LastPass Makes Password Management Free Across All Of Your PCs, Tablets and Smartphones (cnet.com)

← Back to Stories (view on slashdot.org)

LastPass Makes Password Management Free Across All Of Your PCs, Tablets and Smartphones (cnet.com)

Posted by msmash on Wednesday November 2, 2016 @02:45AM from the free-stuff dept.

LastPass on Wednesday announced that its popular password manager will now be free for all to use. LastPass previously charged a fee of $12 per year to sync passwords across multiple devices, such as a computer, tablet or phone. From a report on CNET: To entice newcomers, the service allowed you to access select features for free on either the web or on a mobile device, but syncing between the two required a premium membership. Not anymore -- that service is now free. LastPass is one of the best known and most trusted password managers. Its main purpose is to store all of your passwords in an encrypted vault in the cloud. The vault can only be opened using a master password that only you know. LastPass doesn't store the master password or have access to it, which means even if its servers were to be breached, your precious passwords would remain encrypted and protected.

138 of 234 comments (clear)

Min score:

Reason:

Sort:

No news at 11 by TimothyHollins · 2016-11-02 02:48 · Score: 3, Insightful

I don't see anything newsworthy here at all. Did some sneaky little marketer pay for someone's lunchy-lunch yesterday?
Bad Slashdot, bad!
A Master Password.... by Bing+Tsher+E · 2016-11-02 02:49 · Score: 1

...that only you transmit up to 'the cloud' anytime you want to use any of your passwords, anywhere.
I know it isn't quite that simple or risky, but it's rather close.
Password Managers, by design, serve the function of reducing your security.
1. Re:A Master Password.... by Jawnn · 2016-11-02 02:51 · Score: 4, Informative
  
  ...that only you transmit up to 'the cloud' anytime you want to use any of your passwords, anywhere.
  I know it isn't quite that simple or risky, but it's rather close.
  Password Managers, by design, serve the function of reducing your security.
  That's not how it works.
2. Re:A Master Password.... by suutar · 2016-11-02 03:02 · Score: 5, Informative
  
  from How It Works:
  Local-Only Encryption
  User data is encrypted and decrypted at the device level. Data stored in the vault is kept secret, even from LastPass.
  Now, you don't have to believe that if you don't want to, but unless you have evidence I'm gonna say you appear to be mistaken in your understanding of how it works.
3. Re:A Master Password.... by silas_moeckel · 2016-11-02 03:04 · Score: 2
  
  Or ya could use keepass across all your devices without using somebody shared hosting.
  
  --
  No sir I dont like it.
4. Re:A Master Password.... by Anubis+IV · 2016-11-02 03:07 · Score: 5, Informative
  
  I don't use LastPass, but they make it abundantly clear that all encryption and decryption is local-only, done on-device, not in the cloud, so that they never have access to the information in your vault. From what I can gather, their cloud is little more than a sync engine between devices, rather than the place from which you access your data.
5. Re:A Master Password.... by hsmith · 2016-11-02 03:25 · Score: 3, Informative
  
  If you have a keylogger installed then none of your passwords you'd be storing are safe anyway. A useless fucking point.
6. Re:A Master Password.... by MightyYar · 2016-11-02 03:33 · Score: 2
  
  Password Managers, by design, serve the function of reducing your security.
  That's too simplistic. They can both increase your security and decrease other aspects at the same time. If they make it feasible to have different login credentials for every site, that will increase your security. Since they also create a single point of failure to your entire kingdom, that will decrease your security.
  Here's my analysis - please point out any logical flaw: if I use the same credentials on many web sites, an attack on a single web site is just as damaging as someone installing a keylogger on my PC/phone. By using a password manager, I can use a different set of credentials for the hundreds of different sites that I use, making me immune to any one of them being hacked. The single point of failure makes it slightly easier for a hacker to gain access to any of those sites, but I'm not sure I lose any security in practical terms because if they have a way to extract my memorized password, they can just wait patiently for me to access the target website, or they can any other passwords that I type for other sites - knowing that there will likely be some overlap.
  
