Yubikey with Lastpass

I’ve previously noted my experience requiring a Yubikey to open my Vanguard accounts.

I am pleased to learn my Yubikey to open Lastpass. Recent stories claim Lastpass “might” have been cracked. No proof yet.

I could post my Lastpass name & p/w, but nobody could open it without my Yubikey.

Everyone should use some variation of 2FA for all financials, and I think Yubikey is one of the best.


The concern with the latest Lastpass hack is that a hacker was able to download actual user password vaults.

Yes, everyone should use 2FA and prefer an app like MS Authenticator for OTP over the more common solution of using SMS. The YubiKey is just a much stronger key for 2FA. The future of passwords is going to be Passkeys:

But…“While user password vaults are still protected by their master passwords, the hacker may try brute force, phishing, or social engineering attacks.”

In my case, that means somehow getting my 16 digit pw of numbers, symbols, upper/lower letters, AND THEN get my Yubikey for that code. Foolproof? Of course not, but I feel safe.

I use Lastpass and 2 factor authentication. After reading this post, I am reading about possible additional steps including Yubikey (hardware authentication) and app authentication. Trying to keep up with security stuff is painful for me, so I try to remember that “a stitch in time saves nine.”

I don’t think so… if they have already downloaded the vault, they only need to crack the Master password. The 2FA only protects access to the passwords while accessing them through Lastpass security.

True, but that’s why we must have long 12-16 complex digits, a mix of random upper/lower letters, numbers, symbols.

It’s painful and frustrating for everyone. And the hackers work 24/7/365 to find ways for accessing our private stuff.

It never ends.
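The point raised above, that the second factor gates only the online login while a downloaded vault depends on the master password alone, shown as an added example that is not from any poster or from Lastpass. The `VaultService` class, the iteration count, the toy keystream and the guess rate are all assumptions of this model, not vendor details.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed KDF cost for this model, not a vendor figure

def _keys(master_password, salt):
    # Both keys come from the master password alone; no second factor is mixed in.
    k = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)
    return k[:32], k[32:]

def _xor(data, enc_key):
    stream = hashlib.shake_256(enc_key).digest(len(data))  # toy keystream, illustration only
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_vault(master_password, plaintext):
    salt = os.urandom(16)
    enc_key, mac_key = _keys(master_password, salt)
    ct = _xor(plaintext, enc_key)
    return {"salt": salt, "ct": ct, "tag": hmac.new(mac_key, ct, hashlib.sha256).digest()}

def open_vault(blob, master_password):
    enc_key, mac_key = _keys(master_password, blob["salt"])
    tag = hmac.new(mac_key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # wrong master password
    return _xor(blob["ct"], enc_key)

class VaultService:
    """Hypothetical online service: the second factor is checked only here."""
    def __init__(self, blob, second_factor):
        self._blob, self._second_factor = blob, second_factor

    def login_and_fetch(self, second_factor):
        if not hmac.compare_digest(second_factor, self._second_factor):
            return None  # online access refused without the hardware key's code
        return self._blob

    def stolen_copy(self):
        # Models a server-side breach: the blob leaves without any login taking place.
        return dict(self._blob)

def years_to_search_half(length, alphabet=94, guesses_per_second=1e6):
    # Expected years to find a uniformly random password (assumed guess rate).
    return (alphabet ** length / 2) / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    svc = VaultService(seal_vault("constructed-Master-pw", b"constructed entry"), b"123456")
    print(svc.login_and_fetch(b"000000"))                       # None: 2FA blocks the login
    print(open_vault(svc.stolen_copy(), "constructed-Master-pw"))  # opens with no 2FA at all
    print(f"{years_to_search_half(16):.1e} years for 16 random characters")
```

The estimate holds only for a master password chosen uniformly at random; a reused or human-chosen one falls far sooner than its length suggests.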

With all the hacks, I doubt I would ever trust anyone with my passwords, especially a 3rd party for-profit corp. They all seem to be getting hacked.

Agree, but at last count, I have +450. Yes, I could create my own file encryption, but having to de-crypt for every site would take a lot of time and energy.


I have 2 credit cards, 1 bank, one investment account. The PWs for these are memorized and locked away. I use one desk computer to access only these accounts. I keep my phone as close as my wallet and store some PWs there embedded with data that is only obvious to myself. For non-important sites I just use a common memorable PW. This works well for me. When I croak, the people that will take care of my/our finances know where to look.