LastPass vs. RoboForm and KeePass

What do you love about LastPass? What do you hate about it? Tell us why you like it, why you don't, and why.


LastPass vs. RoboForm and KeePass

Postby kilgry » Sat Feb 18, 2012 7:32 pm

Hold on a second... I've always read comments from people saying their opinion is that RoboForm or KeePass rocks compared to LastPass, but no one has ever pointed out that RoboForm and KeePass do not support multi-factor authentication!

Are you kidding me? That would remove RoboForm and KeePass from my password manager short list. Even if I didn't wish to use multi-authentication, I would at least want the option, plus I believe it shows LastPass to be more interested in my password safety.

Go LastPass!
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: LastPass vs. RoboForm and KeePass

Postby evilthought » Thu Feb 23, 2012 5:14 am

LastPass only uses your master password (and email) to encrypt your passwords. The multi-factor authentication is only relevant when you are downloading the encrypted file from the LastPass server. That's all. It plays no part otherwise in the encryption. KeePass is offline software, so it doesn't need multi-factor authentication (like LastPass does).
evilthought
 
Posts: 65
Joined: Mon Jan 30, 2012 5:50 am

Re: LastPass vs. RoboForm and KeePass

Postby kilgry » Thu Feb 23, 2012 1:16 pm

That is mostly true (except it does use the Yubikey static portion for encryption as well, and I think Sesame does something similar), but the benefit of that is debatable. Yes, I agree it would be better if the additional authentication was applied at the encryption level.

However, multi-factor auth does provide an added benefit, which you mentioned, in that it helps control access to your encrypted blob of data. Yes, it isn't foolproof, but it does add another layer of security, which I believe can be substantial when set up properly by the user.

With LastPass I have the option to add this layer of security within the product itself, and with RoboForm and KeePass I don't.
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: LastPass vs. RoboForm and KeePass

Postby evilthought » Thu Feb 23, 2012 2:20 pm

I don't think Yubikey and Sesame play any role in encryption. They are only used in protecting the encrypted file from being downloaded from the LastPass server. You can test it yourself. Try opening the local encrypted copy that you saved on your hard drive using LastPass Pocket. It will only require the email and master password. Also, we know Yubikey and Sesame play no part in encryption because if you lost your Yubikey and Sesame, you can disable them via email.

By the way, KeePass does have a key file option. Basically, you can create a keyfile. Unlike LastPass's Yubikey and Sesame, the keyfile is needed for decryption.
evilthought
 
Posts: 65
Joined: Mon Jan 30, 2012 5:50 am

Re: LastPass vs. RoboForm and KeePass

Postby kilgry » Thu Feb 23, 2012 6:30 pm

evilthought wrote: I don't think Yubikey and Sesame play any role in encryption. They are only used in protecting the encrypted file from being downloaded from the LastPass server. You can test it yourself. Try opening the local encrypted copy that you saved on your hard drive using LastPass Pocket. It will only require the email and master password. Also, we know Yubikey and Sesame play no part in encryption because if you lost your Yubikey and Sesame, you can disable them via email.

I'm not sure exporting is the same as copying. I will admit that my knowledge does not extend far enough to sufficiently answer your points above, but I believe they are probably false to some degree. However, I believe Yubikey and Sesame work somewhat similarly to how your data is encrypted with your MP, but also have the ability to work with OTPs.

evilthought wrote: By the way, KeePass does have a key file option. Basically, you can create a keyfile. Unlike LastPass's Yubikey and Sesame, the keyfile is needed for decryption.

Keyfiles can be copied and thus don't really follow the "something you have" rule too well, since everyone else can have it too. KeePass admits as much:
http://keepass.info/help/base/keys.html

The same might be able to be claimed about Sesame (again I don't know the details) and is why I chose Yubikey instead.

Keepass' Windows login feature is interesting, but extremely limiting.

Again, LastPass uses multi-factor as a security layer, and Keepass and Roboform do not offer such, except maybe Keepass' Windows login feature, but it carries a very large downside.
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: LastPass vs. RoboForm and KeePass

Postby evilthought » Fri Feb 24, 2012 2:40 am

I love LastPass, and it's not just for protection, but also, more importantly, to manage the passwords and keep them in sync on different computers.

However, this argument of yours is just not valid against KeePass. LastPass's multi-factor authentication protects your encrypted copy from being downloaded from the LastPass server by someone who stole your master password. The thief would still need your Yubikey to download the encrypted file saved on the LastPass server. Yubikey (or other kinds of multi-factor authentication) plays no part whatsoever in the encryption itself. Since KeePass doesn't keep anything online on their server (everything is local on your computer, and it's your job to keep backups and keep them in sync on different computers), there is no need for multi-factor authentication like LastPass.

I have said this now three or four times, and the point is really clear. LastPass only uses your email and password to encrypt your data. The multi-factor authentication only protects against unauthorized downloading of the encrypted file from their server. I am not sure why we are repeating the same thing over and over again. The point is really clear.
evilthought
 
Posts: 65
Joined: Mon Jan 30, 2012 5:50 am
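The architecture the two posters are arguing about can be written down as a small model. The following is an added example, not code from the thread, from LastPass or from KeePass. It models the design as evilthought describes it: the vault key is derived only from the email address and the master password, and the second factor is checked by the server when the encrypted blob is downloaded, so a locally cached blob decrypts without it. It also models the KeePass key-file point from the earlier post, where the key file is a component of the key itself, so without it the data does not decrypt. The PBKDF2 iteration count, the toy HMAC-based cipher, the `VaultServer` class and the sample vault contents are all assumptions made for illustration and are not the real products' parameters or code.

```python
"""Where does the second factor sit: at the download gate, or in the key?

Added example modelling the thread's argument. Toy cipher for illustration
only; the real products' key derivation and encryption are not shown here.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption, not the real LastPass parameter


def derive_vault_key(email: str, master_password: str) -> bytes:
    """LastPass-style vault key as the thread describes it: derived from the
    master password salted with the email. No OTP, YubiKey or grid value
    enters this derivation, so the key exists independently of the second factor."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), PBKDF2_ITERATIONS, dklen=32)


def keepass_composite_key(master_password: str, keyfile=None) -> bytes:
    """KeePass-style composite key: SHA-256 over the concatenated SHA-256
    digests of each credential component. A key file is a component, so
    the resulting key (and therefore decryption) depends on having it."""
    material = hashlib.sha256(master_password.encode()).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream (toy construction, assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_blob(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_blob(key: bytes, blob: bytes) -> bytes:
    """Returns the plaintext; raises ValueError on a wrong key or tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class VaultServer:
    """Stores blobs it cannot read. The second factor is enforced here, on
    retrieval, and nowhere else (assumed model of the hosted design)."""

    def __init__(self):
        self._blobs = {}
        self._mfa_required = {}

    def store(self, email: str, blob: bytes, require_mfa: bool) -> None:
        self._blobs[email] = blob
        self._mfa_required[email] = require_mfa

    def fetch(self, email: str, password_ok: bool, second_factor_ok: bool) -> bytes:
        if not password_ok:
            raise PermissionError("master password check failed")
        if self._mfa_required[email] and not second_factor_ok:
            raise PermissionError("second factor required to download the vault")
        return self._blobs[email]


def demo() -> dict:
    """Walks through both scenarios and reports what each credential gated."""
    email, mp = "user@example.com", "correct horse battery staple"  # constructed
    key = derive_vault_key(email, mp)
    blob = encrypt_blob(key, b"site=example.org;user=alice;pw=hunter2")  # constructed
    server = VaultServer()
    server.store(email, blob, require_mfa=True)
    try:
        server.fetch(email, password_ok=True, second_factor_ok=False)
        download_without_otp = True
    except PermissionError:
        download_without_otp = False
    cached = server.fetch(email, password_ok=True, second_factor_ok=True)
    # The cached copy opens with email + master password alone; no OTP involved.
    local_decrypt_ok = decrypt_blob(key, cached).startswith(b"site=")
    kp_with = keepass_composite_key(mp, keyfile=b"constructed-keyfile-bytes")
    kp_without = keepass_composite_key(mp)
    return {"download_without_otp": download_without_otp,
            "local_decrypt_ok_without_otp": local_decrypt_ok,
            "keepass_keyfile_changes_key": kp_with != kp_without}


if __name__ == "__main__":
    print(demo())
```

The model makes the distinction concrete: `VaultServer.fetch` is the only place the second factor is consulted, and `decrypt_blob` never sees it, whereas `keepass_composite_key` returns a different key with and without the key file. Whether a particular vendor's offline export layers extra encryption on top, as a later post in the thread quotes, is outside what this model covers.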

Re: LastPass vs. RoboForm and KeePass

Postby kilgry » Fri Feb 24, 2012 1:57 pm

Saying it multiple times does not make it true. You might want to refer to this thread to see that Yubikey is used for encryption as well:

viewtopic.php?f=12&t=13499&p=48429&hilit=yubikey+static+encryption

Now, in terms of KeePass and LastPass being equal in terms of offline functionality, I would lean to saying "yes." However, LastPass users have the option to disable offline access.
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: LastPass vs. RoboForm and KeePass

Postby evilthought » Fri Feb 24, 2012 4:11 pm

kilgry wrote: Saying it multiple times does not make it true. You might want to refer to this thread to see that Yubikey is used for encryption as well:

viewtopic.php?f=12&t=13499&p=48429&hilit=yubikey+static+encryption

In the thread that you linked, someone posted that they were able to open the local vault without needing Yubikey with LastPass Pocket. I have tested it with grid authentication, and can confirm the same thing.
evilthought
 
Posts: 65
Joined: Mon Jan 30, 2012 5:50 am

Re: LastPass vs. RoboForm and KeePass

Postby kilgry » Fri Feb 24, 2012 5:21 pm

Perhaps you should read the whole thread. :roll: The thread goes on to state that LastPass released an update which changed the behavior:

5. Pocket now also allows opening and exporting of data based on your yubikey/sesame settings. On export, if yubikey/sesame is enabled, it will doubly encrypt things with your offline password. If you have "online only mode" specified, then double encryption is performed with a unique "online only" password instead that is provided by the server only after an OTP has been verified.

The user you mentioned then tested again with this update and found Yubikey was required.

Grid (and Google Auth for that matter) is a different beast from Yubikey and Sesame, and is also why it comes with the free version of LP.

I realize admitting you were wrong is difficult, but after the comment about having to repeat yourself to me, I think I should be able to ask...
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: LastPass vs. RoboForm and KeePass

Postby evilthought » Sat Feb 25, 2012 4:14 am

kilgry wrote: Perhaps you should read the whole thread. :roll: The thread goes on to state that LastPass released an update which changed the behavior:

5. Pocket now also allows opening and exporting of data based on your yubikey/sesame settings. On export, if yubikey/sesame is enabled, it will doubly encrypt things with your offline password. If you have "online only mode" specified, then double encryption is performed with a unique "online only" password instead that is provided by the server only after an OTP has been verified.

The user you mentioned then tested again with this update and found Yubikey was required.

Grid (and Google Auth for that matter) is a different beast from Yubikey and Sesame, and is also why it comes with the free version of LP.

I realize admitting you were wrong is difficult, but after the comment about having to repeat yourself to me, I think I should be able to ask...

I am not convinced. Given that if you lose your YubiKey you can disable it via email, there must be an encrypted copy somewhere that is encrypted only with your master password. Otherwise, losing your YubiKey would have meant losing your entire data, which I consider far more dangerous than a thief stealing my master password (which is highly unlikely anyway to begin with).

Also, the ability to access my data when I am offline (or when the LastPass server is down, or in case LastPass goes out of business and disappears) is far more important to me than multi-factor authentication. I won't use any kind of multi-factor authentication that has any possibility of me losing access to my data. If there was even a hint of such a possibility, I would immediately delete LastPass and move to something else. Luckily, that's not the case.

I really don't consider your argument a knock against KeePass. KeePass is safer in many other ways (you are in total control of the software, there are no auto-updates, and your encrypted data is 100% in your control; nothing is ever uploaded to any server). But I use LastPass because there are other very important things besides safety, like easily keeping my passwords in sync and integration with the browser. Grid plus a good master password is safe enough in my book.
evilthought
 
Posts: 65
Joined: Mon Jan 30, 2012 5:50 am
