Wilders Security Forums  

  #1  
Old June 21st, 2012, 10:03 PM
Montmorency Montmorency is offline
Regular Poster
 
Join Date: Oct 2011
Posts: 184
Default KeePass or LasPass?

Hello.

I've been using LastPass for the last 18 months and was happy with it.
The last update, though (both to the program and the site) is putting me off a bit.
I've installed KeeFox/KeePass and so far I'm having basically the same (positive) user experience; so I'm considering a change.

Could some of you share your views?

Thanks.
  #2  
Old June 21st, 2012, 11:09 PM
java dude java dude is offline
Regular Poster
 
Join Date: Aug 2011
Posts: 62
Default Re: KeePass or LasPass?

Personally, I love KeePass. I switched from LastPass about a year ago and couldn't be happier. It just feels a lot more secure having my passwords stored locally versus in the cloud, and that, as I've learned, is 1000000x better than a bit of convenience. As a note, I don't use KeeFox for integration.

Yes, it's more hassle if you use multiple PCs (keeping the databases in sync), but I suppose that could easily be accomplished with SpiderOak or a similar cloud storage + sync service if you're into that.

Then again, this is coming from someone who was burned by the cloud once and has taken a great effort to try and prevent it from happening again.
  #3  
Old June 21st, 2012, 11:18 PM
guest
 
Posts: n/a
Default Re: KeePass or LasPass?

LastPass is better and more convenient. People saying that LastPass is somewhat less safe because it's "cloud based" don't have a clue what they are saying and how LastPass actually works.
  #4  
Old June 21st, 2012, 11:29 PM
DBone DBone is offline
Frequent Poster
 
Join Date: Nov 2010
Location: SoCal USA
Posts: 803
Default Re: KeePass or LasPass?

LastPass here too. Not even close.
__________________
~ Windows 7 Home Premium x64 ~ Clean Install ~ Router NAT Firewall ~ Windows 7 Firewall ~ EXE Radar Pro ~ MBAM ~ Chrome ~ Ghostery ~ Windows 7 System Image ~ DBone's Common Sense ~ Lady Luck ~
  #5  
Old June 21st, 2012, 11:58 PM
Page42 Page42 is offline
Massive Poster
 
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Default Re: KeePass or LasPass?

KeePass is what I use, and I couldn't be happier.
I too like that KeePass stores passwords locally.
Despite what some posters say about not having a clue, I'm not too keen about having my passwords stored in the cloud.
As a browser extension, I am aware that LastPass has been exploited.
I can't compare ease of operation, because I have not used LastPass, but I can say for sure that KeePass is terrific to use, easy to enter and edit data, and I like that it is open source.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
  #6  
Old June 22nd, 2012, 12:03 AM
guest
 
Posts: n/a
Default Re: KeePass or LasPass?

Tell us more about how exactly it was "exploited".

Because what actually happened was this: http://blog.lastpass.com/2011/02/cro...erability.html
  #7  
Old June 22nd, 2012, 12:14 AM
Page42 Page42 is offline
Massive Poster
 
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Default Re: KeePass or LasPass?

Quote:
The researchers were also able to steal data from LastPass, a password management system, by taking over a different extension and using it to open new tabs. This allowed them to see the password information that LastPass inserted. Though LastPass changed its system so that user information is no longer automatically entered, this still wouldn't protect a user from a hacker who got in through a malicious extension, the researchers say. A hacker would just have to wait until the user opened a new tab.
Cracking Open Chrome OS
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
  #8  
Old June 22nd, 2012, 12:23 AM
guest
 
Posts: n/a
Default Re: KeePass or LasPass?

So that's not a vulnerability in LastPass' extension. From the quote, researchers installed a different malicious extension to do the work.
  #9  
Old June 22nd, 2012, 01:20 AM
Page42 Page42 is offline
Massive Poster
 
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Default Re: KeePass or LasPass?

Data was stolen from LastPass. End of story as far as I'm concerned. You can try to reword it any way you like.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
  #10  
Old June 22nd, 2012, 01:22 AM
guest
 
Posts: n/a
Default Re: KeePass or LasPass?

