LogMeIn To Acquire LastPass For $125 Million

An anonymous reader writes: LogMeIn has agreed to acquire LastPass, the popular single-sign-on (SSO) and password management service. Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.

Will Use Neither

LassPass got their ass handed to them in the no-so-distant past. No, thank you. Having a company that collects passwords now marrying a company that handles remote logins. Hmmm... What could go wrong?

Re:Will Use Neither

[kullnd]

Meh, I feel they handled that "breach" pretty well...

That being said, I fear LogMeIn is going to destroy LastPass.

Re:Will Use Neither

[Gaygirlie]

Having a company that collects passwords

The quoted part never sat right with me, I've always felt somewhat icky about the idea of giving out all of my passwords to a company-controlled service. I don't know if it is rational to be wary of them or not, I certainly haven't heard of them doing anything nefarious or anything to earn it, but passwords and usernames are just so damn important that I just don't know if I'd want to hand the whole damn treasure-trove out to an unknown 3rd-party. I've always used Keepass 2.x to store my passwords -- the password-database is always in my control, and there are good, open-source apps for Keepass-databases for Windows, Linux, Android et.al.

Re:Will Use Neither

[JustAnotherOldGuy]

Having a company that collects passwords now marrying a company that handles remote logins. Hmmm... What could go wrong?

Nothing, absolutely nothing could possibly go wrong.

Re:Will Use Neither

I thought that they were encrypted and that their servers never touch the unencrypted usernames and passwords.

Re:Will Use Neither

[Anonymous+Psychopath]

Meh, I feel they handled that "breach" pretty well...

That being said, I fear LogMeIn is going to destroy LastPass.

They did handle it well. Preaching to the choir a little bit, but LastPass has always responsibly disclosed threats, usually to their own detriment because most of their customers can't be bothered to understand how security is supposed to work (hint: it should be designed to withstand a breech). The breech only provided worthless data to the attackers. Brute-forcing is hard, and assuming we were all smart enough to change our master passwords, the attackers only got old, useless passwords in return for all their efforts.

Meanwhile, everyone ran around saying KeePass on Dropbox is far better, because open source is magically more secure (it can be, but that doesn't mean it is), and Dropbox gets compromised almost annually.

I know I probably sounds like I work there or something, but I'm just a happy user. I hope LogMeIn doesn't fuck it up. I don't really know anything about them.

Re:Will Use Neither

[Anonymous+Psychopath]

Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

Re: Will Use Neither

[cyber-vandal]

Breach*

Re:Will Use Neither

[sexconker]

KeePass IS better. It's far more functional and far more customizable.
Throwing a KeePass database on Dropbox is secure even if Dropbox exposes the database.

I find it hilarious that you bitch about people who don't understand that LastPass's breaches meant nothing, yet you go on to imply that Dropbox's breaches are a problem for people using it for KeePass databases.

Re:Will Use Neither

[thaylin]

It is funny. Last pass openly stated they dont know the extent of the data that was take, just that they feel it was not much, yet you think that is handled well?

Re:Will Use Neither

[jimbo]

Meh, people are so often binary. Unfortunately the world isn't as simple as "A is far better than B". While I prefer the way KeePass handles its data, the various browser plugins handling form data (inserting/extracting) seem much inferior to Lastpass. Using it in a browser is my main use case.

I really want to use KeePass but it'll need to be a bit smoother in browsers first. I'm sure it will be.

Re:Will Use Neither

[sexconker]

There is no such thing as two-factor encryption for cold data.

Using a keyfile and a password is the same thing as using a complex password. You just know one and you have the other and you chain them.
The same for using a password and thumbprint hash. Anyone who has the encrypted data and knows how it's encrypted can feed it the password and hash.
These are functionally no different than a single complex password - there is nothing "two factor" about it. And in many cases this type of layering can make it much easier for attackers to break ur shit.

