Ideally you’d find a single password manager that features synchronizing (or remote storage) and works with all the devices you normally use. Failing that, if there’s one device which you use primarily, and the others you use only for a small number of websites, then you could install and use the password manager on the main device, and then just manually remember and enter your passwords on the other devices. (That is, your use of a password manager on your main device doesn’t affect the accessibility of websites on other devices that don’t have it. You just don’t benefit from its ability to remember your passwords.)
LastPass has apps for your iPhone and iPad, it’s not only for PC browsers.
I chose LastPass because when I was looking it was the only one that worked across all the platforms I was using (iOS and both a PC and a Mac). Others may do this now.
Speaking as someone who has a lot of clients that use this system - it sucks.
If the notes are handwritten, the passwords rapidly become unreliable - capital letters get switched with lowercase, spaces are misplaced, 1’s look like l’s, etc., etc.
It’s also unsearchable.
Once you have a few hundred passwords and logins, it becomes a nightmare.
I store my passwords in a simple text file which I encrypt with GnuPG. Not as comfortable as a password manager, but very straightforward and I have total control.
Au contraire, I specifically asked what security there was against hacking and if some were better than others.
The answer, “proprietary, so trust us,” raises different concerns than “open source, tested by computer geeks with no personal financial stake”. I find that discussion is relevant to both my questions.
Thanks for all the answers, everyone. I’m finding it very interesting (to the extent I can follow it).
But he’s right. Open source software isn’t necessarily more secure, and blanket support for it is more of an ideological position than a technical one. Many people, including me, would like for open source code to be intrinsically more secure. But it just isn’t so.
If it makes you feel better, the mathematical algorithms used by 1Password to encrypt data are open source and widely used. You can read more about the encryption used by 1Password here – I assume something similar exists for other managers.
True, but I also never claimed that free software is necessarily more secure. I said only that it is possible to verify that a given free software program is secure, whereas with proprietary software you have no such possibility.
Convenience has a big price, and that price is security.
Maybe not a big deal for your SDMB account but probably a big deal for work and personal finance accounts.
One thing KeePass has done for me is lowered the cost* of using unique high-entropy passwords. So I don’t tier logins the way I did before I got it, with one password for all the stuff I designated low-risk or low-worry, and something else for e-mail, and something else for banking** etc.
*In effort and memorization
**Not that I’m all that worried about that right now, but it’s the principle of the thing.
Ooops. It looks like that may have happened:
Password storing company LastPass is hacked.
Hackers stole the encrypted passwords and other information.
It remains to be seen if that data is useful. If the encryption is as strong as they claim, it is essentially uncrackable.
If they have the data and are any good at decryption, it is only a matter of time.
Why not just use Chrome or Firefox’s built-in password manager and sync? With Chrome it works across all devices, and you can encrypt it with either your Google credentials or a separate passphrase. It’s a lot simpler than any third-party solution. I imagine Firefox’s works similarly.
If your browser is hacked you’re fucked anyway, and realistically only big companies like Google have the resources to defend against ever-evolving security attacks. And if Google does get hacked, your data will be just one person’s out of several hundred million, both giving you time to react while nefarious actors dig through the huge pile and making front-page news so you’ll know about it. If some random third-party plugin gets hacked, you’ll likely never even hear about it until it’s way too late.
TL;DR: “In Google We Trust” makes life a lot simpler.
If they don’t have the keys and the data is properly encrypted, “matter of time” is either several billion years or at least several decades for quantum computers.
Contrary to what psychonaut said, LastPass is not a black box and it’s simple to see that it works as they describe. They use standard SHA hashes and AES encryption. The important bits of LastPass are effectively open-source because they are in JavaScript, and therefore in plaintext and easily readable by anyone that wishes to do an audit.
I use LP and am not worried about the break. I considered it inevitable, really. As long as you have a strong master password, brute-force attacks are simply not a problem.
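The posts above turn on three technical claims: a manager derives the vault key from the master password with standard hashing, the stored data is useless without that key, and exhaustive search against a strong master password takes an absurd amount of time. The Python below is an added example to make those claims concrete; it is not LastPass’s or any other manager’s code. The PBKDF2-HMAC-SHA256 construction, the 100,000-round work factor, the constructed salt, and all function names are assumptions chosen for illustration, not a description of any product’s actual parameters.

```python
import hashlib
import hmac
import secrets
import time

# Work factor for the key-derivation function. Constructed for illustration;
# real password managers choose their own parameters.
ITERATIONS = 100_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256.

    In this design the derived key is what AES would use to encrypt the
    stored passwords; the master password itself is never stored anywhere.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_verifier(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Value a vault can store to recognise the master password later.

    Hashing the derived key once more means the stored verifier cannot be
    turned back into the encryption key or the password.
    """
    return hashlib.sha256(derive_key(master_password, salt, iterations)).digest()


def check_master_password(candidate: str, salt: bytes, verifier: bytes,
                          iterations: int = ITERATIONS) -> bool:
    """Re-derive from the candidate and compare in constant time."""
    got = hashlib.sha256(derive_key(candidate, salt, iterations)).digest()
    return hmac.compare_digest(got, verifier)


def guesses_for(alphabet_size: int, length: int) -> int:
    """Size of the keyspace for a random password of this shape."""
    return alphabet_size ** length


def seconds_per_guess(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure how long one PBKDF2 evaluation takes on this machine."""
    salt = bytes(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def expected_crack_years(alphabet_size: int, length: int,
                         secs_per_guess: float, parallelism: int = 1) -> float:
    """Expected years to find a random password by exhaustive search.

    On average half the keyspace is tried before the right one turns up;
    parallelism models that many derivations running at once.
    """
    guesses = guesses_for(alphabet_size, length) / 2
    return guesses * secs_per_guess / parallelism / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # per-user random salt, stored beside the vault
    verifier = make_verifier("correct horse battery staple", salt)
    print("right password accepted:",
          check_master_password("correct horse battery staple", salt, verifier))
    print("wrong password rejected:",
          not check_master_password("Correct horse battery staple", salt, verifier))

    per_guess = seconds_per_guess()
    print(f"one guess costs {per_guess * 1000:.1f} ms on this machine")
    for alphabet, length in [(26, 8), (62, 12), (95, 20)]:
        years = expected_crack_years(alphabet, length, per_guess, parallelism=1_000_000)
        print(f"{alphabet}^{length} keyspace, a million guessers in parallel: {years:.3g} years")
```

Two things to notice when running it: the verifier stored beside the vault is a hash of a hash, so a copy of the stored data gives nothing that can be reversed into the key, and the years figure jumps by a factor of the alphabet size for every extra character of master password, which is why the thread’s “strong master password” condition does all the work in the “matter of time” argument. The measured per-guess cost is what the iteration count buys; raising it slows every guess, legitimate or not, by the same factor.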
A long time.
Unless they hack your computer/smartphone camera or your drone and fly it over to get a peek.
I’m not sure I’d call that technique “simple”—at least, not in comparison to reading source code. The author of that blog used a tool which sniffs his outgoing web traffic.
That a product uses secure cryptography is no guarantee that it isn’t also doing something insecure with the data before it’s hashed or encrypted.
Really? They don’t use any obfuscation at all? (Because if they do, you might as well argue that all proprietary software is easily readable on the basis that it can be decompiled or at least disassembled.) If LastPass’s browser-based interfaces are indeed in easily readable JavaScript, then that’s very reassuring. However, it should be noted that these interfaces are not the only way of using LastPass. There are also offline clients which I’m pretty sure are not supplied with source code, and therefore cannot be audited.
Looks like someone had a go at LastPass:
That’s entirely fair; the same thing applies for encryption algorithms. If you don’t publish it, how does anyone know you’re not doing some kind of ROT13-like encoding that makes everything look encrypted but is, in reality, trivially crackable?
Simple for anyone capable of doing a legitimate audit.
Sure. Encryption can be used inappropriately. But using standard algorithms is a first step towards legitimate security, since it means they benefit from all the existing research that’s been done. If they used proprietary algorithms, I’d consider it insecure, even if it had been audited.
Here’s the source code for their command line client (I haven’t looked at it myself).