Keepass password safe?

Soldato (joined 18 Feb 2007, 13,393 posts, London)
Hi

Does anyone use keepass to remember all the passwords they use or anything else better?

I have so many passwords I'm always forgetting them and came across keepass password safe.

I'm wondering if this program is any good and if you can use it from a USB stick.

Thanks
 
Yes, I use Keepass and I keep the database on Dropbox. Not everyone is comfortable doing that, but you can also use a key file alongside your password (don't upload the key file to Dropbox too) so that even if Dropbox is compromised, and your password is worked out, they still can't get at your database. If you intend to use a key file make sure you keep multiple copies scattered around different drives/USB sticks/etc, as without the key file the database is useless.

Personally I'm content with just a secure password for the database.

There are plugins to get Chrome and Firefox to automatically fill in password boxes from Keepass too.

The other popular option is the cloud-based Lastpass (the browser plugins for which are less clunky than the Keepass method), but it costs $12 a year for the premium version (which adds mobile support). Give the free standard version a go first.
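The key-file advice above rests on how KeePass combines its key components. As an added illustration (not code from this thread or from KeePass itself), the following Python models a composite key built from a master password plus a key file, then a slow key transformation on top. The construction (SHA-256 of each component, concatenated, hashed again) and the use of PBKDF2 as the stretching step are assumptions made for the demo; KeePass's own transformation differs in detail but the outcome is the same: with only the password, or only the key file, the database stays locked.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs for the demo; neither is a real secret.
MASTER_PASSWORD = "correct horse battery staple"
KEY_FILE_BYTES = bytes(range(32))          # stands in for a generated 32-byte key file
DB_SALT = b"constructed-database-salt"      # KeePass keeps the real salt in the DB header


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Modelled on KeePass's composite key (an assumption about the
    construction, not KeePass's own code): each supplied component is
    hashed with SHA-256, the digests are concatenated in a fixed order
    (password first, key file second) and the concatenation is hashed
    once more. Leaving out either component changes the result."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    if not parts:
        raise ValueError("at least one key component is required")
    return hashlib.sha256(parts).digest()


def transformed_key(composite: bytes, rounds: int = 60_000) -> bytes:
    """Stand-in for the key transformation that makes each password guess
    slow. PBKDF2-HMAC-SHA256 is assumed here; KeePass itself uses AES-KDF
    or Argon2, but the point (a fixed cost per guess) is the same."""
    return hashlib.pbkdf2_hmac("sha256", composite, DB_SALT, rounds)


def enrolled_key() -> bytes:
    """The key the database was created with: password AND key file."""
    return transformed_key(composite_key(MASTER_PASSWORD, KEY_FILE_BYTES))


def can_open(stored: bytes, password: Optional[str], key_file: Optional[bytes]) -> bool:
    """True only when the supplied components reproduce the stored key.
    A real database would attempt decryption and fail a header check;
    comparing derived keys in constant time models that outcome."""
    try:
        candidate = transformed_key(composite_key(password, key_file))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    stored = enrolled_key()
    print("password + key file :", can_open(stored, MASTER_PASSWORD, KEY_FILE_BYTES))
    # The scenario from the post: Dropbox copy stolen and password worked out,
    # but the key file was never uploaded.
    print("password only       :", can_open(stored, MASTER_PASSWORD, None))
    # The flip side: key file present but the password forgotten.
    print("key file only       :", can_open(stored, None, KEY_FILE_BYTES))
    # And why spare copies matter: a wrong or corrupted key file is as bad as none.
    print("wrong key file      :", can_open(stored, MASTER_PASSWORD, b"\x00" * 32))
```

Run it as a script to see the four outcomes; only the first line prints True. The same code shows the cost of the key-file approach the post warns about: the key file is a second secret with no recovery path, so it needs the same backup discipline as the database itself.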
 
> Hi
>
> Does anyone use keepass to remember all the passwords they use or anything else better?
>
> I have so many passwords I'm always forgetting them and came across keepass password safe.
>
> I'm wondering if this program is any good and if you can use it from a USB stick.
>
> Thanks
Used to use it, until I totally forgot my master password and was then screwed. I needed to use it lots to keep that password fresh in my own head, but didn't :(
 
I use and have set up KeePass for a number of people - including one business.

I've got a couple of pieces of advice that I tell everyone:

First, like others have said above, use Dropbox or Google Drive to sync your password database.

This lets you use it on your phone and, in turn, log in to services on other computers. On the iPhone use KyPass 3, not sure what the best Android app is as I don't have one.

The mobile apps also let you set up a "pin" (which you can only get wrong once before you need to reenter your full master password again) that means in the situation where you forget your master password you've got one last chance to log in to your KeePass database with an easy to remember number - although this is mitigated with the advice below as well.

Secondly, extract a portable version of KeePass to your Dropbox folder. In addition to always having access to your KeePass database this means you'll always have a trusted version of KeePass you can use.

With this in mind, my third suggestion is to remember 4 key passwords - which you make long and complex (20 characters kind of thing)

1) Your KeePass master password - this should be obvious!
2) Your file syncing password - If you find yourself without your phone or own computer, knowing your Dropbox / Google Drive password will allow you to access your KeePass database.
3) Your email password - If you forget both of the above then knowing your email password means you can reset your passwords for any service
4) Banking Password - Personal preference here but I choose not to store my banking password in KeePass

These key points should mean you don't end up in the same situation as nade!
 
I've just started using Lastpass.

Can't fault it so far.

But I don't have a yardstick to measure it

Very similar, I used Keepass and moved to Lastpass only because at the time LP had an Android app and Keepass didn't, never gone back though as Lastpass is just that little bit less hassle but arguably also probably that little bit less secure.
 
Lastpass. Their servers are just as safe as any other server out there and definitely more secure than your own!

also couple it with a yubikey and you have a great password management system.

Currently have 84 passwords that are extremely complex. But only 1 that I need to remember, plus to have my yubikey with me.
 
I use Keepass 2 with auto-type enabled; this uses a keyboard combination of your choice and it works in all browsers. This eliminates the need to install an addon for each browser just to auto login to a website.
 
Do you guys who use last pass like the auto field feature when entering passwords into websites?

Also, is it a hassle if I ever get a new PC to move the password DB across, or is everything stored in the cloud? Is anything stored on the computer or browsers?
 
If you use Android I recommend Keepass2Android. VERY VERY VERY important rule for using any Android password manager: don't use copy and paste, it's trivial for a malicious app to sniff the clipboard. Keepass2Android comes with a keyboard that directly enters usernames and passwords into fields.

For the Windows program there is an option in the settings somewhere called something like "enable secure desktop". This makes it almost impossible for key loggers to read your master password.
 
> Lastpass is just that little bit less hassle but arguably also probably that little bit less secure.

Utter garbage.

Lastpass uses AES-256 encryption to secure your data: the decryption happens on your machine, any changes are made to the file, which is then encrypted, and the encrypted file is sent to Lastpass. Lastpass never ever receives your master password in any form; even if they were ordered to hand over information by a court they couldn't do so, since they don't have the information.

I have been an avid user of Lastpass for 5 years or so now and never once had any data stolen, lost or anything else.

Steve Gibson did an hour-and-a-half-long video on Lastpass and their hashing process; it's quite fascinating.

> Do you guys who use last pass like the auto field feature when entering passwords into websites?
>
> Also is it a hassle if I ever get a new pc to move the password db across or is everything stored in the cloud, Is anything stored on the computer or browsers?

The auto is a godsend since all my passwords are very complex. As for moving to a new PC or even a fresh install, it is extremely simple since any changes are automatically sent to the Lastpass servers; the local file stored on your PC still needs decrypting before access is granted to the data contained within. On the new machine you simply install the plugin or even log in to your vault via the Lastpass website and away you go.

I could not live without Lastpass now it really is that good.

Stoner81.
 
> Lastpass never ever receives your master password in any form
Well, being Mr Pedantic that's not *quite* true as they keep the salted master password hashes in their database, but I get what you're saying. In any case they couldn't do much with them unless they can break AES-256 encryption, and neither could a potential hacker who managed to exfiltrate the database (there was a suggestion this was done once, although IIRC it was never confirmed).

Of course if you've got a rubbish master password all bets are off, but this goes for any other program as well.


> The auto is a godsend since all my passwords are very complex. As for moving to a new PC or even a fresh install is extremely simple since any changes are automatically sent to the Lastpass servers, the local file stored on your PC still needs decrypting before access is granted to the data contained within. On the new machine you simply install the plugin or even login to your vault via the Lastpass website and away you go.
>
> I could not live without Lastpass now it really is that good.
>
> Stoner81.
Me too. :)
 
> Well, being Mr Pedantic that's not *quite* true as they keep the salted master password hashes in their database, but I get what you're saying. In any case they couldn't do much with them unless they can break AES-256 encryption, and neither could a potential hacker who managed to exfiltrate the database (there was a suggestion this was done once, although IIRC it was never confirmed).

How do they do that exactly because all of the encryption/decryption process takes place on your machine first before any data is sent to Lastpass. Breaking AES-256 encryption with a decent sized password would take millions of years.

Stoner81.
 
> How do they do that exactly because all of the encryption/decryption process takes place on your machine first before any data is sent to Lastpass. Breaking AES-256 encryption with a decent sized password would take millions of years.
>
> Stoner81.
Oh I agree, I was just making the point that it's not strictly accurate to say that Lastpass never receives the master passwords "in any form."

It's not entirely nitpicking because if the master password database were compromised, people who'd used a weak master password might theoretically be vulnerable to a brute force attack. Strong master passwords would be safe, at least until someone breaks the AES algorithm itself.
 
> It's not entirely nitpicking because if the master password database were compromised, people who'd used a weak master password might theoretically be vulnerable to a brute force attack. Strong master passwords would be safe, at least until someone breaks the AES algorithm itself.

What master password database? Do you mean something they use to allow you to log in in the first place? If so then it still wouldn't matter, since your password is hashed, your email is hashed, then the two together are combined and hashed again (I think, it's been a while). The hashing process is one way only so it can't be reversed afaik.

I might have to dig up that Steve Gibson video again it's been a while since I have really gone in to this amount of depth with Lastpass :)

Stoner81.
 
> Used to use it, until I totally forgot my master password and was then screwed. I needed to use it lots to keep that password fresh in my own head, but didn't :(

You can use a bit of hardware to store the password like the Yubikey; you can use it for two-factor or just store a large password on it and it will type it in at the touch of a button :)
 
> What master password database? Do you mean something they use to allow you to log in in the first place? If so then it still wouldn't matter since your password is hashed, your email is hashed then the two together are combined and hashed again (I think, it's been a while). The hashing process is one way only so it can't be reversed afaik.
Well, when the (alleged) security breach happened in 2011, Lastpass issued a security notification advising anyone who had a weak password to change it, so I guess it's possible at least in theory: http://www.pcworld.com/article/227268/lastpass_ceo_exclusive_interview.html

"We know the machines involved have the users' encrypted blob data as well as the data for their usernames, their password hashes, and the salt for those hashes. Because of that and the size of the data, we don't think more than a couple hundred blobs could have been taken.

[snip]

You can combine the user's e-mail, a guess on their master password, and the salt and do various rounds of one-way mathematics against it. When you do all of that, what you're potentially left with is the ability to see from that data whether a guess on a master password is correct without having to hit our servers directly through the website.

The threat is that once somebody has that process down, they can start running it relatively quickly, checking thousands of possible passwords per second. If you made a strong master password, you are pretty much in the clear--it's not really an attackable thing. But if you used a dictionary word, that is within the realm of someone cracking it in a reasonable time frame."

It's worth reiterating that (a) the "attack" was never confirmed and (b) for users with a strong master password it was a non-issue in any case.
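The interview quoted above describes exactly why a hash of the master password is not harmless even though it is one-way: whoever holds the salted hash can test guesses offline, and the only defences are the round count and the strength of the password. The following Python is an added example (not from this thread, and not LastPass's actual scheme) that models such a server-side record as e-mail + master password + per-user salt run through PBKDF2-HMAC-SHA256, and then uses the same check the way the service itself did in 2011: to find which of its own users chose a common-word master password and need to be told to change it. The record layout, the round count and the sample accounts are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Iterable, List

# Assumed iteration count, deliberately low so the demo runs in well under a
# second; a real client would use far more, which raises every cost below linearly.
ROUNDS = 2_000


def derive(email: str, master: str, salt: bytes, rounds: int) -> bytes:
    """The 'various rounds of one-way mathematics' over e-mail, master
    password and salt. Modelled with PBKDF2-HMAC-SHA256 (an assumption)."""
    material = (email.lower() + master).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, rounds)


def make_record(email: str, master: str, rounds: int = ROUNDS) -> Dict[str, object]:
    """What the service stores for one user (constructed layout): no password,
    only the salt, the round count and the resulting hash."""
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt, "rounds": rounds,
            "hash": derive(email, master, salt, rounds)}


def guess_matches(record: Dict[str, object], guess: str) -> bool:
    """The offline check the interview describes: the stored record alone is
    enough to tell whether a guess is right, with no request to the server."""
    candidate = derive(record["email"], guess, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def users_needing_reset(records: Iterable[Dict[str, object]],
                        wordlist: Iterable[str]) -> List[str]:
    """Defender's use of the same check after a suspected exfiltration: flag
    every account whose master password appears in a short list of common
    words, so those users can be asked to change it. A long, unique
    passphrase is never in such a list and comes back clean."""
    words = list(wordlist)
    return [str(rec["email"]) for rec in records
            if any(guess_matches(rec, w) for w in words)]


def seconds_per_guess(record: Dict[str, object]) -> float:
    """Measure the cost of one guess at this record's round count. This is the
    number the round count controls; the password's entropy decides how many
    such guesses an attacker would need."""
    start = time.perf_counter()
    guess_matches(record, "not-the-password")
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed accounts: one dictionary-word master password, one passphrase.
    records = [
        make_record("weak@example.com", "sunshine"),
        make_record("strong@example.com", "correct horse battery staple 9 mugs"),
    ]
    common_words = ["password", "sunshine", "letmein", "qwerty"]   # constructed list
    print("accounts to notify:", users_needing_reset(records, common_words))
    print("cost per guess at %d rounds: %.5f s" % (ROUNDS, seconds_per_guess(records[0])))
    slow = make_record("x@example.com", "y", rounds=ROUNDS * 10)
    print("cost per guess at %d rounds: %.5f s" % (ROUNDS * 10, seconds_per_guess(slow)))
```

Running the script flags only the first account, and the two timing lines show the round count doing its job: ten times the rounds, ten times the cost of every guess, which is the lever a service has on its side, while the passphrase versus dictionary-word choice is the lever the user has.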
 