I think *which* manager you use matters much less than using *a* manager.
I am surprised not many people around here are using 1Password. I actually switched over from Lastpass and like the experience better. At the end of the day however, they do the same thing.
I just don't like the pricing for 1Password. I use all types of operating systems (iOS, OS X, Windows, Android) so I would have been punished, financially, for using it on all my devices. LastPass is just 12 bucks / year to use anywhere you want.
Lastpass is free if you don't need mobile integration.
I've never even looked into 1Password, I tried KeePass, then LastPass and I bought into LastPass and haven't looked back. Looking at it now 1Password seems crazy expensive.
Personally, I just don't think storing your passwords on any cloud service is a good idea. You have only their word that they can't decrypt your files -- and the government, at the very least, can require them to lie to you.
This is what kept me from using any password manager for a long time. I almost pulled the trigger on KeePass a couple of years ago, but I did not feel I could trust an online-based solution. I did not even feel that solutions which kept your file local were any better unless I did far more network monitoring than I really wanted.
I've finally decided to change tune and start using LastPass. I still have some misgivings, but having done some reading, and seeing information like what *Legion* wrote, I feel a little better.
The fact that LifeHacker recently reminded me of the topic did not hurt, either.
Basically, I feel the risk of using LastPass (or something similar) is less than the risk I was imposing upon myself through poor password habits. Having the tools to generate strong and unique passwords, and the encouragement to do so, really helps.
I looked into using 1password as well, but decided on LastPass because I want to be able to access my passwords at home & work (both on PC), and might want to use their Android app as well.
Malor wrote:Personally, I just don't think storing your passwords on any cloud service is a good idea. You have only their word that they can't decrypt your files -- and the government, at the very least, can require them to lie to you.
That's why I started using Password Safe along with the Android/iOS/Mac/Windows app. I don't trust LastPass or any of the cloud providers, especially as most of them are based in the USA. PasswordSafe (and associated apps) all sync to a safe that I have stored on a server in my house, and I just recently pushed that safe up to Dropbox. To me, it's the best of both worlds, since I'm retaining as much control as I can while still being reasonably connected.
Yep, that gives you basically the best of all worlds.... you have a password manager, you have both local and same-house server storage, and you have an encrypted cloud backup that's (hopefully, anyway) completely impenetrable to anyone but you.
Possible weak point there: how good the encryption is on the password file, as well as how good your password is. Remember that, as soon as it goes over the wire, it can be bruteforce-attacked by anyone with a tap anywhere on that wire, so the encryption needs to be good, and the master password needs to be excellent.
The password is 14 characters and the full mix (upper, lower, special, number). I'm changing it in a couple of weeks (I aim for once a quarter).
I don't know how to audit how good the encryption on the file is, but I do know they've been examined by Bruce Schneier, and Wikipedia shows that PasswordSafe was updated to the Twofish algorithm in the 3.XX series. That brings me some peace of mind, and it is the reason I've stuck with it for the time being.
Yep, that's probably about as good as you'll reasonably get. One of the things we learned from Snowden: good encryption works. There's just a lot of crappy encryption with lousy code.
Oh, and I'd suggest not using a password of a fixed length, because if someone happens to tag that in a 'facts' file about you (not as crazy as you might think), that means they won't have to search all the passwords up to 13 characters. Rather, generate your passwords so that they're at LEAST X characters long -- and then never tell anyone the value of X.
Lastpass has been hacked and some info taken. They are urging everyone to reset their master password. Servers are currently overloaded...
Didn't get any notice or see notices anywhere, but I just managed to change mine. Not entirely sure if other passwords should be reset. The auto-generated ones are easy, it's the ones I have to type which are the headache.
From the LastPass blog:
If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites. Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.
I think my master password is alright, but it's probably due for a change anyway. Already use multifactor authentication.
No sweat.
Edit: "You last changed your LastPass master password 1365 days ago." Okay, yeah, time for a new one.
Thanks for the clarification. Glad it wasn't worse of a breach. I need to look into multifactor at some point.
Ha! I last reset my password 54 days earlier than you!
Sorry for no link originally, I heard from a friend and then only found a quick article before posting.
My master password had been over two years old. Changed.
There are a bunch of multifactor options (I have a Premium account), and I have no idea how to pick one. Can anyone here comment on how they work and how they differ?
KeePass ftw.
Damn, I think that'd pretty much sink a company like LastPass.
Thanks for posting this, though. I reset my password even though I no longer use the service.
I use Google Authenticator on my phone since I'm already using that for Gmail et al. I didn't know there were other options.
misplacedbravado wrote:There are a bunch of multifactor options (I have a Premium account), and I have no idea how to pick one. Can anyone here comment on how they work and how they differ?
I use Google Authenticator on my phone since I'm already using that for Gmail et al. I didn't know there were other options.
They added YubiKey and a bunch of other tokens. Google Authenticator is my choice, as it's always around and you usually need it just once per device.
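To answer the "how do they work" part of the question above: Google Authenticator codes are TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter set to the number of 30-second windows since the Unix epoch, keyed by a shared secret the app shows you as a base32 string at enrolment. The Python below is an added example, not code from LastPass, Google or any of the apps mentioned in the thread; it implements both the code generation and the server-side verification with clock-skew tolerance, and uses the published RFC test seed (`12345678901234567890`) rather than any real secret. A hardware token such as a YubiKey differs mainly in where the secret lives: in the device, where malware on the phone cannot read it, rather than in an app's storage.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test seed (constructed public test data, not a real secret).
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation
    (low nibble of the last MAC byte picks a 4-byte window), then the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second windows so far."""
    return hotp(secret, at_time // step, digits, algo)


def decode_authenticator_secret(shown: str) -> bytes:
    """Enrolment secrets are displayed as base32, often lower-case and grouped with spaces;
    normalise and restore padding before decoding."""
    cleaned = shown.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, at_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the current window plus `skew` windows either side so a
    phone whose clock drifts slightly still works; compare in constant time."""
    for window in range(-skew, skew + 1):
        candidate = totp(secret, at_time + window * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Stand-alone demo: the code a phone would show right now for the RFC test seed.
    now = int(time.time())
    print("current code:", totp(RFC_TEST_SEED, now))
    print("valid now?  ", verify_totp(RFC_TEST_SEED, totp(RFC_TEST_SEED, now), now))
```

Note that a TOTP code verified once should also be rejected if replayed inside the same window; that bookkeeping (remembering the last accepted counter per user) is the server's job and is left out here.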
Finally, my slightly Luddite and overly paranoid choice pays off!
I'm kinda angry because I don't trust them to tell us what really happened.
Quintin_Stone wrote:KeePass ftw.
Same here. KeePass and miniKeePass for my phone/tablet. Manually copy the db file from my desktop once a month unless I change something vital.
You should, at all times, consider your vault file exposed.
Well yeah, I'm just making a quick quip about my likely very unnecessary rejection of LastPass.
LastPass as closed source also requires that you trust that their code does what it says.
This paper reviews a number of current password storage systems (although not LastPass):
https://www.cs.ox.ac.uk/files/6487/p...
tl;dr: they are all rubbish except PasswordSafe v3
It bears mentioning that this was from a few years ago, and some of the vaults have updated - most notably, 1Password adopted PBKDF2 sometime after that paper.
Ahh, I hadn't seen a date on it. I have been idly waiting for a *nix port of PasswordSafe for some time now.
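Earlier in the thread the two weak points of a synced vault were named as the quality of the file encryption and the quality of the master password, and the post just above notes 1Password moving to PBKDF2. The link between them is key stretching: the vault key is not the master password itself but a slow derivation from it, so each guess against a copied vault file costs the attacker the same iteration work the legitimate user pays once. The Python below is an added example of that idea, not the file format or code of PasswordSafe, LastPass, KeePass or 1Password; the header layout, the `key-check` label and the default iteration count are assumptions chosen for the example, and the RFC 6070 vectors in the test only confirm the PBKDF2 primitive.

```python
import hashlib
import hmac
import os
import time
from typing import Optional


def stretch_master_password(master: str, salt: bytes, iterations: int,
                            hash_name: str = "sha256", length: int = 32) -> bytes:
    """PBKDF2-HMAC key derivation. `iterations` is the cost knob: every guess an
    attacker makes against a stolen or sniffed vault file has to repeat this work."""
    return hashlib.pbkdf2_hmac(hash_name, master.encode("utf-8"), salt, iterations, length)


def make_vault_header(master: str, iterations: int = 600_000) -> dict:
    """Constructed example header: random salt, the iteration count (stored so the
    reader can bump it later), and an HMAC key-check value so a wrong master password
    is rejected without touching the encrypted body. Assumed layout, not a real format."""
    salt = os.urandom(16)
    key = stretch_master_password(master, salt, iterations)
    check = hmac.new(key, b"key-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock_vault(header: dict, master: str) -> Optional[bytes]:
    """Re-derive the key from the stored salt/iterations and compare the key-check
    in constant time; returns the vault key on success, None on a wrong password."""
    key = stretch_master_password(master, header["salt"], header["iterations"])
    check = hmac.new(key, b"key-check", "sha256").digest()
    return key if hmac.compare_digest(check, header["check"]) else None


def guess_cost_factor(salt: bytes, iterations: int, samples: int = 200) -> float:
    """Rough wall-clock ratio between one stretched derivation and one bare SHA-256:
    how much slower every attacker guess becomes compared with an unstretched hash."""
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(b"guess" + salt).digest()
    bare = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    stretch_master_password("guess", salt, iterations)
    stretched = time.perf_counter() - start
    return stretched / max(bare, 1e-9)


if __name__ == "__main__":
    header = make_vault_header("correct horse battery staple")   # constructed demo password
    print("unlock with right password:", unlock_vault(header, "correct horse battery staple") is not None)
    print("unlock with wrong password:", unlock_vault(header, "Tr0ub4dor&3") is not None)
    print("per-guess cost vs bare hash: x%.0f" % guess_cost_factor(header["salt"], header["iterations"]))
```

The cost factor is what the iteration count buys you; it multiplies the attacker's effort but does not replace a strong master password, since a short or guessable password is exhausted quickly even at a high factor. Raising the iteration count on a vault you already have means re-deriving and rewriting the header, which is why the count is stored alongside the salt.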