The main thing that keeps me coming back to LastPass premium ($12 a year) is the fact that I can enable secondary authentication on my account via a Yubikey. LastPass works like this in a big TLDR:
- Make an account.
- With every account you have what is known as a vault.
- In this vault are your passwords for any website you choose to save the username and password for.
- By default (LastPass free) you have a username and a password (known as a master password). This master password is the password that's used to log into your vault. If, however, you buy premium, you can add different multi-authentication methods. For example, as I mentioned above, mine is set up with a Yubikey (one-time password USB device). When I open Firefox, LastPass pops up and asks me to enter my username and master password. After I give LastPass this information and press login, it then prompts me to insert my Yubikey and press the button to generate my one-time password. Once I do this, LastPass authenticates me and I log in to my vault. Immediately after I am logged into my vault, that password that was just generated is already junk and cannot be used again.
I do this for the main reason that I can comfortably log into my LastPass vault anywhere out in the world, on any device, without being in fear that the device is infected with malware (keylogger for example) that can get my master password, or the device is on an insecure network, etc. If you have my master password, you have all of my passwords.
There are a few other neat things that just go along with it that I like, such as the ability to generate random and really strong passwords. You can choose any # of characters from 1-whatever, and then select whether or not you want it to contain symbols, capitals, etc. All of my passwords are pretty long character-wise and I'm being 100% honest when I tell you I have no idea what any of my own passwords are for sites I log into every single day, because my vault takes care of all of that for me. When you want to log into a site, LastPass has a button to autofill your username and password that you've given to LastPass within your vault.
The major downfall to doing all of that is if I ever lose my Yubikey, or every single LastPass server somehow explodes and all records are lost, I'm really screwed. Aside from that though, it's really amazing. Again, I've never used KeePass or any other password manager, so I don't know if any have similar features, the same features but better/worse, etc. I have been with LastPass now going on three years, and I am being completely honest when I say I have absolutely zero complaints.
As far as I know, there are only two breaches on record. One was confirmed to not have leaked any master passwords, and the other was an XSS vulnerability which was a little bit controversial as it was argued whether or not it was a 'serious' exploit. In any case, as far as I know, since it was a white-hat exploit and was properly reported to LastPass, no master passwords were exposed either.