Wilders Security Forums  

  #1  
Old October 1st, 2012, 06:48 AM
erim erim is offline
Infrequent Poster
 
Join Date: Aug 2006
Posts: 21
Lightbulb Browsers' password managers vs KeePass? (when auto-entering passwords)

I've been using Firefox's and Opera's password managers, but I don't know how secure they are against keyloggers when inputting the username+password.

I'm not talking about entering the master password. That one is obviously more secure in KeePass, so let's not even waste time with that.
I want to know about the security when entering specific usernames+passwords on websites.

KeePass describes this in detail (for the two channel auto type feature).

But I don't have a lot of information about how browsers enter passwords.
What happens when you click on the "wand" key in Opera, for example? Something like clipboard copy+paste, perhaps?
There was a thread at Opera, but the developers/moderators didn't answer this specific question.
  #2  
Old October 11th, 2012, 09:14 AM
Snowden Snowden is offline
Regular Poster
 
Join Date: May 2012
Posts: 68
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

I can't comment on how secure it is but I've never used a browser plugin w/ keepass.

I open it when needed, copy/paste and immediately lock the workspace. I don't even have it where it'll paste it automatically.

I don't know if it's safer that way or not but it's just my personal practice.
  #3  
Old October 11th, 2012, 09:25 AM
AMIGA500 AMIGA500 is offline
Very Frequent Poster
 
Join Date: May 2012
Location: United Kingdom.
Posts: 2,657
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

I use LastPass for ease of use. Although I would think KeePass is more secure because it is resident on the computer rather than using a server, which LastPass does.
__________________
Avira Free av|Comodo Firewall 5.12|MBAM Free.|Sandboxie.|Firefox Browser.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
  #4  
Old October 11th, 2012, 10:35 AM
Snowden Snowden is offline
Regular Poster
 
Join Date: May 2012
Posts: 68
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

Quote:
Originally Posted by Beethoven1770
I use LastPass for ease of use. Although I would think KeePass is more secure because it is resident on the computer rather than using a server, which LastPass does.

Never used LastPass...

One of the features about KeePass I like the most is being able to use a keyfile.

I keep a USB drive on my keychain and my KeePass db in the cloud. Comes in handy.
  #5  
Old October 11th, 2012, 11:23 AM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

Comparing the Security and Privacy of Browser Syncing

http://gregoryszorc.com/blog/2012/04...owser-syncing/

It's a bit biased towards Firefox - I think both Firefox and LastPass are great.
  #6  
Old October 11th, 2012, 04:51 PM
Carver Carver is offline
Very Frequent Poster
 
Join Date: Feb 2006
Location: USA
Posts: 1,421
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

I have Chrome Version 22.0.1229.94. I reported an issue between Chrome and an online bank account: in settings, the check box is marked for Chrome to ask if I want Chrome to remember a password. Chrome doesn't remember. I also mentioned Chrome does not have password protection on the password manager, but Opera does.
  #7  
Old October 11th, 2012, 09:03 PM
moontan moontan is online now
Massive Poster
 
Join Date: Sep 2010
Location: Québec
Posts: 3,122
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

I'm too paranoid to store my passwords in the cloud.

And I don't trust my browser to handle those either.

For me, I'd rather use something like KeePass or store my passwords in an encrypted text file.
__________________
| NoScript || Image for Linux + BootIt Bare Metal |
  #8  
Old October 12th, 2012, 01:16 AM
ComputerSaysNo ComputerSaysNo is offline
Very Frequent Poster
 
Join Date: Aug 2012
Posts: 1,086
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

I wouldn't trust a browser to keep my passwords, way too many things can go wrong.
  #9  
Old October 12th, 2012, 12:50 PM
tlu tlu is offline
Very Frequent Poster
 
Join Date: Sep 2004
Posts: 2,066
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

Quote:
Originally Posted by moontan
I'm too paranoid to store my passwords in the cloud.

moon, I've been there, too. However, I've changed my mind after looking more closely into LastPass. I've summarized my opinion in the NoScript forum here and here.
  #10  
Old October 12th, 2012, 08:05 PM
LockBox LockBox is offline
Very Frequent Poster
 
Join Date: Nov 2004
Posts: 2,081
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

I was very skeptical of LastPass for quite some time. They continued to release security bulletins geared to the security community that were extremely impressive. At this point, I have fewer and fewer reasons not to feel at ease with LastPass. They've done a splendid job at separating risk factors which makes an attack on any individual user (or groups of users) almost so negligible that a legitimate attack is barely theoretical on paper. I think LastPass might be one of the most impressive SaaS applications ever developed - for security use or otherwise.

