LastPass Bypass of Two-Factor Authentication

One of the things I have noticed lately is that LastPass is only using my password to log in and not using my two-factor authentication. I asked them why this was happening and they sent me to the page below. I tested this out by logging out of LastPass and then disconnecting from my wireless network. I logged into LastPass with just my password and it logged in. Apparently all you need is a password in Offline Mode.
https://lastpass.com/support.php?cmd=showfaq&id=2775

…………………………………………………………………………………………………………………………

Why can I bypass 2 Factor Authentication to login to the current site my browser is on?

To validate your multifactor token, multifactor authentication requires that you have an Internet connection: if you do not pass LastPass a correct multifactor token, LastPass will never release your encrypted data. However, LastPass also has an ‘Offline Mode’: it keeps a locally cached encrypted copy of your data on your local device so that you’ll still be able to access your data even in the event that you do not have Internet access. On some connections, when you log in to LastPass you are logged in offline to the locally cached copy of your data before it can authenticate online. As a result, you might experience cases where LastPass will fill in the credentials for the current page you are on before you provide us your LastPass multifactor token. If you want to prevent this behavior, do the following:

Clear your Local Cache after each browser session:

  1. Log into LastPass
  2. Click on the LastPass Icon > Tools > Advanced Tools > Clear local cache
  3. Log off LastPass

or Disable Offline Mode

  1. Go to your account settings.
  2. Click on the Multifactor Tab
  3. Toggle ‘Permit Offline Access’ to ‘Disallow’
  4. Update
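
A minimal model of the behaviour the FAQ describes, added here as an illustration and not LastPass's code: the second factor is checked only by the server before it releases the encrypted vault, so a locally cached copy opens with the master password alone. The `Server` and `Client` classes, the fixed token, the salt and the HMAC-based cipher (a standard-library stand-in for real encryption) are all assumptions of this sketch.

```python
import hashlib, hmac, os

SALT = b"user@example.com"      # constructed sample value
ITER = 100_000                  # assumed for this model only

def derive_key(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITER)

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher
    out = b"".join(hmac.new(key, b"enc" + nonce + bytes([i]), "sha256").digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + hmac.new(key, b"mac" + nonce + ct, "sha256").digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(key, b"mac" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong master password")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Server:
    """Holds the encrypted vault; releases it only with a valid second factor."""
    def __init__(self, blob, expected_token):
        self.blob, self.expected = blob, expected_token
    def release(self, token):
        if not hmac.compare_digest(str(token), self.expected):
            raise PermissionError("multifactor token rejected")
        return self.blob

class Client:
    def __init__(self, permit_offline=True):
        self.permit_offline, self.cache = permit_offline, None
    def login(self, password, server=None, token=None):
        if server is not None:                      # online: server enforces MFA
            blob = server.release(token)
            self.cache = blob if self.permit_offline else None
        elif self.cache is not None:                # offline: no server, no MFA check
            blob = self.cache
        else:
            raise PermissionError("no local cache: offline login impossible")
        return unseal(derive_key(password), blob)
    def clear_local_cache(self):
        self.cache = None
```

In this model, both FAQ remedies leave `cache` empty: clearing the local cache removes the copy after a session, and disallowing offline access means no copy is ever kept.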

 

Posted in LastPass

LastPass Login Change

I was working on a friend’s computer and had to restore it from a previous image.

I set up LastPass again on her computer, but when I went to Login, I got the message, “LastPass doesn’t recognize this device or you are at a new location. Please check your email to grant access to your new device or location.”

This is a Catch-22 situation – I use LastPass to Login to Gmail, but I can’t Login to LastPass – thus I can’t get my email! Luckily I had written the Gmail login in another location.

When I wrote LastPass about this their answer was, “This measure is in response to the announcement (https://blog.lastpass.com/2015/06/lastpass-security-notice.html/) … Please refer to this article to resolve this concern – https://lastpass.com/support.php?cmd=showfaq&id=9222 ”

The above link says – “Why am I being asked to verify on login?
As one of our security measures since the breach of LastPass, we require users to verify via their email addresses when logging on new computers/mobile devices or new IP addresses unless they have multifactor authentication enabled for their LastPass accounts.”

ALSO – Once verified, how can I avoid the need to verify my account in the future?

Tom – In summary – either set up multi-factor authentication or disable the verification requirement as shown below.

LASTPASS –

  1. Enable Multifactor Authentication. We highly recommend doing this as it increases your security. You can learn more about this and which methods LastPass supports here: https://helpdesk.lastpass.com/multifactor-authentication-options/
  2. You can disable the verification requirement completely by going to the LastPass Vault > Account Settings > Show Advanced Settings > check “Disable Email Verification”.

 

Posted in LastPass

How to Prevent Malware and Computer Viruses

I’m helping a friend who had her computer infected with 1620 malware files.

I’m trying to figure a way to keep her computer safe in the future and thought I’d repeat Steve Gibson’s advice.

  1. Run as a Standard User. Keep a separate account as an administrator. Give it a long password.
  2. You can also uninstall Java and only allow Flash to run when you want it – that’s a setting in Chrome.
  3. Steve also runs NoScript in Firefox.
  4. Sandboxie.com is another tool you can install to Sandbox your browser. It deletes everything when you close your browser. There is a Free version and the paid version costs $49.95 for three lifetime licenses.
  5. Malwarebytes.org – this might block most malware from installing. It costs $24.95 for three home PCs.

Have a good drive image backup. On my friend’s computer we had an Acronis True Image WD edition backup which saved the day.

Posted in Security

LastPass Security Settings

One of the features of LastPass is that you can tell it how often you want to Log out and Login.

Ideally, you would log in every time you start and use your browser, but that’s a bit of an aggravation. I use a long password + two-factor authentication – which means I need my phone handy.

At the same time, you don’t want LastPass to always be logged in. I’ve had friends who forgot their password because they never enter it.

I’d like an option to Login once a day, but stay logged in for the remainder of the day. The next day, I would have to login again.

The closest I can come to this are the Security settings to “Automatically Log out when all browsers are closed and Chrome has been closed for (mins)”. I put in 420 minutes which would mean that if I close my browser and go to sleep, then the next day, I would have to login.

The other setting of “Automatically log out after idle (mins)” 420 is basically the same thing.

This means I can’t just close my laptop and let it go to sleep, but have to close the browser just before I go to sleep.

I’m hoping that LastPass takes my suggestion of allowing a “Login once a Day” setting.

Posted in LastPass

BenSound- Royalty Free Music

BenSound.com is a nice site which offers Royalty Free Music. The only caveat is that you have to give credit to BenSound. Here’s what the site says.

“My music is licensed under a Creative Commons License:
You are free to use the music in your multimedia project (online videos (youtube,…), websites, animations, etc.) as long as you credit me, For example: “Music: www.bensound.com” or “Royalty Free Music from Bensound””

Here’s a sample below.

Posted in Music

HitFilm 3 Express – Free Video Editor

If you’re looking for an alternative to Adobe Premiere, HitFilm 3 Express is Free and has loads of features. You can download it at this site.
https://hitfilm.com/express

It works on both Windows and Mac.

Videomaker has a nice review if you want to get into the details of the Pro version.

HitFilm has tutorials at: https://hitfilm.com/video-tutorials#/

I also noticed that Lynda.com has six hours of tutorials, but of course you have to subscribe.

If you want the Pro version, it costs $299 which is just about the price you’d pay for one year of Adobe Premiere. Amazon has it for a slightly cheaper price.

Posted in video

Microsoft is Calling or You’ve Got a Virus

One of the tips which needs repeating is this. If you get a call from Microsoft or you get a popup on your computer which says you have a virus and need to call a certain phone number – Don’t Do It! It’s a scam!

They either want to get your credit card number or want to hijack your computer and install their malware/virus.

Here are my suggestions.

Computer – If you do see a popup, close your tab, close your browser or if you can’t get rid of the popup, then shut down your computer. Don’t click on it as it may install some malware.

In Chrome – go to settings and turn off pop-ups.

Phone Call – Don’t answer phone calls from people that you don’t know. If it’s a legit phone call, they will leave a message that you can return. Use Caller ID to screen your calls. Usually, the bad guys don’t leave messages. In any case, Microsoft is not going to ask you to call them.

Another recommendation is to run as a Standard User; this may stop the virus if it is trying to install itself. If it asks for the Administrator’s password – don’t do it.

Posted in Security