Password Software

what is the general thought on programs like Lastpass, Keepass etc..? Are they safe to use overall? I have been questioning getting one but am not yet sure.

 

I've never been fond of password managers.

 

Your had is the best password safe

 

I use KeePass because it can run on both linux and xp, and I've been using both. You can backup your PW database on a usb stick or something to take it with you if need be. I personally decided not to use an online service. I just don't like the idea of my passwords being stored on a device controlled by someone else, even if it is encrypted.

I disagree that "your head is the best password safe" (at least I assume he meant head). Unless you have a phenomenal memory, you will either make most of your internet passwords simple, or the same, with a few exceptions like your bank. With Keepass, for example, my passwords to all forums are different, 16-20 characters, each character randomly chosen out of 70 or so possibilities. I have NO hope of remembering them. With Keepass I have a single complex password to remember.

As with many choices, there are tradeoffs. You have to log on to the password safe each time you log in, if you want to visit forums or such. Your alternative is to let your browser remember passwords, but that is not very secure, and not portable.

Logging on forums and such requires using the clipboard to cut and paste passwords. There is the possibility that your computer could be compromised and the PW stolen, but the same is true if your computer is compromised by a keylogger, so I don't think the risk is that much greater. Keepass can add a little more security to the cut and paste (TCATO or something), but they admit it could be cracked. Also, that option is not available on the linux version (KeepassX).

The PW safes I know of will provide some method of easily filling in the username and PW to log you in, so all you would have to do would be to navigate to wilders, put the cursor in the username field, hit a hotkey, and the PW safe will fill in the username and password for you.

Good luck with your choice.

 

There are differences between password managers.

Lastpass stores all your passwords (encrypted) on their server.
As far as I know, Keepass stores them (encrypted) on your computer.

So you have to decide if you want to store your passwords online or offline and whether you trust a company to store your passwords on their servers.

I use 1Password for Windows (but not for my bank accounts etc). Which also uses encryption. You have the option to store your passwords on Dropbox so they can be synced, but you can also store them on your computer.

Another option is maybe:
PasswordCard
Or a combination (like using PasswordCard for your Master Password). It doesn't use symbols, but I think it is better than a dictionary password.

Their are some risks. If someone knows your master password (and with offline stored passwords, also has access to your password container) they could get access to all your passwords.

I also saw this:
https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details

 

I use LastPass, because it works with almost all browsers and OS, but only for non-important sites (not bank or e-mail).

 

Anyone know how safe LP is with Yubi key? I would think this would help immensely

 

LastPass is vulnerable to XSS attacks, which is why I now use KeePassx. It's much more secure since the passwords never leave your machine and are encrypted.

 

Opera has it's own password manager it has AES 256 bit encryption password controlled, but I use keepass witch is encrypted with AES or Twofish.

 

I would never trust offline storage for anything I value.

I've had no issues using both KeePass and Ilium eWallet for many years now. If I didn't need Palm synchronization, I would just use KeePass.

 

That's fixed. They've implemented a bunch of countermeasures.

The passwords you use with Keepass are also encrypted, of course, and also stored on your computer (not only on their server).

 

The discoverer of the XSS flaw said he feels it is only a matter of time before someone else uses a similar flaw to actually get a hold of the passwords stored by LastPass.

Meh, KeePassX is just as good. It doesn't fill out forms automatically, but it does have an option to "Perform Autotype" which works in most cases the same way. Most importantly, the data is encrypted on my machine and never leaves it. It's just safer, imo.

 

I use sticky paword but I don't know if it is safe or not.
John

 

Well, they did not only fix the XSS hole and also implemented HSTS as suggested by Mike but also X-Frame-Options and Content Security Policy which are additional security layers. (besides, I'm also using Noscrpt with its XSS filters.)

BTW: In a comment on Mike's site Steve Gibson wrote:

... and Mike hasn't contradicted so far.

 

While agree Lastpass is good and secure for the most part. For me I would rather not have all of my passwords for everything encrypted or not stored on one single server somewhere. Is it paranoid? Maybe but I don't care. Id rather have my password stored locally where I know they are. I use Keepass and have Keefox installed in Firefox which makes Keepass very convenient to use in Firefox.

 

I wasn't aware of Keefox. What I don't like at all about it is that it's not available on AMO and, consequently, did not undergo the AMO review process.

 

I have emailed the author of Keefox and asked him about this. Will let you know what he responds. In the meantime anyone can view the Keefox source code here: http://keefox.svn.sourceforge.net/viewvc/keefox/

 

Thanks

 

Try SHA1_Pass. It does not store passwords, it only generates them. Nothing to backup, synchronize or loose. It's free, open source and other utilities (sha1sum, openssl, etc.) can re-produce the passwords. I wrote it and use it every day.

http://16s.us/sha1_pass/

 

Run only the Keepass with the internet connection blocked by Avira, so don't run the risk of my passwords are sent over the internet. How to fill out the password in the browser, I don't see any problem in having to type them.

 

Here is the response I got about Keefox being added to AMO.


Hi,

It's not been approved because I've not submitted it. That's because AMO is unsuitable for long-term development projects - they require a stable non-experimental version of each add-on; although recent AMO policy changes may have relaxed this somewhat, I've not had time to prepare the descriptions and explanations for the submission because I'm too busy trying to get the add-on out of beta and stable enough that it can be easily installed and used by everyone who accesses AMO. Whether AMO reviewers accept the add-on is of course uncertain but I hope that they will when I eventually get around to submitting it.

 

Thanks for this info! So the Keefox author himself admits that this extension is not yet stable enough. I think I'll wait for that.

 

True but I have been using it for 6 months now and have yet to have any issues. It seems to work great with Firefox 4 as well.

 

I use KeePass sandboxed with sandboxie and store the Encrypted (AES-256 BIT) database on my Encrypted 1TB External HDD (Cascade Algorithm W/TrueCrypt).

This way it:
1) Is Isolated from the rest of my system
2) Has no Internet access
3)Requires 2 Passwords to get in. (My HDD which is 64 Chars. Randomly Generated using 4 generators and than the 40 Chars. Randomly Generated Keepass Password + Keyfile +Windows account).

That's what I call Security