KeePass or LasPass?

Discussion in 'other software & services' started by Montmorency, Jun 21, 2012.

Thread Status:
Not open for further replies.
  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,076
    Location:
    USA
    What do you mean by "hacked"? Was it ever confirmed that anyone's data was compromised?
     
  2. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    they go access to the encrypted files and could download them and start bruteforcing/cracking them
     
  3. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,076
    Location:
    USA
    Can you link to information that documents that?
     
  4. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    just google... i dont have any links
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It was never confirmed that the single time they were actually hacked whether or not anyone got anything.

    And bruteforcing anything over 8 characters isn't even possible given the way LastPass is set up.
     
  6. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    But with Rainbowtables/Word lists it is "easily" possible.

    And I am pretty sure I have read (I think it even was LastPass's own security mail which told me to change my password as hacker could have got access to the db) something about them being hacked.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It still isn't easy because for every 1 password you have to try you have to try it at least 500x by default for LastPass users. So take however long your typical SHA256 hash takes and multiple it by 500. That's how long a single hash takes.

    Unless your attacker is using a massive cracking system 8 characters + a full feature set is enough to stop even a fast cracking scenario for a while. Adding only one more letter makes both pretty difficult (nearly 1000 hours for trillion per second, over 1000 MONTHS for 1billion)

    Avoiding dictionary attacks isn't difficult. Simple password padding is all it takes. Maybe your attacker has "password" in their dictionary but they won't have <<<<<password00000 - they'd have to bruteforce those two characters, which adds a ridiculous amount of time to the process.

    I also assume there's a salt so rainbow tables wouldn't work. I also don't see how they could because the number of rounds used is variable - you could rainbow table for 500 but then I'd just use 1,000 and you'd have to do another 500 rounds.
     
    Last edited: Jul 16, 2012
  8. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Cracking password is fairly "easy" these days.

    Cracking a password like this "Fgpyyih804423" takes 160 seconds with rainbowtables.

    A few more examples:

    thequickbrownfoxjumpsoverthelazydog = 700 seconds
    http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html

    Not to mention cracking via some botnet (so thousand of computers cracking for you).
     
  9. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,885
    Location:
    Stockholm Sweden
    Well I just did. Cant find that any users passwords has been leaked and it has been more than a year ago since that breach. Usually the ones who copies and cracks databases brag about it and provide evidence for having done so. Cant find any evidence that the breach has done any harm in real life, maybe you can direct us to such claims so that your posts doesn't get mistaken for FUD, Google doesn't seem to help.

    And since then LP has strengthened even more with stronger cryptography. Here some info about the event back in the day for people who havent heard of it.
     
  10. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    260
    LastPass are the innovators. The fact is that other password vendors are following in their footsteps, and security vendors (Webroot, Avast, Norton, etc. ) are starting to either license LastPass or similar password manager, or they're implementing their own, using the same methods of storing your encrypted data in the cloud so that you have access to it from anywhere on any device.
     
  11. Less

    Less Registered Member

    Joined:
    Dec 24, 2008
    Posts:
    276
    Lastpass for me.

    can used with yubikey.
     
  12. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    Well, since I'm the OP of this thread let me share my thoughts and final decision (I'm not going into the argument of which is more secure, both must have their flaws).

    KeePass on its own is not as easy to use as LastPass. The later will save and fill logins in a much more transparent way. It is, as well, more user friendly.
    But when you install KeeFox things change dramatically and usability is very close to LastPass's (after a learning curve).
    I also consider KeePass to be more configurable (even if some options are not obvious for the average user).

    All in all these two apps are arguably the best pass managers around.

    Personally I'm choosing KeePass.

    Thanks to all who gave their input, it has been a very stimulating discussion.
     
  13. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,885
    Location:
    Stockholm Sweden
    Good that you got the info you needed. The most important thing is not if you use Lastpass or Keepass or whatever, the important thing is that you take responsibility for your own safety online.
    Thanks to threads like this I decided to try Keepass to see if it would be more convinient for me (that is one of my biggest criteria to use any software :) ), but unfortunately it doesnt seem to manage to import the (to CSV) exported lastpass passwords :(
     
  14. guest

    guest Guest

    I could easily import the lastpass database into keepass, so is possible and easy but sadly and can't remember what I did.
     
  15. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,885
    Location:
    Stockholm Sweden
    Thanks for the info. It should of course be possible, may be something with my setup. I have been experimenting quite hard with my windows setup, I will try the same in Linux.
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,654
    Location:
    USA
    My feeling exactly! :thumb:
    I think it is an ideal situation for you to be able to utilize Wilders this way, and I am encouraged that over 100 responses actually helped you to arrive at a decision as opposed to hindered you!
    I also appreciate when an OP takes the time to get back to the thread with his decision. Good job, Montmorency. :cool:
     
  17. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    Crumbs... I'm blushing :oops:

    Thanks Page42.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,654
    Location:
    USA
    Ha ha. You're welcome. You should grow to really appreciate KeePass.
    Good luck with it.
    Remember to select "two-channel auto-type obfuscation" for all entries, and also make sure to select "Enter master key on secure desktop".
    :thumb:
     
  19. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    That is exactly what I meant with:
    Bit by bit I'm finding options, tweaks, bells and whistles.
    This program grows on you.
     
  20. drleper

    drleper Registered Member

    Joined:
    Nov 21, 2012
    Posts:
    1
    Old thread, but you can't use rainbow tables against LassPass because the passwords are salted (twice) before hashing.

    See this interview.
     
  21. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
    Yeah salted LastPass.:thumb:
     
  22. wiwul

    wiwul Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    133
    Getting back on this older thread. There is an interesting article on Lastpass on:

    http://blogs.computerworld.com/18265/four_things_you_should_know_about_lastpass

    and

    http://www.techerator.com/2011/03/why-i-left-lastpass-for-1password/

    Some people, in fact quite a significant number, donot wish to have their passwords/master passwords stored elsewhere. Even if it is encrypted a million times. It is out there somewhere and 'they' promise it is safe.
    Maybe it is.
    I am one of those (old-fashioned?) people feeling uncomfortable/uneasy with that idea. Having to depend on some server and where my email address is my user-id etc. (can be guessed easily)

    That said, I do agree, both Lastpass and the Lastpass website, they definitely look fantastic! No doubt about that. If you donot worry about depending on a server somewhere, well, LastPass is one of the very best choices. A yearly fee of 12 dollar isn't expensive.

    Keepass is free.

    Am not sure about their browser integration though.


    =
     
  23. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    I keep my keepass password database in Dropbox so it's available on all my computers and android devices. I use a keyfile + password for protection, so even if someone hacked into my dropbox account and obtained the database file, they wouldn't be able to open it with password recovery software unless they somehow obtained my keyfile, which is only located locally on my devices.
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,654
    Location:
    USA
    Excerpted
     
  25. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,209
    Location:
    USA
    I used to think that way, but then I realized that even though I consider myself to be pretty skilled with a computer, I'm sure the IT staff at LastPass spends 100% of their time keeping my info safe. Even though they are a huge target they have much greater resources than I do. The odds of someone getting my passwords from them is probably lees likely than them getting into my machine and getting them. I have been using LastPass for about a year now and couldn't be happier. Use a good password and there shouldn't be too many worries.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.