KeePass vs LastPass

lightheir
Posts: 2302
Joined: Mon Oct 03, 2011 11:43 pm

Re: KeePass vs LastPass

Post by lightheir » Fri Apr 11, 2014 3:13 pm

bertilak wrote:
Epsilon Delta wrote:
LadyGeek wrote:Like TrueCrypt, KeePass can use a keyfile: Key Files

Instead of remembering a super secure password, let your data take care of the details. All you have to remember is that you've used Grandma's vacation picture. And don't lose the picture.

Or, any one of the thousands of files on your PC. Just be sure to have a backup somewhere.
Thousands of files means 10 to 20 bits of entropy. May as well just keep a strong password in a word document named after your third pet. If the attacker does not have access to your PC either one is safe, if they do have access either one is easily broken.
I've been using a password with KeePass and this discussion got me to try using a key file just to see how well it worked. I ran into what looks like a problem ...

When I open the locked file the unlock dialog has "key file" checked and the name and location of the file pre-filled! Even if I keep the file on external media (e.g. USB drive) giving away all the following seems pretty compromising:
  • the fact that it is a key file and not a password that is in use
  • the name of the file
  • the path to the file tells what kind of media it is on
I don't think using a key file alone is secure.

A key file + password - now that's like double authentication and much more secure than a password. I think the keyfile is really to prevent remote hacks like someone brute-forcing passwords against thousands of websites remotely - if your keyfile is local only, that usually adds a much higher level of protection than password only.

jayjayc
Posts: 206
Joined: Tue Jun 25, 2013 11:38 pm

Re: KeePass vs LastPass

Post by jayjayc » Fri Apr 11, 2014 4:56 pm

I don't quite understand the KeePass users who believe that using Dropbox/Google Drive is as secure as LastPass' servers. Dropbox's servers don't use the same level of encryption as Lastpass' servers esp when it comes to Dropbox's free accounts. I do understand those Keepass users who are suspicious of all cloud storage and only keep their passwords locally.

One of the main reasons why I use Lastpass is that my company's security team did a thorough review on Lastpass and deemed it ok for employees to use w/ company logins.

bertilak
Posts: 6126
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: KeePass vs LastPass

Post by bertilak » Fri Apr 11, 2014 5:00 pm

lightheir wrote:I don't think using a key file alone is secure.

A key file + password - now that's like double authentication and much more secure than a password. I think the keyfile is really to prevent remote hacks like someone brute-forcing passwords against thousands of websites remotely - if your keyfile is local only, that usually adds a much higher level of protection than password only.
Hmm. Thinking about that it seems that if both the password file and the key file are local then if one is compromised I think we need to assume that both of them are.

The safest thing would be to have the key file on a USB drive that you could keep with you but you might as well just keep the password file on the USB and forget the key file. I am not ready for that level of inconvenience. Next step is to keep it in a (combination) locked titanium briefcase chained to my wrist! Might impress the ladies but I'll rely on my charm for that!

I think I will stick with things as they are -- a password I have used for years that is not written down anywhere. It's a ghost from the past I can't forget! And you can't guess since it has not a single word in it -- just letters and numbers, none of them related to any personal information.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker, the Cowboy Poet

lightheir
Posts: 2302
Joined: Mon Oct 03, 2011 11:43 pm

Re: KeePass vs LastPass

Post by lightheir » Fri Apr 11, 2014 5:35 pm

bertilak wrote:
lightheir wrote:I don't think using a key file alone is secure.

A key file + password - now that's like double authentication and much more secure than a password. I think the keyfile is really to prevent remote hacks like someone brute-forcing passwords against thousands of websites remotely - if your keyfile is local only, that usually adds a much higher level of protection than password only.
Hmm. Thinking about that it seems that if both the password file and the key file are local then if one is compromised I think we need to assume that both of them are.

The safest thing would be to have the key file on a USB drive that you could keep with you but you might as well just keep the password file on the USB and forget the key file. I am not ready for that level of inconvenience. Next step is to keep it in a (combination) locked titanium briefcase chained to my wrist! Might impress the ladies but I'll rely on my charm for that!

I think I will stick with things as they are -- a password I have used for years that is not written down anywhere. It's a ghost from the past I can't forget! And you can't guess since it has not a single word in it -- just letters and numbers, none of them related to any personal information.
Yes that is true. If both are local and both are compromised, then the keyfile does not give you any added protection. Contrary to what you think password + keyfile (local) is much more secure (assuming equal strength password.)

Again, you do NOT need to have some inconvenient USB drive or USB drive in a titanium case for the keyfile, as it is just an added level of protection. Having a local file stored only on your laptop is plenty fine. Again, the point is to provide robust defense against REMOTE hacks. For absolutely zero added inconvenience, you add much more robustness to protection from remote hacks.

If you really are needing of protection from local hacks too, the keyfile still gives you that option if you decouple it from your archive or computer, as you said, like on a USB drive. But you should probably know if you actually need that level of defense, or if you're just being paranoid.
Last edited by lightheir on Fri Apr 11, 2014 7:48 pm, edited 1 time in total.
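
Added example, not part of the original thread: a small Python model of the key file arguments in the posts above (a file picked from the PC, the path shown in the unlock dialog, local versus remote attackers). It assumes a simplified composite key (SHA-256 of each component, then SHA-256 of the concatenation, with KeePass's slow key transformation omitted), a constructed directory of 1,024 files and a constructed 8-character password; all function names are hypothetical.

```python
import hashlib
import math
import os
import tempfile

KEY_BITS = 256  # size of a SHA-256 output; no component can add more than this


def composite_key(password=None, keyfile_data=None):
    """Simplified composite key: hash each component, then hash the concatenation.

    Assumption: this models the general construction only. The real KeePass
    format special-cases some key file formats and runs a slow key
    transformation afterwards.
    """
    parts = []
    if password is not None:
        parts.append(hashlib.sha256(password.encode("utf-8")).digest())
    if keyfile_data is not None:
        parts.append(hashlib.sha256(keyfile_data).digest())
    if not parts:
        raise ValueError("need a password, a key file, or both")
    return hashlib.sha256(b"".join(parts)).digest()


def count_files(root):
    """Number of regular files under root: the candidate set for 'some file on my PC'."""
    return sum(len(files) for _, _, files in os.walk(root))


def password_bits(length, alphabet_size):
    """Entropy of a uniformly random password (an upper bound for human-chosen ones)."""
    return min(KEY_BITS, length * math.log2(alphabet_size))


def keyfile_bits(attacker, candidate_files, path_disclosed=False):
    """Bits of uncertainty the key file adds for a given attacker.

    attacker: "remote" holds only a copy of the database;
              "local" also holds the contents of the disk.
    """
    if attacker == "remote":
        return KEY_BITS  # file contents never left the machine (assumed not public)
    if attacker != "local":
        raise ValueError("attacker must be 'remote' or 'local'")
    if path_disclosed or candidate_files <= 1:
        return 0.0  # the unlock dialog already names the file
    return math.log2(candidate_files)  # one of N files on the disk


def total_bits(attacker, pw_bits, use_keyfile, candidate_files=0, path_disclosed=False):
    """Combined strength of the master key, capped at the key size."""
    bits = pw_bits
    if use_keyfile:
        bits += keyfile_bits(attacker, candidate_files, path_disclosed)
    return min(KEY_BITS, bits)


def demo():
    """Build a constructed tree (32 folders x 32 files) and score each setup."""
    with tempfile.TemporaryDirectory() as root:
        for d in range(32):
            folder = os.path.join(root, f"dir{d:02d}")
            os.mkdir(folder)
            for f in range(32):
                open(os.path.join(folder, f"file{f:02d}.jpg"), "wb").close()
        n = count_files(root)
    pw = password_bits(8, 36)  # constructed: 8 random characters from a-z0-9
    return {
        "candidates": n,
        "keyfile only, local attacker": total_bits("local", 0.0, True, n),
        "keyfile only, path shown in dialog": total_bits("local", 0.0, True, n, True),
        "password only": total_bits("local", pw, False),
        "password + keyfile, local attacker": total_bits("local", pw, True, n),
        "password + keyfile, remote attacker": total_bits("remote", pw, True, n),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:40s} {value}")
```

The local-attacker rows show the key file adding only the bits needed to pick one file out of the candidates (none once the path is known), while the remote row is limited only by the key size.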

ddoubleu
Posts: 27
Joined: Sun Mar 02, 2014 6:17 pm

Re: KeePass vs LastPass

Post by ddoubleu » Fri Apr 11, 2014 7:16 pm

I use KeePass. I will never trust a third-party to store my passwords.

ddoubleu
Posts: 27
Joined: Sun Mar 02, 2014 6:17 pm

Re: KeePass vs LastPass

Post by ddoubleu » Fri Apr 11, 2014 7:21 pm

jayjayc wrote:I don't quite understand the KeePass users who believe that using Dropbox/Google Drive is as secure as LastPass' servers. Dropbox's servers don't use the same level of encryption as Lastpass' servers esp when it comes to Dropbox's free accounts. I do understand those Keepass users who are suspicious of all cloud storage and only keep their passwords locally.

One of the main reasons why I use Lastpass is that my company's security team did a thorough review on Lastpass and deemed it ok for employees to use w/ company logins.
I use KeePass and I would never store the file on Dropbox or Google Drive. I'm against using any third-party to store my passwords, but if I had to choose, I'd pick LastPass over storing my password file on Dropbox/Google Drive.

If the only hang up with KeePass is mobility, then store the file on a USB flash drive with hardware encryption like IronKey. KeePass has a portable version that lets you run the program from the flash drive without having to install software on the computer so it can be used anywhere you can plug the flash drive into.

lightheir
Posts: 2302
Joined: Mon Oct 03, 2011 11:43 pm

Re: KeePass vs LastPass

Post by lightheir » Fri Apr 11, 2014 7:51 pm

ddoubleu wrote:
jayjayc wrote:I don't quite understand the KeePass users who believe that using Dropbox/Google Drive is as secure as LastPass' servers. Dropbox's servers don't use the same level of encryption as Lastpass' servers esp when it comes to Dropbox's free accounts. I do understand those Keepass users who are suspicious of all cloud storage and only keep their passwords locally.

One of the main reasons why I use Lastpass is that my company's security team did a thorough review on Lastpass and deemed it ok for employees to use w/ company logins.
I use KeePass and I would never store the file on Dropbox or Google Drive. I'm against using any third-party to store my passwords, but if I had to choose, I'd pick LastPass over storing my password file on Dropbox/Google Drive.

If the only hang up with KeePass is mobility, then store the file on a USB flash drive with hardware encryption like IronKey. KeePass has a portable version that lets you run the program from the flash drive without having to install software on the computer so it can be used anywhere you can plug the flash drive into.
Actually, I don't see the issue with storing your database on Gdrive, etc.

Someone would have to hack into your Gdrive first, then hack into your keepass file again to get your data. Two breaches required, which is a pretty good level of security. Your Keepass file should be inherently setup securely enough with a good password (and keyfile if applicable) that even if it was outright copied and distributed, it should be super safe.

I believe Lastpass is safe too, but I don't know if any third party has after investigated their IT and security structure, as one can do (and has done) with Keepass due to its open source nature.

pyld76
Posts: 149
Joined: Thu Feb 09, 2012 4:15 pm

Re: KeePass vs LastPass

Post by pyld76 » Fri Apr 11, 2014 8:49 pm

jayjayc wrote:I don't quite understand the KeePass users who believe that using Dropbox/Google Drive is as secure as LastPass' servers. Dropbox's servers don't use the same level of encryption as Lastpass' servers esp when it comes to Dropbox's free accounts. I do understand those Keepass users who are suspicious of all cloud storage and only keep their passwords locally.

One of the main reasons why I use Lastpass is that my company's security team did a thorough review on Lastpass and deemed it ok for employees to use w/ company logins.
I think you misunderstand what LastPass is doing: they are essentially using your master password to encrypt a file that they synchronize to all your devices/browsers. Their "server security" is no better nor worse than anyone else who uses a base level of AES encryption. They don't have the key to the encrypted bits on their drives, and thus cannot read your passwords. They encrypt your already encrypted data in transit (and they were bitten by the Heartbleed thing).

If I take a Passwordsafe or KeePass file and sit it on Dropbox, Dropbox encrypts it again with their own drive key. Even if they give that key up to someone or it's compromised, the attacker is left with an encrypted file full of passwords. That's the same encrypted file full of passwords that Lastpass would give up if successfully attacked in the same manner.

There is zero architectural security difference between a keepass file sitting on Dropbox and Lastpass.

You can argue that LastPass has much better integration and is arguably an easier process to use--which will increase security somewhat just because it will actually get used. However, as I allude to above--LastPass does not open source their code. Keepass does. That's a tangible (IMHO) advantage.
ddoubleu wrote:I use KeePass. I will never trust a third-party to store my passwords.
Given a sufficiently long and complex master passphrase, you are far more likely to be bitten by an encryption bug (such as Heartbleed) than give up any real security by exposing a properly encrypted password file on a cloud provider.

ddoubleu
Posts: 27
Joined: Sun Mar 02, 2014 6:17 pm

Re: KeePass vs LastPass

Post by ddoubleu » Fri Apr 11, 2014 8:55 pm

lightheir wrote:Actually, I don't see the issue with storing your database on Gdrive, etc.

Someone would have to hack into your Gdrive first, then hack into your keepass file again to get your data. Two breaches required, which is a pretty good level of security. Your Keepass file should be inherently setup securely enough with a good password (and keyfile if applicable) that even if it was outright copied and distributed, it should be super safe.

I believe Lastpass is safe too, but I don't know if any third party has after investigated their IT and security structure, as one can do (and has done) with Keepass due to its open source nature.
I see your point, but I look at it this way: you have a top-of-the-line safe with combination in your house that contains your passwords on paper. Your house gets broken into and the thieves take that safe. Would you still not feel nervous despite the safe having a combination? It's the physical possession that's enough to make me paranoid unless I'm using hardware encryption like an IronKey drive that will self-destruct after 10 consecutive invalid logins.

There's a saying in information security: "It's not a matter if you'll get hacked, it's a matter of when." It's this reason why I wouldn't rely on a third-party to store my passwords when I can easily do it myself.

lightheir
Posts: 2302
Joined: Mon Oct 03, 2011 11:43 pm

Re: KeePass vs LastPass

Post by lightheir » Fri Apr 11, 2014 9:13 pm

I don't see why one would trust last pass more than other data providers online. Unlike keepass, nobody can examine the security architecture.

TimeRunner
Posts: 1418
Joined: Sat Dec 29, 2012 9:23 pm

Re: KeePass vs LastPass

Post by TimeRunner » Fri Apr 11, 2014 9:15 pm

This thread has really thrashed around. I don't think it really matters which one you use, the fact that you ARE using either KeePass or LastPass puts you way ahead of many folks who don't use a password manager at all.

Now stop worrying and enjoy your weekend! :beer
"What'd ya expect in an opera, a happy ending?" -Bugs Bunny. "You gotta fight for your right to party!" -Beastie Boys

BlueEars
Posts: 3634
Joined: Sat Mar 10, 2007 12:15 am
Location: West Coast

Re: KeePass vs LastPass

Post by BlueEars » Fri Apr 11, 2014 10:46 pm

I've just started using LastPass on my PC and like it. It occurs to me that it opens up my financial sites too easily. Suppose I walk away from my computer and leave the browser up. Anyone could get into any financial accounts in that case. So I'm not including financial accounts in my LastPass vault for that reason. Does this reasoning sound right?

A question for LastPass users. If one uses LastPass on an Android tablet using Chrome, can it be easily disabled by logging out of LastPass until the next time you need it? What about all those permissions one has to give to apps from the Google store? Could any of these be used to get at the master password if one activates LastPass on a tablet using Chrome? Or is it just better to use an old fashioned write-it-down system for tablets? I'm thinking of vacation usage needs like reading email, ordering a Kindle book, etc.

Ice-9
Posts: 1326
Joined: Wed Oct 15, 2008 12:40 pm
Location: Rockville, MD

Re: KeePass vs LastPass

Post by Ice-9 » Fri Apr 11, 2014 10:59 pm

BlueEars wrote:I've just started using LastPass on my PC and like it. It occurs to me that it opens up my financial sites too easily. Suppose I walk away from my computer and leave the browser up. Anyone could get into any financial accounts in that case. So I'm not including financial accounts in my LastPass vault for that reason. Does this reasoning sound right?
In the Lastpass preferences, there are two options that address this.
* Automatically logoff when all browsers are closed for (mins) - default is 0
* Automatically logoff when idle (mins)

While I always make a point to logoff after using Lastpass, I feel more comfortable that I won't accidentally leave it open for others to access with these two boxes checked.

I actually take the reverse opinion. I use unique memorable passwords for the social accounts, but only use Lastpass and its randomly generated passwords to access my financial accounts. And I only use Lastpass from a computer with other precautions taken. (Usually a Linux vm from my home computer.)
Last edited by Ice-9 on Sat Apr 12, 2014 10:24 am, edited 1 time in total.

Fletch
Posts: 681
Joined: Thu Jun 04, 2009 1:25 pm
Location: USA

Re: KeePass vs LastPass

Post by Fletch » Sat Apr 12, 2014 6:39 am

Mac users might have interest in 1Password. It is on sale this weekend, 50% off, in the App store. I have been using it for several months on my MacBook, iPhone and iPad. It is an excellent password (and all sorts of other information one would want to keep secure) App in my opinion; read the various reviews. I am a former LastPass and RoboForm user.

... Mountaineer
“Meaningless! Meaningless!” says the Teacher. Whoever loves money never has enough; whoever loves wealth is never satisfied with their income. This too is meaningless.

LadyGeek
Site Admin
Posts: 48630
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: KeePass vs LastPass

Post by LadyGeek » Sat Apr 12, 2014 9:05 am

You should never use the same password across multiple accounts, which is the major reason for using a password manager.

For those who want to discuss passwords in more detail (instead of KeePass vs. LastPass), use this thread: Another reason why you should never reuse passwords... (I bumped the thread here)
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

SnapShots
Posts: 915
Joined: Wed May 09, 2012 12:39 pm

Re: KeePass vs LastPass

Post by SnapShots » Sat Apr 12, 2014 12:11 pm

Kevin M wrote:Started experimenting with LastPass on Chromebook yesterday (browser plug-in only, no binary supported on CB). First two logins I tried to set up were Vanguard and Ally Bank, both requiring two screens. Followed the LastPass instructions for two-screen logins, but it did not work well or consistently. Now I'm thinking I should just save the password (second screen), not the login (first screen).

What do you LastPass users do for two-screen logins, specifically Vanguard? Maybe it works better on a Windows or Mac, but since I'm 95% on Chromebook, that doesn't help me much.

What's the best password manager for Chromebook?

I do not find the LastPass interface at all intuitive, and the online user guide is not very helpful. The annoying menu pop-up (do you want to save this site?) comes up even after I've saved the site. Thinking I should turn this off.

I downloaded Dashlane onto one of my PCs, but then saw on their website they don't support Chromebook, so that's out.

Kevin
Why are you using Chrome? I've tried that browser and have found it does not play well with many websites.
the best decision many times is the hardest to do

Kevin M
Posts: 10198
Joined: Mon Jun 29, 2009 3:24 pm

Re: KeePass vs LastPass

Post by Kevin M » Sat Apr 12, 2014 4:15 pm

SnapShots wrote: Why are you using Chrome? I've tried that browser and have found it does not play well with many websites.
Chrome is integral to Chromebook, and Chrome works fine with every website I've used. This was not the case in the past when Chrome was just getting going, but now it is a well established browser; it is the most widely used browser according to Usage share of web browsers - Wikipedia, the free encyclopedia.

The reason I specified Chromebook and not just Chrome is that LastPass on a Chromebook is different than LastPass using Chrome on a Windows PC. On the latter a binary is installed in addition to the browser plug-in (as I understand it).

Back to the thread, I'm starting to get the hang of LastPass (on Chromebook), and starting to like it. There's just a bit of a learning curve, especially in using it with two-screen logins.

Kevin
Wiki ||.......|| Suggested format for Asking Portfolio Questions (edit original post)

Average Investor
Posts: 162
Joined: Fri Jul 13, 2012 11:27 am

Re: KeePass vs LastPass

Post by Average Investor » Sat Apr 12, 2014 4:40 pm

Thanks to all who contributed this thread, it really helped to get me motivated to address my password situation.

I ended up going with 1Password for Mac after looking at some other options. It is great and currently 1/2 off at the MacAppStore ($25), http://itunes.apple.com/us/app/1passwor ... 7910?mt=12

The iOS version is also 1/2 off ($9) http://itunes.apple.com/us/app/1passwor ... 03335?mt=8
Tomorrow never knows.

oakfan52
Posts: 32
Joined: Sun Jun 02, 2013 11:55 am

Re: KeePass vs LastPass

Post by oakfan52 » Sat Apr 12, 2014 7:55 pm

I love lastpass. I think the convenience of the browser plug in outweighs my fear of the cloud storage. I now never reuse passwords and don't even have to think about it. I use 2-factor authentication with it as well. On top of that they have been keeping me up to date on what passwords I should reset due to Heartbleed. The cost is very reasonable for mobile use as well.

Blues
Posts: 1678
Joined: Wed Dec 10, 2008 11:58 am
Location: Blue Ridge Mtns

Re: KeePass vs LastPass

Post by Blues » Sat Apr 12, 2014 8:16 pm

oakfan52 wrote:I love lastpass. I think the convenience of the browser plug in outweighs my fear of the cloud storage. I now never reuse passwords and don't even have to think about it. I use 2-factor authentication with it as well. On top of that they have been keeping me up to date on what passwords I should reset due to Heartbleed. The cost is very reasonable for mobile use as well.
Do you (and any others using LastPass) mind sharing your preference for method of authentication? I wish they just had a simple SMS option...which seems as though it may be on their "to do" list.
“Tactics without strategy is the noise before defeat.” - Sun Tzu | "Everybody has a plan until they get punched in the mouth." - Mike Tyson

TimeRunner
Posts: 1418
Joined: Sat Dec 29, 2012 9:23 pm

Re: KeePass vs LastPass

Post by TimeRunner » Sat Apr 12, 2014 8:27 pm

Blues wrote:
oakfan52 wrote:I love lastpass. I think the convenience of the browser plug in outweighs my fear of the cloud storage. I now never reuse passwords and don't even have to think about it. I use 2-factor authentication with it as well. On top of that they have been keeping me up to date on what passwords I should reset due to Heartbleed. The cost is very reasonable for mobile use as well.
Do you (and any others using LastPass) mind sharing your preference for method of authentication? I wish they just had a simple SMS option...which seems as though it may be on their "to do" list.
I use the Google Authenticator option - a small app on my iPhone that generates a code every IDK 15-20 seconds maybe, that one enters at the LP authentication code prompt while logging in. It's free and can also be used for Gmail and Google apps logon too (generating a different code in parallel with the LP one for Google). Easy peasy.
"What'd ya expect in an opera, a happy ending?" -Bugs Bunny. "You gotta fight for your right to party!" -Beastie Boys

Blues
Posts: 1678
Joined: Wed Dec 10, 2008 11:58 am
Location: Blue Ridge Mtns

Re: KeePass vs LastPass

Post by Blues » Sat Apr 12, 2014 8:37 pm

Thanks, TimeRunner. I was reading about it (and some of the issues folks have had) but it didn't seem quite "intuitive" to set up.
(I have an iPhone as well.)
“Tactics without strategy is the noise before defeat.” - Sun Tzu | "Everybody has a plan until they get punched in the mouth." - Mike Tyson

Pacific
Posts: 1235
Joined: Tue Mar 06, 2007 8:19 pm
Location: Lost in the middle of the Pacific

Re: KeePass vs LastPass

Post by Pacific » Sat Apr 12, 2014 8:40 pm

Blues wrote:
oakfan52 wrote:I love lastpass. I think the convenience of the browser plug in outweighs my fear of the cloud storage. I now never reuse passwords and don't even have to think about it. I use 2-factor authentication with it as well. On top of that they have been keeping me up to date on what passwords I should reset due to Heartbleed. The cost is very reasonable for mobile use as well.
Do you (and any others using LastPass) mind sharing your preference for method of authentication? I wish they just had a simple SMS option...which seems as though it may be on their "to do" list.
What does someone who lives in an area where they cannot receive text messages do about authentication?

coolguy954
Posts: 120
Joined: Fri Mar 08, 2013 6:47 am

Re: KeePass vs LastPass

Post by coolguy954 » Sat Apr 12, 2014 10:46 pm

TimeRunner wrote:
Blues wrote:
oakfan52 wrote:I love lastpass. I think the convenience of the browser plug in outweighs my fear of the cloud storage. I now never reuse passwords and don't even have to think about it. I use 2-factor authentication with it as well. On top of that they have been keeping me up to date on what passwords I should reset due to Heartbleed. The cost is very reasonable for mobile use as well.
Do you (and any others using LastPass) mind sharing your preference for method of authentication? I wish they just had a simple SMS option...which seems as though it may be on their "to do" list.
I use the Google Authenticator option - a small app on my iPhone that generates a code every IDK 15-20 seconds maybe, that one enters at the LP authentication code prompt while logging in. It's free and can also be used for Gmail and Google apps logon too (generating a different code in parallel with the LP one for Google). Easy peasy.
I have this also... it's very easy... download the app and scan the bar code on your computer

Blues
Posts: 1678
Joined: Wed Dec 10, 2008 11:58 am
Location: Blue Ridge Mtns

Re: KeePass vs LastPass

Post by Blues » Sun Apr 13, 2014 7:08 am

Thanks. For those using Google Authenticator with LastPass, does it have to be set up on each Google account (email address) for use with LastPass...and can it be set up just to be used with LastPass or does it have to be activated for the Google (and/or other) accounts as well?

Thanks in advance.
“Tactics without strategy is the noise before defeat.” - Sun Tzu | "Everybody has a plan until they get punched in the mouth." - Mike Tyson

jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: KeePass vs LastPass

Post by jchef » Sun Apr 13, 2014 8:12 am

Blues wrote:Thanks. For those using Google Authenticator with LastPass, does it have to be set up on each Google account (email address) for use with LastPass...and can it be set up just to be used with LastPass or does it have to be activated for the Google (and/or other) accounts as well?
You can use Google Authenticator with just Lastpass if that is what you want. There is no requirement that you use it with your Google account.

I suggest you do use some form of two factor authentication with your Google accounts. And the Google Authenticator is quite handy for this. But there are other forms of two factor authentication available as well.

davebarnes
Posts: 542
Joined: Wed Jan 02, 2008 7:06 pm
Location: Berkeley, Denver, Colorado USA

I disagree

Post by davebarnes » Sun Apr 13, 2014 8:29 am

LadyGeek wrote:You should never use the same password across multiple accounts, which is the major reason for using a password manager.
I have a "standard" password that I use here and on other fora.
I really don't care how secure it is.
A nerd living in Denver

Blues
Posts: 1678
Joined: Wed Dec 10, 2008 11:58 am
Location: Blue Ridge Mtns

Re: KeePass vs LastPass

Post by Blues » Sun Apr 13, 2014 9:49 am

jchef wrote:
Blues wrote:Thanks. For those using Google Authenticator with LastPass, does it have to be set up on each Google account (email address) for use with LastPass...and can it be set up just to be used with LastPass or does it have to be activated for the Google (and/or other) accounts as well?
You can use Google Authenticator with just Lastpass if that is what you want. There is no requirement that you use it with your Google account.

I suggest you do use some form of two factor authentication with your Google accounts. And the Google Authenticator is quite handy for this. But there are other forms of two factor authentication available as well.
Thanks. I may try to experiment with it today if time permits.
“Tactics without strategy is the noise before defeat.” - Sun Tzu | "Everybody has a plan until they get punched in the mouth." - Mike Tyson

Blues
Posts: 1678
Joined: Wed Dec 10, 2008 11:58 am
Location: Blue Ridge Mtns

Re: KeePass vs LastPass

Post by Blues » Sun Apr 13, 2014 11:21 am

Thanks, guys, for the advice regarding the "authenticator". Set it up per the online instructions and all went swimmingly. :sharebeer
“Tactics without strategy is the noise before defeat.” - Sun Tzu | "Everybody has a plan until they get punched in the mouth." - Mike Tyson

magellan
Posts: 3469
Joined: Fri Mar 09, 2007 4:12 pm

Re: I disagree

Post by magellan » Sun Apr 13, 2014 11:33 am

davebarnes wrote:I have a "standard" password that I use here and on other fora. I really don't care how secure it is.
Dave,

I'm sure you don't mean any harm, but IMO this is bad manners. Even if a breach doesn't worry you, it's a big headache for admins and members on all the non breached forums and email systems where you reused login credentials.

Whenever a breach occurs, the bad guys try all the stolen login credentials on as many other sites as they can. There are actually black-market programs to automate the process. The bad guys end up with a list of newly cracked accounts that they can use themselves or sell to spammers or hackers. Every place you reused credentials will have a new miscreant to deal with, sending unauthorized PMs and bulk phishing emails through your pre-validated account.

Jim
Last edited by magellan on Mon Apr 14, 2014 11:55 am, edited 2 times in total.

jackpullo997
Posts: 165
Joined: Thu Feb 13, 2014 4:53 pm

Re: KeePass vs LastPass

Post by jackpullo997 » Mon Apr 14, 2014 6:12 am

I tried LastPass and found it to be terrible.
It didn't even work right. Totally buggy.
Was prefilling the wrong passwords.

If you have 2 accounts on the same website, forgetabout it.
This thing chokes and confuses itself, and risks locking you out of both accounts.

It also was not able to log me on from the website,
so forget about using another person's computer, ever.

How to change your existing passwords was very poorly documented, as well.

All in all, borderline junk software,
and you get what you pay for,

Not knowing your own password to critical sites is a huge risk.
I will never use a program like this again.

I changed my passwords back and deleted the program from my PC.

bertilak
Posts: 6126
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: KeePass vs LastPass

Post by bertilak » Mon Apr 14, 2014 7:32 am

I too decided to experiment with LastPass and for me it is not worth the complexity.

Much of that complexity seems to be in support of the feature that monitors what site/page you are on to recognize that there is an ID/PW pair for it to look up in its database. LastPass gets this right most of the time but it screws up enough that it can't be relied on.

Something like this needs to be nearly perfect to be worth the trouble. And trouble there is. In addition to all the above mentioned by jackpullo997:
  • Example 1: I ask LastPass to generate a random password and click on "use this password." Now I go change the password at the site. Next time I go to the site I learn that LastPass has NOT put the new password in its database. I need to go edit the entry for the site and put in the new password manually. Unfortunately I no longer know what that password is! I relied on LastPass to remember it. So I have to use the site's password recovery feature and do everything all over again.
  • Example 2: LastPass lists the same site multiple times in its database and then complains that I am reusing the password for multiple sites. It won't shut up about this! Sometimes the duplicates are listed under different names and sometimes it is the same name listed multiple times. Apparently LastPass is aware of this little problem because it gives you a way of defining equivalent domains. The two times I tried to use this feature it said it already knew about that matched pair! Yet it still complained about reuse of the password!
  • Example 3: Once you have one of those random passwords set you are hooked on using LastPass. This became obvious when I wanted to go to one of the sites from my smart phone. I screwed up the random password (1 vs l) three times and got locked out. Now I need to wait for the bank to open so they can re-activate my online access. When I make up my own passwords there is some logic behind them so I will never confuse letters for numbers, etc.
  • Example 4: LastPass has an Android app to run on the smart phone. It is a painful app to use since it works as a wrapper around your browser meaning everything has one extra layer of abstraction. You try to leave a site and LastPass pops up a dialog asking if you want to leave LastPass.
  • Example 5: The last straw. The Android app is NOT FREE even though it is advertised as free. Only the 14 day trial is free. To be fair, many smart phone apps are like that, but by the time I started messing with this I was in no mood for any BS.
All in all I found LastPass to be unreliable and painful to use.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker, the Cowboy Poet

brianH
Posts: 174
Joined: Wed Aug 12, 2009 12:21 pm

Re: KeePass vs LastPass

Post by brianH » Mon Apr 14, 2014 8:38 am

A couple tips for the one-time-passwords (Google Authenticator): there's actually an open source, free OTP generator for Android (iOS coming soon) that is far more customizable than the Google Auth one: https://play.google.com/store/apps/deta ... ed.freeotp In addition to the ability to reorder items, I sort of like not putting all my eggs in Google's basket and their closed source implementation.

For those that use KeePass but still need OTP codes for GMail or other services, there's a plugin that allows you to generate OTP codes directly from KeePass (http://keepass.info/plugins.html#keeotp). This gives me another form of backup for my codes, and is handy when I'm on the computer and I don't have my phone around to login to Gmail.

Ice-9
Posts: 1326
Joined: Wed Oct 15, 2008 12:40 pm
Location: Rockville, MD

Re: KeePass vs LastPass

Post by Ice-9 » Mon Apr 14, 2014 9:54 am

jackpullo997 wrote:I tried LastPass and found it to be terrible.
It didn't even work right. Totally buggy.
Was prefilling the wrong passwords.

If you have 2 accounts on the same website, forgetabout it.
This thing chokes and confuses itself, and risks locking you out of both accounts.

It also was not able to log me on from the website,
so forget about using another person's computer, ever.

How to change your existing passwords was very poorly documented, as well.

All in all, borderline junk software,
and you get what you pay for,

Not knowing your own password to critical sites is a huge risk.
I will never use a program like this again.

I changed my passwords back and deleted the program from my PC.
Although it took a few logins to get used to, this has not been my experience with LastPass at all. I have several websites with multiple accounts that work fine with LastPass. I also login using the website with some frequency and don't have problems. I did experience a problem logging in one day last week, but it was the same day many accounts were difficult, I think due to responses to the Heartbleed bug. Other than that day, it's been fine.

What I do experience with LastPass that isn't as expected:

* TreasuryDirect and CapitalOne 360 (formerly ING) websites have on-screen keypads for logging in, and I don't think there's a way to get LastPass to work with them. So, I access those websites the old-fashioned way.

* LastPass does react differently to different websites that it does work with, but this doesn't bother me. For example, I can click on one account that LastPass will always do the entire login process for me automatically, while I'll click on another account and I'll have to click on the asterisk in the login box to get LastPass to log me in. No biggie.

* LastPass does often try filling in my password for a challenge question, which then fails, so I then type the challenge question answer and let LastPass do the password on the next screen. Again, no biggie.

* When you do have multiple accounts at the same website and you change a password of one account, you have to be very careful because LP puts up a screen where it's easy to accidentally change the password for the other accounts too. After I messed this up on one account and fixed it, it was easy enough to avoid the same mistake when changing the password on other accounts.

Overall, it's been a big help. I don't mind that it doesn't react the same across sixty or so websites that have different login procedures. It's easy enough to figure out once you've done it a few times.

Blues
Posts: 1678
Joined: Wed Dec 10, 2008 11:58 am
Location: Blue Ridge Mtns

Re: KeePass vs LastPass

Post by Blues » Mon Apr 14, 2014 10:34 am

Ice-9, my experience with LastPass (thus far) has been very similar to your own. I have found it to be a supremely useful tool made all the better for the ease of utilizing, changing and maintaining important passwords as well as the ability to use multi-factor authentication for additional security.

The little "hiccups" due to the characteristics of individual sites have been minor at worst.
Last edited by Blues on Mon Apr 14, 2014 10:35 am, edited 1 time in total.
“Tactics without strategy is the noise before defeat.” - Sun Tzu | "Everybody has a plan until they get punched in the mouth." - Mike Tyson

jackpullo997
Posts: 165
Joined: Thu Feb 13, 2014 4:53 pm

Re: KeePass vs LastPass

Post by jackpullo997 » Mon Apr 14, 2014 10:35 am

Total headache that isn't worth the learning curve.
I have unique passwords for each financial site and my emails.
The rest can all use a junk shared password like forums.
If anyone wants to hack into BH and post as me, what do I care.
No one's ever gonna do that.

Lastpass is NOT worth the massive headache it creates.
And you open up a whole new nightmare of headache when it can't login using the crazy password it generated.

If you use this program, make sure to write down ON PAPER every single password it creates,
or you will probably be sorry one day.

BlueEars
Posts: 3634
Joined: Sat Mar 10, 2007 12:15 am
Location: West Coast

Re: KeePass vs LastPass

Post by BlueEars » Mon Apr 14, 2014 10:58 am

jackpullo997 wrote:...(snip)...
If you use this program, make sure to write down ON PAPER every single password it creates,
or you will probably be sorry one day.
One can create a CSV file that contains the (now easy to read) passwords: Tools -> Advanced Tools -> Export to -> LastPass CSV file

Ice-9
Posts: 1326
Joined: Wed Oct 15, 2008 12:40 pm
Location: Rockville, MD

Re: KeePass vs LastPass

Post by Ice-9 » Mon Apr 14, 2014 11:02 am

jackpullo997 wrote:If you use this program, make sure to write down ON PAPER every single password it creates,
or you will probably be sorry one day.
I don't write passwords on paper. But as a safeguard, I do export a CSV of my passwords from LastPass, which I save in an encrypted TrueCrypt container with other sensitive files. I'd recommend this to other LP users as well.

Edit to add: Blue Ears beat me to it.

surfstar
Posts: 1494
Joined: Fri Sep 13, 2013 12:17 pm
Location: Santa Barbara, CA

Re: KeePass vs LastPass

Post by surfstar » Mon Apr 14, 2014 11:06 am

Thank you all for the varying responses. I was set on starting to use an app like these, but think I will just update my more important passwords myself and skip the third party integration.

SnapShots
Posts: 915
Joined: Wed May 09, 2012 12:39 pm

Re: KeePass vs LastPass

Post by SnapShots » Mon Apr 14, 2014 12:50 pm

Fletch wrote:Mac users might have interest in 1Password. It is on sale this weekend, 50% off, in the App store. I have been using it for several months on my MacBook, iPhone and iPad. It is an excellent password (and all sorts of other information one would want to keep secure) App in my opinion; read the various reviews. I am a former LastPass and RoboForm user.

... Mountaineer
For the past two days, I have been playing around with 1Password and bought the Family Bundle that licenses 5 users for Macs and Windows for $49.

DH has the same user name and password on most everything and has Windows 8. :| As soon as I get up to full speed, I'll be setting him up.

DD has a Mac and, although she's a professional IT geek, I think she'll want it.

I have five+ pages of passwords and other information in Excel, plus lots of note scribbles. I gave up trying to remember or typing in long complicated passwords, resorting to copying and pasting.

After reading recommendations on this thread for 1Password and looking at reviews, 1Password is the best option for me considering I'm a Mac user and DH has Windows, in addition to using iPhones and iPads. Thanks! :beer
the best decision many times is the hardest to do

Kevin M
Posts: 10198
Joined: Mon Jun 29, 2009 3:24 pm

Re: KeePass vs LastPass

Post by Kevin M » Mon Apr 14, 2014 1:14 pm

As mentioned in my first post in this thread, I was disappointed with LastPass (LP) at first, running into some of the same issues recent posters have complained about. However, after working with it for a few hours, loading and changing passwords for many sites, I've been able to adapt to its idiosyncrasies pretty well. It does behave differently on different sites, but no big deal now that I've accepted that's the way it is. I've set up a number of two-screen logins (most work OK with a single LP vault entry), and several sites with multiple logins that seem to work fine.

I've used it to generate new passwords on a number of sites. It works perfectly on some sites--e.g., also filling the "confirm password" field with the new password--and not so well on others, so you do have to be careful with this. I always copy the new password (ctrl-c) after it's generated, just in case. Also a good idea to check to make sure it's stored the new password in your vault; I had one instance of it not doing that. I've also seen it not entering things in the correct field (e.g., new password in old password field, or vice versa), so again, just have to be careful with this.

A couple of ongoing, unresolved issues that I've reported to LP: 1) Export to CSV does not work sometimes; after entering LP password, nothing happens. My workaround is to use Print, and print or save output to a file (not CSV, but at least I get a copy of the passwords). 2) When visiting LP website, I'm informed that I'm using an old revision, 3.1.1, and to "click here" to upgrade. Clicking takes me to Chrome store, where the button is labeled "Added to Chrome", and clicking it does nothing. My Chrome extensions page indicates I have 3.1.9 installed, but LastPass "about" indicates 3.1.1 is installed.

Sticking with it so far. Will probably install the mobile version on my Nexus pad soon.

Kevin
Wiki ||.......|| Suggested format for Asking Portfolio Questions (edit original post)

jackpullo997
Posts: 165
Joined: Thu Feb 13, 2014 4:53 pm

Re: KeePass vs LastPass

Post by jackpullo997 » Mon Apr 14, 2014 1:23 pm

How do you access your websites from a PC that isn't yours?
The website redirect blatantly did not work for me, which was yet another deal breaker.

Fletch
Posts: 681
Joined: Thu Jun 04, 2009 1:25 pm
Location: USA

Re: KeePass vs LastPass

Post by Fletch » Mon Apr 14, 2014 7:47 pm

SnapShots wrote:
Fletch wrote:Mac users might have interest in 1Password. It is on sale this weekend, 50% off, in the App store. I have been using it for several months on my MacBook, iPhone and iPad. It is an excellent password (and all sorts of other information one would want to keep secure) App in my opinion; read the various reviews. I am a former LastPass and RoboForm user.
For the past two days, I have been playing around with 1Password and bought the Family Bundle that licenses 5 users for Macs and Windows for $49.

DH has the same user name and password on most everything and has Windows 8. :| As soon as I get up to full speed, I'll be setting him up.

DD has a Mac and, although she's a professional IT geek, I think she'll want it.

I have five+ pages of passwords and other information in Excel, plus lots of note scribbles. I gave up trying to remember or typing in long complicated passwords, resorting to copying and pasting.

After reading recommendations on this thread for 1Password and looking at reviews, 1Password is the best option for me considering I'm a Mac user and DH has Windows, in addition to using iPhones and iPads. Thanks! :beer
You are welcome. You might also like this ebook. It is available for iBook, Kindle and as a pdf. Just finished it. Lots of great tips.
http://blog.agilebits.com/2013/10/04/ta ... e-kissell/
“Meaningless! Meaningless!” says the Teacher. Whoever loves money never has enough; whoever loves wealth is never satisfied with their income. This too is meaningless.

Dougroseville
Posts: 121
Joined: Tue Aug 21, 2007 11:26 am

Re: KeePass vs LastPass

Post by Dougroseville » Mon Apr 14, 2014 8:54 pm

Leo Laporte posted an up-to-date 30 minute overview of Lastpass, on TWIT.tv today:

Home » Shows » TWiT Live Specials » Episode 199: An Introduction to LastPass

He covers: The first couple of minutes (about selecting a master password for LastPass) are a bit slow, but after that the overview is quite good (if you want an overview of how LastPass really works).

Password managers become more important as your number of devices and number of accounts increase.

BlueEars
Posts: 3634
Joined: Sat Mar 10, 2007 12:15 am
Location: West Coast

Re: KeePass vs LastPass

Post by BlueEars » Wed Apr 16, 2014 11:01 am

When I ran the LastPass security check and read the report carefully, I found one nasty hole in my security. So I'd highly recommend doing this.

In setting up my Netgear router it has the default password (for the web login) as "password". I thought I had lost my assigned password and so could not change it. LastPass showed it as zero security and also allowed me to see the default "password" assignment.

Ice-9
Posts: 1326
Joined: Wed Oct 15, 2008 12:40 pm
Location: Rockville, MD

Re: KeePass vs LastPass

Post by Ice-9 » Wed Apr 16, 2014 11:07 am

Blue Ears: My router password was ugly before using Last Pass as well. I have a feeling that's a nasty hole in a lot of people's security!

magellan
Posts: 3469
Joined: Fri Mar 09, 2007 4:12 pm

Re: KeePass vs LastPass

Post by magellan » Wed Apr 16, 2014 11:24 am

Ice-9 wrote:Blue Ears: My router password was ugly before using Last Pass as well. I have a feeling that's a nasty hole in a lot of people's security!
It's good to fix this of course, but as long as we're talking about the router login and not the wifi password, it's probably not as bad as it sounds.

Most routers ship with remote management disabled and ignore any login attempts coming in from the WAN or Internet port. So an attacker would have to attempt the router login from inside your house or through your wifi to successfully login. That's still a security risk, but it's not as bad as having your router wide open to the world.

Even with a robust password configured, be sure not to accidentally check the 'allow remote management' or 'allow management over wan port' option as this makes your router much more vulnerable to attack.

Jim

SnapShots
Posts: 915
Joined: Wed May 09, 2012 12:39 pm

Re: KeePass vs LastPass

Post by SnapShots » Wed Apr 16, 2014 3:52 pm

Fletch wrote:
SnapShots wrote:
Fletch wrote:Mac users might have interest in 1Password. It is on sale this weekend, 50% off, in the App store. I have been using it for several months on my MacBook, iPhone and iPad. It is an excellent password (and all sorts of other information one would want to keep secure) App in my opinion; read the various reviews. I am a former LastPass and RoboForm user.
For the past two days, I have been playing around with 1Password and bought the Family Bundle that licenses 5 users for Macs and Windows for $49.

DH has the same user name and password on most everything and has Windows 8. :| As soon as I get up to full speed, I'll be setting him up.

DD has a Mac and, although she's a professional IT geek, I think she'll want it.

I have five+ pages of passwords and other information in Excel, plus lots of note scribbles. I gave up trying to remember or typing in long complicated passwords, resorting to copying and pasting.

After reading recommendations on this thread for 1Password and looking at reviews, 1Password is the best option for me considering I'm a Mac user and DH has Windows, in addition to using iPhones and iPads. Thanks! :beer
You are welcome. You might also like this ebook. It is available for iBook, Kindle and as a pdf. Just finished it. Lots of great tips.
Thanks!!! for the link and tip. Just bought the eBook.
the best decision many times is the hardest to do

Pacific
Posts: 1235
Joined: Tue Mar 06, 2007 8:19 pm
Location: Lost in the middle of the Pacific

Re: KeePass vs LastPass

Post by Pacific » Sat Apr 19, 2014 5:31 am

I now understand that keepass generates its own random passwords. However, does keepass know what the particular site requires in its passwords? For example, a site may limit passwords to 8 characters, or may require smallcase, caps, and numbers, but no other characters and no spaces. Does keepass know this when it generates the password? If not, how do you (I) comply with the web site's requirements?

Also, what if someone (hmmm, I wonder who???) already has the same username on many web sites? Can keepass generate random usernames or must I change my username on the sites? How easy is it to change usernames? How can I change my username on Vanguard?

Thanks.

bertilak
Posts: 6126
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: KeePass vs LastPass

Post by bertilak » Sat Apr 19, 2014 5:58 am

Pacific wrote:I now understand that keepass generates its own random passwords. However, does keepass know what the particular site requires in its passwords? For example, a site may limit passwords to 8 characters, or may require smallcase, caps, and numbers, but no other characters and no spaces. Does keepass know this when it generates the password? If not, how do you (I) comply with the web site's requirements?

Also, what if someone (hmmm, I wonder who???) already has the same username on many web sites? Can keepass generate random usernames or must I change my username on the sites? How easy is it to change usernames? How can I change my username on Vanguard?

Thanks.
Keepass knows nothing about the sites involved. I also use it for things that are not on the internet nor accessed via a browser. Keepass doesn't know the difference. It does have a field for recording a URL and will open your default browser with that URL.

You use it with copy-and-paste. Often, I simply use it as a reminder and type IDs and passwords by hand. (NOTE: copy/paste should be used if you are worried about key loggers. See Keepass help for discussion.)

You comply with a site's password requirements in the same way you would if you never heard of Keepass. You can completely ignore any passwords it generates -- I always do.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker, the Cowboy Poet
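
Added example, not part of any post in this thread and not KeePass's own generator: one way to produce a random password that still satisfies a site's stated rules (length limit, required character classes, no symbols) and to measure how much entropy those rules leave. The `SitePolicy` structure, the `LOOKALIKES` set and both sample policies are assumptions constructed for illustration.

```python
import math
import secrets
import string
from dataclasses import dataclass
from itertools import combinations

# Glyphs that are easy to mistype on a phone, such as the "1 vs l" mix-up
# described earlier in the thread. Constructed list, adjust to taste.
LOOKALIKES = set("0O1lI|")

@dataclass(frozen=True)
class SitePolicy:
    """One site's password rules. Hypothetical structure, constructed here."""
    min_len: int
    max_len: int
    required: tuple = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    optional: tuple = ()              # allowed but not required, e.g. symbols
    exclude_lookalikes: bool = False

    def _clean(self, chars):
        drop = LOOKALIKES if self.exclude_lookalikes else set()
        return "".join(c for c in chars if c not in drop)

    def required_classes(self):
        return [self._clean(c) for c in self.required]

    def alphabet(self):
        merged = "".join(self.required) + "".join(self.optional)
        return self._clean("".join(dict.fromkeys(merged)))  # de-duplicate, keep order

def generate(policy, length=None):
    """Return a uniformly random password that satisfies the policy."""
    length = policy.max_len if length is None else length
    required = policy.required_classes()
    if not policy.min_len <= length <= policy.max_len:
        raise ValueError("length is outside the site's limits")
    if length < len(required) or not all(required):
        raise ValueError("policy cannot be satisfied")
    alphabet = policy.alphabet()
    # Rejection sampling: draw every character from the full alphabet with a
    # CSPRNG and retry until each required class appears. Unlike "force one
    # character per class, then fill", all compliant passwords stay equally likely.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in required):
            return candidate

def entropy_bits(policy, length):
    """log2 of the number of compliant passwords, by inclusion-exclusion."""
    alphabet = set(policy.alphabet())
    required = [set(c) for c in policy.required_classes()]
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            banned = set().union(*missing)   # classes assumed absent
            total += (-1) ** k * len(alphabet - banned) ** length
    return math.log2(total)

# Constructed sample policies. STRICT_SITE mirrors the question above: exactly
# 8 characters, lowercase, capitals and digits, no symbols and no spaces.
STRICT_SITE = SitePolicy(min_len=8, max_len=8)
PHONE_FRIENDLY = SitePolicy(12, 20, optional=("!#$%-_",), exclude_lookalikes=True)
```

For the 8-character site, `entropy_bits(STRICT_SITE, 8)` comes out a little above 47 bits, which shows that a tight length cap costs far more strength than the character-class requirements do.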
