Password Manager Discussion.

Discussion in 'other software & services' started by Mayahana, Jan 28, 2015.

  1. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,457
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    I've been using RoboForm Desktop on my Windows computers since 2008 without problems, 3 lifetime licenses. Just recently I bought 2 lifetime licenses of RoboForm Desktop for Mac. One I'm using on my Big Mac and the other will go on my wife's future Mac. There are some features of RoboForm that cannot be done on the Mac. One is double login on a website.
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,906
    Location:
    localhost
    Lastpass pocket will let you choose...
     

    Attached Files:

  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,906
    Location:
    localhost
    Oh, ok ... not an open source issue, not an offline problem, but a "logmein" issue. It would have been faster to say I don't like lastpass for whatever emotional/personal issue, its all fine. Anyone can choose whatever software he/she wants. LOL :thumb:
     
    Last edited: Aug 21, 2016
  4. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States

    This, below, is my original post.

    I never once anywhere stated that it was superior to LastPass but someone's preferred interpretation of what they wanted to respond to dragged this out.

    It's too bad you found it too difficult to read the entire back and forth before responding out of context though you appear to be pretty practiced in those types of posts.

     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,906
    Location:
    localhost
    [offtopic ON] Its fine, your original post was mostly clear. I think other users were interested about your "to make sure it was worth switching". Then there was some incorrect statement about lastpass (open source, offline) and finally we understood the main reason for switching (LogMeIn aversion). Took a bit of time :D [offtopic OFF].

    Cheers!
    Fax
     
  6. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Yeah, taken out of context those things must have really upset you.

    Cheers.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Link: https://twitter.com/taviso/status/769378052254015488

    Link: https://twitter.com/taviso/status/769515425117777920

    Link: https://twitter.com/taviso/status/769391927892598784
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,225
    Has anyone tried Wladimir Palant's Easy Passwords available for Firefox, Chrome and Opera? He introduced it in two blog posts in April. According to his newest blog post he's planning to make it a full Lastpass alternative. A sync functionality - among other things - is still missing, though.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,997
    Location:
    The Netherlands
    What do you guys think about this one, is it a good replacement for KeePass? Of course I wouldn't use the cloud feature.
     
  11. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,295
    Location:
    EU
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,230
    Location:
    USA
    Do you know if this is just a "proof of concept" or has it actually appeared in the wild? Also note that the attack begins with "Get the victim to go to a malicious website that looks benign". It is not explained how that is accomplished and apparently that's separate from the LostPass attack. It seems to me that there are a lot of moving parts to this and a lot of work which would make it unattractive to the bad guys.
     
  13. guest

    guest Guest

    If you generate a password for a website, it's always the same password -- But only if the username, parameters (length, allowed characters) and the master password are the same.
    Basically you can "generate" your passwords again (if all parameters are the same), if you have to start from the beginning.
    If you only change one parameter, you'll generate different passwords. And if you don't want the same password generated for a specific username you can create different "revisions" of the password (same username = different password)
    After exporting the password-list to a file, i see that "Legacy" passwords are stored encrypted in the file (and they are stored encrypted in the extension)
    "Generated" passwords are not stored in the file, only some parameters - allowed characters, length.
    1_Easy Passwords-1.1.5_Options.png 2_Easy Passwords-1.1.5_Master password.png 3_Easy Passwords-1.1.5_Website.png 4_Easy Passwords-1.1.5_Website_username.png 5_Easy Passwords-1.1.5_Website_options.png 6_Easy Passwords-1.1.5_Passwords.png 7_Easy Passwords-1.1.5_Website_Revision.png 8_Easy Passwords-1.1.5_Website_Revision_list.png
     
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,906
    Location:
    localhost
    That's is simply a phishing attack, nothing to do with lastpass security. In fact the user is re-directed to a fake website "chrome-extension.pw/..." which display the fake lastpass notice. From there you can get whatever. As always mind to always check where you are ;)
     
    Last edited: Nov 2, 2016
  15. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,230
    Location:
    USA
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,906
    Location:
    localhost
    It seems not really based on ads. Simply less features than the Premium. Premium features, IMO, seems not essential. i.e. family sharing, Yubikey and Sesame 2FA, priority tech support, lastpass for applications, desktop finger authentication, 1GB encrypted file storage.
     
