LastPass vs. RoboForm and KeePass

What do you love about LastPass? What do you hate about it? Tell us why you like it, why you don't, and why.

Re: LastPass vs. RoboForm and KeePass

Postby kilgry » Sat Feb 25, 2012 11:07 pm

evilthought wrote:I am not convinced. Given if you lose your YubiKey, you can disable it via email, there must be an encrypted copy somewhere that is encrypted only with your master password. Otherwise, losing your YubiKey would have meant losing your entire data, which I consider far more dangerous than a thief stealing my master password (which is highly unlikely anyway to begin with).


Um, so a quote by an employee of LastPass has not convinced you? Sounds like they do the same thing they do with OTPs, which are also used to recover your account when you forget your password...or do you now wish to claim your master password is not used to encrypt your data?

evilthought wrote:Also, the ability to access my data when I am offline (or when lastpass server is down, or in case lastpass goes out of business and disappears) is far more important to me than multi-factor authentication. I won't use any kind of multi-factor authentication that has any possibility of my losing access to my data. If there was even a hint of such a possibility, I would immediately delete lastpass and move to something else. Luckily, that's not the case.


I don't see that possibility, so I don't worry about it.

evilthought wrote:I really don't consider your argument a knock against KeePass. KeePass is safer in many other ways (you are in total control of the software, there are no auto-updates, and your encrypted data is 100% in your control; nothing ever is uploaded to any server). But I use Lastpass because there are other very important things besides safety, like easily keeping my passwords in sync and integration with the browser. Grid plus a good master-password is safe enough in my book.


Total control of the software? You mean you wrote the code? You review every line of Keepass code before applying updates?

I haven't seen an auto-update to LastPass; only notifications.

If your computer is connected to the internet, your Keepass data is on a "server." It is security through obscurity that you are talking about. Personally, I trust the encryption being used by LastPass, probably more than SSL. If someone grabs your SSL traffic, it is no good to them and same goes for your LastPass data on the server.

A strong master password is a good start, but multi-factor is the extra security I'm after and Keepass and RoboForm don't offer it. Sounds like you agree by your use of Grid. That is my whole point, LastPass gives you that option and that option carries a lot of extra security with it. People who bash LastPass for storing encrypted data on their servers ignore a very important security offering by LastPass that their "preferred" KeePass and RoboForm don't.
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: LastPass vs. RoboForm and KeePass

Postby evilthought » Sun Feb 26, 2012 4:30 am

"Um, so a quote by an employee of LastPass has not convinced you? Sounds like they do the same thing they do with OTPs, which are also used to recover your account when you forget your password...or do you now wish to claim your master password is not used to encrypt your data?"


If so, that's no more secure than KeePass's key files, which is also multi-factor authentication. If it's possible that someone can copy your keypass, then it's also possible that someone can hack your email and disable your Yubikey.

"I don't see that possibility, so I don't worry about it."


I do. The ability to access my data off-line is very important. The assurance that I won't lose access to my data is also very important.

"Total control of the software? You mean you wrote the code? You review every line of Keepass code before applying updates?"


It's open source software, so if there is a flaw in any update, it's far more likely to be exposed before you update to newer version.

"I haven't seen an auto-update to LastPass; only notifications."


Source? I think the plugin for the chrome browser is automatically updated to the newer version. Now here is a potential issue. What if the LastPass server is hacked, and the hacker is able to install/update a hacked version of lastpass plugin on millions of users who are using LastPass?

"If your computer is connected to the internet, your Keepass data is on a "server.""


And it's far less likely that a hacker would randomly target someone random on the internet to find an encrypted KeePass file. Besides, Lastpass keeps (by default) an encrypted file on user computers. So in this there are two files: one on your computer and an identical one on lastpass server. Yes you can turn local vault off, but that also means you no longer have access to your own data if you are off-line. Or if lastpass server is down. That's an unacceptable compromise, as far as I am concerned. Moreover, Lastpass stores OTP by default (many people don't even know that and haven't turned it off) on local computer. So if your computer is hacked, Lastpass would be no better (and probably much worse) than Keepass.

"A strong master password is a good start, but multi-factor is the extra security I'm after and Keepass and RoboForm don't offer it. Sounds like you agree by your use of Grid."


You have not convinced me really that LastPass is any more secure than KeePass. Let me repeat: Grid only protects my encrypted copy from being downloaded from Lastpass server. It plays no part in the encryption. Since KeePass doesn't store anything on the server, I wouldn't even need Grid if I was using KeePass.
evilthought
 
Posts: 65
Joined: Mon Jan 30, 2012 5:50 am

Re: LastPass vs. RoboForm and KeePass

Postby Lars » Sun Feb 26, 2012 8:46 am

I've read this thread with much amusement, as it reminds me of a discussion about which religion is better.. (sorry for sounding so sarcastic).

Only comment I have is this.. A program being open source doesn't mean it's better than proprietary, as 99.9% of all users 1) aren't capable of understanding the code or 2) don't keep track of their program on e.g. forums.
Lars
 
Posts: 2154
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: LastPass vs. RoboForm and KeePass

Postby kilgry » Sun Feb 26, 2012 4:44 pm

Lars wrote:I've read this thread with much amusement, as it reminds me of a discussion about which religion is better.. (sorry for sounding so sarcastic).


I have to agree, since most religious debates include at least one side (maybe both) not applying logic to the discussion. Seems to be the case here.

I also started this discussion based on the comments I have read attached to the bottom of RoboForm, KeePass and LastPass reviews. Those are "religious debates" of sorts and I have added on to them, however even in those (religious or password management) debates Truth can be found if done correctly.
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: LastPass vs. RoboForm and KeePass

Postby evilthought » Sun Feb 26, 2012 4:50 pm

Lars wrote:I've read this thread with much amusement, as it reminds me of a discussion about which religion is better.. (sorry for sounding so sarcastic)..


I am a LastPass user. I just don't think the OP's point that lastpass is more secure than KeePass is really valid. Overall, I think KeePass is probably more secure, but I like LastPass better for other reasons.
evilthought
 
Posts: 65
Joined: Mon Jan 30, 2012 5:50 am

Re: LastPass vs. RoboForm and KeePass

Postby kilgry » Sun Feb 26, 2012 6:25 pm

And yet, you haven't been able to show how Keepass is more secure except by trying to claim something that isn't true.

Yes, LastPass looks less secure if you misunderstand how it works.
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: LastPass vs. RoboForm and KeePass

Postby evilthought » Sun Feb 26, 2012 6:45 pm

kilgry wrote:And yet, you haven't been able to show how Keepass is more secure except by trying to claim something that isn't true.

Yes, LastPass looks less secure if you misunderstand how it works.


I didn't start the thread. You started the thread with a statement that LastPass is more secure. None of the arguments were convincing. Multi-factor authentication only protects your encrypted file from being downloaded from LastPass server (at least with Grid and Google authentication), and it plays no part in the encryption itself. Yubikey can be turned off via email, which is no more "safer" than KeePass key files (which is the same concept as sesame).
evilthought
 
Posts: 65
Joined: Mon Jan 30, 2012 5:50 am

Re: LastPass vs. RoboForm and KeePass

Postby kilgry » Sun Feb 26, 2012 7:11 pm

evilthought wrote:Multi-factor authentication only protects your encrypted file from being downloaded from LastPass server (at least with Grid and Google authentication),


And that doesn't increase security? So, why are you using Grid again?

evilthought wrote:and it plays no part in the encryption itself.


False. Yubikey and Sesame do, and LastPass has stated. If you believe they lied, I can't help you. It is a world of distrust you have created.

evilthought wrote:Yubikey can be turned off via email, which is no more "safer" than KeePass key files (which is the same concept as sesame).


Huh? Anyone else following the logic here?

BTW, you do realize LastPass can use a "security email" address? So, someone has to keylog your master password, get your LastPass data file and hack your security email account (know the account address and password). I only access my security email if I have LastPass send it an email, which is like never so it isn't likely anyone would know my password for that email account, nor would they even know what email account I'm using (and I have several). It honestly boggles my mind how someone could get all the pieces needed for this hack.

With Keepass on the other hand, once they have access to your PC they can copy your Keepass data file, keylog your master password and watch what file is accessed for a keyfile and then copy that. None of these are all that difficult with access to the PC Keepass is running on.

So, how is Keepass more secure again?
kilgry
 
Posts: 817
Joined: Sun Feb 13, 2011 5:41 pm

Re: LastPass vs. RoboForm and KeePass

Postby evilthought » Mon Feb 27, 2012 2:38 am

kilgry wrote:And that doesn't increase security? So, why are you using Grid again?


It protects the encrypted file from being downloaded from lastpass server. It plays no part in the encryption. Since Keepass doesn't upload anything to their server, I wouldn't need Grid if I were using KeePass anyway.

kilgry wrote:False. Yubikey and Sesame do, and LastPass has stated. If you believe they lied, I can't help you. It is a world of distrust you have created.


I specifically mentioned Grid and Google authentication. Funny you deleted that part.

kilgry wrote:With Keepass on the other hand, once they have access to your PC they can copy your Keepass data file, keylog your master password and watch what file is accessed for a keyfile and then copy that. None of these are all that difficult with access to the PC Keepass is running on.


If you are that paranoid, you don't have to keep Keyfiles on the computer. You can keep them on USB. You can keep them encrypted on USB. You can use any file as Keyfiles (such as photos), making it harder for the hacker to even guess which is the keyfile. Moreover, I just looked it up, *Keepass can use YubiKey* http://keepass.info/help/kb/kb090227_yubikey.html


kilgry wrote:So, how is Keepass more secure again?


After all this discussion, and looking stuff up, I now believe Keepass is more secure than LastPass. No automatically created OTPs. No auto plugin updates. Open source. Nothing uploaded to server. No auto saving of local vault on every computer that you ever use (this is a global option, something that I complained about in this post: viewtopic.php?f=6&t=79698 ... Plus it's written in C#, and it takes advantage of built-in Microsoft .NET Framework security features, such as Secure Desktop ( http://keepass.info/help/base/security.html ).

Overall, lastpass has no security advantages over keepass, but I will continue using LastPass because security isn't the only reason I use LastPass. I use it to save my passwords and keep them in sync easily without any hassle.
evilthought
 
Posts: 65
Joined: Mon Jan 30, 2012 5:50 am
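
An added illustration (not part of any post in this thread, and not LastPass's or KeePass's actual scheme) of the distinction argued above: a second factor that only gates download of the encrypted vault versus a key file that is mixed into the encryption key. The function names, PBKDF2 parameters, toy cipher and sample values are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch

def kdf(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)

def key_password_only(password: str, salt: bytes) -> bytes:
    # Model A: a second factor is checked by a server before it hands out the
    # vault; the vault key itself depends on the password alone.
    return kdf(password.encode(), salt)

def key_composite(password: str, keyfile: bytes, salt: bytes) -> bytes:
    # Model B: the key file is hashed together with the password, so it is
    # part of the key material.
    parts = hashlib.sha256(password.encode()).digest() + hashlib.sha256(keyfile).digest()
    return kdf(parts, salt)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption (hash keystream + HMAC tag), illustration only.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key: the vault copy stays opaque
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def demo() -> dict:
    # All values below are constructed sample data.
    salt, password = b"constructed-salt", "constructed master password"
    keyfile, secret = b"constructed key file bytes", b"example.test login"
    vault_a = seal(key_password_only(password, salt), secret)
    vault_b = seal(key_composite(password, keyfile, salt), secret)
    # Holder of a vault copy plus the password, but not the second factor:
    return {"A": unseal(key_password_only(password, salt), vault_a),
            "B_no_keyfile": unseal(key_password_only(password, salt), vault_b),
            "B_keyfile": unseal(key_composite(password, keyfile, salt), vault_b)}
```

In model A the protection offered by the second factor ends once a copy of the vault exists outside the gate; in model B the copy is useless without the key file, which also means losing the key file loses the data.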

Re: LastPass vs. RoboForm and KeePass

Postby Lars » Mon Feb 27, 2012 2:58 am

Just want to clarify a few things..

"No automatically created OTPs." - LastPass does not automatically generate OTPs.
"No auto plugin updates." - LastPass does not automatically update your plugin.
"Open source." - Does absolutely not mean it's more secure.
"It's written in C#..." - Programming language means absolutely nothing, correct implementation does.
Lars
 
Posts: 2154
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal
