Very strong password? Nothing to worry about.
1Password
- Thread starter ShaggyRS6
- Start date
Very strong password? Nothing to worry about.
Looks like you need to pay to use it on Android. I'll stick with completely free Keepass thanks.
Correct me if i'm wrong but it looks like with Lastpass it's all stored on their servers which makes it less in your control. Keepass is all completely local, except for Dropbox but that's a user choice not a necessity.
Associate
- Joined
- 17 Sep 2008
- Posts
- 1,759
LastPass keeps local copies of your encrypted password database on each synced device as well as on the remote server.
To be honest I'm a bit baffled by people who say they won't trust LastPass because their (client-side encrypted) passwords are stored on a remote server, yet are apparently quite happy to sync their Keepass data file via SkyDrive, Dropbox or whatever. At the end of the day the net result is pretty much the same, except the LastPass route is more streamlined and convenient.
I suppose the concern that LastPass is a tempting target for hackers has some validity, but unless the bad guys have a quantum computer (or you've been stupid enough to use a weak master password), they couldn't do much with any data they did manage to exfiltrate.
To be honest I'm a bit baffled by people who say they won't trust LastPass because their (client-side encrypted) passwords are stored on a remote server, yet are apparently quite happy to sync their Keepass data file via SkyDrive, Dropbox or whatever. At the end of the day the net result is pretty much the same, except the LastPass route is more streamlined and convenient.
I suppose the concern that LastPass is a tempting target for hackers has some validity, but unless the bad guys have a quantum computer (or you've been stupid enough to use a weak master password), they couldn't do much with any data they did manage to exfiltrate.
It's different if key file support is enabled and kept away from the sync server.
True, I just worry a little about the size of target LastPass is for bad guys. On top of the encryption with Keepass I have a degree of security through obscurity - who's going to bother to try to decrypt one individual encrypted file with a strong password even if they did happen to get it.
Perhaps misguidedly but in my head (
) it works the same way as a lock and alarm on a house. It's still possible to get in if you really are determined but the rewards make it not worth while, it's just more productive to pick a bigger/more lucrative target..You're quite right though, strong master password is the way forward, at least 15 characters, preferably more. Pass Phrases with some randomisation seem to be a good compromise. Relatively secure and relatively easy to remember. e.g. iLove44kebabsEarlyIntheday (I love 44 kebabs early in the day) is much easier to remember than jjsd883hbdhyy7dhj8hd0hrpxg. Actually substituting 1s of Ls and 0s for Os, 3 for E etc really doesn't help much as they are well known and so amongst the first combos tried. You can add special characters and more numbers but in effect you have an instant 26 character password that I bet as you're reading this now you can still remember where the random letter combo you'll not get past remembering the first 2 characters if you are lucky
Last edited:
I think it's the fact you have a choice whether it's on a server somewhere or not. Not everyone needs it synced between devices so won't even be using dropbox, meaning it is only stored on their local machine.
Plus, I've renamed my KeePass database to a different file ext. aswell so if anyone does get access to my dropbox account they won't even know they've got a database full of my passwords.
Also you mention LastPass being more streamlined. Dropbox updates automatically anyway so I doubt there's much difference.
KeePass and Dropbox user here.
Same concerns as others about any online solution being an obvious target.
Saying that other solutions "do this automatically" isn't much of an argument when you actually consider how easy the KeePass and dropbox solution is to set up and how transparent it is after that.
Not saying I would suggest anyone would move away from LastPass through any belief that my data is any MORE secure than yours though.
Same concerns as others about any online solution being an obvious target.
Saying that other solutions "do this automatically" isn't much of an argument when you actually consider how easy the KeePass and dropbox solution is to set up and how transparent it is after that.
Not saying I would suggest anyone would move away from LastPass through any belief that my data is any MORE secure than yours though.
Do you want to attempt to break AES-256 encryption then because that is exactly what would be needed to break through. All you data is stored locally and then encrypted, the data is then sent to their servers in its encrypted form.
$12 USD a year for that which is hardly expensive.
To be honest I had many of the above mentioned concerns when I first heard about it and so I spent hours on their website reading everything I could and then found the review by Steve Gibson which I sat and watched (epic), I have been using Lastpass for years now and never once had my data stolen or hacked.
Stoner.
Don't forget to enable Dropbox two-step verification! https://www.dropbox.com/help/363/en
It is when you could just use keepass and not pay a penny.
Already done. And yes i would highly suggest anyone with dropbox do this.
I just looked at LastPass premium so I can use it on my S3 but frankly with the number of poor reviews it doesn't look worth it over and above the free version. Many people with my phone having the same issues.
I just did the DropBox/Google two-step...what a faff but I seem to have managed it. Google's Authenticator app is nice and user friendly.
I just did the DropBox/Google two-step...what a faff but I seem to have managed it. Google's Authenticator app is nice and user friendly.
Associate
- Joined
- 17 Sep 2008
- Posts
- 1,759
It's not just a case of it updating automatically - it's the automatic form filling and tight integration with all the major browsers which makes LastPass so convenient (I don't use the Android app so can't comment on it). Yes, KeePass also has browser plugins, but they don't work as well in my experience, and having to involve a separate cloud provider just makes it all seem a messier and more cobbled-together solution IMHO.
Plus, the KeePass/Dropbox route can run into sync issues as someone mentioned above - I've also come across the "xxxx's conflicted copy" situation after leaving a KeePass data file open on two machines and making independent modifications on both.
Still, whatever works best for you... the point I'm really making is that IMO concerns about security with LastPass are unfounded, and are often based on a misunderstanding about the way it operates. It might also be worth mentioning that Dropbox doesn't exactly have a spotless security reputation, and SkyDrive doesn't even encrypt files at the server end, although a KeePass database file with a strong password should be pretty bombproof regardless.
I use lastpass these days and have the paid for android app, wouldn't be without it either. Saves a huge amount of issues regarding some very obscure sites and the password generation options are handy.
Keepass is good though, but I'm not sure I'd be saving it somewhere like Dropbox etc, people don't seem to realise that two factor authentication isn't much of a barrier to a hacker who's targeting you - although the chances of being targeted are exceptionally low. Personally I save nothing valuable or personally important to dropbox, skydrive etc and only use Crashplan for those sorts of backups as I can if I need to get access to any file on my PC from anywhere using it, it's just not that fast !
Keepass is good though, but I'm not sure I'd be saving it somewhere like Dropbox etc, people don't seem to realise that two factor authentication isn't much of a barrier to a hacker who's targeting you - although the chances of being targeted are exceptionally low. Personally I save nothing valuable or personally important to dropbox, skydrive etc and only use Crashplan for those sorts of backups as I can if I need to get access to any file on my PC from anywhere using it, it's just not that fast !
1Password is a must on a Mac. But feels half baked on a PC. The best alternative imo is LastPass.
No.