KeePass or LastPass?

Discussion in 'other software & services' started by Montmorency, Jun 21, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah I wasn't clear.

    You don't have to worry about a ChromeIPass vulnerability. You do still have to worry about other compromised extensions and if they're compromised you're in the exact same situation as with what you linked to.

    If an extension like Adblock Plus is exploited you are screwed either way. The only difference is that if you remove the keepass extension you remove a chunk of code that could be exploited, but that's not super reassuring to me and I'm fine with LastPass.
     
  2. woomera

    woomera Registered Member

    Joined:
    May 21, 2004
    Posts:
    212
    lastpass hands down!
     
  3. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Circular argument, the same applies to LastPass!
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That's my point.
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Does the exploitation of extension vulnerabilities always allow broader access to the system or does it sometimes only allow one access to the browser context? I ask because here I think we're comparing one password manager that resides on your system in the form of a browser extension and one password manager that resides on your system in the form of a stand-alone program. Assuming one is just using KeePass proper and no addons, I think there is no way to pull information from the KeePass database from within a normal browsing context. However, LastPass seems designed to allow for exactly that. Put another way, I'm inclined to suspect that malware with access only to the browser context could do more damage in the LastPass scenario than the KeePass scenario. In both cases it could steal what the user caused to be entered into forms, but in the LastPass scenario could it gain access to stored information for additional sites?

    It has been a while since I read about LastPass. IIRC, the last time I walked away with the impression that its developers designed things so that they couldn't (assuming they are truthful and never for any reason distribute a different design) determine what the actual usernames and passwords are. However, I don't recall what if anything I read about in terms of their ability to learn which sites you had stored login information for and/or were visiting in an effort to login. Can any LastPass users share information on the latter?
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The damage done is entirely the same if a separate extension is compromised. Either way as soon as you input the password it's stolen. The extension can't access LastPass's database in any way regardless of its rights. What it can access is the webpage and the data filled into that page either by a user using KeePass or by a user using LastPass.

    All you avoid in terms of security when using KeePass is vulnerabilities in the KeePass extension. That's an advantage, of course, but if you use multiple computers I don't see it as a big issue compared to the convenience of LastPass.
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    When you're logged into LastPass and have the password vault open the names of websites display, but not the user names and passwords. It is necessary to drill down into the specific credential to see the user name, and even then the password is hidden unless you specifically click to display it - the information is relatively immune to screen grabbing. I don't know exactly how the information is stored though and if a POC exists showing it could be grabbed in some other way.

    My understanding is all the personal information is encrypted locally. The LastPass folks go out of their way to tell users that they cannot retrieve user master passwords because they don't have them. I've never heard of LastPass "tracking" user web surfing, but there is something in their privacy statement about storing login history if the user enables that option. See here:

    https://lastpass.com/aboutus_privacy.php
     
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    [This was meant for HungryMan but I didn't quote him and a new reply came in which I'm just now about to read...]

    You seem to be saying that there are and can be no vulnerabilities that would allow malware to slip into a browser context and read/forward any LastPass information even that which is stored encrypted on the user's machine. I can't challenge that because it isn't something I've attempted to research, but it makes me go hmmmm. Moving beyond that though, doesn't LastPass support autofill and autologin? Though optional (IIRC), that could theoretically be exploited by simply navigating the browser to the target site. Do you consider that too an impossible vector with LastPass?
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Like I said, by not using an extension you avoid vulnerabilities in the extension. But Chrome extensions are pretty secure.
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Though not because of any vetting process that we are aware of at this time. :cautious:
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I made a post earlier in another topic about only being able to install from the Chrome web store. They're vetting.
     
  12. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    I think "better" is subjective, based on personal preference. I never said KeePass *is* more secure than LastPass, I just *feel* more secure using it. Like I said, I'm biased because of a cloud-related disaster involving LP. Admittedly, it was my own fault, but even before that happened, I didn't trust LP with banking credentials and other sensitive passwords. I understood the encryption process and how they stored "blocks" of encrypted data on their servers, but something set me off from storing *everything* in the cloud, and I'm glad I didn't.

    I used LastPass for over two years before switching to KeePass and I was pretty happy with the service. It actually got me to make all of my online passwords stronger and unique. I guess I'm just paranoid. :p
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Uuuuhm you are mixing apples and pears. You should find out about users of the software as you did for LastPass, not number of downloads. KeePass is older than LastPass, for sure with many more downloads during the years...
     
    Last edited: Jun 22, 2012
  14. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,151
    Location:
    NSW, Australia
    Would you use a password like this?

    Fish1!kkk

    Easy to remember. But is it safe?
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Are you sure you're just not defending an earlier position, fax?
    I mean, you stated that LastPass has more exposure/more users, but you've offered no supporting figures.
    Then I produce sourceforge downloads stats showing 11 million downloads last year and 4.5 million so far this year, and the best you can do is say that downloads aren't users?
    Okay, I can see that (I could see it when I posted too), but what else can we go on?
    Do you think (and be honest here), that over 15 million people downloaded KeePass just since last year, but that most of them aren't using it?
    How does MBAM or SAS quote usage? By downloads, I believe.

    And what is this LastPass 1,000,000 user announcement? How do they know they had that many users?

    I asked KeePass developer Dominik Reichl how many users he had, and he told me he doesn't know the number of users... KeePass doesn't need to be registered or activated... and he doesn't track users in any way. He directed me to the sourceforge site I linked.

    So how did LastPass establish their 1,000,000 users? How do they track users, if they aren't referring to downloads?

    I'm feeling pretty confident that KeePass has just as many and probably many more times the users as LastPass... which I never thought about nor cared about until you guys started talking about LastPass being more popular than KeePass.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    1,000,000 accounts made, I assume.
     
  17. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    I wouldn't - all of my passwords are 16+ characters long, and a combination of uppercase/lowercase/numbers/special characters.
     
  18. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    266
    Sounds like FUD. Interchange the word Lastpass with something else.

    And that's why you shouldn't use an operating system on your computer. The OS is not going to be broken via the encryption algorithms or hashes it's using, it'll be broken by somebody, perhaps a rogue employee, injecting malicious code into an update of the client software, bypassing existing code audits. Or maybe a man-in-the-middle attack on new enrollments into the service. Or maybe etc etc
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It is indeed 'FUD' and it doesn't really make sense. LastPass is designed to protect you even from someone in control of their service.

    There's pretty much encryption throughout the entire process. They would need to control the lastpass extension or exploit another extension. At this point *any* process of inputting a password, including a user typing it after opening up keepass, will be compromised.
     
  20. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,151
    Location:
    NSW, Australia
    Your passwords are safe but the one I posted would take 20 million years to be cracked via an Online Attack Scenario.
     
  21. guest

    guest Guest

    And if one uses javascript bookmarklets for LastPass, he is immune to remotely possible issues with the LastPass addons as well (if he doesn't install them and/or doesn't auto-update them).
     
  22. guest

    guest Guest

    Sometimes a Google search can be enlightening...

    roboform - About 4,100,000 results

    lastpass - About 1,890,000 results

    keepass - About 434,000 results

    And results from Bing:

    roboform - 6,790,000 results

    lastpass - 1,630,000 results

    keepass - 1,180,000 results

    And from CNet...

    RoboForm Total downloads: 19,154,521

    LastPass Total downloads: 89,789

    KeePass Total downloads: 31,896

    And from Facebook...

    http://www.facebook.com/LastPass - 71,762 likes / 607 talking about this

    http://www.facebook.com/RoboForm - 49.686 likes / 237 talking about this

    http://www.facebook.com/pages/KeePass/262143223820786 - 784 likes / 7 talking about this
     
  23. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    266
    Hasn't Webroot licensed LastPass for their Webroot SecureAnywhere Complete application? What about Symantec? Aren't they using their own password software called Norton Identity Safe that uses the same methods, or is it all local? What about Roboform Everywhere and the methods it uses?
     
  24. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    It's not FUD, and you're missing a key point imo. Lastpass represents a central storage of very valuable data, albeit encrypted. All in one place. History has shown that where there is a large amount of valuable data stored in one place hackers go after it. Repeatedly. Until they get it. Witness the breaches of major payment processors, where in some cases hackers infiltrated them for over a year, gathering information on how to fully breach their systems. Witness also the evidence that Lastpass has been breached once already, saved by their encryption that time.

    Will hackers give up on Lastpass and not try again? Or will they try to find a way round the encryption to the millions of passwords? Well I'm not betting my security on that. We have differing opinions on this, and different feelings towards the level of risk associated with these two solutions, so let's agree to disagree.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    LastPass uses PBKDF2 with SHA 256. SHA 256 is cryptographically secure. SHA 1 hasn't even been broken yet (well sorta, it has technically) and the weaknesses proven for it don't apply to SHA 2 algorithms (sha 256, 512.)

    SHA 256 is FIPS approved and it's undergone its fair share of scrutiny.

    They aren't going to break into SHA256. The chances are that by the time any cryptanalysis has allowed for attacks to be shown in SHA2 we'll have moved onto SHA3.

    The amount of effort it would take to break SHA2 is far less than the amount of effort it would take to simply hack your computer and rootkit it and steal your passwords that way.

    Bruteforcing isn't really worth discussion. It's simply not possible if you have any kind of decent password and / or mess with your settings. It's just not happening.

    And there's the fact that breaking into LastPass likely isn't super easy and since their breach they've apparently taken further measures.

    Agreeing to disagree is fine by me. But I would post my encrypted information right now and be entirely confident that no one anywhere is getting into it. It would likely take more computing power than the world's got.
     
    Last edited: Jun 23, 2012
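    The post above rests on PBKDF2 with SHA-256 and on the iteration count ("mess with your settings") making offline guessing impractical. The following Python script is an added example, not code from the thread or from LastPass: it derives a vault key with PBKDF2-HMAC-SHA256, verifies a candidate master password in constant time, and measures how raising the iteration count scales the cost of each offline guess against a short password like the one posted earlier. The salt, the iteration counts and the 94-character alphabet are constructed assumptions, not LastPass's real scheme or defaults.

```python
import hashlib
import hmac
import time

# Constructed sample values for illustration; not LastPass's real salt
# scheme or iteration defaults.
MASTER_PASSWORD = "Fish1!kkk"
SALT = b"user@example.com"  # assumed per-user salt
PRINTABLE_ALPHABET = 94     # upper + lower + digits + common symbols


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def verify_master_password(candidate: str, salt: bytes, iterations: int,
                           expected_key: bytes) -> bool:
    """Constant-time comparison so a wrong guess leaks nothing via timing."""
    return hmac.compare_digest(derive_vault_key(candidate, salt, iterations),
                               expected_key)


def measure_guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Rough single-core rate at which an attacker could test guesses offline."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess{i}", SALT, iterations)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(charset_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length and alphabet."""
    keyspace = charset_size ** length
    return keyspace / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    # Each doubling of the iteration count doubles the attacker's work
    # per guess; the stored key changes too, so the count must be fixed
    # when the vault is created.
    for iters in (1, 500, 5000, 100_000):
        rate = measure_guesses_per_second(iters)
        years = years_to_exhaust(PRINTABLE_ALPHABET, len(MASTER_PASSWORD), rate)
        print(f"{iters:>7} iterations: {rate:12.0f} guesses/s on one core, "
              f"{years:.2e} years to exhaust the keyspace")
```

    The printed rates are for a single CPU core in pure hashlib; a GPU cracking rig is orders of magnitude faster, which is exactly why the iteration count, not the hash function, is the setting that matters here.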