LastPass Offline Access - YES or NO?


CredulousDane

Hello!

I've disabled offline access but I'm not sure if it's necessary at all - maybe it's only an issue if a device with an rOTP is stolen, but then again, a long and strong password would make it very hard to break. I'm curious what your setting is on offline access?
 
I don't know what you think you're achieving? Offline access simply means it will cache data locally on your PC so you can still get a password if LastPass goes offline. I don't see that as a risk unless you assume your PC is unsafe to you.
 

Yeah you're right, I don't know why I thought it would be necessary.

Thanks for replying :)
 
I have offline access turned on since I want to be able to access my passwords if the internet is down. However, there may be risk vectors I'm unaware of in doing that. Having said that, I think there's been at least one time when offline access didn't work for me. So, if you want to be sure, shut down your router and see if your password database is accessible, on each device. It may be that you need more setup, or you need to update the database or the plugin when you haven't in a while. Also, you'll have to know your LastPass master email and password. If you use a custom email for them, as I do, you may not remember it.

May your bits be stable and your interfaces be fast. :cool: Ron
 

The only risk I can think of is, if you have OTPs lying around, then access will be possible through that (as I understand them) but it's a good idea to test it with the router offline. I don't know if 2FA is in the middle of accessing the vault when being offline but the test will reveal that.

About the master email - have you then created an email you only use for LastPass - a unique one? If that's so - great idea.
 
2FA is in the middle of accessing the vault when being offline
No, 2FA is basically a barrier to using your master password online. A true application of a second factor is only useful if you have someone intermediating your login. There is no such encryption that uses an interactive password (thus any 2FA). You could derive some portion of a password from a second factor, in theory, but then it would just become a different master password (i.e. first factor), and you could still work offline (as an attacker) to determine what it is.
 
About the master email - have you then created an email you only use for LastPass - a unique one? If that's so - great idea.
@CredulousDane I own a domain name so doing this is a little easier for me. But, almost EVERY vendor I deal with gets their own email address which forwards to my actual address. Actually it goes through an intermediate forwarding address, so if I have to change my actual inbox, I don't have to update 500 forwards. Something like this:
vendorcustomaddr@mydomain.com ---> myintermediatefwd@mydomain.com ---> myrealaddr@mydomain.com
Hope that helps.

May your bits be stable and your interfaces be fast. :cool: Ron
 
It does, thanks :)
 
Continuing on rfrazier's comment of "vendor/use/account specific" e-mail use. It seems he and I are very close to the same in setup. While I create specific "forwarder" class e-mail addresses for accounts, there is a feature that's becoming more popular that can help others who are not controlling their own e-mail system - "Plus Addressing". Google/gMail and perhaps others support the feature (cPanel sites look to offer it, Microsoft might too). It can be used to create unique, use-specific e-mail addresses "on the fly".

With gMail one simply adds a plus sign and some desired text between the username and the @ sign when needing to enter an e-mail address on a form.
Sample@gMail.com could then be Sample+LastPass2023-01@gMail.com

The custom e-mail address is what would be used for any interaction with Lastpass (the address listed on the LastPass account). Only LastPass and you (and any e-mail system between LastPass and You) should know the custom e-mail address. Any hacker would not likely know that specific address used for your LastPass account. gMail drops any message with a "Plus Address" into your "Sample@" e-mail account. You can, if you choose, use filters to direct messages with a custom address to a specific folder.

When I create account specific addresses I use the company or account name and the YYYY-MM format. This gives me easy identification of where the address is used and when it was put into effect. In normal use every e-mail arriving to me under a specific address should be FROM the entity with the name in the address. Should a message arrive, not sent by that FROM entity - I know the address was compromised and where I need to go to change/update the account with a new e-mail address. The new e-mail address will use the current YYYY-MM date format. That date format also tells me how long the address was in effect with no known compromise and gives a little bit of "random" to the address. The old address is deleted from my forwards list - or in the case of plus addressing, a rule/filter is created to send messages to that compromised address to the trash (once the account that used it is updated with a new address).

Bottom line, using custom addresses is a wonderful and not overly difficult way to manage spam (and give some extra security for login hackers). For those not able to create forwarder addresses on their mail server, PLUS ADDRESSING is an easy and effective alternative.

Addendum:
Much like Steve uses year specific addresses, I started doing the same 2022@; 2023@, one could do the same with Plus Addressing - Sample+2023@gMail.com and send any "one time use [raffle sign-up entry form, etc] " messages to the year specific address. Come February the next year, I discontinue the prior year custom address.
 
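The vendor-plus-YYYY-MM scheme above doubles as a compromise detector: mail to a tagged address that does not come from the named vendor means the address has leaked. As an added example (not the poster's code), this Python script parses such tags from constructed headers, flags mismatches and mints the replacement address; the header names, sample addresses and the "vendor appears as a label of the sender's domain" rule are assumptions.

```python
import re
from datetime import date
from email.utils import parseaddr

# Pattern from the post: <user>+<Vendor><YYYY-MM>@<domain>. The date is taken
# from the end of the tag (lazy vendor match) so a vendor name may contain digits.
TAG_RE = re.compile(
    r"^(?P<user>[^+@]+)\+(?P<vendor>[A-Za-z0-9]+?)(?P<issued>\d{4}-\d{2})@(?P<domain>[^@]+)$"
)

def parse_tagged(addr):
    """Return the parts of a tagged address, or None if it carries no tag."""
    m = TAG_RE.match(parseaddr(addr)[1])
    if m is None:
        return None
    return {"user": m["user"].lower(), "vendor": m["vendor"].lower(),
            "issued": m["issued"], "domain": m["domain"].lower()}

def sender_matches_tag(from_addr, tag):
    """Plausibility check: the vendor name should be a label of the sender's
    domain (lastpass.com, mail.lastpass.com). The From header is attacker-
    controlled, so this complements SPF/DKIM/DMARC rather than replacing it."""
    sender = parseaddr(from_addr)[1].lower()
    if "@" not in sender:
        return False
    return tag["vendor"] in sender.rsplit("@", 1)[1].split(".")

def triage(headers):
    """Classify one message by its From/To headers."""
    tag = parse_tagged(headers.get("To", ""))
    if tag is None:
        return "untagged"
    if sender_matches_tag(headers.get("From", ""), tag):
        return "ok"
    # Somebody other than the vendor knows this address: time to rotate it.
    return f"compromised:{tag['vendor']}{tag['issued']}"

def replacement_address(tag, today=None):
    """New tag for the same vendor, stamped with the current YYYY-MM."""
    today = today or date.today()
    return f"{tag['user']}+{tag['vendor']}{today:%Y-%m}@{tag['domain']}"

# Constructed sample headers (not real mail).
SAMPLE = [
    {"From": "LastPass <noreply@lastpass.com>", "To": "Sample+LastPass2023-01@gmail.com"},
    {"From": "Prize Desk <win@example.net>",   "To": "sample+lastpass2023-01@gmail.com"},
    {"From": "Bob <bob@example.org>",          "To": "Sample@gmail.com"},
]

if __name__ == "__main__":
    for h in SAMPLE:
        print(h["To"], "->", triage(h))
```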
PLUS ADDRESSING is an easy and effective alternative.
Yes, this is a helpful trick, but there is a massive downside you need to know about. The plus sign has a very particular meaning in HTTP/URLs and it breaks A LOT of sites if the coders aren't quality enough to properly escape it. (And more get it wrong than get it right.) Accordingly, a lot of sites break, in potentially subtle ways, when you use it. (It's complicated to explain/understand, but in essence when an HTTP form POST is sent, the URL with spaces is encoded into plus signs. If the site doesn't properly encode the plus sign in the email, then all of a sudden your email address gets broken with a space and depending on how poorly the site was designed, all sorts of "hilarity" can ensue.)

I've also had many sites refuse the plus sign as being invalid (because they don't know the rules, or because they don't want to deal with the issue I mentioned above.) Additionally, I've had sites allow the plus sign for sign up, but then disallow it for sign in. Or the site gets upgraded later, and you become unable to log in. I've lost a few accounts this way.

Something that works better is to know that GMail doesn't care about periods. So if your email is MrJohnSmith @... then you can use Mr.John.Smith or M.r.J.o.h.n.S.m.i.t.h @ or whatever you like. It's not as nice as being able to put whatever you want after the plus sign, BUT it's far less likely to break now or later. If you're judicious, you can use this technique with a secondary "throw away" Gmail account to get a pretty good mileage of "throw away" email accounts.
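To make the two points in this reply concrete, here is an added Python example (not the poster's code) that shows the form-encoding breakage with a constructed plus address, the body a correctly written site sends instead, and a Gmail canonicalisation that explains why the dot trick survives a sign-up/sign-in mismatch; the restriction of the dot/plus rule to gmail.com is an assumption.

```python
from urllib.parse import parse_qs, urlencode

# Constructed address in the thread's plus-tag pattern.
ADDR = "Sample+LastPass2023-01@gmail.com"

def naive_form_body(email):
    """A careless site drops the raw address into the POST body."""
    return "email=" + email

def correct_form_body(email):
    """Proper x-www-form-urlencoded encoding: '+' becomes %2B, '@' becomes %40."""
    return urlencode({"email": email})

def server_decodes(body):
    """Standard server-side decoding, which turns a bare '+' into a space."""
    return parse_qs(body)["email"][0]

def gmail_canonical(addr):
    """Mailbox Gmail actually delivers to: dots in the local part and any
    '+tag' are ignored and case does not matter. Assumption: applied only to
    gmail.com; other domains just get a case-fold."""
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain != "gmail.com":
        return f"{local.lower()}@{domain}"
    return f"{local.split('+', 1)[0].replace('.', '').lower()}@{domain}"

def same_mailbox(a, b):
    """True if two spellings reach the same inbox (e.g. sign-up vs sign-in)."""
    return gmail_canonical(a) == gmail_canonical(b)

if __name__ == "__main__":
    print("naive  :", server_decodes(naive_form_body(ADDR)))
    print("correct:", server_decodes(correct_form_body(ADDR)))
    print("dots   :", gmail_canonical("M.r.J.o.h.n.S.m.i.t.h@gmail.com"))
```

A site that stores the raw string at sign-up but canonicalises (or re-validates) at sign-in is exactly the lockout scenario the reply describes, and `same_mailbox` is the comparison it should have used.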
 
I've used email accounts with 'catchall' inboxes, so any email addressed to that domain is delivered to my inbox. I can then sort emails from there into folders, which I do in particular for email mailing lists, to keep my inbox less cluttered.

The downside? Domain alphabet attacks. Every tom, dick and harry hacker tends to send emails addressed to random names, like 'cmaeso' or others. I end up on an almost daily basis, using my email account provider's cPanel controls to blocklist the latest round of spam from gmail, in particular. It seems it's not the least bit difficult to generate some random Gmail account, and then spam merrily away.

I wish Gmail would just cease to exist. It would likely cut the spam by 90%.
 
Actually, it would be any free email service. Some forums I am an admin on have this StopForumSpam plugin installed, and lately 90% of the spam accounts that attempt to sign up on it (but SFS blocks by IP and/or email) tend to be mail.ru.
 
Wonder if my mail.ru is still active, I used to use it as the easy way to do stuff I do not care about, as their spam was easy to detect, if it was Cyrillic it was spam, 99.999% of the time. After all they allow anybody to make an account, no questions asked, so long as you agree to the FSB reading it possibly.