KeePass or LastPass?

Discussion in 'other software & services' started by Montmorency, Jun 21, 2012.

Thread Status:
Not open for further replies.
  1. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Again, number of downloads is not the same as number of users. I think you know this, right? When comparing numbers you should at least use the same metrics as SrPeterPan did with search engine hits. Finally, since KeePass cannot measure the number of users, I am afraid you cannot support the statement about both being at the same level. Probably it's easier for LastPass to count the number of users based on active accounts. Probably best to ask them directly or ask the journalist quoted initially. :)
     
    Last edited: Jun 23, 2012
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Yes, Webroot is using a rebranded version of LastPass in its SecureAnywhere Complete product. Norton Identity Safe now supports synchronization across multiple computers, but I don't know if they store user data like LastPass does. Based on a quick read it looks to be peer to peer only. Can't comment on RoboForm.
     
  3. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I think a password manager should not disclose to the developer or other third parties what is being stored by the password manager. That would include not only usernames, passwords, and other form fill data but also the sites/pages for which you are storing information.

    Looking at that page you linked to, and specifically the first video where he demonstrated the use of bookmarklets, I see him logged into lastpass.com via a browser that is not equipped with the extension. There on the Sites tab is a list of sites with favicons. I'm inclined to think that the video shows an older version of the Online Vault which is also shown at http://helpdesk.lastpass.com/password-manager-basics/your-lastpass-vault/#Online Vault. On the latter page I notice it says "Your online Vault allows you to access your stored LastPass data on computers that do not have the installed plugin(s). From the online Vault you can control many of your global LastPass settings, as well as view, edit, and delete your stored information much the same way you would on your local Vault.". The obvious question is how that is implemented and whether the implementation is such that the LastPass server knows absolutely nothing about what is in the Online Vault. I think it is possible to have client-side javascript do all of the encryption, decryption, and manipulation of the data. I'm inclined to interpret "We don't allow you to send LastPass critically important information like your usernames, passwords, account notes, and LastPass master password; instead your LastPass master password is used locally to encrypt the important data that's sent to us so that no one, including LastPass employees ever can access it." to apply to even this non-extension scenario. However, the "critically important" qualifier worries me a bit, together with sites/URLs not being mentioned in that list.

    It appears that bookmarklets rely on and require the Referrer header, which would seem to communicate to LastPass servers what sites/pages you are trying to log into even if the bookmarklet itself doesn't already do that. It appears that bookmarklets contain Master Password related information and that, together with a third party cookie to LastPass's servers, allows the bookmarklet to automatically log you into your account and retrieve login/form data for the site you are visiting. IIRC I've seen extensions that sync bookmarks, which makes me think any rogue extension would be able to read that bookmarklet and attempt to arbitrarily access stored information by mimicking the bookmarklet's steps. I assume they're trying to protect against such things.

    I notice the statement "We don't recommend the bookmarklet in Internet Explorer, Firefox, Safari, or Google Chrome, as the LastPass plugin is vastly superior.". I haven't properly studied/tested LastPass and its usage scenarios, but my gut is somewhat inclined to think there is something to what they say. So if one does use bookmarklets, I hope they research things thoroughly and appreciate the issues.
     
  4. guest

    guest Guest

  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I find that description, and in particular the "A hash is then created of that (which is also salted with your username) and sent to LastPass as a way to grab an encrypted copy of your key (encrypted with the locally created random number). ", a bit confusing. It makes it sound as though LastPass (servers) can create an encrypted copy of your key, which suggests that LastPass (servers) access your key. Something doesn't feel right, to me, about the bookmarklet approach and also the ability to access the Online Vault without an extension. Maybe if I rolled up my sleeves and studied it I would to some extent feel better. I don't know. It seems to me that the security/privacy of both those mechanisms would rely upon the security/privacy of the client-side javascript that is pulled from their servers at the time you log in or use the bookmarklet. I suspect they could, for example if coerced into doing so, snatch what is necessary to decrypt the information that is in the Online Vault, and even do that on an account-specific basis, which could reduce the odds of someone catching it.

    Something similar could be said about the extension; they could, for example if coerced, offer a version of the extension that snatches data. It might be easier to defend against that though, if the extension one currently has doesn't have behavior modification features built-in (doesn't pull javascript, whatever from their servers) and you take steps to check future updates.

    I myself would prefer a stand-alone password manager that is isolated from network as well as the browser environment. Partly because it is more difficult to identify a potential leak when something is routinely communicating with a remote server (and doing so via secure connection that will require a special setup to analyze). One can take some steps to try to block a stand-alone password manager from directly accessing the net and leaking information via other approaches. A clueful rogue, be it a password manager developer or someone else attempting to gain access to a stand-alone database, might still be able to pull something off though.
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    You've gone into some detail here that is out of my area, but to the extent that I follow it I'd say yes, it's in the realm of possibility. In fact I think it spills over into the "anything is possible" realm where no matter how good the security is we can still be paranoid. My perspective is people who use either LastPass or KeePass are exponentially more secure than the great majority who are using the names of their pets as passwords and writing them down on sticky notes (which would be really funny if it was not really true). I come across customers on a regular basis who don't even know the password to their primary email account. Why? Because someone set it up for them and had the email client save it so it never needs to be typed. I'm glad that you and others are analyzing LastPass to the limit because that will make it even safer over time, but in the scheme of things my LastPass passwords are probably more secure than any other part of my life :)
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    A friend's email account began sending me spam emails last week.
    This friend has nearly zero computer knowledge.
    I told him he needed to change his yahoo account password, and I also advised him about other obvious security measures he needed to take.
    A few days later, after the emails had stopped, I spoke again with him. He said he'd changed his yahoo password.
    I asked what did it used to be?
    It had been his wife's name.
    I wish I could say I was joking.
     
