KeePass or LastPass?

Discussion in 'other software & services' started by Montmorency, Jun 21, 2012.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    Sure, possibility to view the source is an advantage if one happens to have the ability and time and motivation to carefully inspect the code. And the possibility to improve it as well (have patches approved).

    However, LastPass' addons are under heavy scrutiny by possible attackers and are reviewed by paid programmers employed by LastPass who have access to the source code. And you can independently verify a lot of what happens when one uses LastPass - as stated here.

    I'm making an educated guess. The service is very popular and thanks to this it probably is under heavy scrutiny from interested parties - unlike KeePass.
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I haven't used KeePass, but I have used LastPass for a number of years. A strong feature of LastPass is dual authentication. I currently use Google Authenticator on my phone to login to LastPass. With dual authentication even if the LastPass master password is stolen the account cannot be accessed. Interesting point that specific site passwords may in fact be more vulnerable in the site databases than they are in LastPass. Again, dual factor authentication is a solution for this. My bank combines standard password entry with a unique SMS text code for each session.


    Yes! Another reason I started using LastPass was to take advantage of its password generator. With LastPass it's possible to use a unique password for every site. They can also be long strings of gibberish that can't be (easily) remembered or typed.
     
  3. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I've been using LastPass for a few years now. It makes it easy to manage passwords across multiple computers and I can also access it from someone else's computer if necessary. I feel this is sufficiently safe using Google Authenticator for dual authentication. The main reason some people prefer KeePass is they don't trust having their passwords stored online. I feel the danger is sufficiently mitigated by the fact the database is encrypted locally before uploading it. Keeping your password database local may seem safer, but is it? If you have multiple computers you have to keep the databases in sync. Do you do that by moving the database on a flash drive? Do you have copies lying around on flash drives? OTOH, if you only use KeePass on one computer are you backing up the database (and keeping the backups current) in case you lose the hard drive? Do you have a hard copy of all of your passwords? How do you keep it safe, and current? LastPass gives me peace of mind in this regard since the database is stored on their servers as well as my multiple local computers. Losing my passwords would be a very serious inconvenience.

    My point is you have to look at every aspect of the password management process, see the potential problems and then consider the best overall solution.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I was referencing an instance in which data was stolen from LastPass, and I provided a link.
    You linked the LastPass response to a different LastPass vulnerability.
    Here's the blog post they are responding to.
    It's important to note that the blog post states,
    So even after the fix, Mike Cardwell says there is still a problem with the LastPass architecture. Would you say that this is an example of "multiple security researchers and crackers" investigating LastPass? I would.

    In looking closely at LastPass's response, one could possibly feel less than inspired. In particular, this statement sounds a tad shaky...
    That's "help" and "reduce". They don't say they have eliminated the chance of recurrence. They say they have helped to reduce the chance. Doesn't sound too airtight to me, guest.

    LastPass also advises users to "avoid keeping yourself logged into LastPass" when visiting dodgy sites. Again, not exactly inspiring language, the way I see it.
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    If I may jump in, when the LastPass folks say "help" and "reduce" what I hear is an admission that no security system is 100% safe and so they can't guarantee that new vulnerabilities will not be discovered in the future. If they had said the vulnerability had been fixed and there would never again be any kind of breach, that would be cause for concern.

    The same thing applies to visiting "dodgy sites". This implies that the user is intentionally putting the system at greater risk and should take precautions. It's the same with antivirus/antimalware programs. Users simplistically think if they have these installed they can go anywhere and do anything with impunity.
     
  6. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Hello Victek123,
    You make good points, for sure.
    I think that to some extent, the LastPass people were humbled by the vulnerability, and that might explain the soft language. Still, I am surprised to see it, especially when we are so used to seeing press release-type language that embellishes the merits of the software. And in all honesty, I still don't think "help" and "reduce" are very convincing words, because they did have the vulnerability revealed to them, and they can't say it was fixed. Maybe we agree to disagree. :)
    **By the way, the help-reduce language was in reference to a specific vulnerability, not to new ones that might happen.
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    No tool is 100% safe from vulnerabilities or hacks. Even KeePass had its problems in the past :) : KeePass Password Safe Insecure Library Loading Vulnerability. What is important is that these get fixed. If you believe that more exposure/more users is linked to more solid tools (security-wise) then I would opt for LastPass.
     
    Last edited: Jun 22, 2012
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Where are people getting their comparison figures for usage/popularity?
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    You find many references on the internet, just google it... LastPass is one of the most recent players in password managers but gained huge popularity very quickly... just one very recent random quote:

    http://news.yahoo.com/top-5-online-password-managers-163400927.html

    Sorry no precise numbers but I am sure with more time you can find more detailed quotes about it :)
     
  10. guest

    guest Guest

    Page42,

    I don't know why you are confusing things, replying yet again to the same quote of my post that you replied to before. And stop lying, you provided a link after I provided a link. My post with that link is the number 6 of this thread. Your post with a link is the number 7. And I have no desire to continue this discussion as you don't seem to be fully able to interpret texts.
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I would say popularity does not reliably communicate something about quality because nearly all consumers/users are severely limited in their ability to independently assess quality and they make their decisions on factors other than quality.
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I'm trying to find usage stats to support the above claims. LastPass isn't turning out to be the "more exposure/more users" leader. Maybe those making the claim can help out with some supporting data.