Consider someone using 7-Zip to encrypt their "Secret My Little Pony Costume Design" directory.
1 layer of encryption using "aj29dn(3nb1A3n+d,c^D" is much better than 4 layers using "aj29d", "n(3nb", "1A3n+", and "d,c^D". The smaller passwords will be cracked almost instantly, and each one gets them 25% of the way to your shit. The full password will take ages to crack and it has to be done all or nothing.

You only want to layer passwords if your password's entropy exceeds the length (in bits) of the output of your encryption algorithm (or really, length minus one bit).
It's far more common to increase the number of rounds than it is to layer, but if you suspect an algorithm may be compromised it may make sense to use multiple layers with different algorithms. Layering also makes it easier to slap on plausible deniability and steganography.

Temporal passwords (RSA clocks) require a verification step by an arbiter. These are vulnerable to DoS attacks and MITM attacks, as well as all the usual "LOL HACKED UR DB AND GOT UR SHIT" attacks. Anyone with the seed of your particular authenticator app / dongle can generate those temporary codes and get access from the arbiter.
These kinds of passwords aren't there to protect the actual stored data, but control access to it. Anyone who gets the data will be able to try to decrypt it as usual.

For a temporary password to be considered a secondary layer of encryption, the data must be decrypted (temp pw layer only) and reencrypted each time that temporary password changes, AND you must ensure all previous copies of the decrypted AND encrypted data are destroyed (you can't do this if you hand the decrypted file to the user for them to decrypt the inner layer). You generally don't do this for cold data, you do it for live communication across an untrusted channel, such as the itnernet.

Re:Will Use Neither

[BradleyUffner]

There is no such thing as two-factor encryption for cold data.

Using a keyfile and a password is the same thing as using a complex password. You just know one and you have the other and you chain them.

That's the the very definition of 2 factor authentication. The 3 factors are Something you know, Something you have, and Something you are.

Re: Will Use Neither

[wernercd]

Versions I use:

iPhone: https://itunes.apple.com/us/ap...
Android: https://play.google.com/store/...
Windows: https://ninite.com/keepass
Linux: http://keepass.info/help/v2/se... - Mono supported

More versions (official and unofficial at: http://keepass.info/download.h... )

Without Dropbox access to dropbox, you could use others: Onedrive, Google Drive, Box, etc... whats available largely depends on whats allowed (or just not yet blocked yet). Also, options MIGHT be expanded with plugins: http://keepass.info/plugins.ht...

Keepass allows plugins... one of which has Two Factor: http://keepass.info/plugins.ht... - I've never used it, so I'll leave it up to you. Other options exist on at the plugins link above.

Re:Will Use Neither

[The-Ixian]

Indeed. This is the reason I use and love RoboForm. It runs on every platform and integrates very well with every major browser.

Re:Will Use Neither

[wernercd]

Or so the NSA has forced them to lead you to believe... gotta love those "be quiet or be crushed" letters that don't require a judges seal.

Re:Will Use Neither

[Anonymous+Psychopath]

What I was trying to point out is that there's no practical difference between unauthorized access to either LastPass or KeePass, meaning that there's no real security advantage either way.

Re:Will Use Neither

[Anonymous+Psychopath]

It is funny. Last pass openly stated they dont know the extent of the data that was take, just that they feel it was not much, yet you think that is handled well?

"We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

https://blog.lastpass.com/2015...

That looks pretty specific to me.

Re:Will Use Neither

[sexconker]

That "very definition" is used incorrectly by so many people, including you. When you're slapping it into a call to an encryption/decryption function, it's ALL effectively "something you know". A thumbprint hash is just data, so is a keyfile, so is the output of an RSA clock at any time. Security "experts" tried to model this off of physical security principles, but they don't translate over. That doesn't stop them all form parroting "something you know, something you have, and something you are hurr derp", though.

Something you HAVE and something you ARE need to be verified by some authority that controls access. It's like buying pseudoephedrine at the drug store. They ask for something you HAVE (your driver's license), and they verify it to a reasonable extent. Without an active arbiter, you can only use something you KNOW. Imagine buying pseudoephedrine on Amazon. That something you HAVE becomes something you KNOW because all you can do is type in your driver's license number, state, and expiration date. At the drugstore, they expect a physical card with a photo that looks like you and a magstripe that swipes with valid data. They can also physically see if you look like a tweaker who's got the shakes because they need another hit.