LastPass has a short but very solid overview of their technology deep in their website here. They also have an abbreviated user manual that is used by most, but there is also this "complete" manual that goes into great detail.

edited to add full manual link.

Last edited by LockBox : October 12th, 2012 at 08:12 PM.
  #11  
Old October 15th, 2012, 07:09 PM
arsenaloyal arsenaloyal is offline
Frequent Poster
 
Join Date: Nov 2009
Posts: 446
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

I use LastPass, it's excellent, and if you want to use it on other devices than a PC then $1 a month.
__________________
Desktop - Windows 8 Pro x64 - Real-Time : Outpost Security Suite Pro | Appguard | AdMuncher Premium
Laptop - Windows 8 Enterprise x64 - Real-Time : Outpost Firewall Pro | Exe Radar Pro | Sandboxie | AdMuncher Premium
  #12  
Old October 15th, 2012, 07:24 PM
AMIGA500 AMIGA500 is offline
Very Frequent Poster
 
Join Date: May 2012
Location: United Kingdom.
Posts: 2,657
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

Yes, LastPass is just too damn convenient to be without. I browse to a site that requires a password and I'm in within seconds and no typing or anything, it's marvellous.

Although I don't understand this paranoia concerning using it.
It depends what you have on your computer and what the passwords are for.
Obviously if financial data is involved then yes it would be a worry, but I never have confidential data on my computer anyway.
__________________
Avira Free av|Comodo Firewall 5.12|MBAM Free.|Sandboxie.|Firefox Browser.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
  #13  
Old October 15th, 2012, 09:12 PM
luciddream luciddream is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: US
Posts: 1,655
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

I tried a PWM once. But it's pointless. I have a good memory, have no trouble with that, and can type fast. So I don't have to trust any product with my passwords.

Even if I had a shiite memory, I don't think I'd do that. Pen & paper, tucked inside a random book on the shelf. And you just remember that book, and 1 number (the page number).
__________________
XP Pro SP3: Comodo FW/D+ 5.10 | Sandboxie 3.76 | VT Hash Check 1.01 | OpenVPN 2.2.1 | VirtualBox
  #14  
Old October 29th, 2012, 10:32 PM
HAN HAN is offline
Very Frequent Poster
 
Join Date: Feb 2005
Location: USA
Posts: 1,719
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

Browsers are hammered at all the time. Even if they are safe today, you can't be sure they would be that way tomorrow. I feel better using something solely designed for the encryption and storage of passwords. I used KeePass for a long time and then switched to LastPass. I like both and can recommend either of them heartily.
  #15  
Old October 30th, 2012, 10:16 AM
PaulyDefran PaulyDefran is offline
Frequent Poster
 
Join Date: Dec 2011
Posts: 693
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

Combine them:

Portable browser run out of a TrueCrypt container. Container has a 64 character password, split into: 32 in memory, 32 on a Yubikey...and a Key File. KeePass Portable is also in the container, opened with a Key File and the memory/Yubikey combo. LastPass "Master" is a 256-bit "monster" only known to KeePass. No, I don't *need* to do it this way, but I can, and it's fun!

PD
  #16  
Old February 2nd, 2013, 01:17 PM
erim erim is offline
Infrequent Poster
 
Join Date: Aug 2006
Posts: 21
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

Update:
I did a test with two keylogger simulators. Here are the findings:

1. they detect entering the master password in Firefox and Opera
2. they don't detect the saved usernames+passwords in Firefox and Opera when they're automatically entered by the browser
3. they don't detect entering the master password in KeePass (using Secure Desktop)
4. one of them detected a good part of the username+pass entered by KeePass (using Two-Channel Auto-Type Obfuscation)

Bottom line, to beat keyloggers: the best solution would be to have the master password protection of KeePass (Secure Desktop) and the saved password protection from browsers.
You can add your vote for the secure desktop feature in Firefox and Opera.

