Dirk41

Level 17
Verified
Hi everyone! I am opening this thread to discuss what the best settings are (without being overkill: it can't take an hour to log in :p).
I admit I also like discussing this kind of thing; it's not all about fear :p

(If you google it you can find some articles about past hacks. I am not saying you should not trust LP, just be careful.)

Let's go step by step. If you'd like to reply, please mention the point/number.

1) Do I really need to download and install the installer on desktop?
I always installed the mobile app and the plugins in the browsers and it seems to work. After logging in in the plugin I can access the vault and do whatever I want, it seems.
What am I missing if I don't install the installer on desktop?

2) In the plugins you can opt out of displaying the vault right after the plugin. Does it provide any kind of security not to display it immediately?

3) Is it dangerous to surf the net with the LP browser (mobile app) outside the websites you log in to through LP?

4) Regarding the email account you use to sign up to LP, is it safe to protect it with the same pw manager that could be hacked? (That email is already protected by two steps, that means SMS on the phone.)

5) 2FA for registered websites in LP: what is best to use for the second step (that means code in email or SMS)? The option the website provides or one of those suggested by LP (mobile apps I see, and I don't know if they provide more security than SMS or email)?

6) Let's suppose LP emails everyone to change their PWs due to suspicious activity on their servers: how can we change all PWs as soon as possible? Is there a one-click option or do you have to change them one by one?

7) For every website you add you have 4 options:
- require reprompt: if I turn this off, in case hackers steal and decrypt (I know it is not easy) the pw, can they change it without the master pass?
- never autofill: what to do?
- autologin: what to do?

8) Is it true LP knows nothing about the master pass?
Perform security challenge: how do they know how strong the master pass is?

9) Allow custom keyboards: am I the only one for whom, if I turn that off, when I come back to check it is on again? I never installed other keyboards, I only use the multiple-languages keyboard.
Is it better to turn it off, right?

10) When you log in on desktop you can choose to use a virtual keyboard: is there any difference between clicking with the mouse or using the touchscreen?

11) Add what you want (please don't insult me :p)

Thank you for reading :)

Solarlynx

Level 14
1) Do I really need to download and install the installer on desktop?
>> If you mean LastPass for Applications, then no. You are missing the need to log in there as well.

2) In the plugins you can opt out of displaying the vault right after the plugin. Does it provide any kind of security not to display it immediately?
>> Maybe yes. I set it not to display, as usually I don't need the Vault.

3) Is it dangerous to surf the net with the LP browser (mobile app) outside the websites you log in to through LP?
>> I believe it's safe.

4) Regarding the email account you use to sign up to LP, is it safe to protect it with the same pw manager that could be hacked? (That email is already protected by two steps, that means SMS on the phone.)
>> Interesting idea, never thought about it. I like the post of @shmu26 above mine.

5) 2FA for registered websites in LP: what is best to use for the second step (that means code in email or SMS)? The option the website provides or one of those suggested by LP (mobile apps I see, and I don't know if they provide more security than SMS or email)?
>> I use LastPass Authenticator as it can send SMS - this can help when the clock on the mobile is wrong. As for email - I don't like this idea.

6) Let's suppose LP emails everyone to change their PWs due to suspicious activity on their servers: how can we change all PWs as soon as possible? Is there a one-click option or do you have to change them one by one?
>> I believe they say to change your master pw for LP only. There's no one-click option for all your sites - you can check it in your security challenge.

7) For every website you add you have 4 options:
- require reprompt: if I turn this off, in case hackers steal and decrypt (I know it is easy) the pw, can they change it without the master pass?
>> Sure.

8) Is it true LP knows nothing about the master pass?
Perform security challenge: how do they know how strong the master pass is?
>> Then you mean the Security Challenge on Android. I can assume your master password is kept locally in the browser while you are logged in. Though I wish to know that myself.

9) Allow custom keyboards: am I the only one for whom, if I turn that off, when I come back to check it is on again? I never installed other keyboards, I only use the multiple-languages keyboard.
Is it better to turn it off, right?
>> Actually I see no problem here.

11) Add what you want (please don't insult me :p)
>> You can restrict the countries from which you can log in.

Spawn

Administrator
Verified
Staff member
LastPass comes pre-configured. You can add protection such as 2FA and Country Restrictions if you're not a worldwide traveller.

If you use Google Chrome, you can lock Profiles to further protect your browsing sessions' profile.

Dirk41

Level 17
Verified
I sign in to LastPass with an email address that I use for no purpose other than that.
If you use your regular email address to sign in, a hacker could get hold of your address pretty easily, and then he only has to hack your password.
Thank you! Interesting advice!
But why do you say that? Why could a hacker easily get into an email address protected by 2FA with a different pw manager?
And what pw are you referring to? My master pass? It has 23 characters and for sure everyone can do better (it is not so difficult to find methods to remember long pws).

