KeePass or LasPass?

Discussion in 'other software & services' started by Montmorency, Jun 21, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah I wasn't clear.

    You don't have to worry about a ChromeIPass vulnerability. You do still have to worry about other compromised extensions and if they're compromised you're in the exact same situation as with what you linked to.

    If an extension like Adblock Plus is exploited you are screwed either way. The only difference is that if you remove the keepass extension you remove a chunk of code that could be exploited, but that's not super reassuring to me and I'm fine with LastPass.
     
  2. woomera

    woomera Registered Member

    Joined:
    May 21, 2004
    Posts:
    212
    lastpass hands down!
     
  3. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Circular argument, the same applies ti LastPass!
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That's my point.
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Does the exploitation of extension vulnerabilities always allow broader access to the system or does it sometimes only allow one access to the browser context? I ask because here I think we're comparing one password manager that resides on your system in the form of a browser extension and one password manager that resides on your system in the form of a stand-alone program. Assuming one is just using KeePass proper and no addons, I think there is no way to pull information from the KeePass database from within a normal browsing context. However, LastPass seems designed to allow for exactly that. Put another way, I'm inclined to suspect that malware with access only to the browser context could do more damage in the LastPass scenario than the KeePass scenario. In both cases it could steal what the user caused to be entered into forms, but in the LastPass scenario could it gain access to stored information for additional sites?

    It has been a while since I read about LastPass. IIRC, the last time I walked away with the impression that it's developers designed things so that they couldn't (assuming they are truthful and never for any reason distribute a different design) determine what the actual usernames and passwords are. However, I don't recall what if anything I read about in terms of their ability to learn which sites you had stored login information for and/or were visiting in an effort to login. Can any LastPass users share information on the later?
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The damage done is entirely the same if a separate extension is compromised. Either way as soon as you input the password it's stolen. The extension can't access LastPass's database in any way regardless of its rights. What it can access is the webpage and the data filled into that page either by a user using keypass or by a user using lastpass.

    All you avoid in terms of security when using KeePass is vulnerabilities in the KeyPass extension. THat's an advantage, of course, but if you use multiple computers I don't see it as a big issue compared to the convenience of lastpass.
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,076
    Location:
    USA
    When you're logged into LastPass and have the password vault open the names of websites display, but not the user names and passwords. It is necessary to drill down into the specific credential to see the user name, and even then the password is hidden unless you specifically click to display it - the information is relatively immune to screen grabbing. I don't know exactly how the information is stored though and if a POC exists showing it could be grabbed in some other way.

    My understanding is all the personal information is encrypted locally. The LastPass folks go out of their way to tell users that they cannot retrieve user master passwords because they don't have them. I've never heard of LastPass "tracking" user web surfing, but there is something in their privacy statement about storing login history if the user enables that option. See here:

    https://lastpass.com/aboutus_privacy.php
     
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    [This was meant for HungryMan but I didn't quote him and a new reply came in which I'm just now about to read...]

    You seem to be saying that there are and can be no vulnerabilities that would allow malware to slip into a browser context and read/forward any LastPass information even that which is stored encrypted on the user's machine. I can't challenge that because it isn't something I've attempted to research, but it makes me go hmmmm. Moving beyond that though, doesn't LastPass support autofill and autologin? Though optional (IIRC), that could theoretically be exploited by simply navigating the browser to the target site. Do you consider that too an impossible vector with LastPass?
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Like I said, by not using an extension you avoid vulnerabilites in the extension. But Chrome extensions are pretty secure.
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,654
    Location:
    USA
    Though not because of any vetting process that we are aware of at this time. :cautious:
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I made a post earlier in another topic about only being able to install from the Chrome web store. They're vetting.
     
  12. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    I think "better" is subjective, based on personal preference. I never said KeePass *is* more secure than LastPass, I just *feel* more secure using it. Like I said, I'm biased because of a cloud-related disaster involving LP. Admittedly, it was my own fault, but even before that happened, I didn't trust LP with banking credentials and other sensitive passwords. I understood the encryption process and how they stored "blocks" of encrypted data on their servers, but something set me off from storing *everything* in the cloud, and I'm glad I didn't.

    I used LastPass for over two years before switching to KeePass and I was pretty happy with the service. It actually got me to make all of my online passwords stronger and unique. I guess I'm just paranoid. :p
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Uuuuhm you are mixing apples and pears. You should find about users of the software as you did for LastPass, not number of downloads. KeePass is older than LastPass, for sure with many more downloads during the years...
     
    Last edited: Jun 22, 2012
  14. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    11,053
    Location:
    NSW, Australia
    Would you use a password like this?