  --
  W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
7. Re:A Master Password.... by EmeraldBot · 2016-11-02 03:37 · Score: 4, Informative
  
  Oh look at that, a shill posting a boilerplate explanation from his company's own website.
  Unless you have "evidence" to the contrary, I'm gonna say that your opinion is irrelevant because it isn't your own, your corporate pimps handed it down to you and you sucked it up like the good little whore you are.
  This is where we thank the wonders of open-source, so you can freely read the code and see for yourself how it works.
  Not that I suspect, of course, that you ever have done that, ever wanted to do that, or ever will do that. At least I'm the honest whore.
  
  --
  "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
8. Re:A Master Password.... by butzwonker · 2016-11-02 03:39 · Score: 1, Insightful
  
  These kind of "promises" by closed-source software security companies are rather worthless. If they want to, they'll have all your passwords, since they provide the software. Another question is whether they can be legally subpoenaed or forced by a national security letter to get your passwords by somehow modifying the way their software works. Probably not, but this may be a grey zone in the US.
  But the real problem with closed-source software security solutions is that the company can do whatever they want and make their software as buggy as they wish (to save development cost, or out of incompetence), and you'll only ever know if somebody publishes an exploit. Which is what usually happens. Open source forces you to be way less sloppy, because there will always be some "annoying prick"(TM) who actually looks at your source code and points out its flaws.
9. Re:A Master Password.... by boskone · 2016-11-02 03:53 · Score: 1
  
  what were the results when you popped it in the debugger on the last update? Anything interesting? I'm trying to decide on a pass manager because i'm not going to let FB take over, and sites are idiotic with their various rules/etc.
  could sites at least tell you what the password rules are ON THE LOGIN SCREEN so that I can determine which password I likely used?
10. Re:A Master Password.... by Lopton · 2016-11-02 03:56 · Score: 2
  
  This is also not true with default settings from LastPass, by default last pass won't let you login from an unknown device or unknown location, it will send an e-mail to a account you specify and require you to click the link to allow access from the remote location. Also you can secure access like I do with a physical token (Yubikey).
11. Re:A Master Password.... by 110010001000 · 2016-11-02 03:56 · Score: 1
  
  That is only one side of the code (that they are presumably using in their closed source client). Where is the rest?
12. Re:A Master Password.... by LiENUS · 2016-11-02 04:00 · Score: 2, Interesting
  
  Since LastPass is open source whats your complaint?
  https://github.com/lastpass/la...
13. Re:A Master Password.... by 110010001000 · 2016-11-02 04:09 · Score: 1
  
  That is only half of the side of the conversation. Where is the other half?
14. Re:A Master Password.... by Anonymous Coward · 2016-11-02 04:10 · Score: 1
  
  Hmm, that's not quite true: without using a password manager, only the passwords that you type while the keylogger is installed would be unsafe! If you don't log into some account, then a keylogger is not going to log that password and that password will clearly not be compromised. Whereas with a password manager, as soon as your master password is typed, all your passwords are compromised. (Unless you are clever and do some manual obfuscation on your passwords in your password manager...)
  But a password manager still seems a safer bet than other alternatives (e.g. what most people do, lazily using one password everywhere)...
  Like many things in our imperfect universe, there is no perfect solution. :)
15. Re:A Master Password.... by EmeraldBot · 2016-11-02 04:15 · Score: 3, Informative
  
  That is only one side of the code (that they are presumably using in their closed source client). Where is the rest?
  Ermm... This is pretty much a full blown client, which it says right on the giant README. On phones you have a point, but on the desktop you can use this and be guaranteed it's the same client. As for the rest, what does it matter? You see your password is being encrypted, and you can check it's not backdoored. If you trust modern encryption at all, then you know your secrets are safe because there's no way to crack your passwords unless your master password is literally "1234". If you don't trust encryption, well, I'm afraid you're a little out of luck for security then. :)
  