You can try to use automated arbiters, but they're vulnerable. A thumbprint scanner can be tricked into scanning a fake thumb or someone else's thumb, or it can be bypassed completely if you know the output it gives for your target thumb. A car with a breathalyser can be tricked by having someone else, or a raccoon, blow into it (that story was fake by the way - http://www.inquisitr.com/24605... ). Or, again, if you know what the breathalyser outputs on a good blow you can bypass it entirely.

You can try to use remote arbiters. A typical example is a security camera and a remote person monitoring and unlocking doors and shit. You can attack the camera, dress up as the target, put a photo of the empty hallway over the camera so that's all it sees, whatever. For an apartment gate/door with an intercom and a "buzz me in" system, you can pretend to be anyone to anyone who can buzz you in, or you can click the button a bunch and make the sound distorted and someone will just fucking buzz you in to make it stop, or you can always attack the gate.

Something you KNOW is the only thing you can use without an arbiter, because the mere knowledge of that thing is what constitutes valid access.
Something you ARE and something you HAVE require an arbiter for verification, otherwise the mere knowledge of those things can be used to masquerade/forge the thing that you ARE/HAVE. Automated and remote arbiters are better than nothing, but their automation/remote nature make them less able to verify the ARE/HAVE to the same degree an active and present arbiter can.

The most common "two factor" authentication systems in place are RSA clocks and one-time passwords sent via SMS.
No one verifies that you have and own that dongle with seed XYZ or that the specified phone number belongs to you. They verify that you know the code the dongle output or that you know the code they send you. Knowing either isn't very hard, and you can attack on either end.

RSA clocks: Attack the database that has the seeds and generate your own valid codes willy nilly. Steal the dongle. The easiest, however, is to pwn the target's device / MITM the target's network connection. When they're doing shit intercept the code and use it in your own attack (they all have pretty wide validity windows to account for clock skew, time for users to type it in, latency and processing time, etc.) This is why many places now require you two input two separate codes to disable the dongle - a victim will typically not provide 2 codes within a short time span. Of course this is pointless as the attacker can spoof a message to the victim s

Re:Will Use Neither

[chihowa]

Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

So they claim, but since you're using black-box software provided by them to access your passwords that's a pretty specious claim. If the current binary that they provided to you doesn't harvest your access keys, the next one very well could (and most certainly would if their lives depended on it).

Marketing claims may provide some hint at utility, but they shouldn't be conflated with an actual measure of security.

Re: Will Use Neither

[Anonymous+Psychopath]

Noted

Re:Will Use Neither

[vux984]

Bingo. Zero knowledge encrypted storage service providers of pretty much any stripe all suffer from the same flaw:

You are trusting them to provide you the software you are entering your decryption keys into when its time to decrypt anything.

How do you that software doesn't send them the keys? You don't.
Even if it doesn't, today, and they send you an udpate, how do you know the update doesn't send them the keys? You don't.

And if you are using a web based service... they don't even have to send you a client update; you get the latest 'client' pushed from the website automatically every time you login. Did you audit all that javascript to make sure it wasn't sending your key up? Did you compare the javascript served to you today to the javascript you audited yesterday?

It fundamentally requires that you trust them not to steal your keys, and that you continue to trust them each time you visit their site / or update the client.

Your best solution to achieve real security is to use one provider for storage (doesn't really matter who...dropbox or google or use the NSA directly if you like), and do the encryption and key management yourself; ideally using audited open source code.

Nothing is perfect, even this. And I could go on and on about how to further mitigate risks to your client side solution. But its a lot better than simply trusting your storage provider.

Re: Will Use Neither

[TechyImmigrant]

+KylePass for my macbook.

Re: Will Use Neither

[Redbehrend]

I enjoy roboform, they say everything is encrypted client side so even if there was a breach they wouldn't have viable info. I think the only thing they use credentials for is licensing a basic profile and sync.

