Password Software

Discussion in 'privacy technology' started by T_Durden, Mar 16, 2011.

Thread Status:
Not open for further replies.
  1. T_Durden

    T_Durden Registered Member

    Joined:
    Jun 9, 2010
    Posts:
    90
    Location:
    Chicago area
    What is the general thought on programs like LastPass, KeePass, etc.? Are they safe to use overall? I have been questioning getting one but am not yet sure. o_O
     
  2. MajorPleasure

    MajorPleasure Registered Member

    Joined:
    Feb 8, 2011
    Posts:
    20
    Location:
    Denmark
    I've never been fond of password managers.
     
  3. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    Your had is the best password safe
     
  4. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    I use KeePass because it can run on both Linux and XP, and I've been using both. You can back up your PW database on a USB stick or something to take it with you if need be. I personally decided not to use an online service. I just don't like the idea of my passwords being stored on a device controlled by someone else, even if it is encrypted.

    I disagree that "your head is the best password safe" (at least I assume he meant head). Unless you have a phenomenal memory, you will either make most of your internet passwords simple, or the same, with a few exceptions like your bank. With Keepass, for example, my passwords to all forums are different, 16-20 characters, each character randomly chosen out of 70 or so possibilities. I have NO hope of remembering them. With Keepass I have a single complex password to remember.

    As with many choices, there are tradeoffs. You have to log on to the password safe each time you log in, if you want to visit forums or such. Your alternative is to let your browser remember passwords, but that is not very secure, and not portable.

    Logging on to forums and such requires using the clipboard to cut and paste passwords. There is the possibility that your computer could be compromised and the PW stolen, but the same is true if your computer is compromised by a keylogger, so I don't think the risk is that much greater. KeePass can add a little more security to the cut and paste (TCATO or something), but they admit it could be cracked. Also, that option is not available on the Linux version (KeePassX).

    The PW safes I know of will provide some method of easily filling in the username and PW to log you in, so all you would have to do would be to navigate to wilders, put the cursor in the username field, hit a hotkey, and the PW safe will fill in the username and password for you.

    Good luck with your choice.
     
  5. Pazzie

    Pazzie Registered Member

    Joined:
    Feb 24, 2011
    Posts:
    14
    There are differences between password managers.

    Lastpass stores all your passwords (encrypted) on their server.
    As far as I know, Keepass stores them (encrypted) on your computer.

    So you have to decide if you want to store your passwords online or offline and whether you trust a company to store your passwords on their servers.

    I use 1Password for Windows (but not for my bank accounts etc.), which also uses encryption. You have the option to store your passwords on Dropbox so they can be synced, but you can also store them on your computer.

    Another option is maybe:
    PasswordCard
    Or a combination (like using PasswordCard for your Master Password). It doesn't use symbols, but I think it is better than a dictionary password.

    There are some risks. If someone knows your master password (and with offline stored passwords, also has access to your password container) they could get access to all your passwords.

    I also saw this:
    https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I use LastPass, because it works with almost all browsers and OS, but only for non-important sites (not bank or e-mail).
     
  7. monkeybutt

    monkeybutt Registered Member

    Joined:
    May 18, 2009
    Posts:
    126
    Anyone know how safe LP is with a YubiKey? I would think this would help immensely.
     
  8. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    LastPass is vulnerable to XSS attacks, which is why I now use KeePassX. It's much more secure since the passwords never leave your machine and are encrypted.
     
  9. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Opera has its own password manager; it has AES 256-bit encryption, password controlled, but I use KeePass, which is encrypted with AES or Twofish.
     
    Last edited: Mar 20, 2011
  10. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    I would never trust offline storage for anything I value.

    I've had no issues using both KeePass and Ilium eWallet for many years now. If I didn't need Palm synchronization, I would just use KeePass.
     
  11. tlu

    tlu Guest

    That's fixed. They've implemented a bunch of countermeasures.

    The passwords you use with Keepass are also encrypted, of course, and also stored on your computer (not only on their server).
     
  12. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    The discoverer of the XSS flaw said he feels it is only a matter of time before someone else uses a similar flaw to actually get a hold of the passwords stored by LastPass.

    Meh, KeePassX is just as good. It doesn't fill out forms automatically, but it does have an option to "Perform Autotype" which works in most cases the same way. Most importantly, the data is encrypted on my machine and never leaves it. It's just safer, imo.
     
  13. crash79`

    crash79` Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    114
    Location:
    Isle of Bute Scotland
    I use Sticky Password but I don't know if it is safe or not.
    John
     
  14. tlu

    tlu Guest

    Well, they not only fixed the XSS hole and implemented HSTS as suggested by Mike, but also X-Frame-Options and Content Security Policy, which are additional security layers. (Besides, I'm also using NoScript with its XSS filters.)

    BTW: In a comment on Mike's site Steve Gibson wrote:

    ... and Mike hasn't contradicted so far.
     
  15. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    While I agree LastPass is good and secure for the most part, for me I would rather not have all of my passwords for everything, encrypted or not, stored on one single server somewhere. Is it paranoid? Maybe, but I don't care. I'd rather have my passwords stored locally where I know they are. I use KeePass and have KeeFox installed in Firefox, which makes KeePass very convenient to use in Firefox.
     
  16. tlu

    tlu Guest

    I wasn't aware of Keefox. What I don't like at all about it is that it's not available on AMO and, consequently, did not undergo the AMO review process.
     
  17. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    I have emailed the author of Keefox and asked him about this. Will let you know what he responds. In the meantime anyone can view the Keefox source code here: http://keefox.svn.sourceforge.net/viewvc/keefox/
     
  18. tlu

    tlu Guest

    Thanks :thumb:
     
  19. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    Try SHA1_Pass. It does not store passwords, it only generates them. Nothing to back up, synchronize or lose. It's free, open source and other utilities (sha1sum, openssl, etc.) can reproduce the passwords. I wrote it and use it every day.

    http://16s.us/sha1_pass/
     
  20. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,115
    I run KeePass only with its internet connection blocked by Avira, so I don't run the risk of my passwords being sent over the internet. As for how to fill out the password in the browser, I don't see any problem in having to type them.
     
  21. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Here is the response I got about Keefox being added to AMO.


    Hi,

    It's not been approved because I've not submitted it. That's because AMO is unsuitable for long-term development projects - they require a stable non-experimental version of each add-on; although recent AMO policy changes may have relaxed this somewhat, I've not had time to prepare the descriptions and explanations for the submission because I'm too busy trying to get the add-on out of beta and stable enough that it can be easily installed and used by everyone who accesses AMO. Whether AMO reviewers accept the add-on is of course uncertain but I hope that they will when I eventually get around to submitting it.
     
  22. tlu

    tlu Guest

    Thanks for this info! So the Keefox author himself admits that this extension is not yet stable enough. I think I'll wait for that.
     
  23. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    True but I have been using it for 6 months now and have yet to have any issues. It seems to work great with Firefox 4 as well.
     
  24. x942

    x942 Guest

    I use KeePass sandboxed with Sandboxie and store the encrypted (AES 256-bit) database on my encrypted 1TB external HDD (cascade algorithm w/TrueCrypt).

    This way it:
    1) Is isolated from the rest of my system
    2) Has no Internet access
    3) Requires 2 passwords to get in. (My HDD, which is 64 chars. randomly generated using 4 generators, and then the 40 chars. randomly generated KeePass password + keyfile + Windows account.)

    That's what I call Security :D
     