  --
  "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
16. Re:A Master Password.... by DRJlaw · 2016-11-02 04:22 · Score: 1
  
  That's not the complete corresponding source code to everything in the executable.
  If you were as awesome as your paranoia suggests than you wouldn't need source code in addition to the debugger, now would you?
  Step through the program and capture the traffic like a real security researcher. If the obfuscated C contest hasn't already proven that the things that you haven't actually bothered to do with the keepass source code can't save you, nothing will.
17. Re:A Master Password.... by LiENUS · 2016-11-02 04:29 · Score: 1
  
  If the client doesn't send the master password and only sends an encrypted blob,how the hell do you think they manage to decrypt it on the server?
18. Re:A Master Password.... by unixisc · 2016-11-02 04:31 · Score: 1
  
  Except that it is
19. Re:A Master Password.... by Chelloveck · 2016-11-02 04:31 · Score: 1
  
  The nice thing about KeePass is that the database format is documented and the encryption can be done with gnupg. There are other clients available, or write your own. I use my own command-line Python script to read/write the DB on my computers and a third-party client on my phone, with Google Drive to keep them in sync.
  
  --
  Chelloveck
  I give up on debugging. From now on, SIGSEGV is a feature.
20. Re:A Master Password.... by bigfinger76 · 2016-11-02 04:47 · Score: 1
  
  But you will be typing in your master password, which makes everything else moot.
21. Re:A Master Password.... by mlts · 2016-11-02 04:48 · Score: 1
  
  As a compromise, I have started using an app (mSecure) that offers a different encryption key for what is syncs with Dropbox or iClouyd, as it does for the local device. The nice thing about this is that one can use a very long password (32+ characters) for the file that is stashed on the cloud, while having a much shorter key for the app that is sitting on an already encrypted device.
  I don't trust a service that is dedicated to storing passwords. It is an obvious target. Yes, one has an encryption password, but those tend to be relatively short so one can access it on a device without taking too much time. Even if their system is secure, how can one be assured that they don't push out an update that might save the decryption password somewhere else. In a two tier system where the password manager rides atop a cloud provider, it would require an attacker to compromise both the cloud provider account and the password manager in order to get access.
  Ideally, the password manager of choice would be one that would have all endpoints use RSA keys. When adding a new device for access to the password database, its key would be "introduced" by an existing device, and the master decryption key encrypted by the device's public key. For a general purpose Web browser, JavaScript and HTML5 support key generation and use, so for that browser session, a temporary key can be used and "introduced" by another device, perhaps stored locally, or if the user is using a client cert, use that as a means of decryption somehow. Just for recovery's sake, if the user wanted, they could input (or have generated for them) a long recovery string. This can even be done with existing formats. The OpenPGP file format can easily handle multiple keys, be it public keys or symmetric passphrases.
  This way, the password database stored on the cloud provider has no password to be easily brute forced.
22. Re:A Master Password.... by suutar · 2016-11-02 04:57 · Score: 1
  
  yep, that's why I said you can believe it or not, as you choose.
23. Re:A Master Password.... by suutar · 2016-11-02 05:01 · Score: 1
  
  nope, I don't work for them or even use their product. I just read the website. (Though not completely - I did overlook the more applicable quote "Private Master Password: The user’s master password, and the keys used to encrypt and decrypt user data, are never sent to LastPass’ servers, and are never accessible by LastPass.")
24. Re:A Master Password.... by houghi · 2016-11-02 05:06 · Score: 1
  
  When talking about companies and security I do not believe anything. They must give proof, because I have no idea if it is marketing or the developers who tell me that it is encrypted or decrypted on the device level.
  Sure, I might guess that something is done, but perhaps they use a backdoor.
  Please give me a reason why I should trust a company or government when I want something to be kept a secret. Hint: I don't.
  To me believe has no place when it comes to security and trust.
  
