top | item 10360565

john_b | 10 years ago

> "They however do control access to the account. This means there's a point where they get all sorts of data on me, and while I personally don't mind, I must admit I felt a bit safer when I thought it was a smaller, purpose-built company managing things."

I've never really understood the appeal of account-based password managers. It was a startup and it needed a business model, sure, so from the company's perspective it makes sense. But from a customer's perspective you're accepting a new type of risk that you don't have to worry about if you use a glorified encrypted list (e.g. KeePass) to manage passwords. The payoff is convenience, but personally no amount of convenience is enough to make me comfortable with storing all of my encrypted passwords on a single server somewhere and hoping that there are no exploitable security vulnerabilities (or malicious insiders who might seek to profit from finding or introducing them). Having an offline password manager that never uploads data to a server provides defense in depth, though it's less convenient.

scrollaway|10 years ago

Agreed. Logically, something like KeepassX (https://www.keepassx.org/) is the most logical, secure choice. I think a lot of people pick Lastpass and such for the convenience of browser integration, but I don't think that's necessarily impossible with keepassx - just so happens that nobody is really working on it (which is a shame).

manveru|10 years ago

There's actually rather good browser integration for KeePass now, I just switched a few weeks ago from LastPass.

Check out http://keepass.info/plugins.html (I use PassIFox and ChromeIPass via KeePassHttp)

mistersquid|10 years ago

Another reason to use LastPass is if you need to share sensitive data with a team.

Group credentials and secure keys for production environments, among other things, can be shared using LastPass.

ultramancool|10 years ago

Beware, KeePass uses a weird custom key derivation function. LastPass uses PBKDF2 with a configurable number of iterations, a pretty widely accepted standard.

Maybe this has changed since I last checked but this and many other things seemed highly questionable on KeePass.
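The point of a configurable, standard KDF is that the cost per guess is a parameter the vault owner can raise over time. The example below is added here and is not code from the thread, from LastPass or from KeePass: it shows PBKDF2-HMAC-SHA256 from Python's standard library with an iteration count that is calibrated to the machine, stored in a vault header alongside the salt, checked with a verifier instead of the key itself, and re-encoded at a higher count without changing the password. Parameter names, the header layout and the `"vault-verifier"` label are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Illustrative parameters; these are not LastPass's or KeePass's actual settings.
HASH_NAME = "sha256"
KEY_LEN = 32
SALT_LEN = 16


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a fixed-length key with PBKDF2-HMAC-SHA256.

    The iteration count is the work factor: each guess an attacker makes against
    a stolen vault costs this many HMAC evaluations, and the per-vault salt stops
    one precomputed table from covering every vault.
    """
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac(
        HASH_NAME, master_password.encode("utf-8"), salt, iterations, KEY_LEN
    )


def calibrate_iterations(target_seconds: float = 0.25, start: int = 10_000) -> int:
    """Pick an iteration count that costs about target_seconds on this machine.

    Doubles the count until a single derivation takes at least target_seconds,
    so the work factor is tied to the hardware it was set on instead of being a
    constant that quietly gets cheaper every year.
    """
    salt = os.urandom(SALT_LEN)
    iterations = start
    while True:
        started = time.perf_counter()
        derive_key("calibration-only", salt, iterations)
        if time.perf_counter() - started >= target_seconds:
            return iterations
        iterations *= 2


def new_vault_header(master_password: str, iterations: int) -> dict:
    """Create the metadata a vault needs to check a master password later.

    The header stores the salt and iteration count in the clear (they are not
    secrets) plus a verifier: an HMAC under the derived key of a fixed label.
    Storing only the verifier, never the key, is the usual vault-file pattern
    (simplified here; real formats also authenticate the rest of the header).
    """
    salt = os.urandom(SALT_LEN)
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, b"vault-verifier", HASH_NAME).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: dict, master_password: str) -> Optional[bytes]:
    """Re-derive the key from the stored parameters; return it only if it checks out."""
    key = derive_key(master_password, header["salt"], header["iterations"])
    expected = hmac.new(key, b"vault-verifier", HASH_NAME).digest()
    # Constant-time comparison so the verifier check itself leaks nothing.
    if not hmac.compare_digest(expected, header["verifier"]):
        return None
    return key


def reencode_with_iterations(header: dict, master_password: str, iterations: int) -> dict:
    """Raise (or lower) the work factor of an existing vault without changing the password.

    This is the operation a configurable KDF makes cheap: verify the old header,
    then build a new one with a fresh salt and the new count.
    """
    if unlock(header, master_password) is None:
        raise ValueError("wrong master password")
    return new_vault_header(master_password, iterations)


if __name__ == "__main__":
    iters = calibrate_iterations()
    header = new_vault_header("correct horse battery staple", iters)
    print("iterations:", header["iterations"])
    print("right password unlocks:", unlock(header, "correct horse battery staple") is not None)
    print("wrong password unlocks:", unlock(header, "Tr0ub4dor&3") is not None)
```

Whatever count the calibration picks, the attacker's cost per guess scales with it, which is why a published, tunable KDF is easier to reason about than a fixed transform whose cost you cannot adjust.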

marcofiset|10 years ago

An important thing is that LastPass works on mobile.

Niten|10 years ago

I wouldn't consider Keepass the most secure choice. One of the most common attacks in practice is phishing, and browser integration discourages carelessly pasting your password into something that looks like your bank's site. The Chrome password manager and LastPass can help there, but Keepass does not.
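The protection a browser-integrated manager gives against phishing is an origin check: a credential saved for one site is never offered on a page whose origin differs, however similar the URL looks. The example below is added here and is not code from the thread, from LastPass or from any browser; it contrasts the naive substring check people write first with a strict same-origin rule, over constructed look-alike URLs. The case list and function names are assumptions for illustration.

```python
from urllib.parse import urlsplit


def naive_match(saved_url: str, page_url: str) -> bool:
    """The check people write first: does the saved host appear in the page URL?

    This is the weak version: it is fooled by look-alike hosts, userinfo tricks
    and plain-http downgrades, and is shown only to contrast with the strict rule.
    """
    saved_host = urlsplit(saved_url).hostname or ""
    return saved_host in page_url


def autofill_allowed(saved_url: str, page_url: str) -> bool:
    """Fill a saved credential only when the page origin matches the saved origin.

    The rule is deliberately strict: same scheme, same host (exact, lowercase),
    same effective port, and the page must be HTTPS. A look-alike host such as
    bank.example.com.evil-site.net is simply a different host and gets nothing.
    """
    saved = urlsplit(saved_url)
    page = urlsplit(page_url)
    if page.scheme != "https" or saved.scheme != "https":
        return False  # never hand a credential to a plaintext page
    if not saved.hostname or not page.hostname:
        return False
    if saved.hostname != page.hostname:
        return False
    return (saved.port or 443) == (page.port or 443)


# Constructed cases: a saved bank login and pages that do or do not deserve it.
SAVED = "https://bank.example.com/login"
CASES = [
    ("https://bank.example.com/account/settings", True),      # same origin, other path
    ("https://bank.example.com.evil-site.net/login", False),  # look-alike suffix
    ("https://evil-site.net/bank.example.com/login", False),  # saved host in the path
    ("https://bank.example.com@evil-site.net/login", False),  # userinfo trick
    ("http://bank.example.com/login", False),                 # downgrade to plaintext
    ("https://bank.example.com:8443/login", False),           # different port
    ("https://b\u0430nk.example.com/login", False),           # Cyrillic 'a' homoglyph
]


def evaluate(cases=CASES, saved=SAVED) -> dict:
    """Return how the naive and strict checks decide each case, with the expected verdict."""
    return {
        page: {
            "naive": naive_match(saved, page),
            "strict": autofill_allowed(saved, page),
            "expected": expected,
        }
        for page, expected in cases
    }


if __name__ == "__main__":
    for page, verdicts in evaluate().items():
        flag = "" if verdicts["strict"] == verdicts["expected"] else "  <-- WRONG"
        print(f"naive={verdicts['naive']!s:5} strict={verdicts['strict']!s:5} {page}{flag}")
```

A user pasting by hand has no such check; the manager refusing to fill is the signal that the page is not the one the credential was saved for.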

cuillevel3|10 years ago

But if an attacker steals your Keepass file and acquires your password you won't notice.

Lastpass can detect logins from new IP addresses and throttle requests, send warning mails etc.

But sure, once their servers are cracked and their plugin is infected with master-password-stealing code it's all game over.
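The detections named above only exist because a hosted service sees every login attempt; an attacker who copies an offline vault file produces no event at all. The example below is added here and is not code from the thread or from LastPass: it runs two server-side checks over a constructed login log, a first-login-from-a-new-address alert and a sliding-window failure counter that triggers throttling. The log format, field names and thresholds are assumptions for illustration, not LastPass's real schema.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set

# Constructed event format for this example; not LastPass's real log schema.
EVENT_RE = re.compile(
    r"^(?P<ts>\d+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: alice logs in from a second address, bob's address
# hammers the login endpoint, then goes quiet and tries again after the window.
SAMPLE_LOG = """\
1000 user=alice ip=203.0.113.10 result=ok
1005 user=alice ip=203.0.113.10 result=ok
1010 user=alice ip=198.51.100.7 result=ok
1020 user=bob ip=192.0.2.50 result=fail
1021 user=bob ip=192.0.2.50 result=fail
1022 user=bob ip=192.0.2.50 result=fail
1023 user=bob ip=192.0.2.50 result=fail
1024 user=bob ip=192.0.2.50 result=fail
1025 user=bob ip=192.0.2.50 result=fail
1030 user=alice ip=198.51.100.7 result=ok
1100 user=bob ip=192.0.2.50 result=fail
"""


class LoginMonitor:
    """Server-side login checks that only exist because the server sees every attempt."""

    def __init__(self, window_seconds: int = 60, max_failures: int = 5) -> None:
        self.window_seconds = window_seconds
        self.max_failures = max_failures
        # Addresses each user has successfully logged in from before.
        self.known_ips: Dict[str, Set[str]] = defaultdict(set)
        # Timestamps of recent failures per source address (sliding window).
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)

    def process(self, line: str) -> List[str]:
        """Consume one event and return the alerts it triggers (possibly none)."""
        m = EVENT_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable event: {line!r}")
        ts = int(m["ts"])
        user, ip, result = m["user"], m["ip"], m["result"]
        alerts: List[str] = []

        if result == "ok":
            seen = self.known_ips[user]
            # First-ever login seeds the baseline (simplification: a real
            # service would confirm the first device out of band as well).
            if seen and ip not in seen:
                alerts.append(f"new-ip user={user} ip={ip}")
            seen.add(ip)
        else:
            window = self.failures[ip]
            # Drop failures older than the window before counting this one.
            while window and ts - window[0] > self.window_seconds:
                window.popleft()
            window.append(ts)
            if len(window) > self.max_failures:
                alerts.append(f"throttle ip={ip} failures={len(window)}")
        return alerts

    def is_throttled(self, ip: str, now: int) -> bool:
        """Would a request from ip at time now be slowed or blocked?"""
        window = self.failures.get(ip, deque())
        recent = [t for t in window if now - t <= self.window_seconds]
        return len(recent) > self.max_failures


def run(log_text: str) -> List[str]:
    """Feed a whole log through a fresh monitor and collect every alert in order."""
    monitor = LoginMonitor()
    alerts: List[str] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(monitor.process(line))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

Both checks depend on the vendor holding the account, which is the trade the parent comment describes: the same server that can warn you is the one whose compromise ends the game.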

mhurron|10 years ago

> Lastpass can detect logins from new IP addresses and throttle requests, send warning mails etc.

This, Duo integration and Linux support are the features that are making finding an alternative to LastPass difficult for me.

kemitche|10 years ago

> The payoff is convenience

It's true for any level of password management. KeePass is less secure but more convenient than simply memorizing each of your long, secure passwords. Choosing less secure passwords or repeating passwords is more convenient than memorizing long, unique passwords.

Finding the right balance of convenience & security is critical for securing the myriad accounts of the "masses." We know that the average person isn't going to bother memorizing long unique passwords - even the most security conscious person won't do that (except for maybe a handful of super-critical passwords).