Password Manager Discussion.

Discussion in 'other software & services' started by Mayahana, Jan 28, 2015.

  1. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,444
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    I've been using RoboForm Desktop on my Windows computers since 2008 without problems, 3 lifetime licenses. Just recently I bought 2 lifetime licenses of RoboForm Desktop for Mac. One I'm using on my Big Mac and the other will go on my wife's future Mac. There are some features of RoboForm that cannot be done on the Mac. One is double login on a website.
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Lastpass pocket will let you choose...
     

  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Oh, ok ... not an open source issue, not an offline problem, but a "logmein" issue. It would have been faster to say I don't like lastpass for whatever emotional/personal issue, it's all fine. Anyone can choose whatever software he/she wants. LOL :thumb:
     
    Last edited: Aug 21, 2016
  4. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States

    This, below, is my original post.

    I never once anywhere stated that it was superior to LastPass but someone's preferred interpretation of what they wanted to respond to dragged this out.

    It's too bad you found it too difficult to read the entire back and forth before responding out of context though you appear to be pretty practiced in those types of posts.

     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    [offtopic ON] It's fine, your original post was mostly clear. I think other users were interested in your "to make sure it was worth switching". Then there were some incorrect statements about lastpass (open source, offline) and finally we understood the main reason for switching (LogMeIn aversion). Took a bit of time :D [offtopic OFF].

    Cheers!
    Fax
     
  6. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Yeah, taken out of context those things must have really upset you.

    Cheers.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Link: https://twitter.com/taviso/status/769378052254015488

    Link: https://twitter.com/taviso/status/769515425117777920

    Link: https://twitter.com/taviso/status/769391927892598784
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Has anyone tried Wladimir Palant's Easy Passwords available for Firefox, Chrome and Opera? He introduced it in two blog posts in April. According to his newest blog post he's planning to make it a full Lastpass alternative. A sync functionality - among other things - is still missing, though.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What do you guys think about this one, is it a good replacement for KeePass? Of course I wouldn't use the cloud feature.
     
  11. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Do you know if this is just a "proof of concept" or has it actually appeared in the wild? Also note that the attack begins with "Get the victim to go to a malicious website that looks benign". It is not explained how that is accomplished and apparently that's separate from the LostPass attack. It seems to me that there are a lot of moving parts to this and a lot of work which would make it unattractive to the bad guys.
     
  13. guest

    guest Guest

    If you generate a password for a website, it's always the same password, but only if the username, parameters (length, allowed characters) and the master password are the same.
    Basically you can "generate" your passwords again (if all parameters are the same) if you have to start from the beginning.
    If you only change one parameter, you'll generate different passwords. And if you don't want the same password generated for a specific username, you can create different "revisions" of the password (same username = different password).
    After exporting the password list to a file, I see that "Legacy" passwords are stored encrypted in the file (and they are stored encrypted in the extension).
    "Generated" passwords are not stored in the file, only some parameters: allowed characters, length.
     
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    That is simply a phishing attack, nothing to do with lastpass security. In fact the user is re-directed to a fake website "chrome-extension.pw/..." which displays the fake lastpass notice. From there you can get whatever. As always, mind to always check where you are ;)
     
    Last edited: Nov 2, 2016
  15. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    It seems not really based on ads. Simply fewer features than the Premium. Premium features, IMO, seem not essential, i.e. family sharing, Yubikey and Sesame 2FA, priority tech support, lastpass for applications, desktop fingerprint authentication, 1GB encrypted file storage.
     
  18. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    There was a link to FAQs at the bottom of the blog. It's in the first question/answer.
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    I'll continue to pay for the premium version. It's not that much and worth what it costs. I hope that by putting in ads at all that they don't open a hole for exploits.
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Interesting, thanks. Weird that on the front page that last item is not mentioned at all. Possibly they are not yet ready but it will come.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Agreed, for $1/month it is more than worth it, especially now that they are apparently going to incorporate ads in the free version. I also wonder how they will be able to feed ads without creating vulnerabilities.
     
  22. guest

    guest Guest

    At the moment they only display a simple ad for their own product on the right side of the vault.
    No flash content ;), only a picture and a simple hyperlink.
     
  23. 142395

    142395 Guest

    I think I have to withdraw my past comments.
    I will never use LastPass again and don't recommend it to others anymore. This is not because they're hacked, but because I finally reached the conclusion that any browser-server based pwdmgr is fundamentally not secure. Although LP made many mistakes (look for Tavis Ormandy's article and another older vuln) in implementation, and they are too ambiguous about their crypt (definitely close to the worst), I now understand that the addon-based approach w/ server-stored credentials inherits most of the badness of browser-based cryptography, which has been known to be weak, so it is not secure by design. Talking about these weaknesses would amount to a whole blog article, just search by yourself.

    I now use KeePass and use different databases for each platform, and each of them only includes the minimal set of credentials needed for the platform. I apply Mayahana's salt method so even if they are compromised the attacker still can't obtain the full account name and password. I also love its function to show password entropy. I was glad to find my old password generation algorithm earned good entropy, but w/ this help I improved my algorithm. As I use it, actually a pwdmgr is not necessary but is convenient to manage all accounts and to help typing passwords.
     
  24. 142395

    142395 Guest

    No, that can't be an alternative to KeePass for those who care about security. KeePass is one of the 2 open source, well-reviewed, and off-line pwdmgrs, but more user-friendly than the other, PasswordSafe. Being open source does not guarantee security, but KeePass earned a better score in past scrutiny and will be audited, too. I know some other pwdmgrs have an 'audit', but most of them are about server/cloud security, which is not relevant when you use an off-line pwdmgr; it doesn't have those vulns by design. Not only that, the above link does not explain any crypt details. For any closed source crypt software, transparency is one of the most important things. They need to explain at least the following.

    -How they derive the key from user input (what KDF is used, how many iterations, if the derived key is used to encrypt or it's just a key-encrypting key)
    -If the derived key is a key-encrypting key, how they generate the encryption key, especially what RNG is used and how they obtain entropy.
    -What cipher mode is used and if the IV or nonce is properly used (randomised, no reuse), and if a non-authenticated mode is used then how they verify integrity to prevent potential CPA or CCA.
    -How they protect sensitive info in memory, is it encrypted, does the dev take care of timing attacks, etc.
    -How they treat temporary files which may contain sensitive info or even just metadata.

    Unfortunately most crypt services only say "We use AES256" or "Military grade encryption...bla bla bla", which tells nothing.
     
    Last edited by a moderator: Nov 4, 2016
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    This is not limited to Lastpass but most browser-server based password managers, and Tavis found issues in most of them (1password, dashlane, etc.). If you don't like server based password managers you can use lastpass offline (lastpass portable or lastpass pocket). Finally, if you are really paranoid about auditing then the only way to be sure is to inspect the code yourself. Otherwise you will always need to rely on third party organisations. No password manager is 100% proof but I really don't understand this race to kill lastpass, lol. Btw, if you want to look into lastpass, then have a look here: https://github.com/LastPass/lastpass-cli

    Btw, experts looked into the hashing of lastpass and judged it as one of the best out there.

    http://arstechnica.com/security/201...-lastpass-exposes-encrypted-master-passwords/
     
    Last edited: Nov 4, 2016