  --
  Don't fight for your country, if your country does not fight for you.
25. Re: A Master Password.... by TuballoyThunder · 2016-11-02 05:33 · Score: 3, Insightful
  
  Unless you are making your own CPU, firmware, compilers, personally audit every line of code, etc, I guarantee you that you hit the "I believe" button somewhere along the way.
  Going for absolute security is a great navel-gazing exercise. Pick the security boundary you are comfortable with and realize that you have no control outside the boundary. Hopefully you pick a boundary that fails gracefully.
  I personally do not believe open source is any more secure than closed source in any practical sense.
26. Re:A Master Password.... by RandomSurfer314 · 2016-11-02 05:41 · Score: 1
  
  I'm saying that you shouldn't believe them, based on experience and a vast history of failures of private security companies. That's not "as you choose".
27. Re:A Master Password.... by kevmeister · 2016-11-02 06:21 · Score: 4, Interesting
  
  Calling anyone who disagrees, especially when they point out that you are wrong, a "shill" is just the same as any unsupported BS from a presidential candidate. Null content.
  Several years ago I had the job of evaluating LastPass for $DAY_JOB. I tested it by capturing the data uploaded to the network and confirmed that it was AES encrypted using my password on my system and the data was all encrypted before leaving my system. the master password was never transmitted in any form that I could find. No traffic was generated to/from any other port or location.
  While it is true that things might have changed since then, the server remains open source and you can confirm that it does not ever touch the master password in any form. More importantly, the system is heavily examined on a continuing basis by security researchers and, while vulnerabilities have been found, reported, and fixed, there has never been any question of the master password leaving the client.
  With well over 100 unique, random, long passwords, some only used once or twice a year, I really lack other options than a password vault in a world where accounts might need to be accessed from a desktop, two laptops, and two phones running six OSes (2 VMs and one dual boot).
  
  --
  Kevin Oberman, Network Engineer, Retired
28. Re:A Master Password.... by tempo36 · 2016-11-02 06:37 · Score: 1
  
  And even if your master password gets keylogged, 2FA is easy to set up on Lastpass (and maybe on other platforms...I only have experience with Lastpass). Keylog my master password as much as you like.
29. Re:A Master Password.... by fph+il+quozientatore · 2016-11-02 06:44 · Score: 1
  
  That's only the command-line client. Is the source for the browser extensions available?
  
  --
  My first program:
  Hell Segmentation fault
30. Re:A Master Password.... by wendyo · 2016-11-02 06:46 · Score: 1
  
  Here you go: https://github.com/lastpass/la...
31. Re:A Master Password.... by Anubis+IV · 2016-11-02 07:59 · Score: 1
  
  As long as LastPass' software is not open-source, you can only hope they are telling the truth. I can put keepass in a debugger and see what it does.
  1) It is open source. The command-line underpinnings are available here on github, and you can easily look at the source for any extension by just navigating to it in your file system and opening the various files. Admittedly, the desktop GUI and cloud backend aren't available, but neither is necessary for verifying that the cloud never receives data it can decrypt, and neither is necessary to use the app.
  2) Given that you said "I can put keepass in a debugger", rather than "I have put keepass in a debugger", it's pretty clear that it's not something you've ever done. Likewise, I'd wager you're like the rest of us and have never confirmed that someone you know and trust has done a security audit of KeePass*, so it's fair to say that you've been placing your trust in blind faith to keep KeePass secure.
  3) Since you're relying on blind faith for security, either you don't actually care about security, even though you may think otherwise, or else "if it's not open source, I don't trust it" has become a form of dogma for you (i.e. "open source" = "stamp of approval"), rather than being the practical means for ensuring better security that it's supposed to be (i.e. "open source" = "now it's up to us to review the code").
  More or less, it's abundantly clear that you didn't look into LastPass at all and that you're not holding KeePass to the same standard you're applying to LastPass, so it's rather disingenuous to suggest that the issues you've raised are any sort of genuine concern you actually have. As it so happens, I strongly agree that open source is a great means for providing enhanced security, but I also recognize that I can't treat it as a religion, so if I'm not reviewing the code or confirming that someone trustworthy is, then it might as well be a closed source black box, for all the good its openness is doing me.
  *I'm not saying KeePass has never had a security audit. I'm expressing my doubt that you ever bothered to check.
  (Disclaimer: As I said in my previous comment, I've got no horse in this race. Both seem like decent apps, so far as I can tell.)
32. Re:A Master Password.... by Anubis+IV · 2016-11-02 08:14 · Score: 1
  
