Ok, this is the last straw for me. I'm finally done with LastPass.
Can anyone who uses KeePass with desktop and iPhone please explain their setup? I'm finally going to make the switch, but I'm not sure what the best options are for smartphone use.
Keep in mind that LastPass is the only one that Tavis has seriously looked at so far. I'd be willing to bet he'll start finding similar problems with Dashlane or 1Password once he starts digging into them.
With that said, KeePass + iOS port + something to sync the database (Dropbox, Drive, whatever) should be good enough.
I self-host an instance of Nextcloud and sync my KeePass DB between devices with their desktop/mobile syncing applications. You could do the same with Dropbox/Google Drive/et al.
I feel like just having a browser extension is a major security hole for any password manager. Yes, it's more usable and prevents domain spoofing, but it makes the attack surface huge.
Whereas to exploit a desktop app that doesn't interface with the browser (written in a decent way), you'd need code execution already.
I think it depends on the extension. For example, browserpass [0] can only be invoked by a button press in the browser's chrome (not via scripts on the page), and while it runs a native app via Native Messaging, it just uses JSON to communicate.
From down thread: "@moeadham It will take a long time to fix this properly, it's a major architectural problem. They have 90 days, no need to scramble!"
timmytokyo | 9 years ago
AdmiralAsshat | 9 years ago
m-p-3 | 9 years ago
KeePass is accessing the database that is kept in sync on my desktop, and on Android I use Keepass2Android, which includes Google Drive integration.
Changes are synchronized in both directions. So far it works well, and at no time is the database kept in plain text on a system I do not control.
grawlinson | 9 years ago
It's pretty effortless.
chainsaw10 | 9 years ago
Thoughts?
hdhzy | 9 years ago
[0]: https://github.com/dannyvankooten/browserpass
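To make the "narrow JSON interface over Native Messaging" point concrete, here is an added example (not browserpass's code, and not the poster's) of a minimal native-messaging host loop: it parses the length-prefixed JSON framing Chrome and Firefox use, accepts only a hypothetical two-action vocabulary, bounds every field, and answers with entry names rather than anything from the vault.

```python
import json
import struct

# Hypothetical request vocabulary for this example; browserpass's real protocol is not reproduced here.
ALLOWED_ACTIONS = {"search", "fill"}
MAX_FRAME = 1024 * 1024  # browsers cap host->browser messages at 1 MiB; apply the same bound inbound

def encode_frame(obj):
    """Serialize obj as a Native Messaging frame: 4-byte native-endian length + UTF-8 JSON."""
    payload = json.dumps(obj).encode("utf-8")
    return struct.pack("=I", len(payload)) + payload

def decode_frame(buf):
    """Parse one frame from buf; return (obj, remaining_bytes) or raise ValueError if malformed."""
    if len(buf) < 4:
        raise ValueError("truncated length header")
    (length,) = struct.unpack("=I", buf[:4])
    if length > MAX_FRAME:
        raise ValueError("frame too large")
    if len(buf) < 4 + length:
        raise ValueError("truncated payload")
    obj = json.loads(buf[4:4 + length].decode("utf-8"))
    return obj, buf[4 + length:]

def validate_request(req):
    """Reject anything outside the small set of shapes the extension is allowed to send."""
    if not isinstance(req, dict) or set(req) != {"action", "domain"}:
        raise ValueError("unexpected request shape")
    if req["action"] not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")
    if not isinstance(req["domain"], str) or not 0 < len(req["domain"]) <= 253:
        raise ValueError("bad domain")
    return req

def handle(buf, lookup):
    """Process one inbound frame: validate it, then reply with entry names only, never secrets."""
    req, rest = decode_frame(buf)
    validate_request(req)
    entries = lookup(req["domain"])  # lookup is the caller's store query, e.g. a KeePass search
    reply = {"action": req["action"], "entries": [e["name"] for e in entries]}
    return encode_frame(reply), rest
```

In a real host, `handle` would be driven from stdin/stdout in a loop; the extension side only ever sees the validated reply, so a page script that somehow reached the extension still cannot ask the host for arbitrary data.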
robk | 9 years ago
xs | 9 years ago