Security

cleverwise

Elio Aficionado
Joined
Sep 21, 2014
Messages
62
Reaction score
183
Location
127.0.0.1
Lastpass is no less secure than a Keepass DB stored via dropbox. Properly implemented with 2 factor auth both are only a very small step down from a locally stored Keepass DB. Keepass on a usb key is great IF you have the ability to mount USB drives on all the machines you log in on. (I unfortunately don't always have that luxury with my work environment.)

Lastpass also only stores an encrypted DB of the users' passwords that is encrypted/decrypted client side upon login/logout. They never have the decryption key, nor is it transmitted to them so they can't leak it.

That is only partially true. For starters you don't have to upload the Keepass information to the cloud. So in that situation Keepass is far safer. However in the case of uploading to say dropbox it is obviously more at risk. Still even in this environment the risk weight isn't the same.

Which is far more likely to be targeted? A dropbox account or LastPass with username and passwords? True the dropbox service could be compromised but there is some safety in numbers. LastPass is nothing but secure data. Also you can easily hide your Keepass file among 100's or 1000's of other files and give it a boring name.

I also question LastPass' mobile application security as many mobile apps fail big time in security. Theirs might not but it raises serious questions.

A few months ago LastPass had two security flaws:

http://techcrunch.com/2014/07/11/la...d-manager-doesnt-think-anyone-exploited-them/

Minor? Perhaps but when storing extremely valuable information it raises concern. LastPass is a personal choice, obviously.
 

2.ooohhh

Elio Addict
Joined
Apr 8, 2014
Messages
208
Reaction score
635
Thankfully, to date all of LastPass's security flaws have been in the implementation of extraneous features which I don't use b/c they are inherently more risky (the same is to be said of their mobile device offerings). Keepass also has quite a few plugins that if installed can make it more vulnerable to attack. Either one in a plain Jane installation (no bells and whistles) with a proper long and varied master password and 2 factor auth on the DB access are good enough for me ATM. Though knowing this, for either option, requires the user to know enough about computer security and to choose wisely which is the greatest battle to be fought in any computer environment. :)
 

cleverwise

Elio Aficionado
Joined
Sep 21, 2014
Messages
62
Reaction score
183
Location
127.0.0.1
I agree on plugins. In general plugins for any system are risky because you just don't know how well programmed they are. I say this as I have plugins listed in the WordPress directory. Still I know how many programmers are sloppy with their code.

It is like SQL injection attacks. If they work it is 100% bad coding in that the programmers failed to sanitize the input (usually from the web). It isn't hard to avoid SQL injection. I know, another topic.

Of course any security must be weighed against the risk of damage. If someone compromises my bank account that is extremely horrible. If they compromise my cartoon avatar creation account, big deal.
 

Charlie G

Elio Addict
Joined
Aug 26, 2014
Messages
296
Reaction score
1,088
Location
Parkville, MD
Even if Dropbox is compromised, someone wanting to crack my db file is going to spend a lot of time doing it, and frankly I don't think I'm interesting enough to warrant the effort.
 