LastPass compromised. - Change your Master Password NOW
personally I always thought services like this were just an accident waiting to happen, if you store your passwords securely on your local machine it must be a better idea than having them all on some public server that is advertising to the hacker world 'Hey look I've got all these passwords, come and get them!'
I use an encrypted SQL database for mine and only run the MySQL server when I actually need to access the information.
The attackers, however, did compromise LastPass account email addresses, password reminders, per-user salts, and authentication hashes.
So in other words, they did actually take good security and passwords weren't divulged since they were hashed. Having salts exposed seems like it exposes it to rainbow tables but otherwise as long as users change their pass, nothing was really compromised except user emails. It also looks like they used a difficult cipher so it'll take a while to find out what the master passwords are.
So the real loss was email addresses were leaked.
I don't use LastPass but it still looks like a useful service. Definitely a better option than using a simple pass for everything. Not to mention rather than needing to change hundreds of passwords, the only one that needs to be changed is the master one.
Of course, critical ones (bank) should also be changed.
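The post above asks what exposed per-user salts and authentication hashes actually buy an attacker. The following is an added Python example, not code from the thread or from LastPass; it assumes a PBKDF2-SHA256 authentication hash with a per-user salt and a constructed iteration count, and uses constructed sample records.

```python
import hashlib
import hmac

# Assumed parameters for the demo (the thread gives none of LastPass's real
# values): a slow PBKDF2-SHA256 derivation over the master password + salt.
ITERATIONS = 5000

def auth_hash(master_password: str, salt: bytes) -> bytes:
    """Server-side authentication hash: slow KDF over password and per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)

# Constructed leaked records: email -> (salt, auth hash). Two users picked the
# same weak master password; a third chose a passphrase not in the guess list.
GUESSES = ["password", "letmein", "qwerty123"]
LEAK = {
    "alice@example.com": (b"salt-alice-0001", auth_hash("letmein", b"salt-alice-0001")),
    "bob@example.com":   (b"salt-bob-0002",   auth_hash("letmein", b"salt-bob-0002")),
    "carol@example.com": (b"salt-carol-0003", auth_hash("correct horse battery", b"salt-carol-0003")),
}

def crack_with_one_table(records, guesses, table_salt):
    """Precompute the guesses under ONE salt (a rainbow-table style lookup) and
    try that table on every record. Only a user with that exact salt can be hit,
    so a leaked salt does not let one table cover the whole user base."""
    table = {auth_hash(g, table_salt): g for g in guesses}
    return {email: table.get(h) for email, (_salt, h) in records.items()}

def crack_per_user(records, guesses):
    """With per-user salts the attacker must rerun the full KDF for every guess
    under every user's salt; weak passwords still fall, strong ones do not."""
    found = {}
    for email, (salt, h) in records.items():
        found[email] = next((g for g in guesses
                             if hmac.compare_digest(auth_hash(g, salt), h)), None)
    return found

def kdf_work(records, guesses):
    """PBKDF2 iterations an attacker pays for one full per-user sweep: the slow
    KDF multiplies the cost of every guess, which is the 'difficult cipher'
    effect the post refers to. Changing the master password invalidates the
    leaked hash entirely."""
    return len(records) * len(guesses) * ITERATIONS

if __name__ == "__main__":
    print(crack_with_one_table(LEAK, GUESSES, b"salt-alice-0001"))
    print(crack_per_user(LEAK, GUESSES), kdf_work(LEAK, GUESSES))
```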
Yeah, the hackers didn't get any passwords because LastPass was doing things right. I'm not a user, but my confidence in them has increased after hearing this.
I use ccrypt to encrypt my text file with my user accounts and passwords, and when I need to generate a strong password I use an alias like
Code:
alias gp="tr -dc '[:graph:]' < /dev/urandom | head -c 15 | xargs -0"
For my important accounts that have my financial information, I'll change the passwords every six months or so. One thing is certain, nothing is fail-proof. We have to be proactive even though it's an inconvenience at times.
LastPass doesn't even have the master password, AFAIK. All they have is the encrypted file, not your master password. Password reminders might be of some help to hackers in some cases, but if you really need a reminder of your LastPass password, you're not doing it right. I've never given them a reminder, so it won't help anyone. And the email address I use for it is a throwaway. GMail addresses are plentiful and free, and useful for some things, such as this.
well if your password IS "MargaretThatcheris110SEXY" ...
It means either that you are Blind, or that you are Utterly Mad, or that you are Poor Mr. Thatcher.
As for me, I ordinarily either use the "Keychain" service of something like OS X, or a more-transportable tool such as PasswdSafe. With the latter, a file containing the encrypted content can be moved among multiple systems, say, phones, all of which can read it. (But I have had some transportability issues.) PasswdSafe in all of its implementations is, I believe, open-source.