Re:Will Use Neither

[el_chicano]

It's like buying pseudoephedrine at the drug store. They ask for something you HAVE (your driver's license), and they verify it to a reasonable extent. Without an active arbiter, you can only use something you KNOW. Imagine buying pseudoephedrine on Amazon. That something you HAVE becomes something you KNOW because all you can do is type in your driver's license number, state, and expiration date. At the drugstore, they expect a physical card with a photo that looks like you and a magstripe that swipes with valid data. They can also physically see if you look like a tweaker who's got the shakes because they need another hit.

You are an idiot. You do know that you need to process pseudoephedrine to turn it into meth? That the amount of pseudoephedrine needed to make meth is a lot more than you get at a drugstore? That most "tweakers" are consumers, not producers?

The laws "controlling" pseudoephedrine are nothing but security theater, it is a hassle for consumers yet it has not affected the supply of meth out there. The people making meth buy barrels of the stuff and not at your local drug store.

After saying stupid stuff like that it is very easy to discount any "computer security" knowledge you claim to have. You should have just stuck with a car analogy and have people think you are a moron rather than saying shit like this and proving it to the the world.

Get ready for high pricing

[kullnd]

They are talking about combining it with the Meldium product? Look at the pricing on that. It starts at 24/month

I just took a $120 chance and added 10 years to my subscription... Figure they can't jack up my prices for 10 years if I already paid for it. $120 isn't too much to lose if they make the product unusable (which is a possibility with these a**holes).

Re:Get ready for high pricing

[pushing-robot]

In fairness Meldium starts at 20 users for $24/mo.

Not that it matters for me as I've been burned by LogMeIn's user-hostile behaviour in the past. I don't trust them, and I sure as hell won't trust them with my passwords.

Re:Get ready for high pricing

[kullnd]

I don't trust them LogMeIn in the least, but I trust the methods used by LastPass with my passwords. I only hope they do not make changes to the architecture that makes Lastpass the trustworthy platform that it is today.

Re:Get ready for high pricing

[Shatrat]

It doesn't seem to have worked for logging you into Slashdot, though.

Re:Get ready for high pricing

[pushing-robot]

Meldium's security FAQ is a joke:

In order to provide app management and automatic login, Meldium must store some of your sensitive information on our servers. For user management, we may store your API keys, your username and password, or an OAuth credential.

A limited set of Meldium employees have access to the secure fleet and the master encryption keys

Due to the architecture of our system, it is technically possible for a Meldium employee to gain access to your secret data. As a matter of corporate policy, this kind of access is forbidden.

I, too, hope LastPass will be able to maintain their passion in the face of LogMeIn's corporate culture, but when it comes to security I will not trust to hope.

Re:Get ready for high pricing

[kullnd]

I would consider them having "master keys" to be unacceptable. I really hope this is a feature they side with the LastPass methods on.

Re:Get ready for high pricing

[The-Ixian]

Hello fellow RF user.

The Everywhere product was a major reduction in price but it then became a subscription. Even still, I am happy to pay for it. It is one of the most used pieces of software I have.

Re:Get ready for high pricing

[FredyFerry]

I feel pretty happy now with Sticky Password for $19.99 per year

Passwords passed around

[rodrigoandrade]

I used one of these passwords services back in the day. Coincidentally, the one I used (Xmarks, which started as a browser plug-in) was later acquired by Last Pass, which's being acquired by another company.

I wonder if my passwords would be safe during all these M&A's when the buyer eventually turns out to be a little less than ethical (what if it gets bought out by a Chinese company?), not to mention all the technical possibilities of data leak while integrating all the infrastructure.

Re:Passwords passed around

[Overzeetop]

If they're unsafe it's too late now. Putting your passwords in a cloud service is like putting nude pictures online. Nobody may want to look at them, but they're out there forever, and somebody has them backed up somewhere.

It depends on whether they ever had the keys to unlock them or they were all locally encrypted (barring the whole "they lied and stored your password anyway" tin foil hat argument).