  While it would be incredibly naive for me to share my info with you, an AC, given that I'd have no recourse against you if you abused it, the same is not true for established companies. If I share my credit card number with a retailer or reputable online company in exchange for goods and services, I have recourse against them if they abuse that number or fail to live up to their end of the contract. As such, it's perfectly reasonable for me to do so.
  In this case, LastPass has said that their service includes a particular feature. Should it later be discovered that that wasn't true, their users (which I'll repeat do not include me) have recourse against them. But even if that's not enough for you, as others posted above, LastPass' underpinnings are open source, so feel free to look them over yourself.
33. Re:A Master Password.... by Rick+Schumann · 2016-11-02 08:40 · Score: 1
  
  Personally I'd rather not take any chances about who is and is not telling the truth about what they're doing and just keep my own passwords.
34. Re:A Master Password.... by Anubis+IV · 2016-11-02 10:17 · Score: 1
  
  Before I answer that, answer this to yourself: if it's available, do you have any plans to review the code yourself or check to see if others have, or is this just a case where you'll feel safer knowing the code is available, even though you have no intention of verifying that the feeling has a basis in reality?
  I feel compelled to ask that up front, because if you were actually concerned about whether your password manager's code was trustworthy or whatnot, you'd already know that browser extensions are just packages of web standard files located in the extensions folder for your browser (e.g. instructions for finding Chrome extensions on your system). That's just as true for whatever your current password manager is as it is for this one. It's fine that you didn't know that, but hopefully it tells you something about what you're actually trusting for your security.
  If you're never going to verify that the code is what it claims to be, then having it available isn't doing you any good, other than providing some warm fuzzy feelings. That's a trap that most of us fall into, myself included, and it's something that we as a community need to be shaking each other out of.
35. Re:A Master Password.... by Anubis+IV · 2016-11-02 10:51 · Score: 1
  
  These kind of "promises" by closed-source software security companies are rather worthless. If they want to, they'll have all your passwords
  1) They're open source: https://github.com/LastPass/la...
  2) The only way they "have all your passwords" is as an encrypted blob. See #1 if you want to confirm it for yourself.
  3) Your master password that could decrypt that blob never leaves your system.
  And then there's this discussion about the quality of code in KeyPass, which seems to call into question some of what you said. While your ideas about open source probably work fine as generalizations, they should not be stated as absolutes, since they oftentimes fail in particular instances.
36. Re:A Master Password.... by irrational_design · 2016-11-02 11:22 · Score: 2
  
  Unless you are on the Apple ecosystem, then keepass is a nightmare to set up (YMMV, but that has been my experience). LastPass on the other hand just works.
37. Re:A Master Password.... by silas_moeckel · 2016-11-02 13:13 · Score: 1
  
  No idea how you could find it hard to setup, install and pull in some addons.
  
  --
  No sir I dont like it.
38. Re:A Master Password.... by fph+il+quozientatore · 2016-11-02 21:02 · Score: 1
  
  You know Javascript can be obfuscated, right?
  
