LastPass, KeePass, 1Password, etc - A good solution to password management?

[J.C]

Like many or all users nowadays, I have too many passwords to remember, since I don't use the same password between services. I was looking for a service to securely store my passwords, and I have read in many sites about LastPass. I'm testing this service right now and it's awesome, really good, but, I can't help thinking how and where my passwords are being stored, who can access them, are the service/servers secure against attacks, if the service goes offline for maintenance or problems, how can I login in my accounts? And many others questions...

So, I'm here to listen a word from you guys, services/tools like LastPass, KeePass, 1Password worth it?

[bsvols]

Try "Sticky Password": http://www.nsaneforums.com/topic/180819-sticky-password-pro-6012455-ml-serial/ Or, if you prefer free, "Dashlane" is a recent release that lets you keep your passwords only on your computer or sync them to their online service for use with other computers.

Edited September 21, 2013 by bsvols

[J.C]

Try "Sticky Password": http://www.nsaneforums.com/topic/180819-sticky-password-pro-6012455-ml-serial/ Or, if you prefer free, "Dashlane" is a recent release that lets you keep your passwords only on your computer or sync them to their online service for use with other computers.

Actually, we can get Sticky Password 6.0 for free for limited time (http://www.nsaneforums.com/topic/185855-giveaway-sticky-password-60-pro/?hl=%2Bsticky+%2Bpassword+%2Bpro#entry641027), and I don't mind if it's free or paid.

[manb]

I personally prefer Sticky Password...

[J.C]

I personally prefer Sticky Password...

[bsvols]

I thought the "Sticky Password" promo had expired, so I didn't mention it. :s

[J.C]

I thought the "Sticky Password" promo had expired, so I didn't mention it. :s

[emerglines]

Keepass for me cause its free, not very known, not easy for simple user, non popular which means for me less security risks ( something popular means more security problems ), never had any problem using it :)

[Siddharta]

Well as everybody knows I use Roboform (Nsandown main choice and frontpaged password manager), but I have to admit I'm impressed with Last Pass. I've been testing it for a while now in a virtual machine and it is very good. Also, I find it as safe as CoolZoid mentioned above :showoff:

Edited September 21, 2013 by Siddharta

[emerglines]

@CoolZoid : they most given you the Master key to trust their service ( your own DB Master key )

[J.C]

J.C ,

Passwords are stored in LastPass on your computer before transferring it to the server is encrypted.

LastPass generates a hash of your login and password, and it is the key to the AES algorithm:

KEY = SHA256 (EMAIL + PASSWORD)

For authorization, the service uses a dual hash, that he sent to the server and is a key screening for authorization:

AUTH_HASH = SHA256 (KEY + PASSWORD)

Indeed, the group titles, records and data are transmitted in encrypted form, they always use HTTPS.

LastPass approaches the subject as follows: all data is encrypted on the client side and the user key is transmitted in encrypted form on the server. This key (aka the master account password) known only to you: on the server it is not stored in the case of loss can not restore it. LastPass database is duplicated in two separate data centers, so that in case of failure of one of them, you can continue to use the service. But even if the service is in a period of time is not available, you will still be able to access the data, as they are present on your computer. Additional security settings allow you to nullify the possibility of breaking your data intruder: You can configure the Auto Logout of your account at a simple, limit the list of countries from which the possible signing in, disable access through Tor, increase the iteration passwords (the larger it is, the harder they are to decrypt ) enable two-factor authentication (table will be created with a password that must be entered when logging into LastPass with a new device or a new place), set up a notification about the change of data. Plus the developers rather kind to protect users' data, is still not a single case of mass leak passwords. If data theft is possible, it is much more likely because of the negligence of users to its own security.

LastPass - has long been my choice ;)

[emerglines]

Stay away from famous stuff http://mashable.com/2013/08/19/lastpass-password-bug/

[J.C]

I have had experience in comparison managers passwords, including the above-mentioned; for convenience and ease of use - LаstPаss the most suitable for all пользователям.

Simply, reliably, and at no charge. ;)

J.C ,

I do not know what you're ... You asked - I answered.

You want maximum safety - keep passwords in your head.

Everything can be hacked.

Yeah, I know, but when we are talking about many different and long passwords it's not easy. Anyway, I didn't mean to be rude, if you thought so.

[Whi5t1eR]

Run the code flow in Sticky and examine it, it's really nice work, (and very secure) and can use a 8192 key. If you want a new OEM or a Pro key let me know.

[ande]

For regular folk I'd say strong offline password manager such as Sticky Password or RoboForm - I prefer first one.

Once your password database is out of your reach (cloud) there is always possibility of 3rd party getting them (N$4).

No matter how good encryption is and how long key is once "they" catch your data there are chances of decrypting it.

For paranoid user it is important to mention fact many govt. are collaborating with (or forcing) companies which create Proprietary Privacy & Security Software,

they are payed (forced) to slightly change code in order to create unnoticeable holes/bugs. That is later used to encrypt data with ease.