Wah wah...

[jeremiahstanley]

Damn, I like the free version of LastPass... a lot. I do not like any of the services that LogMeIn offers (I've run the office account).

Sooooo /. hivemind... are there any alternatives to LastPass out there?
Any strong words re: https://www.dashlane.com/passw... ?

Re:Wah wah...

[Nemyst]

The alternatives I hear most about seem to be 1Password and KeePass.

Re:Wah wah...

[I'm+just+joshin]

I use KeePass (http://keepass.info) or a compatible app and keep my data file synced in OwnCloud. Using Dropbox instead worked fine too.

Re:Wah wah...

[Dr_Barnowl]

+1 for a local password safe program and Dropbox.

Password Safe 3 for me : you can get compatible programs for Windows, and Android, and Linux (I use the eponymous apps for Windows and Android and Pasaffe on Linux).

Open source, and you control your own encryption key.

Re:Wah wah...

[DaTrueDave]

Do either of those generate strong passwords, track password changes, and keep encrypted form fills?

Re:Wah wah...

[Mike+Van+Pelt]

Before I went to LastPass, I tried first pwsafe, then KeePass. pwsafe (at the time) wasn't cross-platform enough, but I liked it enough better than KeePass that I was in the process of moving everything back to pwsafe, and just using it from a windows virtual box on Mac and Linux. Then I read a tear-down report on LastPass by a professional paranoid that convinced me that it was plenty secure enough, switched to it, and I've liked it best of all.

I sure hope Logmein doesn't ruin it.... (crossing fingers, toes, and eyes.)

Now, Android support is a non-negotiable, as is the automatic syncing across all devices that use it. I see that KeePass now has multiple Android versions, so OK on that score. Saving the DB on Dropbox or equivalent... maybe that could be workable, but I don't see it being nearly as automatically transparent as LastPass's syncing.

Waiting to see how this shakes out...

Re:Wah wah...

[gstoddart]

Second keepass as I've used it for work for several years.

Copy around your own encrypted database. Don't entrust some damned service with your passwords.

There's several variations on this kind of thing. No subscription, and nobody else has your passwords.

It's also got a really nice feature where it can put your password into the paste buffer for only 10 seconds or so, and then it disappears.

Using a web-based service to track your passwords seems more dangerous than useful to me.

Re:Wah wah...

KeePass meets all 3 of those requirements.

Re:Wah wah...

[kullnd]

Lastpass doesn't "have my passwords" any more than DropBox has your passwords if that's where you store your encrypted data.

Just pointing that out...

Re:Wah wah...

[DiSKiLLeR]

I love keepass and used it for many years. But the biggest problem is its pretty much Windows only as its written in .Net.

it worked - terribly - under Linux and was almost useless. And I never managed to get it to run under OS X. :(

Re:Wah wah...

[Opyros]

The Unix port is called KeePassX, and it works quite well under Linux, MacOS, the BSDs, etc.

Re:Wah wah...

[mhkohne]

With regards to syncing via Dropbox:
It's not quite as spiffy as having the passwords stored on the far end of the wire, but I use DropSync on my Android devices, and I keep it's 'sync on change' feature activated (whenever a file changes locally, it gets pushed to the Dropbox ASAP), and then run the Dropbox client on windows boxes and it's been great. You will have some lags between Android devices (DropSync has a timer to control how often it checks for stuff to download), but Windows is pretty much instant, as the Dropbox client is always in contact.

One big advantage to using the replication rather than keeping everything remote is that if I hit a spot and my phone can't get a net connection, I've still got all this stuff stored locally, so I'm not out of commission just because I'm out of contact.

Re:Wah wah...

[Mousit]

KeePass is free and open source, and easy to use. Its interface is fairly basic, but it gets the job done. It can generate strong passwords, it has a password strength checker, some fairly decent management and organization options, etc. It's aimed primarily at Windows but it can function in Linux and BSD (including OS X) under Mono, and fully supports this. We use this at my workplace and it serves its purpose.