  --
  My first program:
  Hell Segmentation fault
39. Re:A Master Password.... by Anubis+IV · 2016-11-03 01:18 · Score: 1
  
  Any piece of code in any language can be obfuscated. Obfuscation is not unique to JavaScript, it'd be just as much of a purely hypothetical concern with any other random piece of open source code, and it doesn't change the fact that the code is available, which was what you were asking.
  You have no reason to believe that they've made any attempt at obfuscating the code, so other than spreading FUD, why mention it? I mean, are you also concerned that the open source code for the CLI component may be written in BF? It could be, for all you know. Have you checked? You might want to raise that as a concern too...
40. Re:A Master Password.... by fph+il+quozientatore · 2016-11-04 03:57 · Score: 1
  
  I am not spreading FUD. I am just asking. I am not the one who is claiming that the source is available. And no, I don't consider the fact that it's a browser extension an automatic guarantee that the source code for every single part of it is available in human-readable form. Because of obfuscation, because there is the possibility of compiling other languages to javascript, and because maybe they did not release the whole toolchain. Moreover, the docs on their site mention a "binary component" of the browser extension, https://helpdesk.lastpass.com/..., which makes things even more confusing for me. I don't see a "clean" github repo for the browser extension as I see one for the CLI.
  
  --
  My first program:
  Hell Segmentation fault
41. Re:A Master Password.... by Shikaku · 2016-11-04 05:54 · Score: 1
  
  I want money for liking a company too. LastPass is good, now where's my check LastPass?
42. Re:A Master Password.... by wwphx · 2016-11-06 03:40 · Score: 1
  
  Seconded for mSecure. I've been using it since I switched from a Palm Pilot to an iPod Touch back around '08 or so. Palm had a very nice third party encrypted note pad program, but Palm self-destructed and that's all to be said about that. While I consider the interface for mSecure just a tiny bit clunky, I am quite fond of the program and I recommend it to anyone who uses the iOS infrastructure. It's not free, but it was well worth the money.
  
  --
  When you sympathize with stupidity, you start thinking like an idiot.
43. Re:A Master Password.... by mlts · 2016-11-06 11:30 · Score: 1
  
  I also like the fact that mSecure doesn't have to have its own website for syncing one's devices. LastPass gets me a tad leery with some of the features, be it allowing someone to access your password stash, easy password resets, and other items. If LP can reset my password via 2FA, then a bad guy can do the same. With mSecure, if I lose my sync password or endpoint passwords, there is no recovering the data other than brute force, and that's how I prefer it.
Your master password is still vulnerable by HBI · 2016-11-02 02:49 · Score: 1

This is where a hardware token or some kind of biometrics could be beneficial, in combination with the password manager.

--
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
1. Re:Your master password is still vulnerable by Lopton · 2016-11-02 03:57 · Score: 2
  
  Lastpass Premium integrates with the Yubikey.
2. Re:Your master password is still vulnerable by nicolaiplum · 2016-11-02 03:57 · Score: 1
  
  Laspass Premium supports Yubikey.
  (I have no connection with lastpass other than being a customer)
  
  --
  "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
3. Re:Your master password is still vulnerable by HBI · 2016-11-02 04:17 · Score: 1
  
  I know a lot of products are supporting the Yubikeys. That would be a good option.
  
  --
  HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Still charging for two factor support by Froze · 2016-11-02 02:50 · Score: 1, Interesting

Which is why I still don't use it. If they really wanted to bolster security then MFA should really be standard, IMHO.
I will just leave this here...
http://keepass.info/help/kb/yu...

--
-- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
1. Re:Still charging for two factor support by portnoy · 2016-11-02 03:05 · Score: 2
  
  According to their website, a number of forms of 2FA are available free. The free options largely involve either one-time verification codes like Google Authenticator or push notifications to your smart phone. Premium is required for Yubico, Sesame, and windows fingerprint recognition.
This service is brought to you by NSA by ugen · 2016-11-02 02:51 · Score: 1, Funny

Because someone's got to pay for it.
Why? by AmiMoJo · 2016-11-02 02:52 · Score: 4, Interesting

Can someone explain why I would want to have Lastpass hold the keys to my kingdom when I could just use a trusted, open source option like Keepass with a private server or free account on any number of cloud storage services? Browser plug-ins aren't exactly known for their great security.

