I've been very happy with LastPass too. I use it on my desktop and pay for the mobile app. But what I don't get is why we still need to use a password manager extension/app. Why isn't it built into the browser yet?
Google already has all of my passwords saved, and synchronized online across devices for whenever I use chrome (well, the passwords I used before switching to LastPass). Why can't it automatically generate secure passwords for me just like LastPass does?
Because that would mean you could only log in with computers storing your cert. Passwords might have lots of drawbacks, but they allow you to log in from anywhere on any computer without any other requirement besides remembering them. I don't see this property in any of the proposed solutions to replace passwords thus far.
And where is this master password stored, then? If it's on your browser/computer, it's not portable. If it's online, it's possibly less secure (especially if you're not the one hosting it). A physical token might work, but it's usually too specific and not scalable.
Nothing beats the plain old password for convenience; that's why they are still so widely used despite lousy security properties.
This. Servers are moving to SSL everywhere. Why not have client SSL certs generated when you first install a browser? No cookies, like you said, AND the servers get client authentication built in.
Personally I like that the password manager is independent from the browser. If you switch browsers it's handy to be able to take your passwords with you.
I don't know about other browsers, but Safari suggests a randomly generated password when it detects a registration form. And it can sync everything through iCloud Keychain.
I'm actually trying to unlock myself from Chrome... although it's still my goto browser, I realized I'd fallen in heavily with Chrome, and my passwords are something I can't really share with, say my Firefox, Safari, or IE instances.
No, you're right. We have password managers built into browsers. That just doesn't work the way we'd like it to. Because of this we have the extra kludge of requiring extensions like LastPass to keep passwords safe and synced between browsers/devices. We know that isn't an optimal solution (but it does work...)
Instead, what we really need is some kind of identity management built into the browser. We already have something similar to this in terms of private client certificates. You could set up your browser to authenticate you to supporting websites via a client certificate. The problem is, no one is going to do that... it just isn't practical from a workflow perspective.
Instead, what I'd like to see is some kind of portable identity solution (similar to a certificate) where you could authenticate with your browser, then pass off public keys to websites. When you'd like to log in, the website queries the browser, and the browser authenticates you by signing a message back to the server (with your private key). It could be quick and easy... hell, the major OSes now have keystores specifically available for just such a use case. It just needs a spec for browsers and servers to be able to implement... if only.
It could also be a federated system set up outside of the browser, but those are also hard to get people to use (although Mozilla has done a good job in trying). My last two jobs (research universities) both had single sign-on options for web applications to use. It was wonderful. Now we just need something that the browser itself can manage.
This is a real chicken vs the egg problem, but if we could get a system like this, where we don't need passwords, life would be so much easier.
Maybe someone needs to re-invent Kerberos, or at least re-brand it :)