But even with a dedicated email for LP? Is it safe to protect it with LP? (In case LP is hacked? I meant that, maybe I did not explain it well.)



1) Do I really need to download and install the installer on desktop?
>> If you mean LastPass for Applications, then no. You are missing the need to log in there as well.

2) In the plugins you can opt out of displaying the vault right after the plugin. Does it provide any kind of security not to display it immediately?
>> Maybe yes. I set it not to display, as usually I don't need the Vault.

3) Is it dangerous to surf the net with the LP browser (mobile app) outside the websites you log in to through LP?
>> I believe it's safe.

4) Regarding the email account you use to sign up to LP, is it safe to protect it with the same pw manager that could be hacked? (That email is already protected by two steps, that means SMS on the phone.)
>> Interesting idea, never thought about it. I like the post of @shmu26 above mine.

5) 2FA for registered websites in LP: what is best to use for the second step (that means code in email or SMS)? The option the website provides or one of those suggested by LP (mobile apps I see, and I don't know if they provide more security than SMS or email)?
>> I use LastPass Authenticator as it can send SMS - this can help when the clock on the mobile is wrong. As for email - I don't like this idea.

6) Let's suppose LP emails everyone to change their PWs due to suspicious activity on their servers: how can we change all PWs as soon as possible? Is there a one-click option or do you have to change them one by one?
>> I believe they say to change your master pw for LP only. There's no one-click option for all your sites - you can check it in your security challenge.

7) For every website you add you have 4 options:
- require reprompt: if I turn this off, in case hackers steal and decrypt (I know it is easy) the pw, can they change it without the master pass?
>> Sure.

8) Is it true LP knows nothing about the master pass?
Perform security challenge: how do they know how strong the master pass is?
>> Then you mean the Security Challenge on Android. I can assume your master password is kept locally in the browser while you are logged in. Though I wish to know that myself.

9) Allow custom keyboards: am I the only one for whom, if I turn that off, when I come back to check it is on again? I never installed other keyboards, I only use the multiple-languages keyboard.
Is it better to turn it off, right?
>> Actually I see no problem here.

11) Add what you want (please don't insult me :p)
>> You can restrict the countries from which you can log in.

Thank you!
I am on iOS anyway, and there is a typo in my post (of course it is not so easy to decrypt).

LastPass comes pre-configured. You can add protection such as 2FA and Country Restrictions if you're not a worldwide traveller.

If you use Google Chrome, you can lock Profiles to further protect your browsing sessions' profile.
Thank you, I will look for the settings that allow me to use your suggestions regarding profile lock and country restrictions (I suppose they can be disabled at any time).

Is it possible to use 2FA even for the master pass? (Yes, I already found LP Authenticator.)

What do you think about the interesting advice from @shmu26?

Anyway, I am not sure it is correctly preconfigured: reprompt is disabled by default, if I remember well.


Thank you all once again :)

Svoll

Level 12
Verified
Is 2FA the same as Dual security account management or a Duo-enabled system? Is my school just using different jargon to sound more professional?

Their FAQ:

What is Duo?
Two-factor authentication provides additional security by requiring both something you know (your username and password) and something you have (such as a cell phone, hardware token, and/or landline) any time you authenticate to a Duo-enabled system.

MIT's LastPass Enterprise account makes use of Duo Two-Factor Authentication. This helps keep your LastPass account secure by ensuring that an attacker will not be able to access your data, even if they obtain your LastPass Master Password.

Dirk41

Level 17
Verified
additionally block Tor users.
Wow, thank you, it seems you have to manually enable that feature anyway.
Increase the Security of Your LastPass Account with Two New Options | The LastPass Blog

Anyway..

Have you ever signed up to their forum? It asks for your LP ID and MT: so even there they don't store your MT?

And a practical question: if I launch the login here on MalwareTips, it does not display "stay logged in", just "remember device for 30 days". How can I get "stay logged in" back?

Dirk41

Level 17
Verified
Unfortunately at MT 2FA cannot be forever, only for 30 days. Then you will again have to use 2FA. That's why I have to refuse 2FA on MT.
I don't want to stay logged in forever: I browse in private mode, so I'd like to stay logged in (but it is the same for other websites!) until I close the browser.

I was not talking about 2FA, I was talking about staying logged in.

Dirk41

Level 17
Verified
Country IP selection: if a user selects a specific country, a hacker can use a VPN & select the specific country's server & so bypass the country IP security?
Anyway -> account settings -> advanced -> allow only your country, and the use of a VPN is automatically disabled.

@shmu26 I thought that even if you use a dedicated account, a hacker would have "only to hack your pw" as well.

Did you enable a phone number to regain access if you forget the master pass? And the secondary email?