However, I personally am a fan (and long-time user) of 1Password, which is my vault of choice. It's got a highly polished and very easy to use interface, very active development, it's cross-platform Windows, OS X, iOS, and Android. It has plug-ins for all the major web browsers. It supports a range of features KeePass lacks, and also some third party support (like DropBox, for keeping your vault synced over all devices). It's also got a good community--I've found a few bugs myself, and the developers were very accessible and responsive to my posts in their 1P forum they have available for such things. The only downside with 1P, of course, is that it is not free nor is it open source (though the schema and design of their vault file format is fully open and documented, and has been audited in the past). However, I think it is worth its price, and I'm happily a paid user.

Re:Wah wah...

[Mike+Van+Pelt]

LastPass keeps a local copy of the encrypted password DB, so if it can't connect, it will use the local copy. Though, really, if you don't have a network connection, what are you going to do with the password? For me, the main feature there was, if lastpass.com were to go away forever without warning, or get acquired by someone truly evil, I've still got all my passwords.

Re:Wah wah...

[FredyFerry]

Or Sticky Password is a good one too

Book'em dano

[goombah99]

On Hawaii 5-0, Lo Mien is the arch underworld rival of Lo Fat. Log Mein is what I see in my toilet.

Oh great

[JustAnotherOldGuy]

Now ALL your passwords can be compromised in one hack.

Say "hello" to progress!

This just in!

LastPass Free will no longer be available and instead move entirely to a monthly subscription service for only $15 a month. Oh Premium was $12 a year? No worry! Our professional customer support that you'll never need more than make up for this 1500% increase in price!

Just another product now

[wh1pp3t]

I liked(ed) LastPass a lot. But my problem is that it is now another product. When it was its own company, LP put 100% behind the one flagship product. Now, LP is "another" product and will receive resources based on value to the owner.

Password Schemes password schmemes.

Yes.
It is called a Simple or Complex and Unique Long Password System, or SCULPS for short. (patent pending, pls no steal)

Take a sentence, a quote if you will. Take out important word(s), replace it with something unique to you.
Now, take away the spaces and replace the spaces with a number unique to you. (so1something2like3this4)
Congrats, you already have a password better than LastPass passwords and just as random, and will NEVER be brute-forced with any brute-forcing library as long as you are alive and the sentence is at least 5 reasonably average sized words with a number that isn't 1234 or pi.

Now comes the unique part, if you want to add extra security by preventing same-password-use-itis.
easy route: You can go the easy route and use any random word assigned to a website. This is easier, but it is also easier to forget since it isn't based ON the name. Example words could be a funny person related to the website, or someone well-known and loved/hated (apk ).
Or it could be some funny word people have come up with and use, or something you have come up with.
harder route: Take your service / website name, condense it to 2 character groups of letters based on major components of the word or something similar, just make it smaller. (Facebook = fabo, slashdot = sldo, google = goog)
You can, if you want to, use the full name, but I wouldn't.
Now you can add a number on the end of that. Say, the same condensed name encoded using the standard phone number grid.
Harderer route: As above, now split the alphabet in to groups. Say, A-G, H-M, N-S, T-Z. Arrange that in to 2x2 grid.
On top axis, add letters. On left axis, add numbers. Recreate your (condensed) service name based on the axes in whatever direction you prefer.
All left then all top (xxxx,yyyy), left-top left-top (xy,xy,xy,xy) etc., or whatever you want.
You could even be some mad-man and try to use a grid cell for each separate number and letter. (punctuation as well, but as you know, some password schemes are awful and don't allow them)

So, using the above on hardest:
Mary Had A Little Lamb Little Lamb -> Mary Had A Massive Phone Massive Phone
Remove spacers and replace with number: 3.14159 (skipping point) -> Mary3Had1A4Massive1Phone5Massive9Phone
Gridify it: Slashdot (SLDO), with 01 and GP on the axis, 1001GPGG.
Mary3Had1A4Massive1Phone5Massive9Phone1001GPGG.
I think that is right. Should be. I am eating so I might have made a mistake.

