Password Manager?

I've been using KeePass for about 2 years now I think and have become very dependent on it! I just checked and have 160 passwords saved.

I have a 20+ character master password which is now one of the only passwords I need to remember. I've been looking at 2FA with a YubiKey but since my phone doesn't support NFC it won't work for me at the moment.

My main KeePass DB is stored on my OneDrive, so I do need to know my OneDrive password off the top of my head. I then backup the DB to a few other locations for redundancy - if I lost it I'd be very stuck! It backs up using the plugin DataBaseBackup: Plugins - KeePass.

I also have Favicon Downloader installed so I can easily get the website favicon: Plugins - KeePass

On my phone I have KeePass2Android (https://play.google.com/store/apps/details?id=keepass2android.keepass2android&hl=en_GB) installed, which syncs with OneDrive automatically so I can just load it and enter my password and it downloads the latest copy from OneDrive automatically. It also has its own keyboard so it doesn't ever have to copy credentials to the phone's clipboard.
 
I wouldn't really recommend anything other than LastPass for security reasons.

Why LastPass in particular? Is it much bigger than the rest, tested in some particular way the others aren't [e.g. some unique connection with a certain browser], or the others have had problems?

KeePass for instance seems to have a lot of stuff going for it: Security - KeePass

Realistically, provided they used an external library for the cryptographic implementation (and I'm certain they did, since it's very popular and open source; there would be an uproar if they hadn't), all should be well. And let's be honest, if someone breaks AES, we're all in serious trouble in far bigger ways than this.



Basically what I'm trying to say is that I see absolutely no reason why KeePass or any of the other big names, LastPass included, should be particularly insecure and not worth recommending. If there's specific evidence to back this up, I'd love to take a look.



However, on another point, I think it's all moot anyway: the default password managers built into IE & most other browsers are terrible, it's all readable pretty much in plain text, certainly with iepv. And yet we don't really see any particular issues as a result of this. Basically, if the vast majority of the population store their passwords in plain text and get away with it due to other protections, does it really matter if a generally ultra secure password manager has some tiny, really complex break in it? There are far easier targets for malware authors to chase.
 
It would have been better for me to say I wouldn't personally recommend anything other than LastPass. I haven't used KeePass, so I can't speak for it.
 
The main thing that keeps me coming back to LastPass premium ($12 a year) is the fact that I can enable secondary authentication on my account via a Yubikey. LastPass works like this in a big TLDR:

- Make an account.

- With every account you have what is known as a vault.

- In this vault are your passwords for any website you choose to save the username and password for.

- By default (LastPass free) you have a username and a password (known as a master password). This master password is the password that's used to log into your vault. If you however buy premium, you can add different multi-authentication methods. For example, as I mentioned above, mine is setup with a Yubikey (one time password USB device). When I open Firefox, LastPass pops up and asks me to enter my username and master password. After I give LastPass this information and press login, it then prompts me to insert my Yubikey and press the button to generate my one time password. Once I do this, LastPass authenticates me and I log in to my vault. Immediately after I am logged into my vault, that password that was just generated is already junk and cannot be used again.

I do this for the main reason that I can comfortably log into my LastPass vault anywhere out in the world, on any device, without being in fear that the device is infected with malware (keylogger for example) that can get my master password, or the device is on an insecure network, etc. If you have my master password, you have all of my passwords.

There's a few other neat things that just go along with it that I like, such as the ability to generate random and really strong passwords. You can choose any # of characters from 1-whatever, and then select whether or not you want it to contain symbols, capitals, etc. All of my passwords are pretty long character-wise and I'm being 100% honest when I tell you I have no idea what any of my own passwords are for sites I log into every single day, because my vault takes care of all of that for me. When you want to log into a site, LastPass has a button to autofill your username and password that you've given to LastPass within your vault.

The major downfall to doing all of that is if I ever lose my Yubikey, or every single LastPass server somehow explodes and all records are lost, I'm really screwed :grin1: Aside from that though, it's really amazing. Again, I've never used KeePass or any other password manager, so I don't know if any have similar features, the same features but better/worse, etc. I have been with LastPass now going on three years, and I am being completely honest when I say I have absolutely zero complaints.

As far as I know, there are only two breaches on record. One was confirmed to not have leaked any master passwords, and the other was an XSS vulnerability which was a little bit controversial as it was argued whether or not it was a 'serious' exploit. In any case, as far as I know, since it was a white-hat exploit and was properly notified to LastPass, no master passwords were exposed either.
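The property the post above relies on, that a one-time password captured by a keylogger is "already junk" once it has been used, comes from the validating server tracking a counter and refusing anything at or behind it. The following is an added example, not code from the post or from LastPass/Yubico: it uses the counter-based HOTP algorithm (RFC 4226, HMAC-SHA1) rather than the YubiKey's own OTP format, because HOTP runs with the Python standard library and shows the same replay-rejection logic. The secret is the RFC 4226 test key, and the Token/Validator classes and look-ahead window are illustrative assumptions.

```python
import hashlib
import hmac
import struct

# RFC 4226 test vector secret ("12345678901234567890"); a real token's secret
# is provisioned at manufacture or enrolment and never leaves the device.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """Device side (assumed model): every button press emits the code for the
    current counter and advances it, so the same code is never emitted twice."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Validator:
    """Server side (assumed model): a code is accepted only if it corresponds to a
    counter strictly greater than the last accepted one, within a small look-ahead
    window that tolerates presses whose codes never reached the server."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.last_counter = -1
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for candidate in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate  # advance; older codes are now dead
                return True
        return False  # unknown, replayed, or stale code


def keylogger_scenario() -> dict:
    """Walk through the post's scenario: a code is captured as it is typed, the user
    logs in, and the attacker later replays the captured code."""
    token = Token(DEMO_SECRET)
    server = Validator(DEMO_SECRET)

    captured = token.press()                   # keylogger sees this on the wire
    first_login = server.verify(captured)      # legitimate user logs in: accepted
    replay = server.verify(captured)           # attacker replays it: rejected

    token.press()                              # a press whose code was lost (never sent)
    later = token.press()
    skipped_ok = server.verify(later)          # still accepted via look-ahead window
    stale = server.verify(hotp(DEMO_SECRET, 1))  # code for an already-passed counter

    return {"first_login": first_login, "replay": replay,
            "skipped_ok": skipped_ok, "stale": stale, "last_counter": server.last_counter}


if __name__ == "__main__":
    print(keylogger_scenario())
```

The look-ahead window is the usual trade-off: large enough that a few accidental presses do not lock the user out, small enough that an attacker cannot precompute a usable code without the secret. With the secret unknown, a 6-digit code gives a guesser a 10-in-a-million chance per attempt per window position, which is why validators also rate-limit failures.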
 
It's interesting to hear about all of these password managers. I probably ought to start using one. Currently I simply remember my passwords.
 
I have OEM HP Simplepass (fingerprint scanner), which works surprisingly well.

I've never used a 3rd party app before.
 
It's interesting to hear about all of these password managers. I probably ought to start using one. Currently I simply remember my passwords.

I find it easier to remember my passwords. I've never had problems.

Wouldn't it be more secure to write your passwords in some cryptic code on a piece of paper? The person will have to physically obtain that piece of paper, and know how to decrypt the meaning of the symbols you've written.
 
Wow, that's a great feature. I really wish we had that during Heartbleed so I didn't spend 1+ hour manually changing everything.
 
Professional. The personal/classic version is the older 1.x series and professional is the new 2.x series. Always go with professional, they're both free and professional has many more features. The reason for keeping the personal version is that it doesn't use .NET, but you should always use Professional nowadays.
 
I use Lastpass premium - have done for 2+ years?

Fantastic product - I use the premium version mainly as it also works on my mobile.

@John - I'd be a bit reluctant to trust a fingerprint scanner. It might be convenient, but historically the software for them has followed really poor security practices.

Unless it's a very security conscious software suite (E.g. One that doesn't store all your passwords in plaintext in the registry... As some do...) I wouldn't trust it with any of my passwords.

Password managers have much better security across the board. I think my current Lastpass settings encrypt everything with about 1,000 iterations of AES. Considering the NSA already has all my private data... There aren't too many other organisations with the computing power to get through it. :grin1:
 
Professional. The personal/classic version is the older 1.x series and professional is the new 2.x series. Always go with professional, they're both free and professional has many more features. The reason for keeping the personal version is that it doesn't use .NET, but you should always use Professional nowadays.

I figured there were more features, but I wasn't sure if the Professional version was free or not. I didn't see anything related to price, but then I wondered why they offer both for free and agree with you -- .NET.
 