In this case combination of Open Source software and Proprietary software is highly recommended, on the other hand this makes things more difficult.

To note new Sticky Password, v7, is releasing soon, v7 comes with Cloud and data synchronization which is from my perspective very bad.

I would very much like to recommend Open Source password manager Password Safe which is recommended by security authorities such as Bruce Schneier.

[davmil]

I like Last Pass. I've never had problems with them being unreachable.

A while back I came across this article from LifeHacker which enhances Last Pass's security even further.

recommended reading for Last Pass users. Like AVirus software, I think this is one situation where buying a license for a commercially viable and supported product is well worth it.

http://lifehacker.com/5879117/how-to-build-a-nearly-hack+proof-password-system-with-lastpass-and-a-thumb-drive?utm_source=Lifehacker+Newsletter&utm_campaign=5b0b3cbd5e-UA-142218-1&utm_medium=email

[Pedrito]

As far as I know, LastPass and others, only store passwords for sites!

I use and recommend KeePass, as you can store passwords for anything.

For example I have passwords there for my modem router.

You can save attachments too, like pictures or anything else.

It's also cross platform, a little ugly on Linux though...

And it's very secure, you can use several methods at the same time.

You can use a normal password, the Windows' user account password and an encrypted file; the most secure method this last one.

Even if your passwords file is stolen it will take forever to decrypt. ;)

[emerglines]

As far as I know, LastPass and others, only store passwords for sites!

I use and recommend KeePass, as you can store passwords for anything.

For example I have passwords there for my modem router.

You can save attachments too, like pictures or anything else.

It's also cross platform, a little ugly on Linux though...

And it's very secure, you can use several methods at the same time.

You can use a normal password, the Windows' user account password and an encrypted file; the most secure method this last one.

Even if your passwords file is stolen it will take forever to decrypt. ;)

Don't use windows account NTLM Hashes its a bit easy to decrypt them, so make sure to use Master Key instead.

[InEvX]

Lastpass tends to be my bet. If you don't trust it being on their servers, use it offline only.

A quote from their CEO "LastPass is open source primarily -- Firefox, Chrome, Safari, Opera and Maxthon extensions can all be utilized 'binary free' and are open source. If you wanted you can utilize these exclusively and only log-in from them. Disable updates and you're using _only_ open source and you could audit it and continue to use it forever, safely.

That being said, when Steve Gibson (from security now) reviewed Lastpass and gave it the all clear... I can be assured Lastpass is very secure.

I have two passwords. One password for truecrypt and one password for Lastpass. You really can't go wrong with lastpass.

Do note: If you want to be 100% secure, use something open sourced. Period.

Edited September 21, 2013 by InEvX

[r1223]

My world stops at sticky password.. I tried others but none of them were able to make me convinced to switch from sticky.. been using since 4 years.. and i think kaspersky password manager is the same sticky engine..

[Pedrito]

As far as I know, LastPass and others, only store passwords for sites!

I use and recommend KeePass, as you can store passwords for anything.

For example I have passwords there for my modem router.

You can save attachments too, like pictures or anything else.

It's also cross platform, a little ugly on Linux though...

And it's very secure, you can use several methods at the same time.

You can use a normal password, the Windows' user account password and an encrypted file; the most secure method this last one.

Even if your passwords file is stolen it will take forever to decrypt. ;)

Don't use windows account NTLM Hashes its a bit easy to decrypt them, so make sure to use Master Key instead.

Of course not. I use my own password and sometimes an encrypted file, when I need more security. :)

[J.C]

As far as I know, LastPass and others, only store passwords for sites!

I use and recommend KeePass, as you can store passwords for anything.

For example I have passwords there for my modem router.

You can save attachments too, like pictures or anything else.

It's also cross platform, a little ugly on Linux though...

And it's very secure, you can use several methods at the same time.

You can use a normal password, the Windows' user account password and an encrypted file; the most secure method this last one.

Even if your passwords file is stolen it will take forever to decrypt. ;)

Don't use windows account NTLM Hashes its a bit easy to decrypt them, so make sure to use Master Key instead.

Of course not. I use my own password and sometimes an encrypted file, when I need more security. :)

NTLM rainbow tables, Cain & Abel... NTLM isn't secure!

- https://www.freerainbowtables.com/en/tables2/

- http://it.slashdot.org/story/13/01/09/0047202/ntlm-100-broken-using-hashes-derived-from-captures

Edited September 21, 2013 by J.C

[emerglines]

Latest underground shit, Lastpass Backdoor :)

[smallhagrid]

A cute vid about it:

I would very much like to recommend Open Source password manager Password Safe which is recommended by security authorities such as Bruce Schneier.

And though I do have Sticky PW 6, the zip file for this seems worth looking at=>

https://downloads.sourceforge.net/project/passwordsafe/passwordsafe/3.31/pwsafe-3.31-bin.zip

Thanks.

[J.C]

Latest underground shit, Lastpass Backdoor :)

But this is a modified plugin, it's the same principle as downloading any paid software and using a fake crack/keygen with backdoor. The question is where you download.