--
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
1. Re:Why? by ljw1004 · 2016-11-02 03:08 · Score: 1
  
  Can someone explain why I would want to have Lastpass hold the keys to my kingdom when I could just use a trusted, open source option like Keepass with a private server or free account on any number of cloud storage services? Browser plug-ins aren't exactly known for their great security.
  Lastpass (the company) doesn't hold the keys to your kingdom. Their servers only store an encrypted blob that they (the company) can't decrypt. It only ever gets decrypted locally on your machine at the moment you type in your master password.
  Why would you want Lastpass? Because (1) it's really convenient - 99% of the time you want to enter a password it's the password to a web-page, and LastPass is already there; (2) you've heard from lots of security professionals that lastpass security is adequate.
2. Re:Why? by ljw1004 · 2016-11-02 03:21 · Score: 4, Informative
  
  "Their servers only store an encrypted blob that they (the company) can't decrypt". You don't know that. Unless you can see the source you don't know anything about it.
  Technically true. But let's look at the equivalent Keepass steps:
  1. Download source code for desktop version
  2. Audit it
  3. Compile it locally
  4. Optional: encrypt the binary and store it somewhere in (say) dropbox if you want to avoid steps 1-3 each time in future
  5. Download source code for iOS version (say)
  6. Audit it
  7. Purchase $100/year Apple developer license
  8. Compile it locally
  9. Deploy the binary to your iOS device
  Unless you've gone through steps 1-9 yourself, then the difference between "trusting Keepass" and "trusting Lastpass" are immaterial.
3. Re:Why? by 110010001000 · 2016-11-02 03:26 · Score: 3, Funny
  
  Bound by their own policy? Comical. Is that like "Do no evil"?
4. Re:Why? by 110010001000 · 2016-11-02 03:28 · Score: 1
  
  No it isn't. I trust open source developers a hell of a lot more than I do any closed source company trying to make a buck. Ridiculous.
5. Re:Why? by Anonymous Coward · 2016-11-02 03:30 · Score: 1
  
  Because LastPass is providing convenience for those of us who don't want to be InfoSec sysadmin professionals maintaining a private server as their hobby.
6. Re:Why? by 110010001000 · 2016-11-02 03:31 · Score: 1
  
  Yes. How could I verify "the blob on the server" is the same as what is passed up? If you can't see the source you have no idea what they are doing.
7. Re:Why? by ljw1004 · 2016-11-02 03:33 · Score: 1
  
  No it isn't. I trust open source developers a hell of a lot more than I do any closed source company trying to make a buck. Ridiculous.
  Ah, now you're shifting goalposts. Your first was "you can't *know* it's secure". Now it's down to a personal trust preference. My personal trust preference is that I trust the Lastpass developers more than the Keepass developers.
8. Re:Why? by Anonymous Coward · 2016-11-02 03:35 · Score: 1
  
  And yes, you can be sure, for example by inspecting packets and seeing for yourself that all your machine is sending is a binary blob.
  And you know exactly jack shit about the contents of that blob, or whether it's even truly encrypted or merely obfuscated. Don't go calling other people "braindead" when you don't have the first fucking clue what you're talking about yourself. Their "policy" means nothing, and I very seriously doubt you have the legal knowledge to know exactly how far their liability extends.
9. Re:Why? by idji · 2016-11-02 03:36 · Score: 2
  
  Keepass users are more tech-savvy than Lastpass users. Different customers.
10. Re:Why? by mrlinux11 · 2016-11-02 03:36 · Score: 2
  
  They could encrypt it and send it up. The question is how good is the encryption and the password you used to generate the key. If they use a combination of symmetric key for the bulk encryption and asymmetric key (generated from Password) to encrypt the symmetric key. Then they could encrypt everyone's data with the same symmetric key and encrypt it with the asymmetric key to make it look secure. So now the NSA can get access to everyone's userid and password
11. Re:Why? by 110010001000 · 2016-11-02 03:38 · Score: 1
  
