evilthought wrote:I am not convinced. Given that if you lose your YubiKey you can disable it via email, there must be an encrypted copy somewhere that is encrypted only with your master password. Otherwise, losing your YubiKey would have meant losing your entire data, which I consider far more dangerous than a thief stealing my master password (which is highly unlikely anyway to begin with).
Um, so a quote by an employee of LastPass has not convinced you? Sounds like they do the same thing they do with OTPs, which are also used to recover your account when you forget your password...or do you now wish to claim your master password is not used to encrypt your data?
evilthought wrote:Also, the ability to access my data when I am offline (or when the lastpass server is down, or in case lastpass goes out of business and disappears) is far more important to me than multi-factor authentication. I won't use any kind of multi-factor authentication that has any possibility of me losing access to my data. If there was even a hint of such a possibility, I would immediately delete lastpass and move to something else. Luckily, that's not the case.
I don't see that possibility, so I don't worry about it.
evilthought wrote:I really don't consider your argument a knock against KeePass. KeePass is safer in many other ways (you are in total control of the software, there are no auto-updates, and your encrypted data is 100% in your control; nothing ever is uploaded to any server). But I use Lastpass because there are other very important things besides safety, like easily keeping my passwords in sync and integration with the browser. Grid plus a good master password is safe enough in my book.
Total control of the software? You mean you wrote the code? You review every line of Keepass code before applying updates?
I haven't seen an auto-update to LastPass; only notifications.
If your computer is connected to the internet, your Keepass data is on a "server." It is security through obscurity that you are talking about. Personally, I trust the encryption being used by LastPass, probably more than SSL. If someone grabs your SSL traffic, it is no good to them and same goes for your LastPass data on the server.
A strong master password is a good start, but multi-factor is the extra security I'm after and Keepass and RoboForm don't offer it. Sounds like you agree by your use of Grid. That is my whole point, LastPass gives you that option and that option carries a lot of extra security with it. People who bash LastPass for storing encrypted data on their servers ignore a very important security offering by LastPass that their "preferred" KeePass and RoboForm don't.