Password Manager Recommendations

It's a compromise: if it's too much hassle, the average person will just (re)use weak passwords, which is probably worse.

Keepass has an auto-type feature which can be used in place of browser integration. It's not as good, but it's preferable to the mess that we're seeing with LastPass.

The longer-term answer is going to be the use of a trusted central authentication service, with federated access to downstream services. A lot of places will currently accept Facebook or Google auth, which is a start. That way you can enforce strong authentication via a single username/password with 2-factor protection, and you don't have to have individual passwords for each service you use. Ideally we would have something like the Danish NemID but the average Daily Mail reading moron would throw a fit if the government decided to get into the authentication game.
 

but it's preferable to the mess that we're seeing with LastPass.

The mess which was fixed, as have others? Are you saying that there is software out there that doesn't have flaws?

You seem to have a chip on your shoulder; I remember some of your other posts from months ago.

I'd be interested to know who you work for.
 
The mess which was fixed, as have others? Are you saying that there is software out there that doesn't have flaws?

Strawman, I have never suggested that other software doesn't have flaws. Stop putting words in my mouth.

However, there is other password management software out there which hasn't had at least 3 critical, data-spewing flaws discovered in the last year. The real question is why you feel so attached to LastPass. One critical flaw I might forgive, but three or more? Fool me once, shame on you; fool me twice, shame on me; fool me three times and it suggests I don't take security seriously at all.

I seriously don't understand the attachment to LastPass when there are better, more secure, and more importantly free alternatives out there. There's no excuse for sticking with it. I stopped using it and deleted my account when the first major issue was discovered.

You seem to have a chip on your shoulder; I remember some of your other posts from months ago.

I'd be interested to know who you work for.

It's none of your business who I work for. The important thing is that I understand InfoSec, and why LastPass is very bad at it. And the fact that you want me to post personally identifiable information on a public forum tells me you don't understand it.
 
However, there is other password management software out there which hasn't had at least 3 critical, data-spewing flaws discovered in the last year.

How do you know that there haven't been internal issues identified by LastPass competitors? You don't, so you wouldn't know if, for example, 1Password had had 3 or more major flaws patched in the last year.

The real question is why you feel so attached to LastPass.

Who said I am? I haven't changed because mainly I CBA and I seriously doubt any of the flaws that have been discovered could have been used by an attacker to gain access to my passwords. I'm not saying others can, but the published ones so far have not from skim reading.

I seriously don't understand the attachment to LastPass when there are better, more secure, and more importantly free alternatives out there.

Unless you've analysed the source code of all common alternatives to LastPass, that's a pretty wild assumption.

It's none of your business who I work for. The important thing is that I understand InfoSec, and why LastPass is very bad at it. And the fact that you want me to post personally identifiable information on a public forum tells me you don't understand it.

What I was saying in between the lines is that your posts make it look an awful lot like you work for or have dealings with a LastPass competitor. I personally couldn't give two hoots what you think about me and whether I understand Information Security or not.
 
How do you know that there haven't been internal issues identified by LastPass competitors? You don't, so you wouldn't know if, for example, 1Password had had 3 or more major flaws patched in the last year.

I already posted why the very architecture of LastPass (browser plugin, cloud platform) makes it inherently less secure than competitors like Keepass and Enpass. Even if the latter had similar critical flaws, they are far less vulnerable because a) they benefit from your internal network security, sitting behind your own firewall etc. and b) the fact that each installation is separate makes it impossible to conduct the mass data theft of the sort that has afflicted LastPass. LastPass themselves should recognise this and up their game accordingly, but they haven't.

Who said I am? I haven't changed because mainly I CBA and I seriously doubt any of the flaws that have been discovered could have been used by an attacker to gain access to my passwords. I'm not saying others can, but the published ones so far have not from skim reading.

CBA? And you clearly haven't read any of the published bug reports, because attackers gaining access to your password is exactly the problem here. So how you can claim otherwise, I don't even...

Unless you've analysed the source code of all common alternatives to LastPass, that's a pretty wild assumption.

No, it's not. See my first point about the architecture differences; see the fact that Keepass source code is available, and has been vetted in exactly the manner you describe; see the approach of 1Password, who have offered a bug bounty in exchange for highlighting flaws in their software (something that all of the major, responsible software manufacturers are starting to do - and notably LastPass is not).

What I was saying in between the lines is that your posts make it look an awful lot like you work for or have dealings with a LastPass competitor.

So what if I do? It doesn't make any of my comments about LastPass untrue. If you want to critique what I've been saying then feel free to do so, but making it personal is just sad.
 
There is no ******* way I'm switching pw managers from LastPass after bumping my security level to high 90s across 100s of sites.
I'll learn the hard way if needed.
 
Keepass has an auto-type feature which can be used in place of browser integration. It's not as good, but it's preferable to the mess that we're seeing with LastPass.

I still think you're ignoring the average user that given even the slightest amount of friction just isn't going to bother. Browser extensions are a necessary evil.

It's telling that even after all the prompting and scary press coverage it's still a minority of people that use 2FA. I'd read probably <10% of Google accounts, and nobody makes it any easier than them.

The longer-term answer is going to be the use of a trusted central authentication service, with federated access to downstream services. A lot of places will currently accept Facebook or Google auth, which is a start. That way you can enforce strong authentication via a single username/password with 2-factor protection, and you don't have to have individual passwords for each service you use. Ideally we would have something like the Danish NemID but the average Daily Mail reading moron would throw a fit if the government decided to get into the authentication game.

This is all very sensible stuff.
 
I already posted why the very architecture of LastPass (browser plugin, cloud platform) makes it inherently less secure than competitors like Keepass and Enpass.

Which is all well and good, but with Keepass for example you need a certificate file, which is stored on the cloud. If it's not, then it isn't a great solution in today's multi-device world.

CBA? And you clearly haven't read any of the published bug reports, because attackers gaining access to your password is exactly the problem here. So how you can claim otherwise, I don't even...

Can't be arsed.

Yes, I have read them and I don't see how any of them could have affected me. You don't know my browsing habits, so it's difficult for you to make assumptions about what I use LastPass for and what I don't.

No, it's not. See my first point about the architecture differences; see the fact that Keepass source code is available, and has been vetted in exactly the manner you describe; see the approach of 1Password, who have offered a bug bounty in exchange for highlighting flaws in their software (something that all of the major, responsible software manufacturers are starting to do - and notably LastPass is not).

Again, see my cloud comment above. The best and most secure places to store passwords don't often go well with cloud computing and multiple devices.

There are many companies that do not release source code; it doesn't make them any less or more secure.

So what if I do? It doesn't make any of my comments about LastPass untrue. If you want to critique what I've been saying then feel free to do so, but making it personal is just sad.

I haven't made it personal at all; I pointed out that you seem to have a chip on your shoulder about LastPass, which is quite clearly the truth.
 
Which is all well and good, but with Keepass for example you need a certificate file, which is stored on the cloud. If it's not, then it isn't a great solution in today's multi-device world.

I use Keepass on multiple devices and I don't store my certificate file in the cloud, so I have no idea what you're talking about here.

And even if you absolutely must have a 'cloud ready', multi-device solution, whatever that means to you, there are better options than LastPass, ranging from free to eye-wateringly expensive.

Yes, I have read them and I don't see how any of them could have affected me. You don't know my browsing habits, so it's difficult for you to make assumptions about what I use LastPass for and what I don't.

I don't need to know your browser habits. For the two LastPass browser plugin flaws, all that was required was for you to visit a website with the exploit code on it and your passwords would have been lifted from LastPass without you even knowing it. It could even be added to ad code and pushed out to multiple sites so it would have more chances of catching you. Not great for directed attacks, but for a mass trawl of plaintext passwords? It would have been ideal. LastPass has had effectively the same bug twice now.

There are many companies that do not release source code; it doesn't make them any less or more secure.

Then why did you bring up source code as a way to verify security in the first place? You don't need the code to vet the solution, that's what penetration testing and related disciplines (including initiatives like 1Password's code bounty, which you ignored) are for. Having access to the source code is a bonus for independent vetting but not a requirement.

I haven't made it personal at all

The second you took issue with my motivations, rather than the technical points I was making, you made it personal. That's called an ad hominem attack - playing the man, not the ball.
 
I still think you're ignoring the average user that given even the slightest amount of friction just isn't going to bother. Browser extensions are a necessary evil.

It's telling that even after all the prompting and scary press coverage it's still a minority of people that use 2FA. I'd read probably <10% of Google accounts, and nobody makes it any easier than them.

I'm not sure I agree that browser extensions are completely necessary, but I take your point. I do quite like the Enpass approach (not enough to actually use it, though) where you have to provide a PIN/master password and manually click on the extension to request a logon before it will do the form fill. If LastPass had implemented this approach then it would have defeated the two bugs that Tavis found.
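An added example, not code from Enpass, LastPass or anyone in this thread, modelling the gated autofill the post describes: a credential is released only when the fill was requested by the user clicking the extension itself (never by anything the page triggered) and the PIN/master password was entered recently. It goes one step beyond the post by also requiring the page origin to exactly match the origin the credential was saved for; every name and the sample vault here are constructed.

```javascript
// Hypothetical fill-gating policy for a password-manager browser extension.
// A malicious page can fire DOM events and messages, but it cannot click the
// extension's own toolbar button or supply the user's PIN, so both gates must
// pass before any secret leaves the vault.

const UNLOCK_TTL_MS = 5 * 60 * 1000; // re-prompt for the PIN after 5 minutes

// Constructed sample vault: credentials keyed by the exact origin they were saved for.
const VAULT = {
  "https://bank.example": { username: "alice", password: "s3cret-bank" },
  "https://shop.example": { username: "alice", password: "s3cret-shop" },
};

class FillPolicy {
  constructor(pin) {
    this.pin = pin;          // constructed; a real manager would store a hash, not the PIN
    this.unlockedAt = null;  // timestamp of the last successful PIN entry
  }

  // Gate 1: the user types the PIN/master password into the extension popup.
  unlock(pin, now = Date.now()) {
    if (pin !== this.pin) return false;
    this.unlockedAt = now;
    return true;
  }

  // Gate 2: decide whether a fill request may proceed.
  // request = { origin, trigger, now }
  //   trigger: "extension-click" = user clicked the extension UI
  //            "page-script"     = initiated by content running in the page
  decide(request) {
    const now = request.now ?? Date.now();
    if (request.trigger !== "extension-click") {
      return { allow: false, reason: "fill was not initiated from the extension UI" };
    }
    if (this.unlockedAt === null || now - this.unlockedAt > UNLOCK_TTL_MS) {
      return { allow: false, reason: "vault is locked; PIN required" };
    }
    const cred = VAULT[request.origin];
    if (!cred) {
      return { allow: false, reason: "no credential saved for origin " + request.origin };
    }
    return { allow: true, credential: cred };
  }
}
```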
 
I don't need to know your browser habits. For the two LastPass browser plugin flaws, all that was required was for you to visit a website with the exploit code on it and your passwords would have been lifted from LastPass without you even knowing it

Except I don't use the browser plugin, so no, they couldn't have been lifted. AFAIK there have been no clipboard malware issues with LastPass for some time.
 
AFAIK there have been no clipboard malware issues with LastPass for some time.

That might make you safe from LastPass bugs, but there's an awful lot of malware out there which can scrape passwords from clipboards, RAM, network traffic, browsers etc - obviously something that affects every password manager and indeed even manually typed passwords. There's no good solution to this problem for home use unfortunately, other than to use federated sign-on and/or MFA wherever possible.
 
I'm a LastPass guy, so what solution is better? Which can be used on my Android tablet and Google smartphone as well?

I'm asking as it's ease of use where my wife etc. is concerned.

Also, if I use the cloud sync and the browser plugin, am I still in the same situation as using LastPass?
 
I'm a LastPass guy, so what solution is better? Which can be used on my Android tablet and Google smartphone as well?

I'm asking as it's ease of use where my wife etc. is concerned.

Also, if I use the cloud sync and the browser plugin, am I still in the same situation as using LastPass?

I'm the OP and I eventually went with 1pass. Still using it and works great for me. 1pass works on Android.

Can't confirm the LastPass issue.
 