along with a generic CSV option.

        1. cantankerous swineherd

          Re: KeePass

          keepass 1 hopeless for importing, even for its own exports.

      2. Andrew Yeomans

        Re: KeePass CSV import

        I use KeePassXC, which is a native code fork of KeePass / KeePassX, but uses the same database format. That allows "CSV import from other password managers (e.g., LastPass)".

        KeePass v2.0 also states it imports from LastPass. https://keepass.info/help/base/importexport.html.

        So have another look!

        1. KSM-AZ
          Thumb Up

          KeePassXC

          I must say keepassXC is one of the better cross-platform KeePass managers. It is under fairly heavy development, so the browser integration is 2 steps up, one step back, 2 steps ... The doc is pretty weak. . . But I run it everywhere, on my Linux, windows and Mac platforms. Placing a kdbx file on a cloud and getting it from my phone or computer or wherever I might be is a huge win. I use my nextcloud server for this, but in the past I have also used dropbox, onedrive, and box. It's really a no-brainer if you ask me. YMMV.

      3. sal II

        Re: KeePass

        Must have been a long time ago. It's definitely an option now and fairly sure has been since version 2 release.

      4. billdehaan

        Re: KeePass

        I'm not sure why you're having a problem; Keepass has had CSV import for decades. I remember bringing in a CSV password file from a customer's Blackberry password manager that I worked for back around 2005 without problem.

        Of course, there's no CSV standard for password files (that I know of), but Keepass lets you pick the order. In the worst case, you might have to write a script and/or manually edit the field order so that LastPass and Keepass understand each other, but it shouldn't be hard.

        A quick search finds that there's a tutorial by a user who's done a LastPass to Keepass migration.

      5. Anonymous Coward
        Anonymous Coward

        "it seemed to be unaware that LastPass existed"

        Long time ago, it looks. In my 2.43 version I can see a "LastPass CSV" among the import options.

    2. Anonymous Coward
      Anonymous Coward

      Re: KeePass

      I rely on an encrypted text file stored on an encrypted drive. Is KeePass any better?

      1. sal II

        Re: KeePass

        As with most password managers it allows for copy/paste of the password without revealing it on the display. Handy against shoulder surfers in the office etc.

        It also handles well concurrent updates to the same DB file and merge of the changes.

        Neither of these is an option with just a file. I'm sure there are other advantages to it. Not saying it's the best password manager or anything, just pointing out that it's one of the last remaining non-cloud and completely free options for a decent password manager.

      2. billdehaan

        Re: KeePass

        Yes.

        For one thing, you can use Keepass on cell phone/tablet/other computers without lugging the portable drive around.

        Other benefits include things like auto timeout. If you leave your password file open and walk away from your PC, someone could copy your passwords. With Keepass, 30 seconds (configurable) after it gets the last keystroke/mouse action, it automatically locks itself, and you have to re-enter the password.

        Other features include things like clearing the copy/paste buffer after 30 seconds (again, configurable) so that if for example, a malicious javascript looks in your paste buffer, it won't see your last password.

        1. nagyeger

          Re: KeePass

          I'm not sure if this affects everything that uses the paste-buffer, it probably does, but beware the clipboard manager.

          xfce4-clipman, for one instance, holds onto paste-buffer history, so if you've got that running then you'll want to wipe history from there, too.

      3. nagyeger

        Re: KeePass

        keepassxc (not sure about other keepassen) can merge database files if you e.g. sync them between devices with git and there's an edit conflict.

        It's got a command-line version of the merge tool too, if that fits your use-case.

        Caveat: It's only a 2 way merge; I think it relies on timestamps in the records to pick the latest version.

    3. billdehaan

      Re: KeePass

      I've been using KeePass since the early 2000s, if not the late 1990s.

      It may be a local DB, but one of the benefits of it being so established, and open source, is that there's always been a port or a version (a 1.x version, anyway) available on every platform I've ever needed, whether it's Windows, Linux, Windows Phone, iOS, or Android.

      The other nice feature is that you can have as many DBs as you like. My general password DB, for things like El Reg and various forums, is on my home PC, my phone, and a keychain thumbdrive. My financial passwords DB is on a VeraCrypt volume on my home PC. Even if someone stole my phone, and somehow got my phone password and my Keepass password both, my banking info isn't exposed, because it's not there to take.

      I've also got a BitWarden account where I copy some of the less important passwords (again, like El Reg) for forums and the like, for when I'm in places where USB can't be connected, and I'd rather not look at my phone to manually type in a 32 byte password of random characters. But it's just a convenience, not a necessity; and they aren't passwords that I'm worried if they were compromised. But my Amazon or eBay passwords? Forget it. Even with Authy authentication, I'm not putting those passwords in a cloud-based manager.

  8. ken jay

    moved to bitwarden myself only 3 weeks ago, lucky me

    1. Locky

      Me too, with thanks to the commentards here for the recommendation of Bitwarden

      1. Anonymous Coward
        Anonymous Coward

        Yeah I did the same, saw the article before Christmas and migrated as quickly as possible.

