If I understand correctly this free download (www.lastpass.com) remembers and inserts your passwords when you visit sites for which they are needed. Wouldn’t it be dangerous for this info to reside on a computer others may use?
I used to use a similar product.
The data was stored on my local system, but encrypted.
As such, it was useless to anyone who didn’t know my password to get into the program itself.
As long as no one was smart enough to install a keylogger on the machine, you’d be safe.
I think one of the issues is that you can easily brute force a password on a desktop; it’s not so easy to brute force a password on an external server, because they’ll probably be locked out, and possibly even have the account flagged, after a certain number of attempts. This, however, is balanced out by the fact that a local machine will probably have a lot less bots and malcontents poking around it.
Only bad passwords can be easily brute-forced. The idea behind LastPass is that you can choose a single, very secure password that protects everything else. Further, you’re not limited to the idiosyncrasies of website password schemes (no special characters, etc.).
I use LastPass and I like it quite a bit. It even has protection against keyloggers if I choose to use it; I haven’t yet, but if I were using it at internet cafes or some such, I definitely would choose to use their extra features (like an on-screen keyboard).
As Mr. Slant says, the data is stored encrypted on their servers, so even if hackers were to capture their database, there’s little they could do with it.
Ah, I thought it was just an application that encrypted your password locally. THOSE are easy to brute force because there’s no lockout mechanism, and even if there was, it wouldn’t be hard to bypass with a program that allows you to interact directly with memory. If it’s stored on their server then it is rather secure.
This is on the main page of their website:
it’s SECURE
All of your data is encrypted locally on your PC - only YOU can unlock it.
Unless the website is lying, the data is stored locally.
Only the encrypted version is stored on their server. They transmit the file to your machine to decrypt.
Lockout mechanisms are protection against lousy passwords, such as a simple dictionary word. A decent password of 12+ characters, multiple case, numerals, and special characters is computationally infeasible to brute force except by highly dedicated parties like the NSA. If you use something more like a passphrase with 25+ characters, even the NSA won’t be able to do anything.
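To make the brute-force argument in the last two posts (and the earlier one about local files having no lockout) concrete, here is an added example that is not part of the thread and is not LastPass’s code or file format. It models a locally stored vault as a salt, a PBKDF2 iteration count and a key-check value derived from the master password: anyone who copies the file can test guesses offline with no lockout, so the only things slowing them down are the key derivation cost and the size of the keyspace. The vault layout, the iteration count, the wordlist and the guess rates are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
from typing import List, Optional, Tuple

# Toy model of a locally stored, password-protected vault. This is a constructed
# format for the example, NOT LastPass's real one. The vault keeps a salt, a
# PBKDF2 iteration count and a key-check value; a copy of the file lets an
# attacker verify guesses offline, with no server and no lockout.

ITERATIONS = 50_000  # assumption: a deliberately slow KDF setting


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def key_check(key: bytes) -> bytes:
    """Key-check value: HMAC of a fixed label under the derived key."""
    return hmac.new(key, b"vault-key-check", "sha256").digest()


def make_vault(master_password: str) -> dict:
    """Create a vault header that the program (or an attacker) can use to test a password."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "check": key_check(derive_key(master_password, salt))}


def guess_is_correct(vault: dict, guess: str) -> bool:
    """Offline check of one candidate master password against the stolen header."""
    key = derive_key(guess, vault["salt"], vault["iterations"])
    return hmac.compare_digest(key_check(key), vault["check"])


def offline_dictionary_attack(vault: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Try every candidate in order; return (recovered password or None, guesses made)."""
    for count, guess in enumerate(wordlist, start=1):
        if guess_is_correct(vault, guess):
            return guess, count
    return None, len(wordlist)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to search the whole keyspace at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


# Constructed stand-in for a dictionary/leaked-password list.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "qwerty123", "iloveyou"]

if __name__ == "__main__":
    # A dictionary word falls to the offline attack almost immediately.
    print(offline_dictionary_attack(make_vault("sunshine"), WORDLIST))
    # A long passphrase is simply not in any list the attacker can enumerate.
    print(offline_dictionary_attack(make_vault("correct horse battery staple purple"), WORDLIST))
    # Keyspace sizes behind the "12+ mixed characters" and "25+ character passphrase" advice.
    # Guess rates are assumptions: 1e9/s for an unstretched hash, 1e5/s when every
    # guess costs ITERATIONS PBKDF2 rounds.
    for label, length, alphabet in [("8 lowercase", 8, 26), ("12 printable", 12, 95), ("25 lowercase+space", 25, 27)]:
        bits = keyspace_bits(length, alphabet)
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, 1e9):.3g} years at 1e9/s, "
              f"{years_to_exhaust(bits, 1e5):.3g} years at 1e5/s")
```

The point of the two halves: the dictionary attack shows why a lockout-free local file is only as safe as the master password, and the keyspace arithmetic shows why a long random password or passphrase pushes the worst-case search far beyond any realistic guess rate, with the KDF iteration count buying several more orders of magnitude on top.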