    Fish1!kkk

    Easy to remember. But is it safe?
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,654
    Location:
    USA
    Are you sure you're just not defending an earlier position, fax?
    I mean, you stated that LastPass has more exposure/more users, but you've offered no supporting figures.
    Then I produce sourceforge downloads stats showing 11 million downloads last year and 4.5 million so far this year, and the best you can do is say that downloads aren't users?
    Okay, I can see that (I could see it when I posted too), but what else can we go on?
    Do you think (and be honest here), that over 15 million people downloaded KeePass just since last year, but that most of them aren't using it?
    How does MBAM or SAS quote usage? By downloads, I believe.

    And what is this LastPass 1,000,000 user announcement? How do they know they had that many users?

    I asked KeePass developer Dominik Reichl how many users he had, and he told me he does't know the number of users... KeePass doesn't need to be registered or activated... and he doesn't track users in any way. He directed me to the sourceforge site I linked.

    So how did LastPass establish their 1,000,000 users? How do they track users, if they aren't referring to downloads?

    I'm feeling pretty confident that KeePass has just as many and probably many more times the users as LastPass... which I never thought about nor cared about until you guys started talking about LastPass being more popular than KeePass.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    1,000,000 accounts made, I assume.
     
  17. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    I wouldn't - all of my passwords are 16+ characters long, and a combination of uppercase/lowercase/numbers/special characters.
     
  18. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    260
    Sounds like FUD. Interchange the word Lastpass with something else.

    And that's why you shouldn't use an operating system on your computer. The os is not going to be broken via the encryption algorithms or hashes it's using, it'll be broken by somebody, perhaps a rogue employee, injecting malicious code into an update of the client software, bypassing existing code audits. Or maybe a man-in-the-middle attack on new enrollments into the service. Or maybe etc etc
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It is indeed 'FUD' and it doesn't really make sense. LastPass is designed to protect you even from someone in control of their service.

    There's pretty much encryption throughout the entire process. They would need to control the lastpass extension or exploit another extension. At this point *any* process of inputting a password, including a user typing it after opening up keepass, will be compromised.
     
  20. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    11,053
    Location:
    NSW, Australia
    Your passwords are safe but the one I posted would take 20 million years to be cracked via an Online Attack Scenario.
     
  21. guest

    guest Guest

    And if one uses javascript bookmarklets for LastPass, he is immune to remotely possible issues with the LastPass' addons as well (if he doesn't install them and/or doesn't auto-update them).
     
  22. guest

    guest Guest

    Sometimes a Google search can be enlightening...

    roboform - About 4,100,000 results

    lastpass - About 1,890,000 results

    keepass - About 434,000 results

    And results from Bing:

    roboform - 6,790,000 results

    lastpass - 1,630,000 results

    keepass - 1,180,000 results

    And from CNet...

    RoboForm Total downloads: 19,154,521

    LastPass Total downloads: 89,789

    KeePass Total downloads: 31,896

    And from Facebook...

    http://www.facebook.com/LastPass - 71,762 likes / 607 talking about this

    http://www.facebook.com/RoboForm - 49.686 likes / 237 talking about this

    http://www.facebook.com/pages/KeePass/262143223820786 - 784 likes / 7 talking about this
     
  23. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    260
    Hasn't Webroot licensed LastPass for their Webroot SecureAnywhere Complete application? What about Symantec? Aren't they using their own password software called Norton Identity Safe that uses the same methods, or is it all local? What about Roboform Everywhere and the methods it uses?
     
  24. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    It's not FUD, and you're missing a key point imo. Lastpass represents a central storage of very valuable data, albeit encrypted. All in one place. History has shown that where there is a large amount of valuable data stored in one place hackers go after it. Repeatedly. Until they get it. Witness the breaches of major payment processors, where in some cases hackers infiltrated them for over a year, gathering information on how to fully breach their systems. Witness also the evidence that Lastpass has been breached once already, saved by their encryption that time.

    Will hackers give up on Lastpass and not try again? Or will they try to find a way round the encryption to the millions of passwords? Well I'm not betting my security on that. We have differing opinions on this, and different feelings towards the level of risk associated with these two solutions, so let's agree to disagree.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    LastPass uses PBKDF2 with SHA 256. SHA 256 is cryptographically secure. SHA 1 hasn't even been broken yet (well sorta, it has technically) and the weaknesses proven for it don't apply to SHA 2 algorithms (sha 256, 512.)

    SHA 256 is FIPS approved and it's undergone its fair share of scrutiny.

    They aren't going to break into SHA256. The chances are that by the time any cryptanalysis has allowed for attacks to be shown in SHA2 we'll have moved onto SHA3.

    The amount of effort it would take to break SHA2 is far less than the amount of effort it would take to simply hack your computer and rootkit it and steal your passwords that way.

    Bruteforcing isn't really worth discussion. It's simply not possible if you have any kind of decent password and / or mess with your settings. It's just not happening.

    And there's the fact that breaking into LastPass likely isn't super easy and since their breach they've apparently taken further measures.

    Agreeing to disagree is fine by me. But I would post my encrypted information right now and be entirely confident that no one anywhere is getting into it. It would likely take more computing power than the world's got.
     
    Last edited: Jun 23, 2012
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.