  9. Anonymous Coward
    Anonymous Coward

    Were they on holiday for Passover ?

    Check calendar, nope that's April so it must be the post New Year IT celebration of fallover.

  10. Pascal Monett Silver badge

    Why is it so hard to learn ?

    What is it with people who just have to have their life online without backup ? Nothing against password managers, but for Pete's sake don't you have a local backup ?

    I coded my own password manager. I have it where I need it, and I have a backup at home where it is easy to get to. Of course, I'm not using three different platforms to access the Internet, so managing the password database is much easier for me, but still : I have a backup.

    Back it up, people. It will save your bacon one day.

    1. phuzz Silver badge

      Re: Why is it so hard to learn ?

      Lastpass is supposed to have a local backup, clearly that's gone wrong for some people as well (been working just fine for me).

    2. FrogsAndChips Silver badge

      Re: I have a backup at home

      A local backup is not a real backup.

      1. Anonymous Coward
        Facepalm

        Re: I have a backup at home

        If your service is remote, a local backup is a backup....

  11. Dabooka

    Right I know I'm about to get battered for this

    I have to confess that this is why I've just stuck with a little Moleskine notebook. In my defence I've had it longer than LastPass has been around, and it generally provides an incomplete picture anyway (i.e. it doesn't name the site implicitly, and sometimes it's just a reference I need prompting on).

    Sure it's not ideal, but it's not quite as bad as the Post It on the side of the monitor or the word 'pencil' written down inside a book left on a desk either.

    It is actually looking rather tatty of late, I may invest in another. 15 yrs isn't too bad after all.

    1. Chris G

      Re: Right I know I'm about to get battered for this

      My local backup is a little black book, for additional security, should I decide to use it, I actually do have a disused lavatory in my garden and it does have a filing cabinet in it. The cabinet is mostly full of old rusting tins of paint and European black widows and their webs as is the rest of the lavatory so the leopard sign is not really necessary.

      Other hiding places are available.

    2. Guus Leeuw

      Re: Right I know I'm about to get battered for this

      Dear Sir,

      "it doesn't name the site implicitly" Does it name the site explicitly?

      Best regards,

      Guus

  12. vincent himpe

    ahh the cloud : somebody else's computers i should trust with my passwords .. no ?

    I don't understand why this banks on a server. When I store passwords : they are stored on their machines ?

    It's time to have a piece of hardware to store passwords. Like a USB stick, or Bluetooth box or phone app. Something that does not bank on the cloud but stores the passwords in the machine. One master password then can access the stored data. And there needs to be a way to backup and replicate if the piece of hardware dies. Like an encrypted file that can be simply dragged back to the piece of hardware.

    Does that exist ? If not : business opportunity.

    1. Roj Blake Silver badge

      Re: ahh the cloud : somebody else's computers i should trust with my passwords .. no ?

      And do you carry this device around with you all of the time? What happens if you leave it at home and need to access something?

  13. Claverhouse Silver badge
    Black Helicopters

    On The Not Trusting of Strangers

    One of the many, many reasons I would never place my passwords online.

    As a non-internet repository Empass is pretty good. Somewhat confusing, with too many categories, but excellent at its purpose. Indian in origin, so safe from Western curiosity *.

    I would back up to other drives, naturally.

    .

    * No offence, but even for offline apps I can imagine some American 3-letter entities leaning on a maker to include backdoors for dear old Uncle Sam.

    1. NetBlackOps

      Re: On The Not Trusting of Strangers

      In that regard, I use PasswordSafe. Good luck leaning on Bruce Schneier.

    2. Anonymous Coward
      Anonymous Coward

      Re: On The Not Trusting of Strangers

      "Indian in origin, so safe from Western curiosity"

      There is a suspicion that India is not the place to trust with any personal details that can be keys to a monetary resource. Some call centres forbid employees from leaving with written notes - but that can't prevent someone with Kim's memory training.

      When "BT" or "Microsoft" cold callers from India are challenged about their criminal activity they merely shrug it off. If a culture allows people to earn a living in that way - then it becomes normalised in all strata of the society.

  14. Anonymous Coward
    Anonymous Coward

    I use offline only passwordsafe, stored on my nas and backed up to my local computer.

    Much safer, at the minor expense of not being available everywhere, which I've never needed that much.

    1. Brangdon

      Would it survive if your house was hit by lightning and burned to the ground? You should at least have off-site backups. The only reason not to do this is if you don't trust the encryption you used with the backup.

      And once it is backed up offline, you might as well make the backup available across multiple devices so you have passwords everywhere.

  15. Reginald Onway

    Paaper? What's that?

    Write your passwords down on a piece of paper then don't show it to anyone. Old tech works.

    1. Charles 9

      Re: Paaper? What's that?