There are various other ways you can do stuff with this, making it simpler or harder to fit your needs.
You could make the sentence as long as you can be bothered to make it. (as long as it isn't one of those pesky limited password length crap services, automatically tells you their server-side DB is probably unsecure as hell)
You can go as low as high with the grid separation as you are capable of remembering. For the love of god don't forget this part, use the phone number grid if you aren't confident enough, or similar grid-ified system.
You could even go full paranoia, requiring you to actually sketch down your grid scheme for things you actually consider super ultra turbo secure, like bank information or something.
You could even go Captain Paranoid and write an equation that spits out your password number, or grid, or similar.
This is Slashdot damn it, the more pointlessly complex and paranoia-fuelled, the better!
Of course, another thing you could do is use this system to encrypt your lastpass passwords and become the King of Paranoialand.

warning: will not work for people with low imagination or memory skills. Any attempt to use this will lead to blackholes and doom. DON'T DO IT.

KeePass vs LastPass

[irrational_design]

For those who have experience with both KeePass and LastPass (ideally on an iOS and OSX) how do they compare? Is KeePass as tightly integrated into the browsers in both ecosystems as LastPass is?

All your password belong to us

[frovingslosh]

What a nice story about how all the passwords that were entrusted to LastPass are being sold to LogMeIn. Of course, there will be less fanfare when the story is " NSA To Acquire LogMeIn For $200 Million ". Or maybe that already happened.

That hardly matters

[frovingslosh]

Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

That hardly matters. Consider what a password is, it is a way to get into an account. What you really care about is that others can't access your accounts, not that they can't unscramble all of the hashes and find out the perverted strings that you used to create your passwords. So if LastPass can be sold to LogMeIn or to the Chinese or to the N.S.A. then they have bought a way to get into your "protected" accounts. It really doesn't matter if they can retrieve the silly little strings that you think protect you or not.

Re:That hardly matters

[Anonymous+Psychopath]

Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

That hardly matters. Consider what a password is, it is a way to get into an account. What you really care about is that others can't access your accounts, not that they can't unscramble all of the hashes and find out the perverted strings that you used to create your passwords. So if LastPass can be sold to LogMeIn or to the Chinese or to the N.S.A. then they have bought a way to get into your "protected" accounts. It really doesn't matter if they can retrieve the silly little strings that you think protect you or not.

Can you explain how LastPass would be able to retrieve your passwords to do as you suggest, keeping in mind that they lack the ability to decrypt your data without resorting to brute-force?

Re:That hardly matters

[frovingslosh]

If LastPass was only a place that you stored an encrypted file that you created yourself and could only give it back to you in encrypted form, then what you say could be argued. The argument might or might not hold up, but it could be argued.

But if you are using LastPass software on your own machine to do the encrypting and the decryption of the passwords and then logging in to sites that you want to be secure, then you have given up control.

If you are too trusting to understand this, replace "LastPass" with "Chinese" or "N.S.A." in the above and read it again.

Re:Worth WHAT?

[reve_etrange]

Unfortunately, your passwords are weak. Good managers like LastPass, KeePass, etc. allow all of those passwords to be 30-character random strings using all symbol types.

Re:Worth WHAT?

[irrational_design]

I just checked and I have 228 passwords in my lastpass account. All of them are random strings of numbers, letters, and symbols. Less than 1% of them have less than 30 characters (due to lame restrictions imposed by certain websites that only allow short passwords). Your 32 passwords are probably used on more than one site. None of mine are duplicated. You may not want it, but you really do need a password manager.

Great news

[FredyFerry]

Good news there are still other alternatives like Sticky Password (http://www.stickypassword.com) or Roboform.

Alternatives

[DavidJones8462]

I use Intuitive Password online password manager. It's a web-based password manager and your data is securely stored in the datacenter. With Intuitive Password, you can easily access your data at any time, any where. It works on all devices without installation.

Re: Alternatives

[DavidJones8462]

Intuitive Password: www.intuitivepassword.com