

LastPass Makes Password Management Free Across All Of Your PCs, Tablets and Smartphones (cnet.com)

LastPass on Wednesday announced that its popular password manager will now be free for all to use. LastPass previously charged a fee of $12 per year to sync passwords across multiple devices, such as a computer, tablet or phone. From a report on CNET: To entice newcomers, the service allowed you to access select features for free on either the web or on a mobile device, but syncing between the two required a premium membership. Not anymore -- that service is now free. LastPass is one of the best known and most trusted password managers. Its main purpose is to store all of your passwords in an encrypted vault in the cloud. The vault can only be opened using a master password that only you know. LastPass doesn't store the master password or have access to it, which means even if its servers were to be breached, your precious passwords would remain encrypted and protected.

234 comments

  1. No news at 11 by TimothyHollins · · Score: 3, Insightful

    I don't see anything newsworthy here at all. Did some sneaky little marketer pay for someone's lunchy-lunch yesterday?

    Bad Slashdot, bad!

  2. A Master Password.... by Bing+Tsher+E · · Score: 1

    ...that only you transmit up to 'the cloud' anytime you want to use any of your passwords, anywhere.

    I know it isn't quite that simple or risky, but it's rather close.

    Password Managers, by design, serve the function of reducing your security.

    1. Re:A Master Password.... by Jawnn · · Score: 4, Informative

      ...that only you transmit up to 'the cloud' anytime you want to use any of your passwords, anywhere.

      I know it isn't quite that simple or risky, but it's rather close.

      Password Managers, by design, serve the function of reducing your security.

      That's not how it works.

    2. Re:A Master Password.... by suutar · · Score: 5, Informative

      from How It Works:
      Local-Only Encryption
      User data is encrypted and decrypted at the device level. Data stored in the vault is kept secret, even from LastPass.

      Now, you don't have to believe that if you don't want to, but unless you have evidence I'm gonna say you appear to be mistaken in your understanding of how it works.

    3. Re:A Master Password.... by silas_moeckel · · Score: 2

      Or ya could use keepass across all your devices without using somebody shared hosting.

      --
      No sir I dont like it.
    4. Re:A Master Password.... by Anubis+IV · · Score: 5, Informative

      I don't use LastPass, but they make it abundantly clear that all encryption and decryption is local-only, done on-device, not in the cloud, so that they never have access to the information in your vault. From what I can gather, their cloud is little more than a sync engine between devices, rather than the place from which you access your data.

    5. Re:A Master Password.... by Anonymous Coward · · Score: 0

      Except if I know your master password (like with a work keylogger), I would normally need to be at your home computer to use it with your local software. Not with LastPass though, I can now access all your passwords from wherever.

      Thanks LastPass!

    6. Re:A Master Password.... by hsmith · · Score: 3, Informative

      If you have a keylogger installed then none of your passwords you'd be storing are safe anyway. A useless fucking point.

    7. Re:A Master Password.... by MightyYar · · Score: 2

      Password Managers, by design, serve the function of reducing your security.

      That's too simplistic. They can both increase your security and decrease other aspects at the same time. If they make it feasible to have different login credentials for every site, that will increase your security. Since they also create a single point of failure to your entire kingdom, that will decrease your security.

      Here's my analysis - please point out any logical flaw: if I use the same credentials on many web sites, an attack on a single web site is just as damaging as someone installing a keylogger on my PC/phone. By using a password manager, I can use a different set of credentials for the hundreds of different sites that I use, making me immune to any one of them being hacked. The single point of failure makes it slightly easier for a hacker to gain access to any of those sites, but I'm not sure I lose any security in practical terms because if they have a way to extract my memorized password, they can just wait patiently for me to access the target website, or they can capture any other passwords that I type for other sites - knowing that there will likely be some overlap.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    8. Re:A Master Password.... by EmeraldBot · · Score: 4, Informative

      Oh look at that, a shill posting a boilerplate explanation from his company's own website.

      Unless you have "evidence" to the contrary, I'm gonna say that your opinion is irrelevant because it isn't your own, your corporate pimps handed it down to you and you sucked it up like the good little whore you are.

      This is where we thank the wonders of open-source, so you can freely read the code and see for yourself how it works.

      Not that I suspect, of course, that you ever have done that, ever wanted to do that, or ever will do that. At least I'm the honest whore.

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    9. Re:A Master Password.... by idji · · Score: 0

      As long as LastPass' software is not open-source, you can only hope they are telling the truth. I can put keepass in a debugger and see what it does.

    10. Re:A Master Password.... by butzwonker · · Score: 1, Insightful

      These kind of "promises" by closed-source software security companies are rather worthless. If they want to, they'll have all your passwords, since they provide the software. Another question is whether they can be legally subpoenaed or forced by a national security letter to get your passwords by somehow modifying the way their software works. Probably not, but this may be a grey zone in the US.

      But the real problem with closed-source software security solutions is that the company can do whatever they want and make their software as buggy as they wish (to save development cost, or out of incompetence), and you'll only ever know if somebody publishes an exploit. Which is what usually happens. Open source forces you to be way less sloppy, because there will always be some "annoying prick"(TM) who actually looks at your source code and points out its flaws.

    12. Re:A Master Password.... by boskone · · Score: 1

      what were the results when you popped it in the debugger on the last update? Anything interesting? I'm trying to decide on a pass manager because I'm not going to let FB take over, and sites are idiotic with their various rules/etc.

      could sites at least tell you what the password rules are ON THE LOGIN SCREEN so that I can determine which password I likely used?

    13. Re:A Master Password.... by Lopton · · Score: 2

      This is also not true with default settings from LastPass: by default LastPass won't let you log in from an unknown device or unknown location; it will send an e-mail to an account you specify and require you to click the link to allow access from the remote location. Also, you can secure access like I do with a physical token (Yubikey).

    14. Re:A Master Password.... by 110010001000 · · Score: 1

      That is only one side of the code (that they are presumably using in their closed source client). Where is the rest?

    15. Re:A Master Password.... by LiENUS · · Score: 2, Interesting

      Since LastPass is open source whats your complaint?
      https://github.com/lastpass/la...

    16. Re:A Master Password.... by tepples · · Score: 0

      That's not the complete corresponding source code to everything in the executable. It's the source code to lastpass-cli, not the source code to the GUI that wraps it. One or both of the following could be the case:

      A. The source code in lastpass-cli is not the source code that gets built in the proprietary client.
      B. Even if it is, the proprietary GUI component could be passing data to a server independently from the components disclosed as part of lastpass-cli.

    17. Re:A Master Password.... by Anonymous Coward · · Score: 0

      you're a dumbass who won't admit you were mistaken

    18. Re:A Master Password.... by 110010001000 · · Score: 1

      That is only half of the side of the conversation. Where is the other half?

    19. Re:A Master Password.... by Anonymous Coward · · Score: 1

      Hmm, that's not quite true: without using a password manager, only the passwords that you type while the keylogger is installed would be unsafe! If you don't log into some account, then a keylogger is not going to log that password and that password will clearly not be compromised. Whereas with a password manager, as soon as your master password is typed, all your passwords are compromised. (Unless you are clever and do some manual obfuscation on your passwords in your password manager...)

      But a password manager still seems a safer bet than other alternatives (e.g. what most people do, lazily using one password everywhere)...
      Like many things in our imperfect universe, there is no perfect solution. :)

    20. Re:A Master Password.... by EmeraldBot · · Score: 3, Informative

      That is only one side of the code (that they are presumably using in their closed source client). Where is the rest?

      Ermm... This is pretty much a full blown client, which it says right on the giant README. On phones you have a point, but on the desktop you can use this and be guaranteed it's the same client. As for the rest, what does it matter? You see your password is being encrypted, and you can check it's not backdoored. If you trust modern encryption at all, then you know your secrets are safe because there's no way to crack your passwords unless your master password is literally "1234". If you don't trust encryption, well, I'm afraid you're a little out of luck for security then. :)

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    21. Re:A Master Password.... by Anonymous Coward · · Score: 0

      I found it:
      function moveGoalPosts(){}

    22. Re:A Master Password.... by DRJlaw · · Score: 1

      That's not the complete corresponding source code to everything in the executable.

      If you were as awesome as your paranoia suggests then you wouldn't need source code in addition to the debugger, now would you?

      Step through the program and capture the traffic like a real security researcher. If the obfuscated C contest hasn't already proven that the things that you haven't actually bothered to do with the keepass source code can't save you, nothing will.

    23. Re:A Master Password.... by LiENUS · · Score: 1

      If the client doesn't send the master password and only sends an encrypted blob, how the hell do you think they manage to decrypt it on the server?

    24. Re:A Master Password.... by unixisc · · Score: 1

      Except that it is

    25. Re:A Master Password.... by Chelloveck · · Score: 1

      The nice thing about KeePass is that the database format is documented and the encryption can be done with gnupg. There are other clients available, or write your own. I use my own command-line Python script to read/write the DB on my computers and a third-party client on my phone, with Google Drive to keep them in sync.

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
    26. Re:A Master Password.... by bigfinger76 · · Score: 1

      But you will be typing in your master password, which makes everything else moot.

    27. Re:A Master Password.... by mlts · · Score: 1

      As a compromise, I have started using an app (mSecure) that offers a different encryption key for what it syncs with Dropbox or iCloud, as it does for the local device. The nice thing about this is that one can use a very long password (32+ characters) for the file that is stashed on the cloud, while having a much shorter key for the app that is sitting on an already encrypted device.

      I don't trust a service that is dedicated to storing passwords. It is an obvious target. Yes, one has an encryption password, but those tend to be relatively short so one can access it on a device without taking too much time. Even if their system is secure, how can one be assured that they don't push out an update that might save the decryption password somewhere else. In a two tier system where the password manager rides atop a cloud provider, it would require an attacker to compromise both the cloud provider account and the password manager in order to get access.

      Ideally, the password manager of choice would be one that would have all endpoints use RSA keys. When adding a new device for access to the password database, its key would be "introduced" by an existing device, and the master decryption key encrypted by the device's public key. For a general purpose Web browser, JavaScript and HTML5 support key generation and use, so for that browser session, a temporary key can be used and "introduced" by another device, perhaps stored locally, or if the user is using a client cert, use that as a means of decryption somehow. Just for recovery's sake, if the user wanted, they could input (or have generated for them) a long recovery string. This can even be done with existing formats. The OpenPGP file format can easily handle multiple keys, be it public keys or symmetric passphrases.

      This way, the password database stored on the cloud provider has no password to be easily brute forced.
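The device-key design mlts sketches above (one RSA key pair per endpoint, a new device "introduced" by an existing one, the master decryption key encrypted to each device's public key), as an added example in Go. It is not the code of mSecure, LastPass, KeePass or any other product named in this thread. It assumes 2048-bit RSA with OAEP/SHA-256 for key wrapping, a random 256-bit vault key, and in-memory Device objects standing in for real endpoints; the optional recovery string and the OpenPGP packaging the comment mentions are left out.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device is one endpoint with its own RSA key pair. Only the public key is
// ever shown to another device or stored in the cloud blob.
type Device struct {
	Name string
	priv *rsa.PrivateKey
}

func newDevice(name string) (*Device, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, priv: k}, nil
}

// Envelope is the key material stored beside the encrypted vault in the cloud:
// one RSA-OAEP wrapping of the random vault key per introduced device. Nothing
// in it is derived from a human-chosen password, so an attacker holding the
// blob has nothing to brute-force.
type Envelope struct {
	Wrapped map[string][]byte // device name -> OAEP(vaultKey) under that device's public key
}

var oaepLabel = []byte("vault-key") // binds each wrapping to its purpose

func wrapFor(pub *rsa.PublicKey, vaultKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, vaultKey, oaepLabel)
}

// Unwrap recovers the vault key on a device that has been introduced.
func (d *Device) Unwrap(env Envelope) ([]byte, error) {
	ct, ok := env.Wrapped[d.Name]
	if !ok {
		return nil, errors.New("device not introduced: " + d.Name)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, d.priv, ct, oaepLabel)
}

// Introduce runs on an already-trusted device: it unwraps the vault key with its
// own private key and re-wraps it to the newcomer's public key. The plaintext
// vault key never passes through the sync server.
func (d *Device) Introduce(env *Envelope, newcomer *rsa.PublicKey, name string) error {
	vk, err := d.Unwrap(*env)
	if err != nil {
		return err
	}
	w, err := wrapFor(newcomer, vk)
	if err != nil {
		return err
	}
	env.Wrapped[name] = w
	return nil
}

// NewVault makes a fresh random vault key readable only by the first device.
func NewVault(first *Device) ([]byte, Envelope, error) {
	vk := make([]byte, 32)
	if _, err := rand.Read(vk); err != nil {
		return nil, Envelope{}, err
	}
	w, err := wrapFor(&first.priv.PublicKey, vk)
	if err != nil {
		return nil, Envelope{}, err
	}
	return vk, Envelope{Wrapped: map[string][]byte{first.Name: w}}, nil
}

func main() {
	laptop, _ := newDevice("laptop")
	phone, _ := newDevice("phone")
	vk, env, err := NewVault(laptop)
	if err != nil {
		panic(err)
	}
	_, err = phone.Unwrap(env)
	fmt.Println("phone before introduction:", err)
	if err := laptop.Introduce(&env, &phone.priv.PublicKey, "phone"); err != nil {
		panic(err)
	}
	got, _ := phone.Unwrap(env)
	fmt.Println("phone after introduction has the vault key:", bytes.Equal(got, vk))
}
```

The cloud only ever stores the Envelope and the vault ciphertext; a device that was never introduced gets an error from Unwrap, and the introducing device is the one that decides which public key gets a copy.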

    28. Re:A Master Password.... by Anonymous Coward · · Score: 0

      Actually the master password never leaves your device.
      The only thing transmitted to the cloud is a blob of your other strong passwords encrypted with your strong master password (that never leaves your device and only you know) and hidden behind a service that adds even more layers of security to limit the access to even that opaque theoretically secure blob.

    29. Re:A Master Password.... by Anonymous Coward · · Score: 0

      There is enough of their protocol that you can create your own client. Actually they have public (open source) javascript implementation that you can inspect and verify that it is behaving how they document and that the official client matches.

    30. Re:A Master Password.... by suutar · · Score: 1

      yep, that's why I said you can believe it or not, as you choose.

    31. Re:A Master Password.... by suutar · · Score: 1

      nope, I don't work for them or even use their product. I just read the website. (Though not completely - I did overlook the more applicable quote "Private Master Password: The user’s master password, and the keys used to encrypt and decrypt user data, are never sent to LastPass’ servers, and are never accessible by LastPass.")

    32. Re:A Master Password.... by Anonymous Coward · · Score: 0

      The master password is only useful if you can gain physical access to the drive storing the password database. That was the entire point of this post. Do try to keep up.

    33. Re:A Master Password.... by Anonymous Coward · · Score: 0

      Please send me your credit card numbers. I am making it abundantly clear right now that I will not charge anything to them.

      In other words, you are fucking naive.

    34. Re:A Master Password.... by houghi · · Score: 1

      When talking about companies and security I do not believe anything. They must give proof, because I have no idea if it is marketing or the developers who tell me that it is encrypted or decrypted on the device level.
      Sure, I might guess that something is done, but perhaps they use a backdoor.
      Please give me a reason why I should trust a company or government when I want something to be kept a secret. Hint: I don't.

      To me belief has no place when it comes to security and trust.

      --
      Don't fight for your country, if your country does not fight for you.
    35. Re:A Master Password.... by Anonymous Coward · · Score: 0

      Then how does it work? Most people will take a look at OP's post and go "well, yeah, that makes sense. How else will it decrypt those passwords?" If you want to counter that, you'll need to provide a more detailed explanation than "no it doesn't".

    36. Re:A Master Password.... by Anonymous Coward · · Score: 0

      The architecture is that if you trust the client, and trust modern crypto used by that client, you don't actually need to trust the server other than for tertiary levels of security.

    37. Re:A Master Password.... by Anonymous Coward · · Score: 0

      Hack email account password, change LastPass master password using said email account, gain access to all passwords for everything the person uses.

      It's a really STUPID way to store your passwords.

    38. Re:A Master Password.... by Anonymous Coward · · Score: 0

      Great, link the source code to the GUI clients and server backend.

    39. Re: A Master Password.... by TuballoyThunder · · Score: 3, Insightful
      Unless you are making your own CPU, firmware, compilers, personally audit every line of code, etc, I guarantee you that you hit the "I believe" button somewhere along the way.

      Going for absolute security is a great navel-gazing exercise. Pick the security boundary you are comfortable with and realize that you have no control outside the boundary. Hopefully you pick a boundary that fails gracefully.

      I personally do not believe open source is any more secure than closed source in any practical sense.

    40. Re:A Master Password.... by RandomSurfer314 · · Score: 1

      I'm saying that you shouldn't believe them, based on experience and a vast history of failures of private security companies. That's not "as you choose".

    41. Re:A Master Password.... by Anonymous Coward · · Score: 0

      He's not paranoid, you are just naive.

    42. Re:A Master Password.... by Anonymous Coward · · Score: 0

      It's an American company which provides the client software, and therefore inherently not safe.

    43. Re:A Master Password.... by kevmeister · · Score: 4, Interesting

      Calling anyone who disagrees, especially when they point out that you are wrong, a "shill" is just the same as any unsupported BS from a presidential candidate. Null content.

      Several years ago I had the job of evaluating LastPass for $DAY_JOB. I tested it by capturing the data uploaded to the network and confirmed that it was AES encrypted using my password on my system and the data was all encrypted before leaving my system. The master password was never transmitted in any form that I could find. No traffic was generated to/from any other port or location.

      While it is true that things might have changed since then, the server remains open source and you can confirm that it does not ever touch the master password in any form. More importantly, the system is heavily examined on a continuing basis by security researchers and, while vulnerabilities have been found, reported, and fixed, there has never been any question of the master password leaving the client.

      With well over 100 unique, random, long passwords, some only used once or twice a year, I really lack other options than a password vault in a world where accounts might need to be accessed from a desktop, two laptops, and two phones running six OSes (2 VMs and one dual boot).

      --
      Kevin Oberman, Network Engineer, Retired
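The local-only model that kevmeister describes testing (vault AES-encrypted on the device under a key derived from the master password, master password never on the wire), as an added example in Go. This is not LastPass's code and does not claim to reproduce its actual protocol: the PBKDF2 round count of 100000, the login token made by one extra PBKDF2 round with key and password swapped, AES-256-GCM for the vault, and the sample vault contents are all assumptions. The leaksSecret function performs, on the in-memory upload, the check the comment describes doing on captured traffic.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PBKDF2-HMAC-SHA256 (RFC 8018), spelled out so the example needs only the
// standard library; production code should use a vetted implementation.
func pbkdf2SHA256(password, salt []byte, iters, keyLen int) []byte {
	mac := hmac.New(sha256.New, password)
	var out []byte
	for blk := uint32(1); len(out) < keyLen; blk++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write([]byte{byte(blk >> 24), byte(blk >> 16), byte(blk >> 8), byte(blk)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeys runs only on the device. The vault key comes from the master
// password (100000 rounds is an assumed count); the login token is one more
// PBKDF2 round with the roles swapped, so the server can verify it but cannot
// recover the key from it (assumed construction).
func deriveKeys(email, master string) (key, token []byte) {
	key = pbkdf2SHA256([]byte(master), []byte(email), 100000, 32)
	token = pbkdf2SHA256(key, []byte(master), 1, 32)
	return key, token
}

func vaultAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload is everything that leaves the device: a login token and ciphertext.
type Upload struct {
	Email     string
	AuthToken []byte // what the server stores and compares at login
	Nonce     []byte
	Vault     []byte // AES-256-GCM ciphertext of the serialized vault
}

// encryptForSync also returns the key so the caller can check that it does
// not appear in the outbound bytes.
func encryptForSync(email, master string, vault []byte) (Upload, []byte, error) {
	key, token := deriveKeys(email, master)
	gcm, err := vaultAEAD(key)
	if err != nil {
		return Upload{}, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Upload{}, nil, err
	}
	ct := gcm.Seal(nil, nonce, vault, []byte(email))
	return Upload{Email: email, AuthToken: token, Nonce: nonce, Vault: ct}, key, nil
}

// decryptFromSync is what a second device does after downloading the blob. A
// wrong master password fails the GCM tag check instead of yielding garbage.
func decryptFromSync(master string, up Upload) ([]byte, error) {
	key, _ := deriveKeys(up.Email, master)
	gcm, err := vaultAEAD(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, up.Nonce, up.Vault, []byte(up.Email))
}

// leaksSecret is the capture check: flatten the upload as a sniffer would see
// it and look for the master password or the vault key, raw or hex-encoded.
func leaksSecret(up Upload, master string, key []byte) bool {
	wire := []byte(up.Email + "|" + hex.EncodeToString(up.AuthToken) + "|" +
		hex.EncodeToString(up.Nonce) + "|" + hex.EncodeToString(up.Vault))
	return bytes.Contains(wire, []byte(master)) || bytes.Contains(wire, key) ||
		bytes.Contains(wire, []byte(hex.EncodeToString(key)))
}

func main() {
	master := "correct horse battery staple" // constructed sample master password
	up, key, err := encryptForSync("user@example.com", master, []byte(`{"example.com":"site-pw"}`))
	if err != nil {
		panic(err)
	}
	fmt.Println("upload leaks master password or key:", leaksSecret(up, master, key))
	pt, err := decryptFromSync(master, up)
	fmt.Println("second device opened vault:", string(pt), err)
}
```

The point of the split between key and AuthToken is that a server breach yields the token and the ciphertext but not the key; the token only lets the server decide whether to hand the blob out, and anyone who gets the blob still has to run the full KDF per guess.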
    44. Re:A Master Password.... by tempo36 · · Score: 1

      And even if your master password gets keylogged, 2FA is easy to set up on Lastpass (and maybe on other platforms...I only have experience with Lastpass). Keylog my master password as much as you like.

    45. Re:A Master Password.... by fph+il+quozientatore · · Score: 1

      That's only the command-line client. Is the source for the browser extensions available?

      --
      My first program:

      Hell Segmentation fault

    46. Re:A Master Password.... by Anonymous Coward · · Score: 0

      Not if you want to use it without paying the subscription, which is what the "article" is trying to push.

    48. Re:A Master Password.... by Anonymous Coward · · Score: 0

      False: yubikey? or your master password is stored (not safer, but not susceptible to key logger)

    49. Re:A Master Password.... by Anubis+IV · · Score: 1

      As long as LastPass' software is not open-source, you can only hope they are telling the truth. I can put keepass in a debugger and see what it does.

      1) It is open source. The command-line underpinnings are available here on github, and you can easily look at the source for any extension by just navigating to it in your file system and opening the various files. Admittedly, the desktop GUI and cloud backend aren't available, but neither is necessary for verifying that the cloud never receives data it can decrypt, and neither is necessary to use the app.

      2) Given that you said "I can put keepass in a debugger", rather than "I have put keepass in a debugger", it's pretty clear that it's not something you've ever done. Likewise, I'd wager you're like the rest of us and have never confirmed that someone you know and trust has done a security audit of KeePass*, so it's fair to say that you've been placing your trust in blind faith to keep KeePass secure.

      3) Since you're relying on blind faith for security, either you don't actually care about security, even though you may think otherwise, or else "if it's not open source, I don't trust it" has become a form of dogma for you (i.e. "open source" = "stamp of approval"), rather than being the practical means for ensuring better security that it's supposed to be (i.e. "open source" = "now it's up to us to review the code").

      More or less, it's abundantly clear that you didn't look into LastPass at all and that you're not holding KeePass to the same standard you're applying to LastPass, so it's rather disingenuous to suggest that the issues you've raised are any sort of genuine concern you actually have. As it so happens, I strongly agree that open source is a great means for providing enhanced security, but I also recognize that I can't treat it as a religion, so if I'm not reviewing the code or confirming that someone trustworthy is, then it might as well be a closed source black box, for all the good its openness is doing me.

      *I'm not saying KeePass has never had a security audit. I'm expressing my doubt that you ever bothered to check.

      (Disclaimer: As I said in my previous comment, I've got no horse in this race. Both seem like decent apps, so far as I can tell.)

    50. Re: A Master Password.... by Anonymous Coward · · Score: 0

      Use the screen keyboard and click in your password with the mouse.
      How will a keylogger handle THAT?

    51. Re:A Master Password.... by Anubis+IV · · Score: 1

      While it would be incredibly naive for me to share my info with you, an AC, given that I'd have no recourse against you if you abused it, the same is not true for established companies. If I share my credit card number with a retailer or reputable online company in exchange for goods and services, I have recourse against them if they abuse that number or fail to live up to their end of the contract. As such, it's perfectly reasonable for me to do so.

      In this case, LastPass has said that their service includes a particular feature. Should it later be discovered that that wasn't true, their users (which I'll repeat do not include me) have recourse against them. But even if that's not enough for you, as others posted above, LastPass' underpinnings are open source, so feel free to look them over yourself.

    52. Re:A Master Password.... by Rick+Schumann · · Score: 1

      Personally I'd rather not take any chances about who is and is not telling the truth about what they're doing and just keep my own passwords.

    53. Re:A Master Password.... by Anonymous Coward · · Score: 0

      The source for the browsers is javascript. So... yes.

    54. Re:A Master Password.... by Anubis+IV · · Score: 1

      Before I answer that, answer this to yourself: if it's available, do you have any plans to review the code yourself or check to see if others have, or is this just a case where you'll feel safer knowing the code is available, even though you have no intention of verifying that the feeling has a basis in reality?

      I feel compelled to ask that up front, because if you were actually concerned about whether your password manager's code was trustworthy or whatnot, you'd already know that browser extensions are just packages of web standard files located in the extensions folder for your browser (e.g. instructions for finding Chrome extensions on your system). That's just as true for whatever your current password manager is as it is for this one. It's fine that you didn't know that, but hopefully it tells you something about what you're actually trusting for your security.

      If you're never going to verify that the code is what it claims to be, then having it available isn't doing you any good, other than providing some warm fuzzy feelings. That's a trap that most of us fall into, myself included, and it's something that we as a community need to be shaking each other out of.

    55. Re:A Master Password.... by Anubis+IV · · Score: 1

      These kind of "promises" by closed-source software security companies are rather worthless. If they want to, they'll have all your passwords

      1) They're open source: https://github.com/LastPass/la...

      2) The only way they "have all your passwords" is as an encrypted blob. See #1 if you want to confirm it for yourself.

      3) Your master password that could decrypt that blob never leaves your system.

      And then there's this discussion about the quality of code in KeyPass, which seems to call into question some of what you said. While your ideas about open source probably work fine as generalizations, they should not be stated as absolutes, since they oftentimes fail in particular instances.

    56. Re:A Master Password.... by Anonymous Coward · · Score: 0

      On Screen Keyboard to the rescue!

    57. Re:A Master Password.... by irrational_design · · Score: 2

      Unless you are on the Apple ecosystem, then keepass is a nightmare to set up (YMMV, but that has been my experience). LastPass on the other hand just works.

    58. Re:A Master Password.... by Anonymous Coward · · Score: 0

      OK, I'll do that. Please give me your name and address so that I can mail them to you.

    59. Re:A Master Password.... by silas_moeckel · · Score: 1

      No idea how you could find it hard to set up, install and pull in some addons.

      --
      No sir I dont like it.
    60. Re:A Master Password.... by fph+il+quozientatore · · Score: 1

      You know Javascript can be obfuscated, right?

      --
      My first program:

      Hell Segmentation fault

    61. Re:A Master Password.... by Anubis+IV · · Score: 1

      Any piece of code in any language can be obfuscated. Obfuscation is not unique to JavaScript, it'd be just as much of a purely hypothetical concern with any other random piece of open source code, and it doesn't change the fact that the code is available, which was what you were asking.

      You have no reason to believe that they've made any attempt at obfuscating the code, so other than spreading FUD, why mention it? I mean, are you also concerned that the open source code for the CLI component may be written in BF? It could be, for all you know. Have you checked? You might want to raise that as a concern too...

    62. Re:A Master Password.... by Anonymous Coward · · Score: 0

      Thanks for the stage pitch, shill. I'll stick to open source software and my own storage, thanks.

    63. Re:A Master Password.... by Anonymous Coward · · Score: 0

      Send it to trustworthyfriend@naij.com

    64. Re:A Master Password.... by fph+il+quozientatore · · Score: 1

      I am not spreading FUD. I am just asking. I am not the one who is claiming that the source is available. And no, I don't consider the fact that it's a browser extension an automatic guarantee that the source code for every single part of it is available in human-readable form. Because of obfuscation, because there is the possibility of compiling other languages to javascript, and because maybe they did not release the whole toolchain. Moreover, the docs on their site mention a "binary component" of the browser extension, https://helpdesk.lastpass.com/..., which makes things even more confusing for me. I don't see a "clean" github repo for the browser extension as I see one for the CLI.

      --
      My first program:

      Hell Segmentation fault

    65. Re:A Master Password.... by Shikaku · · Score: 1

      I want money for liking a company too. LastPass is good, now where's my check LastPass?

    66. Re:A Master Password.... by wwphx · · Score: 1

      Seconded for mSecure. I've been using it since I switched from a Palm Pilot to an iPod Touch back around '08 or so. Palm had a very nice third party encrypted note pad program, but Palm self-destructed and that's all to be said about that. While I consider the interface for mSecure just a tiny bit clunky, I am quite fond of the program and I recommend it to anyone who uses the iOS infrastructure. It's not free, but it was well worth the money.

      --
      When you sympathize with stupidity, you start thinking like an idiot.
    67. Re:A Master Password.... by mlts · · Score: 1

      I also like the fact that mSecure doesn't have to have its own website for syncing one's devices. LastPass gets me a tad leery with some of the features, be it allowing someone to access your password stash, easy password resets, and other items. If LP can reset my password via 2FA, then a bad guy can do the same. With mSecure, if I lose my sync password or endpoint passwords, there is no recovering the data other than brute force, and that's how I prefer it.

  3. Your master password is still vulnerable by HBI · · Score: 1

    This is where a hardware token or some kind of biometrics could be beneficial, in combination with the password manager.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:Your master password is still vulnerable by Lopton · · Score: 2

      Lastpass Premium integrates with the Yubikey.

    2. Re:Your master password is still vulnerable by nicolaiplum · · Score: 1

      Lastpass Premium supports Yubikey.

      (I have no connection with lastpass other than being a customer)

      --
      "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
    3. Re:Your master password is still vulnerable by HBI · · Score: 1

      I know a lot of products are supporting the Yubikeys. That would be a good option.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  4. Slashvertisement by Dan+East · · Score: 0

    The nice thing about these kinds of Slashvertisements is there are at least 1 million other similar marketing changes to other products that could also become Slashdot stories like this one. So there is potentially no end to Slashdot's pool of potential stories, which is so very reassuring.

    --
    Better known as 318230.
    1. Re:Slashvertisement by IRGlover · · Score: 2

      I particularly like them because the comments then provide information about better, usually open source alternatives. So they are essentially paying to have their competitors promoted instead of their products.

  5. Still charging for two factor support by Froze · · Score: 1, Interesting

    Which is why I still don't use it. If they really wanted to bolster security then MFA should really be standard, IMHO.

    I will just leave this here...
    http://keepass.info/help/kb/yu...

    --
    -- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
    1. Re:Still charging for two factor support by Anonymous Coward · · Score: 0

      There are several free 2 factor auth methods.

      DuoSecurity, Google Auth, LastPass Auth and three others are free. If you want Yubi, biometrics or Sesame, you need to pay a buck a month. If you want Salesforce, you have to be on the enterprise level.

    2. Re:Still charging for two factor support by portnoy · · Score: 2

      According to their website, a number of forms of 2FA are available free. The free options largely involve either one-time verification codes like Google Authenticator or push notifications to your smart phone. Premium is required for Yubico, Sesame, and Windows fingerprint recognition.

    3. Re:Still charging for two factor support by Anonymous Coward · · Score: 0

      Yep, can confirm that 2-factor via Google Authenticator works just fine.

  6. Why not just hand it to the NSA then? by Anonymous Coward · · Score: 0

    Cut out the middle! The F.B.I. has said this all along:

    TRUST NO ONE!

    1. Re: Why not just hand it to the NSA then? by Anonymous Coward · · Score: 0

      The FBI said no such thing. A fictional character named Fox Mulder said that. He even used it as a password in the form of "trustno1". Not a very secure password especially considering the state-sponsored adversaries he was worried about, but there you go.

      Try to keep up.

  7. This service is brought to you by NSA by ugen · · Score: 1, Funny

    Because someone's got to pay for it.

    1. Re:This service is brought to you by NSA by Anonymous Coward · · Score: 0

      Because someone's got to pay for it.

      I was thinking the same thing.

    2. Re:This service is brought to you by NSA by Anonymous Coward · · Score: 0

      To be a little bit fair, they aren't making all premium features available for free: https://lastpass.com/how-it-works/ and what is still missing is "Additional multifactor authentication options," "Desktop Application Passwords," and "Shared Folders with customized permissions." Here is a tip though for LastPass, if you want to upsell, you may want to actually explain what the products are, rather than just the names.

  8. Why? by AmiMoJo · · Score: 4, Interesting

    Can someone explain why I would want to have Lastpass hold the keys to my kingdom when I could just use a trusted, open source option like Keepass with a private server or free account on any number of cloud storage services? Browser plug-ins aren't exactly known for their great security.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Why? by ljw1004 · · Score: 1

      Can someone explain why I would want to have Lastpass hold the keys to my kingdom when I could just use a trusted, open source option like Keepass with a private server or free account on any number of cloud storage services? Browser plug-ins aren't exactly known for their great security.

      Lastpass (the company) doesn't hold the keys to your kingdom. Their servers only store an encrypted blob that they (the company) can't decrypt. It only ever gets decrypted locally on your machine at the moment you type in your master password.

      Why would you want Lastpass? Because (1) it's really convenient - 99% of the time you want to enter a password it's the password to a web-page, and LastPass is already there; (2) you've heard from lots of security professionals that lastpass security is adequate.

    2. Re:Why? by 110010001000 · · Score: 0

      "Their servers only store an encrypted blob that they (the company) can't decrypt"

      You don't know that. Unless you can see the source you don't know anything about it.

    3. Re:Why? by Anonymous Coward · · Score: 0

      They are bound by their own policy which they show on their website. Were they to break their own policy for some retarded reason (because why would they?), they'd be legally liable.

      And yes, you can be sure, for example by inspecting packets and seeing for yourself that all your machine is sending is a binary blob.

      How would you even "see the source" of a web service anyway? Did you actually think about what you said, or did you just paste the same braindead stock reply you do every time password managers are discussed?

    4. Re:Why? by Anonymous Coward · · Score: 0

      "Their servers only store an encrypted blob that they (the company) can't decrypt"

      You don't know that. Unless you can see the source you don't know anything about it.

      You are incapable of inspecting your own TLS traffic to validate what is and is not passed up, I take it?

    5. Re:Why? by ljw1004 · · Score: 4, Informative

      "Their servers only store an encrypted blob that they (the company) can't decrypt". You don't know that. Unless you can see the source you don't know anything about it.

      Technically true. But let's look at the equivalent Keepass steps:

      1. Download source code for desktop version
      2. Audit it
      3. Compile it locally
      4. Optional: encrypt the binary and store it somewhere in (say) dropbox if you want to avoid steps 1-3 each time in future
      5. Download source code for iOS version (say)
      6. Audit it
      7. Purchase $100/year Apple developer license
      8. Compile it locally
      9. Deploy the binary to your iOS device

      Unless you've gone through steps 1-9 yourself, the difference between "trusting Keepass" and "trusting Lastpass" is immaterial.

    6. Re:Why? by 110010001000 · · Score: 3, Funny

      Bound by their own policy? Comical. Is that like "Do no evil"?

    7. Re:Why? by 110010001000 · · Score: 1

      No it isn't. I trust open source developers a hell of a lot more than I do any closed source company trying to make a buck. Ridiculous.

    8. Re:Why? by Anonymous Coward · · Score: 1

      Because LastPass is providing convenience for those of us who don't want to be InfoSec sysadmin professionals maintaining a private server as their hobby.

    9. Re:Why? by 110010001000 · · Score: 1

      Yes. How could I verify "the blob on the server" is the same as what is passed up? If you can't see the source you have no idea what they are doing.

    10. Re:Why? by ljw1004 · · Score: 1

      No it isn't. I trust open source developers a hell of a lot more than I do any closed source company trying to make a buck. Ridiculous.

      Ah, now you're shifting goalposts. Your first was "you can't *know* it's secure". Now it's down to a personal trust preference. My personal trust preference is that I trust the Lastpass developers more than the Keepass developers.

    11. Re:Why? by Anonymous Coward · · Score: 1

      And yes, you can be sure, for example by inspecting packets and seeing for yourself that all your machine is sending is a binary blob.

      And you know exactly jack shit about the contents of that blob, or whether it's even truly encrypted or merely obfuscated. Don't go calling other people "braindead" when you don't have the first fucking clue what you're talking about yourself. Their "policy" means nothing, and I very seriously doubt you have the legal knowledge to know exactly how far their liability extends.

    12. Re:Why? by idji · · Score: 2

      Keepass users are more tech-savvy than Lastpass users. Different customers.

    13. Re:Why? by mrlinux11 · · Score: 2

      They could encrypt it and send it up. The question is how good the encryption is and how good the password you used to generate the key is. If they use a combination of a symmetric key for the bulk encryption and an asymmetric key (generated from the password) to encrypt the symmetric key, then they could encrypt everyone's data with the same symmetric key and encrypt that key with the asymmetric key to make it look secure. So now the NSA can get access to everyone's userid and password.

    14. Re: Why? by Anonymous Coward · · Score: 0

      Here you go. It's GPL.

      https://github.com/lastpass/lastpass-cli

      Want the source to the actual extension? It's minified JavaScript, which isn't too hard to read for a determined researcher.

      They used to have a well-commented JavaScript webpage for security researchers that demonstrated authentication and vault decryption, but I wasn't able to find it after about 20 minutes of searching.

    15. Re:Why? by 110010001000 · · Score: 1

      I'm not shifting anything. You can't know Lastpass is secure. You don't have the source. You have no idea what they are doing. They might be storing your password in plaintext. I also trust open source developers rather than some closed source company. It really isn't that complex to understand.

    16. Re: Why? by 110010001000 · · Score: 1

      Thanks! Where is the server side code? That is just the interface to LastPass.com.

    17. Re:Why? by ljw1004 · · Score: 1

      You also can't know that your installation of Keepass is secure unless you've done steps 1-9. Have you? If the answer is no for you or anyone you're advising, then you should remove "know it is secure" from your list of arguments.

    18. Re:Why? by Anonymous Coward · · Score: 0

      Are you too dumb to understand that breaking your own policy immediately makes you a criminal? If the company were to break its own policy regarding this (but they have 0 reasons to), they could be sued by thousands of people and would go under in no time. Unless they're as retarded as you, they follow what they tell everyone they do.

    19. Re:Why? by 110010001000 · · Score: 1

      Yes I have. It is 100% secure. I have audited the code. So how do you know Lastpass is secure? I await your response.

    20. Re:Why? by 110010001000 · · Score: 2

      I guess I never realized that breaking a company policy was illegal. Thanks for the tip!

    21. Re:Why? by ljw1004 · · Score: 1

      I haven't audited the code for Keepass. So my knowledge of the security of Lastpass and Keepass is equal (as it is for almost everyone else). So any advice you give to me or anyone else in my position shouldn't be based on your "knowledge" argument. And anytime you trot out your knowledge argument you should accompany it with the big caveat that it only applies to people who did steps 1-9.

      PS. You said you audited the code. I assume you meant "and I also compiled it locally and I also paid $100/year apple tax (unless you're an android user and you don't share your passwords with any family members who are iOS users) and I deployed all those locally compiled binaries too."

    22. Re:Why? by Anonymous Coward · · Score: 0

      Ridiculous.

      That is exactly what I think when I see your comments.

    23. Re:Why? by 110010001000 · · Score: 1

      Correct. I have audited the code and I know it is secure. So basically you have no idea if Lastpass is secure, BUT you COULD find out if Keepass is secure if you audited the publicly available code. With Lastpass you don't have that option. You are basically trusting some company to do the right thing. Good luck with that.

    24. Re: Why? by Anonymous Coward · · Score: 0

      The encryption/decryption happens locally. It's not just an API client, it actually does the cryptography.

      If you can verify that the vault always leaves your machine encrypted, and that only you have the key (your master password is derived to different keys for encryption and for authentication), then you can verify that LastPass the company doesn't have the ability to decrypt your vault on the server.

      Unless you've read the source for everything starting at the microcode, you have to trust _someone_. The trust boundary you're comfortable with is a matter of opinion.

      For me, I believe LastPass can secure their servers better than I could secure a file server, because I've read the source and didn't see obvious flaws, because they resolve bug disclosures faster than anyone I've seen, and because they have more man-hours to spend on the security than I do.

    25. Re: Why? by 110010001000 · · Score: 1

      You have no idea if they are running that code in their closed source clients, and you have no idea what is being transmitted to the server. You do have to trust someone, but Internet companies have proven to be untrustworthy.

    26. Re:Why? by tepples · · Score: 1

      Look up "tort of deceit" and "non-disclosure agreement" and "false advertising". Even if it isn't a crime, it can still be grounds for a civil suit.

    27. Re: Why? by Anonymous Coward · · Score: 0

      Don't misunderstand me, please. I've prettified and read the source of the JavaScript closed source client, not the open source one. It's small enough that you can get your head around it.

      People smarter than me have done this too.

    28. Re:Why? by Anonymous Coward · · Score: 0

      I'm calling bullshit. you only started trotting out the fact that you audited the code after getting called out. I've seen enough of your shit posts on this site to know you lie a fair amount.

    29. Re: Why? by tepples · · Score: 1

      If you can verify that the vault always leaves your machine encrypted

      How is that possible when the GUI half of the LastPass client is not part of the lastpass-cli repository or any other repository owned by the LastPass organization?

    30. Re: Why? by Anonymous Coward · · Score: 0

      Because the GUI is written in JavaScript, and when you prettify it it ends up being fairly readable as far as minified JavaScript goes.

      Note that I'm not saying the vault always leaves encrypted, I'm just saying that I didn't see any obvious places where it does, and the company also says it doesn't.

    31. Re:Why? by Anonymous Coward · · Score: 1

      They are bound by their own policy which they show on their website.

      Why do people believe this crap? Companies break their own privacy policies all the time, and nothing happens.

    32. Re: Why? by Anonymous Coward · · Score: 0

      I didn't see any obvious places where it *doesn't leave encrypted.

    33. Re:Why? by Knuckles · · Score: 1

      Like you have been told in the other subthread, even if you did audit Keepass this does not help you at all unless you only use self-compiled binaries. (And did you audit the compiler too?)

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    34. Re: Why? by Anonymous Coward · · Score: 0

      Holy fuck. Troll harder, dude!

    35. Re:Why? by RandomSurfer314 · · Score: 1

      And you're absolutely right in doing so. It's way easier to sweep issues under the carpet when you're closed-source, and every private company that wants to make money will do so if a problem arises and can be fixed silently.

    36. Re:Why? by RandomSurfer314 · · Score: 1

      False dichotomy. Security is not a simple Yes/No matter. There is no absolute security but you can increase it, e.g. by auditing source code.

    37. Re:Why? by Knuckles · · Score: 1

      Tell that to the other guy

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    38. Re:Why? by Anonymous Coward · · Score: 0

      I'm not shifting anything.

      Oh, yes. You most certainly are. It's convenient for you, of course, but stop trying to deny it. It's blindingly obvious to everyone, with the possible exception of yourself.

      You can't know Lastpass is secure. You don't have the source. You have no idea what they are doing.

      Correct.

      They might be storing your password in plaintext.

      Unlikely, but possible, yes.

      I also trust open source developers rather than some closed source company.

      As do I, generally.

      It really isn't that complex to understand.

      For you it apparently is. You spout bullshit about what you have supposedly done, but which you haven't actually done. You move the goalposts when your argument no longer holds.

      Basically, and to be blunt, you are a douche.

      In closing: No, you don't know if Keepass is secure or not. You think it is, you want it to be, and it likely is. But you do not know. No, really. You don't.

    39. Re:Why? by OfficeLackey · · Score: 1

      Because we all have non-technical family and friends with smartphones and laptops using the same lame password for everything. This is a simple and elegant solution to help them be more secure without feeling imposed upon by "software for techies". (Don't bitch, I've used Password Safe and KeePass. They're simple, but....) It's better than nothing.

    40. Re:Why? by pissoncutler · · Score: 1

      IMHO, KeePass has pretty clunky UI/UX compared to LastPass. Having a seamless browser-integrated experience that supports hardware MFA and works across all the OS's I use allows me to use unique 20+ char passwords (and unique usernames for more secure accounts) on all my logins, and change the passwords frequently.

      I get that everyone has an opinion, but I think the blanket statement "Keepass users are more tech-savvy than Lastpass users" is about as true as "Windows users are more tech-savvy than Mac Users". Every choice in hardware/software has some tradeoffs...

    41. Re: Why? by Anonymous Coward · · Score: 0

      100% secure? Haha, I'm looking at your "secure" gay porn collection right now.

    42. Re:Why? by Anonymous Coward · · Score: 0

      1) I doubt you audited the code.

      2) http://security.stackexchange.com/a/15846
      The workings of what the last pass extensions do is fairly easy to verify. The javascript source is available. You can see that the key you enter is never sent to LP. You can see that it does X rounds of Y hashing. You can trace the data that is sent out from your computer. As long as you are certain their encryption algorithms and hashing algorithms do not have flaws, then there is no way for them to recover the original key you typed in.
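
The scheme described a few comments up (the master password derived locally into separate encryption and authentication keys, the vault decrypted only on the client) and the verification the Stack Exchange answer quoted just above outlines (the key you type is never sent, N rounds of hashing, trace what leaves your machine), as one added example. This is not LastPass's code and not code from any poster in this thread. It assumes PBKDF2-SHA256 with the username as salt and 100,000 iterations, an HMAC-SHA256 counter keystream standing in for AES, and a toy `Server` class; `upload_is_clean`, `offline_guess`, `run_demo` and the sample vault are all illustrative names and data constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # assumption; real products tune the KDF and count differently

def derive_keys(master_password, username, iterations=ITERATIONS):
    """enc_key never leaves the client; auth_hash is the only password-derived
    value sent up, and it is one-way with respect to enc_key."""
    enc_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                  username.lower().encode(), iterations)
    auth_hash = hmac.new(enc_key, b"auth", hashlib.sha256).digest()
    return enc_key, auth_hash

def _keystream(key, nonce, length):
    """HMAC-SHA256 as a PRF in counter mode: a stdlib stand-in for AES."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _subkeys(enc_key):
    return (hmac.new(enc_key, b"enc", hashlib.sha256).digest(),
            hmac.new(enc_key, b"mac", hashlib.sha256).digest())

def encrypt_vault(enc_key, vault):
    """Encrypt-then-MAC the JSON vault; site URLs and secrets are both inside."""
    k_enc, k_mac = _subkeys(enc_key)
    nonce = secrets.token_bytes(16)
    pt = json.dumps(vault, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(k_enc, nonce, len(pt))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt_vault(enc_key, blob):
    """Check the tag before touching ciphertext; wrong key -> ValueError."""
    k_enc, k_mac = _subkeys(enc_key)
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong key or tampered blob")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct)))))

class Server:
    """Holds a salted hash of the auth hash and the opaque blob, nothing else."""
    def __init__(self):
        self.db = {}

    def register(self, username, auth_hash, blob):
        salt = secrets.token_bytes(16)
        self.db[username] = {"salt": salt.hex(), "blob": blob,
                             "auth": hashlib.sha256(salt + auth_hash).hexdigest()}

    def login(self, username, auth_hash):
        rec = self.db.get(username)
        if rec is None:
            return False
        check = hashlib.sha256(bytes.fromhex(rec["salt"]) + auth_hash).hexdigest()
        return hmac.compare_digest(check, rec["auth"])

    def dump(self, username):
        """What a server-side breach hands an attacker."""
        return json.dumps(self.db[username]).encode()

def upload_is_clean(outbound, master_password, enc_key):
    """The packet-inspection check: the master password and the encryption key
    (raw or hex) must not appear in the bytes leaving the client."""
    needles = [master_password.encode(), enc_key, enc_key.hex().encode()]
    return not any(n in outbound for n in needles)

def offline_guess(dump, username, guess):
    """What a breach buys: one full PBKDF2 per guess, and only the right guess
    yields the key that opens the blob. Returns the vault or None."""
    rec = json.loads(dump)
    enc_key, auth_hash = derive_keys(guess, username)
    if hashlib.sha256(bytes.fromhex(rec["salt"]) + auth_hash).hexdigest() != rec["auth"]:
        return None
    return decrypt_vault(enc_key, rec["blob"])

def run_demo(master_password="correct horse battery staple", username="alice@example.com"):
    vault = {"https://bank.example": {"user": "alice", "pw": "Xk9!pLq2"}}  # constructed sample
    enc_key, auth_hash = derive_keys(master_password, username)
    blob = encrypt_vault(enc_key, vault)
    outbound = json.dumps({"user": username, "auth": auth_hash.hex(), "blob": blob}).encode()
    server = Server()
    server.register(username, auth_hash, blob)
    try:
        decrypt_vault(auth_hash, blob)  # the most the server ever receives
        server_decrypts = True
    except ValueError:
        server_decrypts = False
    dump = server.dump(username)
    return {"login_ok": server.login(username, auth_hash),
            "upload_clean": upload_is_clean(outbound, master_password, enc_key),
            "roundtrip": decrypt_vault(enc_key, blob) == vault,
            "server_decrypts": server_decrypts,
            "wrong_guess_opens": offline_guess(dump, username, "password1") is not None,
            "right_guess_opens": offline_guess(dump, username, master_password) == vault}
```

`upload_is_clean` is all that inspecting your own TLS traffic can establish: the password and the key are absent from the upload. It says nothing about whether the key inside the client was derived well, which is the objection raised earlier in the thread about everyone's data sharing one symmetric key; that can only be settled by reading the client code. `offline_guess` shows what a leak of authentication hashes and salts is worth to an attacker: every guess costs the full PBKDF2 run, so the vault falls only to a weak master password or a low iteration count.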

    43. Re:Why? by Anonymous Coward · · Score: 0

      It’s not secure because you audited the code. For all we know you don’t know a thing about code.

    44. Re:Why? by Anonymous Coward · · Score: 0

      Way to not let this devolve into attacks. I enjoyed both points of view. Thanks!

    45. Re:Why? by whodunit · · Score: 1

      I'd use FreePAVE instead; nicer UI (no damn trees) a search feature that actually works, SQLite database, XSalsa20 instead of AES, yadda yadda. But mainly the search thing.

    46. Re:Why? by AmiMoJo · · Score: 1

      You don't have to do it yourself. Lots of people have looked at Keepass. Given the choice, I'll take open source over closed. All other things being equal, it's much harder for the NSA/GCHQ to screw with open source software, but Lastpass is vulnerable to legal attacks.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    47. Re:Why? by Fnord666 · · Score: 1

      Yes I have. It is 100% secure. I have audited the code. So how do you know Lastpass is secure? I await your response.

      Did you build the version that you are using from the source that you audited, or are you trusting that what you installed has anything to do with the source that you saw?

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    48. Re:Why? by ljw1004 · · Score: 1

      You don't have to do it yourself. Lots of people have looked at Keepass

      Okay, you (1) trust those people to have audited the code, (2) trust the website is offering you a download binary built from the code that was audited by those people, (3) trust that no one malicious has snuck in a modified binary.

      I trust the Lastpass employees to have audited their code, and the security professionals who recommend Lastpass. I *know* that I'm getting an authentic lastpass binary because of the way the Google and Apple store works.

      It's all down to a personal question of trust. I respect that you trust the people who looked at Keepass. You should respect that I trust the employees of Lastpass. When we offer people advice, we should both be careful not to give a blanket recommendation like "it's good because it's OSS", but rather a nuanced recommendation "you should balance the convenience to you, your trust of party XYZ, and your trust of party ABC, when choosing between tools 1 and 2".

    49. Re:Why? by irrational_design · · Score: 1

      Because LastPass just works on Macs and iPhones, while KeePass is a major pain to set up (I tried following a number of tutorials when I tried it, but was never successful, YMMV).

    50. Re:Why? by Anonymous Coward · · Score: 1

      Correct. I have audited the code and to the best of my knowledge I believe that it is secure.

      FTFY. If, like 99.999% of people, you actually aren't qualified to audit the code then your audit means diddly squat. If, on the other hand you actually are qualified to audit the code, where have you published the results of your audit? It would be very helpful to others if you would publish your results so that they can be more comfortable with KeePass.

    51. Re:Why? by Anonymous Coward · · Score: 0

      Why is that modded informative?

      The above combines two tired old and wrong arguments:
      - "I am not a programmer" => "Open source is not an advantage", which is as sensible as "I have nothing to say" => "free speech is not important".
      - "I have not personally verified something and can hence not be 100% sure. However, nobody else in the whole world has found anything wrong, but unlike me they might not be perfect."

    52. Re:Why? by denbesten · · Score: 1

      I used Keepass for about 5 years. I finally switched a week ago. The driving factor for switching was its better ability to auto-fill, especially on Android (Nougat) and MSIE (required for a few of our company apps). Lastpass's better features:
      1. Lastpass android app fills in passwords; keepassdroid requires copy/paste or switching to the Keepass keyboard momentarily.
      2. Lastpass auto-fills Chrome, Firefox, Explorer and Edge. Keepass only does Chrome and Firefox.
      3. Lastpass auto-fills windows applications, not just web browsers.
      4. Lastpass does its own sync. Keepass requires the use of something similar to One Drive, which required manually fixing occasional replication conflicts.

      Keepass's better features:

      1. Keeagent stored my ssh identity in my vault and made it automatically available to putty when I unlocked my vault.
      2. Lastpass does not deal well with the fact that some, but not all of the servers in my own company share common credentials. I end up storing my AD credentials in a dozen entries in lastpass. Keepass's field references worked better.

      Keepass is much more "do it yourself", Lastpass takes most of the hassle away at a cost of $12/year for some features.

    53. Re:Why? by Anubis+IV · · Score: 1

      Yes I have. It is 100% secure. I have audited the code.

      Then it looks like you've got some serious 'splain' to do, since some folks have found a few issues with your "100% secure" assessment.

      So how do you know Lastpass is secure?

      Gee, I don't know. Maybe you could just audit the source code, the same as you claim you did for KeePass. LastPass is open source too, after all.

    54. Re:Why? by Anonymous Coward · · Score: 1

      I don't know how many people there are like me, but while I do develop software and hardware on a daily basis I couldn't effectively audit any code that performs any sort of encryption and prove it was doing anything in particular.
      And that's really the problem here. There just aren't that many people who understand encryption enough to prove that any given code doesn't perform the encryption in such a way that it is easily broken.
      So yeah, I COULD find out if Keepass is secure. And if I worked on that exclusive to any activities that require using something like Keepass then I would probably be safer for longer than if I just used Keepass. So trusting the binary of Keepass that I download is safe based on your recommendation is every bit as valid as trusting LastPass based on some other random dude from the internet.

    55. Re:Why? by Anonymous Coward · · Score: 0

      Are you too dumb to understand that breaking your own policy immediately makes you a criminal? If the company were to break its own policy regarding this (but they have 0 reasons to), they could be sued by thousands of people and would go under in no time.

      To sue, you need some evidence. How are these thousands of people going to prove anything when the company secretly decrypts their private password DB?

    56. Re:Why? by Anonymous Coward · · Score: 0

      Anything can be grounds for a civil suit. That doesn't mean they would be in any danger of actually losing.

    57. Re:Why? by Anonymous Coward · · Score: 0

      Then prove that he's lying or shut the fuck up, junior.

  9. Okay, what's the business model then? by Dr.+Crash · · Score: 4, Insightful

    Which leaves us with the interesting question of LastPass's business model.

    1) Advertising? Knowing every site you visit - AND YOUR PASSWORD?

    2) "We have a benefactor". Yeah. Except that maybe that benefactor is the NSA. Or is it the GRU? Or is it the MSS (China's NSA)?

    No matter how I slice it, I can't figure out an angle that isn't kinda creepy.

    1. Re:Okay, what's the business model then? by Githaron · · Score: 4, Informative

      There are still features exclusive to premium and enterprise users: https://lastpass.com/features/

    2. Re:Okay, what's the business model then? by Anonymous Coward · · Score: 0

      Can't figure out what a company is selling? It's you.

    3. Re:Okay, what's the business model then? by Anonymous Coward · · Score: 0

      They don't know either - they store the passwords in the form of an encrypted blob, and it is encrypted locally, which means they don't have access to either the sites you visit (because they're encrypted inside the blob) or your password (because at no time does it leave your device).

    4. Re:Okay, what's the business model then? by Anonymous Coward · · Score: 0

      They give the product away for free to normal users. Enterprise users will pay for it to get common accounts, sharing passwords between accounts, and other features.

      It does work pretty well. I can generate a password to a host, then share it to the Group. Everyone has access to the password now using their own accounts without ever having to email the password around. Change it every 30 days, update the lastpass entry, and everyone instantly can use the new pw. This is only available with the ent lic.

      I use mine with a yubikey as 2 factor. You need both my master pw and access to my yubikey to unlock the pw vault.

    5. Re:Okay, what's the business model then? by Anonymous Coward · · Score: 1

      Can't come up with an original post? Paste an old tired canned response without thinking if it actually applies to the situation. What would they sell? They don't have any information about you, except your login and a collection of encrypted bits that might as well be random.

    6. Re:Okay, what's the business model then? by 110010001000 · · Score: 2

      "What would they sell? They don't have any information about you, except your login and a collection of encrypted bits that might as well be random."

      How do you know that? You don't. There sure are a lot of people here claiming they know how LastPass works. Without the source being open, I wonder how they know that.

    7. Re:Okay, what's the business model then? by 110010001000 · · Score: 0

      How do you know this? Do you work for Lastpass?

    8. Re:Okay, what's the business model then? by Nemyst · · Score: 1

      1) They don't know your password. You should read more before commenting

      2) Their benefactor is LogMeIn. To them, LastPass is another tool in their arsenal to court corporations, and corporate LastPass usage is not free.

    9. Re: Okay, what's the business model then? by cyber-vandal · · Score: 1

      Which you can do with Keepass easily enough without having to hand over anything to a third party.

    10. Re:Okay, what's the business model then? by Overzeetop · · Score: 1

      This, more than anything else, may prompt me to switch. Not that handing my money over is any kind of guarantee of privacy, but if you're giving away nearly your entire product then it means you're making money some other way. And I'm not so sure I trust that "other way" not to be in conflict with my privacy.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    11. Re:Okay, what's the business model then? by nine-times · · Score: 1

      It's advertising. Though to be fair, they don't know your passwords.

    12. Re: Okay, what's the business model then? by Anonymous Coward · · Score: 2, Informative

      Remember These,

      June 15, 2015 - LastPass Reporting a Security Breach, Including Authentication Hashes and Salts https://it.slashdot.org/story/15/06/15/2143222/lastpass-reporting-a-security-breach-including-authentication-hashes-and-salts

      January 17, 2016 - LastPass Vulnerable To Extremely Simple Phishing Attack https://it.slashdot.org/story/16/01/17/1936211/lastpass-vulnerable-to-extremely-simple-phishing-attack

      July 27, 2016 - LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites https://it.slashdot.org/story/16/07/27/1342205/lastpass-accounts-can-be-completely-compromised-when-users-visit-sites

      Could it be that the business model is incompetence?

      A staunch KeePass user.

    13. Re:Okay, what's the business model then? by Last_Available_Usern · · Score: 1

      My assessment is their goal is two-pronged. The first is to amass the majority of this market and get even more people to embrace cloud password storage. Secondly, at some point in the future they will roll out a paid "premium" service that will help offset the costs they've been absorbing and move them into profitability. Given the expected low per-user cost I suspect it would have to be a *very* enticing service as to lure enough subscribers to move them into the black. Not sure what they could offer that would be *that* good.

    14. Re:Okay, what's the business model then? by Anonymous Coward · · Score: 0

      > What would they sell? They don't have any information about you, except your login and a collection of encrypted bits that might as well be random.

      Have you used their add-on? It signs into their servers every time you start your web browser. Probably even more frequently. At a minimum that's your IP address updated on a semi-regular basis. Your passwords are encrypted, but what about the list of websites you have stored passwords for?

    15. Re:Okay, what's the business model then? by Anonymous Coward · · Score: 0

      They've admitted in the past that they store the second-level domain (according to the Public Suffix List) so they can show you the favicon for the websites you visit. They also store your login history, some PII, and can link your account with other services their parent provides. I mean, you did know they were owned and run by LogMeIn and also provide a favorites syncing platform, right?

    16. Re: Okay, what's the business model then? by Anonymous Coward · · Score: 0

      You're starting to sound a little rabid. Your point is made, anyone who can see your angle and truly understands the consequences sees what you are saying. Don't trust what you can't know.

  10. Freeee! by Anonymous Coward · · Score: 0

    And now only LastPass premium doesn't have ads.

  11. useful by Anonymous Coward · · Score: 0

    I have difficulty remembering which websites I use the password password1 or password1! or Password1 or Password1!, there are so many alternate password passwords I use, that this app will be handy.

    1. Re:useful by Anonymous Coward · · Score: 0

      I logged into your account and posted this message under your name!

  12. Who cares how it works. by Anonymous Coward · · Score: 0

    I'm not trusting some company with my passwords.

    People are too trustworthy. And if LastPass gets hacked and all those passwords get stolen, LastPass will just say "oops!" and "oh well" and their customers will be scrambling to clean up the mess. Six months later, everyone forgets.

    1. Re:Who cares how it works. by Anonymous Coward · · Score: 3, Informative

      They can't get stolen because they're encrypted. They could as well be public, because they're of no use to anyone who doesn't know the master password.

    2. Re:Who cares how it works. by Anonymous Coward · · Score: 0

      If you have 20 passwords, they're useless to someone who doesn't know all 20 of them. Using a password manager decreases the work necessary to retrieve 20 passwords by a factor of 20 in such a case.

    3. Re: Who cares how it works. by Anonymous Coward · · Score: 0

      If you only need to remember one password, you can make it harder to guess. Three times as long, more complex etc. which will not make it any easier at all to guess the 20 passwords.

    4. Re:Who cares how it works. by unixisc · · Score: 0

      The first part of what you wrote makes sense, but the latter part doesn't. If I store my password to one of my financial accounts, then those being public would be devastating. Anyone who knows a login to one of them can go in, draw out however much he likes, and disappear. His not knowing the master password wouldn't have hurt him if he manages to know what's inside.

    5. Re: Who cares how it works. by Anonymous Coward · · Score: 0

      and if only one of those 20 sites doesn't salt+hash that password, then what?

    6. Re: Who cares how it works. by dnorman · · Score: 5, Informative

      each site has a unique, computer-generated password. which is stored in encrypted form and only decrypted by you when you need to retrieve that single password. if one of the 20 sites doesn't store their password properly in their database, only that password will be compromised and the other 19 are safe. This is much better than using a single super-secure-nobody-could-possibly-guess-it password for all sites.

      --
      It is pitch dark. You are likely to be eaten by a grue.
    7. Re: Who cares how it works. by Anonymous Coward · · Score: 0

      That's why all of the password data is encrypted using the master password.

    8. Re: Who cares how it works. by Anonymous Coward · · Score: 0

      each site has a unique, computer-generated password. which is stored in encrypted form and only decrypted by you when you need to retrieve that single password. if one of the 20 sites doesn't store their password properly in their database, only that password will be compromised and the other 19 are safe. This is much better than using a single super-secure-nobody-could-possibly-guess-it password for all sites.

      Right, the idiot I was responding to said he could have one real complex password instead of 20 unique ones (like a password manager model) and be safer.

      I was pointing out why that was dumb - you agreed with me :)

    9. Re: Who cares how it works. by mlts · · Score: 1

      If I need one password, I'd like to use some form of 2FA with it, be it a key residing on a device + a PIN, a password + keyfile, or similar. Something to ward off a brute force attack.

      I do this with my TrueCrypt/VeraCrypt volumes when storing those offsite. They get encrypted with a password and a keyfile, with the keyfile stashed in a secure location. This way, if the offsite account is compromised, an attacker has to deal with the entire 256-bit keyspace, as brute-forcing passwords is not an option.

    10. Re: Who cares how it works. by Anonymous Coward · · Score: 0

      LastPass supports 2FA via Google Authenticator

    11. Re: Who cares how it works. by dnorman · · Score: 2

      wait. people agree with each other on the internet? what the hell just happened? ;-)

      --
      It is pitch dark. You are likely to be eaten by a grue.
  13. Re:Biometrics are still vulnerable by Anonymous Coward · · Score: 1

    This will not stop someone from 3D printing your fingerprint, or wearing a mask that looks exactly like you or even simply holding up a photograph of you. Biometrics are extremely insecure.

  14. Revenue source by Anonymous Coward · · Score: 0

    What is their revenue source then? If they aren't charging anything, are there gonna be ads, thus is it going to negate what they're trying to do for privacy? Or how are they going to make money to keep them going?

    1. Re:Revenue source by Anonymous Coward · · Score: 0

      What is their revenue source then? If they aren't charging anything, are there gonna be ads, thus is it going to negate what they're trying to do for privacy? Or how are they going to make money to keep them going?

      They have additional features for their $1 a month plan. The article just says that one of the previous premium features, syncing between devices, is now free. They also have an Enterprise option for companies to use that costs money

    2. Re:Revenue source by Anonymous Coward · · Score: 0

      What is their revenue source then? If they aren't charging anything, are there gonna be ads, thus is it going to negate what they're trying to do for privacy? Or how are they going to make money to keep them going?

      They are charging for enterprisey features

    3. Re: Revenue source by Anonymous Coward · · Score: 0

      According to the article on the subject on Engadget, there will indeed be ads. However, LastPass' site and Play Store page don't say anything about it yet.

  15. Syncing via the web is stupid... by Anonymous Coward · · Score: 0

    Use a flashdrive to back up the password database. Keepass has apps for every OS.

    1. Re:Syncing via the web is stupid... by tepples · · Score: 1

      Provided the device's operating system can even mount a flash drive in a manner that KeePass can see. PCs can, but a lot of "mobile" devices* cannot. The Android operating system on Nexus 7 devices, for example, can use many USB devices through an OTG cable but not a flash drive.

      * Defined as devices running a smartphone-derived operating environment, namely stock Android and iOS.

  16. have people been paying for that by Anonymous Coward · · Score: 0

    keepass with cloud solutions is the same thing: the file itself is encrypted, and depending on what cloud service you use it can be too, to different degrees, so why switch? keepass is used and imported by many programs and all platforms that I've seen.

    1. Re:have people been paying for that by Knuckles · · Score: 1

      keepass with cloud solutions is the same thing: the file itself is encrypted, and depending on what cloud service you use it can be too, to different degrees, so why switch? keepass is used and imported by many programs and all platforms that I've seen.

      You don't have to switch but I sure as hell am not going to explain a keepass solution to my mum.

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    2. Re:have people been paying for that by Anonymous Coward · · Score: 0

      I did, and she loves it. 80 years old, give or take, Mac user, has trouble understanding the difference between a web interface presented by Firefox versus something running locally accessing her local filesystem. She's a little unclear on why modifying an entry in KeePassX doesn't automatically change the password with her bank or email provider. But it beats the hell out of a half dozen pieces of paper and sticky notes with every square inch occupied. Tech support filial piety, simplified.

  17. Android app still charging a fee by kcwebmonkey · · Score: 1

    Unless they haven't updated the Android app, it's still showing this as a premium feature. I've installed it and it says "Your LastPass Premium trial will expire in 60 days". I would think if it was truly free now then I wouldn't be seeing this message.

    1. Re:Android app still charging a fee by Anonymous Coward · · Score: 0

      There is still a Premium plan but some features that were only in Premium or Enterprise are now free. lastpass.com/features

  18. Re:Biometrics are still vulnerable by Nemyst · · Score: 1

    Biometrics can be insecure if you're being specifically targeted. The most common security breaches for regular users come from phishing, hacks or vulnerabilities in software, and those are non-targeted most of the time and would be significantly hampered by biometrics, since the hackers don't know you and don't specifically care about you.

    Also, you're seemingly assuming that today's biometrics are as good as it gets, which is rather myopic. Fingerprinting will move on to finger vein matching, face recognition will include depth perception and infrared matching, iris scanning will get more popular, etc. It's like saying passwords will always be insecure because 6-character passwords are.

  19. Re:Biometrics are still vulnerable by Stormy+Dragon · · Score: 1

    The other big problem with biometrics is that once a breach does occur, you can't change to a new set of fingerprints, eyes, etc.

    Conversely, if you're in some sort of accident, you now have no way to access any of your accounts.

  20. Biometrics? by Overzeetop · · Score: 1

    You mean like requiring that you log into your device (laptop, phone) with a fingerprint, an iris scan, or facial recognition in order to even open the Lastpass program - at which point you then have to put in your master password? Yeah, I think modern hardware can accommodate your request. It's not set up to be used that way, but the effective result is the same.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Biometrics? by tepples · · Score: 1

      If your biometrics are compromised, how can they be revoked and reissued without harming you?

    2. Re:Biometrics? by Jumperalex · · Score: 1

      It is a known problem, one for which there is a lot of research going on. If you're really curious, and need to spend some time not working ;-), go on a google journey using "biometric template revocation".

      --
      If you can't be good, be good at it!
  21. Re:Biometrics are still vulnerable by Anonymous Coward · · Score: 1

    Conversely, if you're in some sort of accident, you now have no way to access any of your accounts.

    That's why I use my dick print instead of my finger print. If I'm in "some sort of accident" life isn't worth living at that point.

  22. Is it sad that my first thought was... by PortHaven · · Score: 1

    Oh, so the NSA is paying them to make it free in exchange for a backdoor. So that the NSA can access the passwords of anyone who uses LastPass.

    1. Re:Is it sad that my first thought was... by 110010001000 · · Score: 1

      The thing is: you never know. They could be doing the right thing now, but maybe they aren't. Or maybe the company changes ownership or gets threatened by some agency or needs some "alternative" revenue stream. You would never know because you can't know exactly what they are doing.

    2. Re:Is it sad that my first thought was... by Anonymous Coward · · Score: 0

      Ha! We (NSA) already have your passwords. Nothing to worry about though, as you're not particularly interesting to us.

    3. Re:Is it sad that my first thought was... by Anonymous Coward · · Score: 0

      ... you're not particularly interesting to us.

      ... so far.

  23. And who should I trust? by Overzeetop · · Score: 1

    Even if I could view the source, I still wouldn't know that. I don't do cryptography or programming for a living at the level which would allow me to review the code for vulnerabilities, which puts me in with about 99.999%* of the general population. I can't verify keepass either. So I can either trust that their business model and livelihoods are based on some level of security, or I can base my trust of, say, keepass on some random set of internet users I've never met, have never seen the credentials of, and have nothing to lose if they happen to have missed a backdoor in the code during their perusal of the source.

    Neither seems all that certain, tbh. I mean, TrueCrypt was open source, and rock solid. Until the day we all found out it was compromised and insecure.

    *I wonder if there are even 70,000 people on earth who could effectively evaluate the entire source for vulnerabilities in their spare time, including every upgrade and change. The number may be quite a bit smaller.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:And who should I trust? by 110010001000 · · Score: 1

      So you could trust a corporation, who employs people you have never met, or seen the credentials of, who wants to make money somehow off of storing your passwords, or you could trust some open source developers, or yourself if you learned enough to take a look at the source. The point is with open source you at least have the OPTION of the latter. Whether you take that option or not is up to you, but I don't trust companies. They have proven to be untrustworthy.

    2. Re:And who should I trust? by Anonymous Coward · · Score: 0

      Except, you braindead dumbfuck, you can see the source, and it has been linked dozens of times here, and it is demonstrable that all they do is store an encrypted blob, and do not have the ability to decrypt it, because your master password does not leave your device, and all encryption is done locally. Get it through your thick skull already you illiterate manboon. They CAN'T see your passwords and websites, because it's both mathematically impossible, and legally forbidden by their own policy, and primarily, because they have NO reason to even attempt to do so.

    3. Re:And who should I trust? by Cro+Magnon · · Score: 1

      Open Source doesn't guarantee that the source will be audited. However, closed source does guarantee that the source WON'T be audited by anyone outside the company. Open is no silver bullet, but it's better than closed.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  24. Time to become suspicious by stikves · · Score: 1

    When LastPass was bought out by LogMeIn, I was worried that they would discontinue the service, however this seems even worse. Because in general if you're not the customer, you're the product. And in this case you're the product with all passwords stored on the cloud.

    It might be time to move on to KeePass. Then again the mobile versions are not 100% from the source. So even that is a tough decision.

    1. Re:Time to become suspicious by Anonymous Coward · · Score: 0

      Totally agree.

      I personally use 1Password + Dropbox. Seems good with client-side encryption and then using a separate cloud host (dropbox).

    2. Re:Time to become suspicious by Anonymous Coward · · Score: 0

      Who the fuck is buying into this total bullshit of "if it's free, you're not the customer, you're the product"?

      That is just asinine. I worked on a decent sized open source project for nearly a decade, everything was free aside from some premium support services people could pay for. The users of our product were never viewed as "products". Just people wanting to use the software we were creating and supporting.

    3. Re:Time to become suspicious by Anonymous Coward · · Score: 0

      The fact that you were working for them doesn't mean you've fully grasped their business model. The goal of these projects is obviously to lure people from free to premium with all kinds of tactics, ranging from so-so over false promises to dubious.

  25. Re: Biometrics are still vulnerable by rantrantrant · · Score: 0

    Agreed. Also consider that any information that can be digitized can be copied/forged. Using anything that you can't change whenever you suspect a password breach is idiotic.

  26. Businesses. by Anonymous Coward · · Score: 0

    Businesses:

    https://lastpass.com/enterprise/enterprise-pricing/

  27. No longer need developer license to run own builds by tepples · · Score: 1

    Purchase $100/year Apple developer license

    That's no longer required since Xcode 7 if you're not distributing your apps, but a $150/year* sufficiently recent Mac is required, unless the computer that you already use for other things happens to be a sufficiently recent Mac.

    * Estimate based on dividing the price of a Mac mini by its expected four-year update life.

  28. Puhleaze by s.petry · · Score: 1

    We all know the legal game of plausible deniability. "We didn't know Bob and Mary were skimming keys." ends any legal challenge you pose for violating their policy. Hell, that works for breaking actual laws nowadays.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  29. Free software means freedom to hire someone by tepples · · Score: 1

    The point is that with free software, anybody interested in evaluating a particular application can hire one of those 70,000 to perform and publish an audit.

    1. Re:Free software means freedom to hire someone by Knuckles · · Score: 1

      How do I know I can trust the auditor? It's not that different from trusting Lastpass at some point.

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    2. Re:Free software means freedom to hire someone by tepples · · Score: 1

      How do you know you can trust your own eyes? You think that's air you're breathing now?

    3. Re:Free software means freedom to hire someone by RandomSurfer314 · · Score: 1

      The auditor has a vital business interest in finding bugs and making them public to you, whereas the maker of the proprietary software has a vital interest in keeping any bugs secret from you and fixing them silently whenever it pleases him or he has the time.

    4. Re:Free software means freedom to hire someone by Knuckles · · Score: 1

      Which is kind of my point?

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    5. Re:Free software means freedom to hire someone by Knuckles · · Score: 1

      Who is "the auditor" here? I was talking to some random slashdot poster who claimed to have audited the keepass source code without providing any credentials or link to a result. He has no business interest at all, and as was pointed out to him this does not help 99.999..% of the people choosing a password solution. The source of the Lastpass browser extension and cli client has as much of a claim to being properly audited, though granted not the mobile apps - but do we have an unbroken chain of trust for the Keepass apps?

      At some point you are going to trust someone. You are right that there are more and less smart ways to do this, but there are strong arguments for Lastpass for real-world use cases, and the other poster's claims do not help. There is no perfect solution, but Lastpass is better than none at all, which is what the Keepass solution amounts to for many people, and having read the Keepass source is not a solution in itself either.

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    6. Re:Free software means freedom to hire someone by Knuckles · · Score: 1

      Oops, sorry about my other post, I was thinking that this belonged in the other subthread :)
      About the auditor in the current context, i.e., "anybody interested in evaluating a particular application can hire one of those 70,000 to perform and publish an audit." - no, not anybody can, this is bullshit. If my mother needs to evaluate a solution without help I believe she is better off getting a Lastpass account rather than trying to find the individuals capable of a proper audit of an open source solution

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  30. A day late and $12 short by Anonymous Coward · · Score: 0

    Of course I just renewed and paid $12 yesterday.

  31. Data breach in 9.. 8. 7.. by sTERNKERN · · Score: 0

    I do not see how it would end well.

  32. Re:Fuck you! by Anonymous Coward · · Score: 2, Insightful

    Yep. KeePass is open source and stores your password database locally (or remotely via something like WebDAV). Another alternative is to use a password hasher that regenerates all of your passwords based on a master password so that there is no stored database to be potentially compromised at all.

    There is no reason to trust LastPass or any other proprietary, third party solution with your most valuable data. Also, didn't LastPass recently get hacked?

  33. Keepass Is Not Hard At All by Anonymous Coward · · Score: 0

    I don't understand why people are making it sound like keepass is so hard to use. I also don't understand why people are so insistent upon syncing files over a network connection to be stored on an untrusted machine. Even if the data is encrypted, why transmit that data over the network? (E.g. Kerberos doesn't transmit passwords over the net.) Sneaker net is pretty secure. I use keepass on my desktop, laptop, phone, and work computer. Sometimes I have to copy my database. In case the people here on slashdot need some tech help, here is my code, GPLed of course.

    #!/bin/sh
    cp keepass.kdbx /mnt/thumdrive

    Feel free to audit that code and report back here about NSA backdoors.

  34. This is a solved problem by Dasher42 · · Score: 1

    For me, KeepassX compiled with Qt 4 or 5 does the job. I store its encrypted wallets on the cloud. Linux, Android, Windows, and Mac all work with it. What's LastPass got that I should be interested in?

    1. Re:This is a solved problem by Sneftel · · Score: 1

      Not a ton. LastPass has better 2FA support, and you might prefer one UI to the other, but ultimately the two solutions are pretty similar in approach.

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  35. Free? It cost $8 on the Humble Bundle by Nyder · · Score: 1

    https://www.humblebundle.com/l...

    Last Pass is part of the "LifeHackers" Humble Bundle. Cost just under $8 for it (and others).

    Guess that's okay because it's charity right?

    But the $1 for Directory Opus is a great deal.

    --
    Be seeing you...
    1. Re:Free? It cost $8 on the Humble Bundle by Anonymous Coward · · Score: 0

      That's the premium version, you fucking retard.

  36. That's great by hackel · · Score: 0

    I'll continue to encourage this for grandma and other family members that need an easy solution, but to anyone who really cares about privacy and security, a proprietary, closed-source, cloud-based solution is simply not an option. I have used and enjoyed KeePass (and KeePassX) for years. They are fully open source, and, along with KeeFox and Keepass2Android, very well-integrated solutions. They use high cryptography, and you can achieve the cloud storage benefit if you want by storing your files on a Google Drive, Dropbox, etc. Highly recommended for anyone with the skills to use it over something like LastPass.

  37. Why CNET? by alexru · · Score: 2

    Why is this going to fking CNET instead of the LastPass blog? Here is the actual article https://blog.lastpass.com/2016...

  38. Re:Fuck you! by MrNiceguy_KS · · Score: 4, Insightful

    Yep. KeePass is open source and stores your password database locally (or remotely via something like WebDAV). Another alternative is to use a password hasher that regenerates all of your passwords based on a master password so that there is no stored database to be potentially compromised at all.

    There is no reason to trust LastPass or any other proprietary, third party solution with your most valuable data. Also, didn't LastPass recently get hacked?

    And if you want to sync passwords across devices, just keep the KeePass database in a cloud storage account. In the event that your cloud account is breached, the database is still encrypted

    --
    Redundancy is good And also good.
  39. Re:Fuck you! by Anonymous Coward · · Score: 0

    (or remotely via something like WebDAV)

  40. My solution by Anonymous Coward · · Score: 0

    I use a combination of Keepass, Cryptomator, and Google Drive.
    All of my clients have google drive, cryptomator, and Keepass and they all access the same keepass data file that is encrypted via cryptomator on google drive. The key for me is that all of the packages are available on a wide variety of clients: iPhone, Windows, Mac, Android, etc.

  41. I prefer Roboform because ... by NuttyBee · · Score: 1

    I can put their portable app on my thumbdrive, plug it into a Windows PC, (e.g. my work PC) and it plugs itself into Firefox/Iexplore. When I remove the drive, the application disappears. Nothing is left on the work PC.

    That alone is worth $20/yr to me.

  42. confused by superwiz · · Score: 1

    How's the whole concept different from keeping an encrypted file with all the credentials stored in a dropbox folder?

    --
    Any guest worker system is indistinguishable from indentured servitude.
  43. Mumbo jumbo by Anonymous Coward · · Score: 0

    "Encrypted vault in the cloud"? Do people even hear the words that come out of their mouths any more?

    1. Re:Mumbo jumbo by KozmoStevnNaut · · Score: 1

      Thanks to the wonders of browser extensions, I read it as ""Encrypted vault in the butt".

      And no one is sticking their hands in my butt. At least not until we've gone on at least 4 or 5 dates. Let me tell ya, German girls are freaky.

      --
      Eat the rich.