  18. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    There was a link to FAQs at the bottom of the blog. It's in the first question/answer. LP FAQ.jpg
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,030
    Location:
    USA
    I'll continue to pay for the premium version. It's not that much and worth what it costs. I hope that by putting in ads at all that they don't open a hole for exploits.
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,906
    Location:
    localhost
    Interesting, thanks. Weird that in the front page that last item is not at all mentioned. Possibly they are not yet ready but it will come.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,230
    Location:
    USA
    Agreed, for $1/month it is more than worth it, especially now that they are apparently going to incorporate ads in the free version. I also wonder how they will be able to feed ads without creating vulnerabilities.
     
  22. guest

    guest Guest

    At the moment they only display a simple ad for their own product on the right side of the vault.
    No flash content ;), only a picture and a simple hyperlink.
    Lastpass_extension_ad.png
     
  23. 142395

    142395 Guest

    I think I have to withdraw my past comments.
    I will never use LastPass again and don't recommend it to others anymore. This is not because they're hacked, but because I finally reached conclusion that any browser-server based pwdmgr is fundamentaly not secure, although LP made many mistakes (look for Tavis Ormandy's article and another older vuln) in implementation, and they are too ambiguous about their crypt (definitely close to the worst), I now understand those addon-based approach w/ server-stored credentials inherit most badnesses from browser-based cryptography which has been known to be weak, so not secure by design. Talking about these weaknesses will be amount to a whole blog article, just search by yourself.

    I now use KeePass and use different databeses for each platform, and each of them only include minimal set of credentials needed for the platform. I apply Mayahana's salt method so even if they are compromised still attacker can't obtain full account name and password. I also love its function to show password entropy. I was glad to find my old password generation algorithm earned good entoropy, but w/ this help I improved my algorithm. As I use it, actually pwdmgr is not necessary but is convenient to manage all accounts and to help typing password.
     
  24. 142395

    142395 Guest

    No, that can't be alternative to KeePass for those security carings. KeePass is one of the 2 open source, well-reviewed, and off-line pwdmgr but more user-friendly than the other, PasswordSafe. Being open source does not guarantee security, but KeePass earned better score in past scrutiny and will be audited, too. I know some other pwdmgr have 'audit', but most of them are about server/cloud security which is no relevant when you use off-line pwdmgr, it doesn't have those vuln by design. Not only that, the above link does not explain any crypt details. For any closed source crypt software, transparenthy is one of the most important thing. They need to explain at least followings.

    -How they derive key from user input (what KDF is used, how much iteration, if derived key is used to encrypt or it's just key-encrypting key)
    -If derived key is key-encrypting key, how they generate encryption key, especailly what RNG is used and how they earn entropy.
    -What cipher mode is used and if IV or nonse is properly used (randmised, no reuse), and if non-authentication mode is used then how they verify integrity to prevent potential CPA or CCA.
    -How they protect sensitive info on memory, is it encrypted, does dev take care of timing attack. etc.
    -How they treat temporary files which may contain sensitive info or even just metadata.

    Unfortunately most crypt service only say "We use AES256" or "Military grade encryption...bra bra bra" which tells nothing.
     
    Last edited by a moderator: Nov 4, 2016
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,906
    Location:
    localhost
    This is not limited to Lastpass but most browser-server based password and Tavis found issues in most of them (1password, dashlane, etc.). If you don't like server based password managers you can use lastpass offline (lastpass portable or lastpass pocket). Finally if you are really paranoid on auditing then the only way to be sure is to inspect the code yourself. Otherwise you will always need to rely on a third party organisations. No password managers is 100% proof but I really don't understand this race to kill lastpass, lol. Btw, if you want to look into lastpass, then have a look here: https://github.com/LastPass/lastpass-cli

    Btw, experts look into the hashing of lastpass and judged it as one of the best out there.

    http://arstechnica.com/security/201...-lastpass-exposes-encrypted-master-passwords/
     
    Last edited: Nov 4, 2016
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.