FYI, another alternative to LastPass. While I am currently not going to use any cloud-based password service any longer (at least until the NSA affair becomes somehow clearer...), it's interesting to see their technology, which seems pretty standard. https://www.mitro.co/security-faq.html
I installed Comodo Dragon to give Mitro a try, at least for some not highly sensitive passwords. Some first impressions: 1. Works pretty flawlessly. 2. More basic than LastPass, far fewer notifications. 3. Lack of customization; for example, it's not possible to set the PBKDF2 iterations, which are set by default. 4. Two-factor auth not tested so far. 5. I think it does not have any web interface; everything is just in the browser. 6. Team password sharing service not tested.
Update: Mitro does not have any password generation function, thus when I want to add a new site I have to generate a psw with KeePass and then store it in Mitro. Not very comfy indeed.
Carrying on testing. Some issues around (Mitro fails to ask to save passwords on some websites), but support is really quick to answer. The more I use it, the more I like it. They also told me that a new version is under development with some new features. Two-factor authentication is set up and works fine. It also generates some backup codes, to be able to log in even without a phone.
Perhaps I shouldn't say this, but after some people have started to realize what the government has been doing for decades just recently, one word: backups and off-cloud storing of password databases is a must. I suggest taking a look at KeePass, works perfectly over here.
Happy with LastPass; auto logging into a forum is just a life saver, especially if you have set security/privacy addons onto your browser. If you are worried about usernames/passwords being NSAed or other adversaries, then perhaps don't save any info from any strange websites!
Sure, why not... NO! Use a proper offline password manager such as KeePass and be done with it, end of discussion. If you want online availability, use it in conjunction with a TC encrypted container in Dropbox etc. Tootaloo.
Hosting on Dropbox makes it no more secure than LastPass, try your own server. We can use whatever we want, thank you very much. Lastly, this kind of discussion belongs here: https://www.wilderssecurity.com/showthread.php?t=348713
Well, in a TC container... it is, or, if you're up to it, as you've already said, your own server. And last but not least, sure, use whatever you want; I'm just stating opinions, that's all. Enjoy your LastPass, lols.
I'm not intimately familiar with Dropbox or LastPass, but I think I have a relevant comment. Applicable to this topic even. In the "using a known cloud password manager site with strong connection security" scenario, intermediary snoops can/will discover that you are (repetitively) accessing a particular cloud password manager site. From that they can/will learn you are using a cloud password manager, which one, and (assuming its algorithm is fixed/published) what encryption/decryption algorithm is in use. The cloud password manager company also knows that information. Someone that gains unauthorized access to the files on their server should know that as well. In the "uploading privately encrypted password database files to generic cloud storage with strong connection security" scenario, intermediary snoops can/will discover you are accessing generic cloud storage but they won't know what it is that you are accessing. The generic cloud storage provider, also, shouldn't know what it is that you are accessing. Filenames *should* be encrypted too, and users *should* use obscure filenames and extensions for their (encrypted) password database. Even if the user were foolish and named their file 'MyPasswordDatabase' and the generic cloud storage provider could see it, the provider *should* have to guess or do some work to figure out what tool was used, what the encryption/decryption algorithm is, etc. Those last two items would also apply to anyone that gains unauthorized access to the files on the server. Exposing as little information as possible, to strangers, about your method of managing/encrypting passwords is wise. Which makes this an even better approach than the two mentioned above. Especially if it is not an Internet accessible server.
How will they identify your account if they cannot find what you uploaded? Either way, exposing your data to a third party eliminates the worthwhile benefits of using a "proper" password manager.
Going open source, but also end of development I guess. https://www.eff.org/deeplinks/2014/07/mitro-a-new-free-password-manager http://labs.mitro.co/2014/07/31/mitro-is-joining-twitter/
Will check it on my new machine, nice that they made it open source. I guess it's all about the money that they decided to switch to Twitter.
So, is anyone using this? What's missing and what's great? There's not much info on the web about it. I might need to test it out later.