Any data "readable" in any webpage or program or whatever can be stolen when the PC is already compromised.

It's like X taking screenshots from the LastPass page that Y left open, and Z calling it "data stolen from LastPass". rofl
  #11  
Old June 22nd, 2012, 01:26 AM
guest
 
Posts: n/a
Default Re: KeePass or LasPass?

If you leave your KeePass key files open and one takes screenshots of their data, would you call it "data stolen from KeePass" or "KeePass was compromised"? It's ridiculous, lol
  #12  
Old June 22nd, 2012, 02:17 AM
Scoobs72 Scoobs72 is offline
Very Frequent Poster
 
Join Date: Jul 2007
Location: Sofa (left side)
Posts: 1,085
Default Re: KeePass or LasPass?

Keepass for my banking passwords, Lastpass for general website passwords. I simply don't trust Lastpass enough for them to have any information, encrypted, salted, hashed or whatever. You can never know for certain that Lastpass actually do what they claim to do 100% of the time and that there aren't any weaknesses in their implementation.
  #13  
Old June 22nd, 2012, 02:29 AM
STONEMAN STONEMAN is offline
Regular Poster
 
Join Date: Jan 2009
Location: London,South Of The River
Posts: 91
Default Re: KeePass or LasPass?

KeePass for me, prefer having my passwords stored locally.
I don't really trust having my passwords in the cloud, just my opinion though.
__________________
Windows 7 64bit
Appguard---Sandboxie
Shadowdefender---Looknstop Firewall
  #14  
Old June 22nd, 2012, 02:36 AM
guest
 
Posts: n/a
Default Re: KeePass or LasPass?

Quote:
Originally Posted by Scoobs72
Keepass for my banking passwords, Lastpass for general website passwords. I simply don't trust Lastpass enough for them to have any information, encrypted, salted, hashed or whatever. You can never know for certain that Lastpass actually do what they claim to do 100% of the time and that there aren't any weaknesses in their implementation.

Did you verify KeePass' implementation? LastPass' implementation was already verified by multiple security researchers and crackers, as it is a very popular service.

Quote:
Originally Posted by STONEMAN
KeePass for me, prefer having my passwords stored locally.
I don't really trust having my passwords in the cloud, just my opinion though.


Oh my, your passwords don't get directly stored in the LastPass' cloud, what gets stored there are encrypted data and a login hash (useless to decrypt).

See:
http://lastpass.com/whylastpass_technology.php
http://helpdesk.lastpass.com/introdu...rypted+locally
http://helpdesk.lastpass.com/securit...ations-pbkdf2/
  #15  
Old June 22nd, 2012, 02:39 AM
Page42 Page42 is offline
Massive Poster
 
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Default Re: KeePass or LasPass?

Quote:
Originally Posted by Montmorency
The last update, though (both to the program and the site) is putting me off a bit.
Maybe you could elaborate a bit on this?
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
  #16  
Old June 22nd, 2012, 03:13 AM
STONEMAN STONEMAN is offline
Regular Poster
 
Join Date: Jan 2009
Location: London,South Of The River
Posts: 91
Default Re: KeePass or LasPass?

Quote:
Originally Posted by guest
Did you verify KeePass' implementation? LastPass' implementation was already verified by multiple security researchers and crackers, as it is a very popular service.



Oh my, your passwords don't get directly stored in the LastPass' cloud, what gets stored there are encrypted data and a login hash (useless to decrypt).

See:
http://lastpass.com/whylastpass_technology.php
http://helpdesk.lastpass.com/introdu...rypted+locally
http://helpdesk.lastpass.com/securit...ations-pbkdf2/
Thanks for the links, interesting insight, but will stick with KeePass for now as it works fine for my needs.
__________________
Windows 7 64bit
Appguard---Sandboxie
Shadowdefender---Looknstop Firewall
  #17  
Old June 22nd, 2012, 03:56 AM
Scoobs72 Scoobs72 is offline
Very Frequent Poster
 
Join Date: Jul 2007
Location: Sofa (left side)
Posts: 1,085
Default Re: KeePass or LasPass?

