KeePass or LastPass?

Discussion in 'other software & services' started by Montmorency, Jun 21, 2012.

Thread Status:
Not open for further replies.
  1. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    Hello.

    I've been using LastPass for the last 18 months and was happy with it.
    The last update, though (both to the program and the site) is putting me off a bit.
    I've installed KeeFox/KeePass and so far I'm having basically the same (positive) user experience; so I'm considering a change.

    Could some of you share your views?

    Thanks.
     
  2. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    75
    Personally, I love KeePass. I switched from LastPass about a year ago and couldn't be happier. It just feels a lot more secure having my passwords stored locally versus in the cloud, and that, as I've learned, is 1000000x better than a bit of convenience. As a note, I don't use KeeFox for integration.

    Yes, it's more hassle if you use multiple PCs (keeping the databases in sync), but I suppose that could easily be accomplished with SpiderOak or a similar cloud storage + sync service if you're into that.

    Then again, this is coming from someone who was burned by the cloud once and has taken a great effort to try and prevent it from happening again. :p
     
  3. guest

    guest Guest

    LastPass is better and more convenient. People saying that LastPass is somewhat less safe because it's "cloud based" don't have a clue what they are saying and how LastPass actually works.
     
  4. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    LastPass here too. Not even close.
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    KeePass is what I use, and I couldn't be happier.
    I too like that KeePass stores passwords locally.
    Despite what some posters say about not having a clue, I'm not too keen about having my passwords stored in the cloud.
    As a browser extension, I am aware that LastPass has been exploited.
    I can't compare ease of operation, because I have not used LastPass, but I can say for sure that KeePass is terrific to use, easy to enter and edit data, and I like that it is open source.
     
  6. guest

    guest Guest

  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Cracking Open Chrome OS
     
  8. guest

    guest Guest

    So that's not a vulnerability in LastPass' extension. From the quote, researchers installed a different malicious extension to do the work.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Data was stolen from LastPass. End of story as far as I'm concerned. You can try to reword it any way you like.
     
  10. guest

    guest Guest

    Any data "readable" in any webpage or program or whatever can be stolen when the PC is already compromised.

    It's like X taking screenshots from the lastpass page that Y forgot opened, and Z calling it "data stolen from lastpass". rofl
     
  11. guest

    guest Guest

    If you leave your KeePass key files opened and one takes screenshots of their data, would you call it "data stolen from KeePass" or "KeePass was compromised"? It's ridiculous, lol
     
  12. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Keepass for my banking passwords, Lastpass for general website passwords. I simply don't trust Lastpass enough for them to have any information, encrypted, salted, hashed or whatever. You can never know for certain that Lastpass actually do what they claim to do 100% of the time and that there aren't any weaknesses in their implementation.
     
  13. STONEMAN

    STONEMAN Registered Member

    Joined:
    Jan 17, 2009
    Posts:
    98
    Location:
    London,South Of The River
    KeePass for me. Prefer having my passwords stored locally.
    I don't really trust having my passwords in the cloud, just my opinion though ;)
     
  14. guest

    guest Guest

    Did you verify KeePass' implementation? LastPass' implementation was already verified by multiple security researchers and crackers, as it is a very popular service.

    Oh my, your passwords don't get directly stored in the LastPass' cloud, what gets stored there are encrypted data and a login hash (useless to decrypt).

    See:
    http://lastpass.com/whylastpass_technology.php
    http://helpdesk.lastpass.com/introd...safe/#All sensitive data is encrypted locally
    http://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/
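
    The split described in the post above (a login hash on the server, decryption key only on the client), as an added example that is not part of the thread and is not LastPass code. It is a generic sketch of the pattern: the use of the e-mail address as salt, the iteration count, the single extra PBKDF2 round and the `Server` class are assumptions, and the vault blob is a placeholder because the encryption step is not shown.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed for this sketch, not taken from the thread


def vault_key(email: str, master_password: str) -> bytes:
    """Client only: key that encrypts/decrypts the vault. Never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS, dklen=32)


def login_hash(email: str, master_password: str) -> bytes:
    """Client only: one further one-way round over the key; this value is sent."""
    key = vault_key(email, master_password)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1, dklen=32)


class Server:
    """Hypothetical server: keeps a salted hash of the login hash plus an opaque blob."""

    def __init__(self):
        self._accounts = {}

    def enroll(self, email: str, client_login_hash: bytes, encrypted_vault: bytes) -> None:
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", client_login_hash, salt, ITERATIONS)
        self._accounts[email] = (salt, verifier, encrypted_vault)

    def login(self, email: str, client_login_hash: bytes):
        """Return the encrypted blob on success, None otherwise."""
        record = self._accounts.get(email)
        if record is None:
            return None
        salt, verifier, encrypted_vault = record
        candidate = hashlib.pbkdf2_hmac("sha256", client_login_hash, salt, ITERATIONS)
        return encrypted_vault if hmac.compare_digest(candidate, verifier) else None

    def stored_bytes(self, email: str) -> bytes:
        """Everything held for one account, i.e. what a server-side dump would contain."""
        return b"".join(self._accounts[email])


def demo():
    email, password = "user@example.test", "correct horse battery staple"  # constructed
    blob = b"<ciphertext produced on the client>"  # placeholder, encryption not shown
    server = Server()
    server.enroll(email, login_hash(email, password), blob)
    return server, email, password, blob
```

    The server can authenticate the client and hand back the blob without ever holding the vault key; how hard the master password is to guess from what it does hold depends on the password itself and the iteration count.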
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Maybe you could elaborate a bit on this? :)
     
  16. STONEMAN

    STONEMAN Registered Member

    Joined:
    Jan 17, 2009
    Posts:
    98
    Location:
    London,South Of The River
    Thanks for the links, interesting insight, but will stick with KeePass for now as it works fine for my needs. :)
     
  17. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    With respect, you're not seeing the bigger picture here. Security is not just about encryption algorithms, it's a process that starts with employee recruitment screening and extends through to building and LAN security, code audits, quality standards and numerous other things.

    Lastpass is not going to be broken via the encryption algorithms or hashes it is using, it'll be broken by somebody, perhaps a rogue employee, injecting malicious code into an update of the client software, bypassing existing code audits. Or maybe a man-in-the-middle attack on new enrollments into the service. Or maybe etc etc

    Show me Lastpass' annual security audit certificates, certificates of compliance to FIPS standards, and a detailed security analysis of their client update process and then my confidence in them will be improved. Although I still wouldn't trust the service with my banking passwords. :)
     
  18. guest

    guest Guest

    That's a possibility I've read about. You have to be very paranoid to worry about it as any software that gets updates is probably "vulnerable" to it. It's a very remote possibility and KeePass is just as vulnerable to it as LastPass - a malicious update to KeePass, which is open source, could pass hidden in some code improvement that doesn't get enough review by their unpaid programmers. Or unpaid KeePass' leader programmer(s) could turn to the dark side and make the same thing ..

    Also, LastPass addons don't auto-update from what I know - which gives you time to review any update.

    BTW I'm immune to this remote possibility. I don't use the LastPass addons, I use the javascript bookmarklets which never get updated.

     
    Last edited by a moderator: Jun 22, 2012
  19. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    They redesigned the site (not the main page but the user's vault) and the result is buggy: there are new look pages and old look ones; some icons don't show the description when the pointer hovers over; at least one link won't work... these little things make me nervous coming from a security related company.
    Also you have lots of complaints in their forums about the program upgrade.
    Both upgrades were done simultaneously and both look hastily released.
     
    Last edited: Jun 22, 2012
  20. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I'm a happy KeePass user (without Firefox integration). Main idea here is that I trust my computer more than I trust the cloud :) So, while I can say that KeePass is working very well, I can't really give you advice on LastPass, because I didn't use it.
     
  21. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    The fact that Keepass is opensource versus lastpass being closed source is a big difference. The auto-update of the lastpass client/plugin is also a big difference.

    Personally, I'll stick with Keepass for my sensitive passwords. It's open source, it doesn't auto-update, I can control exactly what it does (e.g. Keepass doesn't have outbound firewall permission) and I don't have to update it unless I want to. Lastpass I really like and use all the time, but would I trust it with my banking passwords? No way.
     
  22. guest

    guest Guest

    Not necessarily relevant as you can't realistically estimate how many and how qualified and how motivated are those who review KeePass' source code (my bet is that the numbers are incredibly low - KeePass has less users than LastPass and RoboForm, for example) and have their suggestions actually approved by the dev leaders.

    The source code of LastPass' plugins is reviewed by several teams of paid programmers and reverse engineered by several security experts and crackers around the world because of the popularity of LastPass.

    LastPass' plugins don't auto-update. I confirmed this searching in their official forum.

    You're free to do whatever you want including spreading nonsense about LastPass and lies about "advantages" of KeePass.
     
    Last edited by a moderator: Jun 22, 2012
  23. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    I like KeePass, I've never tried LastPass. Perhaps someday I will. Right now KeePass serves my needs.
     
  24. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    I've used both and have switched to LastPass. It is the more polished and convenient product. As far as security, your passwords are only as secure as the site they belong to. With all of the password theft from some major sites recently I do not expect LastPass to be the place they will be stolen from. Companies like Sony, LinkedIn, etc. are much easier to get into. The greatest danger is in reusing passwords.
     
  25. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    For a security product, being open source is very relevant to me. I'm not saying that closed source products are necessarily bad, but I tend to have more trust in a product which has open source code that I can inspect with my own eyes (not to mention other users).

    Is there any public information about the "security experts and crackers" that reverse engineered LastPass? (a link or something to this kind of info would be greatly appreciated, thanks)
     