Of course, this is just one specific scenario. Maybe different keyloggers or whatever malware could also detect the browser entering the password or the secure desktop password.
  #17  
Old February 2nd, 2013, 01:23 PM
happyyarou666 happyyarou666 is offline
Frequent Poster
 
Join Date: Jan 2012
Posts: 675
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

If it's keyloggers and the like you're worried about, go and get Zemana AL antilogger, then retry your tests, and never use a tampered PC no matter what.
  #18  
Old February 2nd, 2013, 01:51 PM
Amit Amit is offline
Massive Poster
 
Join Date: May 2011
Location: Parallel Universe
Posts: 4,631
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

I use LastPass.
__________________
✓The first principle is that you must not fool yourself, and you are the easiest person to fool.
✓Science is the belief in the ignorance of experts.
✓I don't know anything, but I do know that everything is interesting if you go into it deeply enough.


-------Richard P. Feynman---------
  #19  
Old February 2nd, 2013, 02:31 PM
happyyarou666 happyyarou666 is offline
Frequent Poster
 
Join Date: Jan 2012
Posts: 675
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

I sure as hell wouldn't, and I sure as hell wouldn't trust any cloud-based or any online-based service, for that matter, with storing my passwords, period.
  #20  
Old February 2nd, 2013, 07:45 PM
Carver Carver is offline
Very Frequent Poster
 
Join Date: Feb 2006
Location: USA
Posts: 1,421
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

I use KeePass, it is password protected with a 30 char password protected in a file encrypted with AxCrypt. I am not about to put my credit card info in somebody else's database and then the server gets hacked.
  #21  
Old February 3rd, 2013, 04:05 AM
happyyarou666 happyyarou666 is offline
Frequent Poster
 
Join Date: Jan 2012
Posts: 675
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

This, thank you for stating the obvious, that some people might not have realised; tbh I didn't think I'd have to elaborate on this as it's a real no-brainer.
  #22  
Old February 3rd, 2013, 05:14 AM
erim erim is offline
Infrequent Poster
 
Join Date: Aug 2006
Posts: 21
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

Yeah, guys, I don't want to complain too much, but most of the posts here are off-topic.
If you want to make general recommendations or tell your "cool stories" please post in another thread.

Here, I just want to discuss the functioning of password managers against keyloggers. A technical discussion more than anything else.
  #23  
Old February 3rd, 2013, 05:30 AM
happyyarou666 happyyarou666 is offline
Frequent Poster
 
Join Date: Jan 2012
Posts: 675
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

As said, Zemana AL and retry; not much to explain, I've already explained the most in my first post anyhow, but please continue.
  #24  
Old February 3rd, 2013, 06:54 AM
TOMxEU TOMxEU is offline
Very Frequent Poster
 
Join Date: Oct 2005
Location: Slovakia
Posts: 1,535
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

LastPass database has been hacked at least 3 times and accounts stolen. Storing passwords in the browser, which is the most vulnerable application, is very brave indeed.
__________________
Real-Time: Nothing | On-Demand: Nothing [ Lenovo E525 | Yandex | CCleaner | KC SUMo | WiseCare 365 ] ( BlackViper / DEP / OpenDNS / UAC / WiFiRouter )
  #25  
Old February 3rd, 2013, 11:24 AM
HAN HAN is offline
Very Frequent Poster
 
Join Date: Feb 2005
Location: USA
Posts: 1,719
Default Re: Browsers' password managers vs KeePass? (when auto-entering passwords)

Quote:
Originally Posted by TOMxEU
LastPass database has been hacked at least 3 times and accounts stolen. Storing passwords in the browser, which is the most vulnerable application, is very brave indeed.

3 times?? Can you give some links to this? The only time I remember talk about an intrusion was a year or so ago and they never verified any information was stolen.
 

All times are GMT -4.