Quote:
Originally Posted by guest
Did you verify KeePass' implementation? LastPass' implementation was already verified by multiple security researchers and crackers, as it is a very popular service.

With respect, you're not seeing the bigger picture here. Security is not just about encryption algorithms, it's a process that starts with employee recruitment screening and extends through to building and LAN security, code audits, quality standards and numerous other things.

Lastpass is not going to be broken via the encryption algorithms or hashes it is using, it'll be broken by somebody, perhaps a rogue employee, injecting malicious code into an update of the client software, bypassing existing code audits. Or maybe a man-in-the-middle attack on new enrollments into the service. Or maybe etc etc

Show me Lastpass' annual security audit certificates, certificates of compliance to FIPS standards, and a detailed security analysis of their client update process and then my confidence in them will be improved. Although I still wouldn't trust the service with my banking passwords.
  #18  
Old June 22nd, 2012, 05:06 AM
guest
 
Posts: n/a
Default Re: KeePass or LasPass?

That's a possibility I've read about. You have to be very paranoid to worry about it, as any software that gets updates is probably "vulnerable" to it. It's a very remote possibility and KeePass is just as vulnerable to it as LastPass - a malicious update to KeePass, which is open source, could pass hidden in some code improvement that doesn't get enough review by their unpaid programmers. Or unpaid KeePass' leader programmer(s) could turn to the dark side and do the same thing.

Also, LastPass addons don't auto-update from what I know - which gives you time to review any update.

BTW I'm immune to this remote possibility. I don't use the LastPass addons, I use the javascript bookmarklets which never get updated.

Quote:
Originally Posted by Scoobs72
With respect, you're not seeing the bigger picture here. Security is not just about encryption algorithms, it's a process that starts with employee recruitment screening and extends through to building and LAN security, code audits, quality standards and numerous other things.

Lastpass is not going to be broken via the encryption algorithms or hashes it is using, it'll be broken by somebody, perhaps a rogue employee, injecting malicious code into an update of the client software, bypassing existing code audits. Or maybe a man-in-the-middle attack on new enrollments into the service. Or maybe etc etc

Show me Lastpass' annual security audit certificates, certificates of compliance to FIPS standards, and a detailed security analysis of their client update process and then my confidence in them will be improved. Although I still wouldn't trust the service with my banking passwords.

Last edited by SirPeterPan : June 22nd, 2012 at 05:14 AM.
  #19  
Old June 22nd, 2012, 05:49 AM
Montmorency Montmorency is offline
Regular Poster
 
Join Date: Oct 2011
Posts: 184
Default Re: KeePass or LasPass?

Quote:
Originally Posted by Page42
Maybe you could elaborate a bit on this?

They redesigned the site (not the main page but the user's vault) and the result is buggy: there are new-look pages and old-look ones; some icons don't show the description when the pointer hovers over them; at least one link won't work... these little things make me nervous coming from a security-related company.
Also you have lots of complaints in their forums about the program upgrade.
Both upgrades were done simultaneously and both look hastily released.

Last edited by Montmorency : June 22nd, 2012 at 07:51 AM.
  #20  
Old June 22nd, 2012, 06:08 AM
Nebulus Nebulus is offline
Frequent Poster
 
Join Date: Jan 2007
Posts: 845
Default Re: KeePass or LasPass?

I'm a happy KeePass user (without Firefox integration). Main idea here is that I trust my computer more than I trust the cloud. So, while I can say that KeePass is working very well, I can't really give you advice on LastPass, because I didn't use it.
  #21  
Old June 22nd, 2012, 07:53 AM
Scoobs72 Scoobs72 is offline
Very Frequent Poster
 
Join Date: Jul 2007
Location: Sofa (left side)
Posts: 1,085
Default Re: KeePass or LasPass?

Quote:
Originally Posted by guest
It's a very remote possibility and KeePass is just as vulnerable to it as LastPass - a malicious update to KeePass, which is open source, could pass hidden in some code improvement that doesn't get enough review by their unpaid programmers.