    Here is what I have been able to locate...
    I found a link from a year and a half ago wherein LastPass congratulates themselves for having 1,000,000 users.

    And I found a link where sourceforge shows 4.5 million KeePass downloads year-to-date.

    I also see here 25 million KeePass downloads over the 9 year period prior to 2012. So that's almost 30 million KeePass downloads.
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Good God, man. I'm not lying. My point isn't who posted what link first. If I erred by a few minutes as to who posted what link, then roll with it, and don't try to make it out to be something that it isn't. Let's just have a civil, educated discussion without you calling me a liar... or not.
    Edit in: By the way, for the record, even though I said above that I might have erred, I just reread my post and there was no error. I never commented about who posted what link first. So guest's admonishment about not being fully able to interpret texts might just as well be directed at himself. And the name-calling (now I'm a liar along with Scoobs72, according to SPP), is out of line. We are simply discussing a couple of password managers. I'd like to see SPP back up his statements about how much more popular LastPass is than KeePass. And keep the insults to himself.
     
    Last edited: Jun 22, 2012
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Hi Montmorency,
    Good observations.
    You said that you were considering a change. I say go with it, and try KeePass. As is always the case here, there are plenty of people ready to provide positive input should you need it. Oftentimes there are more things to consider beyond security, which so far this thread seems to be focused on. :)
     
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Well, risk assessment is difficult and I wouldn't expect broad agreement. I appreciate that many people are putting a lot of thought into password management and although I'm invested in LastPass I try to keep an open mind - sooner or later I may change it :)

    Thanks for the correction regarding that specific vulnerability Vs possible future ones. I need to look at that more closely.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Just to chime in... the LastPass vulnerability you linked to, Page42, could have happened to KeePass as well.

    The issue isn't with the extension so much as it's with a fundamental 'issue' with encryption ie: it's decrypted at some point. If an attacker has compromised your browser/ an extension with enough rights both of those would be vulnerable in the same way.

    I use LastPass because I use multiple computers/ I like having an online interface. I don't see why anyone would use something like DropBox with KeePass, which is kinda just trying to get LastPass but with an unsupported configuration.

    edit: And what isn't open about LastPass is their server configuration. The extension is and you can verify that encryption happens locally. So even if they aren't keeping their word about security measures on their end it doesn't really matter.

    In terms of hacking LastPass there's just no issue. You can't get into the information even if they aren't encrypting it on their side. If you use any kind of decent master password there's just no way.

    The issue is with the extension itself having vulnerabilities and in that case there's no difference at all compared to KeePass.
     
    Last edited: Jun 22, 2012
  17. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    And I feel as you do, only about KeePass... although I'm currently using KeePass, I try to keep an open mind - sooner or later I may change it! ;)
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Hi HM,
    But what about KeePass standalone without something like ChromeIPass (extension to allow Chrome to form-fill passwords stored in KeePass)? When I search Chrome Web Store, there is no KeePass extension. So is KeePass as tightly integrated with the browser as is LastPass?
     
  19. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    ChromeIPass:

    http://keepass.info/plugins.html#chromeipass

    KeeFox:

    http://keepass.info/plugins.html#keefox

    KPFloatingPanel: The Best

    http://keepass.info/plugins.html#kpfloatingpanel

    Kind regards,
     
  20. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    The best option is the one that works for you and stops you from using the same password at every site you go to. I've had to have credit/debit cards reissued 4 times in the last year. None of them had anything to do with a password manager. The sites I shopped at got hacked, and in 1 case it was a local eatery that had their system hacked. I didn't even know that place had their payment system online. I don't fear LastPass and have used them for several months now. I was a bit hung up on the online thing myself, but as I have discovered, their security is much better than the sites whose passwords they protect. If you are happy with either product I call it good. 2 of the first rules of computing I impose on everyone I know are:

    1. Don't reuse passwords.
    2. Always backup your system.

    If you fail to do these things, don't call me for help as I will only laugh. ;)
     
  21. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Should I drop to your level and return insults? No. However, if you do feel capable of posting some actual facts about the overall security lifecycle of LastPass, and potential vulnerabilities versus KeePass, then that might be a bit more interesting.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If you're not using the extension for KeePass (ChromeIPass is the KeePass extension) then you don't have to worry about an extension vulnerability in ChromeIPass.

    But in the case of LastPass we're assuming a compromised extension is involved that can read form fill data. In the case of LastPass this data used to be entered automatically (it still can be) but that doesn't matter, the point is that as soon as the data is entered by anyone the extension can tell.

    LastPass really only automated the process.
     
    Last edited: Jun 22, 2012
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Yes there are many KeePass plugins available, but my question is, is KeePass itself an extension?
    All of these plugins may compromise the security of KeePass, because they are not created by KeePass. But what about running KeePass standalone?
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    And there it is.
    I don't use any KeePass extensions or plugins, of which there are many.
     
  25. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    To be clear, you did later post...
     