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Just to be clear, I'm not analyzing it or for that matter providing Lastpass with feedback on what I think could be issues. I'm just sharing some thoughts, here, that came to me after reading a little bit about LastPass, watching some videos of its configuration/operation, trying to mentally think through how it works and where issues could be, etc. As for whether anyone else here is taking or has taken a good look under the hood... and is providing feedback to LastPass... I don't know. Edit: Is there?
     
    Last edited: Jun 24, 2012
  9. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    I've been using KeePass happily for a few months now! :D :D
    The only downside I have with KeePass is that I cannot remove the app from the taskbar or the program will close completely. I have to leave it there minimized the whole time. :eek:
     
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    @Noob: Which version/OS? (Clearly I don't pay attention to sigs)
     
    Last edited: Jun 24, 2012
  11. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    Besides the window in the taskbar there's also an icon.
    Right-click it, then Options, Interface, and check the box "Minimize to tray instead of taskbar".
     
  12. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,175
    Location:
    NSW, Australia
    Noob,

    I use the portable version. You can carry it in a flash drive and use it on any computer.
     
  13. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Did you mean any computer you own and keep secure, or any computer?
     
  14. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,175
    Location:
    NSW, Australia
    On any computer.

    http://keepass.info/features.html
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Do consider this too though:

    http://keepass.info/help/base/security.html#secspecattacks

    I'm sure I've seen some posts in the forum where the developer mentioned some other "specialized" attacks would also work including several obvious ones. I'm in favor of attempting to counter all threats be they "generic" or not. However, I find it hard to argue with the idea that there is only so much one can do.
     
  16. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,175
    Location:
    NSW, Australia
    Point taken.
     
  17. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Windows 7 x64 SP1 with all updates.
    KeePass v2.19

    BTW, just in case you guys didn't understand what I was referring to, here's a picture.
    I cannot remove the KeePass icon highlighted in the screenshot; if I close the KeePass window the whole program will close. :D
    [screenshot: KeePass icon on the taskbar]
     
  18. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    LOL, thanks man it worked. :D :D
     
  19. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    I use both. LastPass for regular websites and services. KeePass for important ones.
     
  20. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Why?
    Is one safer than the other? Or just personal preference. :rolleyes:
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think the idea people have is that if your data is "in the cloud" it's less secure. But the entire point of encryption is to create safe communication where eavesdroppers can't see the message (asymmetric at least) so as long as you're encrypted it doesn't matter.
     
  22. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    KeePass or LastPass? It is more about where you want to keep passwords, so the question is: offline or online? I go for KeePass; LastPass was hacked at least 3 times.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I would publicly post my lastpass database. I have 0 issue with it being open to the public.

    It's encrypted. I don't care.

    And even if LastPass's servers are seized it's encrypted even further on their servers.

    Like I said, the entire point is that anyone can have the data but only you can use it.

    And like you said, it's a matter of where you want the data. Do you want to be able to access it online? Use LastPass. Do you only want to access it from one computer? Use KeePass.
     
  24. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    LastPass vs KeePass:

    Tbh I feel much more confident with KeePass syncing via my own server with my own security, compared to having LastPass sync its passwords (nothing open-source, so who knows what kind of stuff they could do) via a big database which is a main target for every hacker, compared to my little unknown server.

    Besides that I feel like my KeePass setup would be way more secure when syncing:

    Key file (which never gets synced as it is always the same) inside several encrypted files (e.g. AxCrypt + Zip/rar/whatever), in a completely encrypted/secured folder. My KeePass database is highly encrypted (takes ~20 seconds to decrypt on my mobile phone, but my Core i7 Sandy Bridge needs about half a second :D). The KeePass file is also in a very secure folder. The whole syncing connection goes via VPN/SSH tunnel. My firewall allows syncing only to my server and no other IP/server.

    As hungryman said: Even if someone would ever find out about where my files are, they are still encrypted several times with different encryption methods/programs. Only I know the passwords (which are different for every encryption and pretty secure). I feel that this is more secure than LastPass and I also prefer to see/know what my password manager does and where my passwords are going.

    KeePass:
    - More secure
    - Open Source
    - Free
    - Same features (if not more) as LastPass (e.g. Browser support, replacing password managers of other programs, etc)


    How I use KeePass:


    I use it as replacement for pretty much all password managers. WinSCP,Filezilla,Putty,Firefox/Waterfox,Outlook/Thunderbird,MSN,Skype,..... all passwords are stored inside KeePass and I log-in/open programs by just right-clicking the KeePass entry and selecting "Open". And all that on every computer/mobilephone.
     
  25. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    I've just moved on to KeePass. I had been using LastPass for a long time. I love KeePass now. It's more secure than LastPass imo.
     