The fact that Keepass is opensource versus lastpass being closed source is a big difference. The auto-update of the lastpass client/plugin is also a big difference.

Personally, I'll stick with Keepass for my sensitive passwords. It's open source, it doesn't auto-update, I can control exactly what it does (e.g. Keepass doesn't have outbound firewall permission) and I don't have to update it unless I want to. Lastpass I really like and use all the time, but would I trust it with my banking passwords? No way.
  #22  
Old June 22nd, 2012, 08:04 AM
guest
 
Posts: n/a
Default Re: KeePass or LasPass?

Quote:
Originally Posted by Scoobs72
The fact that Keepass is opensource versus lastpass being closed source is a big difference.
Not necessarily relevant as you can't realistically estimate how many and how qualified and how motivated are those who review KeePass' source code (my bet is that the numbers are incredibly low - KeePass has fewer users than LastPass and RoboForm, for example) and have their suggestions actually approved by the dev leaders.

The source code of LastPass' plugins is reviewed by several teams of paid programmers and reverse engineered by several security experts and crackers around the world because of the popularity of LastPass.

Quote:
Originally Posted by Scoobs72
The auto-update of the lastpass client/plugin is also a big difference.

LastPass' plugins don't auto-update. I confirmed this searching in their official forum.

Quote:
Originally Posted by Scoobs72
Personally, I'll stick with Keepass for my sensitive passwords. It's open source, it doesn't auto-update, I can control exactly what it does (e.g. Keepass doesn't have outbound firewall permission) and I don't have to update it unless I want to. Lastpass I really like and use all the time, but would I trust it with my banking passwords? No way.

You're free to do whatever you want including spreading nonsense about LastPass and lies about "advantages" of KeePass.

Last edited by SirPeterPan : June 22nd, 2012 at 08:14 AM.
  #23  
Old June 22nd, 2012, 09:48 AM
chrisretusn chrisretusn is offline
Very Frequent Poster
 
Join Date: Jun 2004
Location: Philippines
Posts: 1,032
Default Re: KeePass or LasPass?

I like KeePass, I've never tried LastPass. Perhaps someday I will. Right now KeePass serves my needs.
__________________
FreeDOS, Haiku, PCLinuxOS, Slackware, Snow Leopard, Ubuntu, Ultimate Edition, Windows 7, Windows XP. (Primary OS, KDE)

Living in Paradise!!
  #24  
Old June 22nd, 2012, 09:50 AM
xxJackxx xxJackxx is offline
Very Frequent Poster
 
Join Date: Oct 2008
Location: USA
Posts: 2,557
Default Re: KeePass or LasPass?

I've used both and have switched to LastPass. It is the more polished and convenient product. As far as security, your passwords are only as secure as the site they belong to. With all of the password theft from some major sites recently I do not expect LastPass to be the place they will be stolen from. Companies like Sony, LinkedIn, etc. are much easier to get into. The greatest danger is in reusing passwords.
  #25  
Old June 22nd, 2012, 10:22 AM
Nebulus Nebulus is offline
Frequent Poster
 
Join Date: Jan 2007
Posts: 845
Default Re: KeePass or LasPass?

Quote:
Originally Posted by guest
Not necessarily relevant as you can't realistically estimate how many and how qualified and how motivated are those who review KeePass' source code (my bet is that the numbers are incredibly low - KeePass has fewer users than LastPass and RoboForm, for example) and have their suggestions actually approved by the dev leaders.
For a security product, being open source is very relevant to me. I'm not saying that closed source products are necessarily bad, but I tend to have more trust in a product which has open source code that I can inspect with my own eyes (not to mention other users).

Quote:
Originally Posted by guest
The source code of LastPass' plugins is reviewed by several teams of paid programmers and reverse engineered by several security experts and crackers around the world because of the popularity of LastPass.
Is there any public information about the "security experts and crackers" that reverse engineered LastPass? (a link or something to this kind of info would be greatly appreciated, thanks)
 


All times are GMT -4. The time now is 10:58 AM.