      Does "anyone" include yourself...because you've lost track of it?

  16. veszelovszki

    "Limited" my *ss

    LastPass is a piece of cr*p any time of the day. Sometimes it's not even available, sometimes just doesn't let you sign in, sometimes it loses passwords. We've been using it for years and it's one of our worse pieces of software.

  17. Stuart Halliday

    Working

    Had LP for over 3 years.

    Never had any issues with it to date.

  18. razorfishsl

    Absolutely NO reason (other than to bilk & milk users for cash) to have a web-enabled service to store passwords......

  19. CaptSmegHead

    I keep all my passwords in the 'Notes' app on my iphone. Safe as houses.

    1. macjules
      Paris Hilton

      Always handy for when the FBI need to access your cloud storage. I commend you for your public spirit Sir.

      1. Anonymous Coward
        Anonymous Coward

        "Always handy for when the FBI need to access your cloud storage."

        In England you face recurring two years of jail time if you refuse to reveal your encryption passwords. If you have become a LEO target - warranted or not - then you're already in trouble from their need to find something or anything to justify their actions.

  20. Confuciousmobil

    Forgot

    I forgot my LastPass password a couple of years ago and never managed to get back into it.

    My passwords are all in a note on my iPad which has more security than writing them in a notebook.

  21. Z00T

    Sounds More like either a DNS attack or MITM....

    sounds/looks like mitm/dns attack to me, i mean, it is a very big target.

  22. Jaggers

    Keepass for ever!!!

    As long as you keep a reliable backup of it, it's rock solid (have used it for 10 years with no probs).

  23. Cuddles

    "a fraction of a percent of our user base"

    100/1 is a fraction.

    Why is it so difficult for companies to actually apologise? It's always waffle about how hardly anyone was affected, security is our number one priority, and all that nonsense. How hard is it to just say "Sorry, we screwed up. We've found and fixed the problem, and we'll learn from this mistake so we can try not to do it again."? Personally I'd trust someone who said that far more than someone who makes multiple statements about how it wasn't really a problem because hardly anyone was affected.

    1. Robert Carnegie Silver badge

      Re: "a fraction of a percent of our user base"

      They don't need to apologise to The Register, for which it is providing a news story. They don't need to apologise to most Register readers, who, going by replies here, are mostly not using this service, preferring the little black book or the mysterious tattoo. I don't have access to Twitter, but I expect they are apologizing there to their actual customers.

  24. Colonel Mad

    I'm alright Jack

    My paid-for service seems OK.

  25. Ozan

    perfect timing

    I ditched LastPass when it changed hands. I am on Bitwarden for now.

  26. Muscleguy

    I'm semi analogue. I store pwords in a notepad app in munged form only I can untangle. Mostly initial phrases which mean nothing to anyone else or are from my, unpublished, poetry. The numbers are in a Navajo code talker type format. Unless you can count in that far, far away language, no dice.

    I had a pword manager type browser thing which decided to ignore my pword. I gave up on 'put all your pwords in one place, we'll look after them' things after that.

  27. Tweetiepooh

    It's not just remembering passwords

    it's entering those long random strings into the right box with the right userid. It's hard enough on a proper keyboard; on a phone it's much harder, though to be fair some can link the login to biometrics so you can use that sometimes. Yes, cut/paste is available from a different store.

  28. Spindreams

    404 error with the LastPass Chrome extension page, so you can't install it.

  29. Anonymous Coward
    Anonymous Coward

    A friend had an apparently irrecoverably corrupted W8.1 laptop. Fortunately a System Image on DVDs was available from when it was first installed - so that was restored.

    Unfortunately the user "has no time" for practices like creating a spare "techie" administrator user - so there was only her one user on the system. She could not remember her password used at that time.

    In theory her Microsoft Account would be synchronised with the W8 login. Unfortunately she had forgotten that password too - in fact she denied ever setting one up. She had used a throwaway Gmail account to set up the Microsoft account - and had forgotten that password too.

    Fortunately she still had the same mobile number - so Gmail was reset first - then the Microsoft account was reset via that. Unfortunately the W8 login refused to accept the new Microsoft account password.

    The iSunshare login reset utility was purchased and it was amazingly easy to create another administrator account - and to reset the user's W8 password to an iSunshare preset string. Finding out how to change that to her new password proved to be a Google exercise - which also revealed how to disconnect her login from her unwanted Microsoft account.

    After installing 2GB of W8 updates I made a new System Image. Not having (yet another) USB stick for the archive I did it the traditional way to DVD. A BIG FAIL with a repeated error message.

    The problem was that part of the W8 backup's DVD writing process needs to format the DVD first. Unbelievably - the error is because W8 programs can be incompatible with W8.1 in calling a "progress bar" control. Microsoft have an advisory support notice about doing a manual format for each DVD and ignoring the error message - published in 2014.

    My first prolonged experience of W8 - and I can safely say it makes me even more determined to stay with W7.