  I'm not shifting anything. You can't know Lastpass is secure. You don't have the source. You have no idea what they are doing. They might be storing your password in plaintext. I also trust open source developers rather than some closed source company. It really isn't that complex to understand.
12. Re: Why? by 110010001000 · 2016-11-02 03:42 · Score: 1
  
  Thanks! Where is the server side code? That is just the interface to LastPass.com.
13. Re:Why? by ljw1004 · 2016-11-02 03:42 · Score: 1
  
  You also can't know that your installation of Keepass is secure unless you've done steps 1-9. Have you? If the answer is no for you or anyone you're advising, then you should remove "know it is secure" from your list of arguments.
14. Re:Why? by 110010001000 · 2016-11-02 03:44 · Score: 1
  
  Yes I have. It is 100% secure. I have audited the code. So how do you know Lastpass is secure? I await your response.
15. Re:Why? by 110010001000 · 2016-11-02 03:45 · Score: 2
  
  I guess I never realized that breaking a company policy was illegal. Thanks for the tip!
16. Re:Why? by ljw1004 · 2016-11-02 03:49 · Score: 1
  
  I haven't audited the code for Keepass. So my knowledge of the security of Lastpass and Keepass is equal (as it is for almost everyone else). So any advice you give to me or anyone else in my position shouldn't be based on your "knowledge" argument. And anytime you trot out your knowledge argument you should accompany it with the big caveat that it only applies to people who did steps 1-9.
  PS. You said you audited the code. I assume you meant "and I also compiled it locally and I also paid $100/year apple tax (unless you're an android user and you don't share your passwords with any family members who are iOS users) and I deployed all those locally compiled binaries too."
17. Re:Why? by 110010001000 · 2016-11-02 03:51 · Score: 1
  
  Correct. I have audited the code and I know it is secure. So basically you have no idea if Lastpass is secure, BUT you COULD find out if Keepass is secure if you audited the publicly available code. With Lastpass you don't have that option. You are basically trusting some company to do the right thing. Good luck with that.
18. Re: Why? by 110010001000 · 2016-11-02 04:07 · Score: 1
  
  You have no idea if they are running that code in their closed source clients, and you have no idea what is being transmitted to the server. You do have to trust someone, but Internet companies have proven to be untrustworthy.
19. Re:Why? by tepples · 2016-11-02 04:12 · Score: 1
  
  Look up "tort of deceit" and "non-disclosure agreement" and "false advertising". Even if it isn't a crime, it can still be grounds for a civil suit.
20. Re: Why? by tepples · 2016-11-02 04:17 · Score: 1
  
  If you can verify that the vault always leaves your machine encrypted
  How is that possible when the GUI half of the LastPass client is not part of the lastpass-cli repository or any other repository owned by the LastPass organization?
21. Re:Why? by Anonymous Coward · 2016-11-02 04:29 · Score: 1
  
  They are bound by their own policy which they show on their website.
  Why do people believe this crap? Companies break their own privacy policies all the time, and nothing happens.
22. Re:Why? by Knuckles · 2016-11-02 05:00 · Score: 1
  
  Like you have been told in the other subthread, even if you did audit Keepass this does not help you at all unless you only use selfcompiled binaries. (And did you audit the compiler too?)
  
  --
  "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
23. Re:Why? by RandomSurfer314 · 2016-11-02 05:47 · Score: 1
  
  And you're absolutely right in doing so. It's way easier to sweep issues under the carpet when you're closed-source, and every private company that wants to make money will do so if a problem arises and can be fixed silently.
24. Re:Why? by RandomSurfer314 · 2016-11-02 05:49 · Score: 1
  
  False dichotomy. Security is not a simple Yes/No matter. There is no absolute security but you can increase it, e.g. by auditing source code.
25. Re:Why? by Knuckles · 2016-11-02 05:55 · Score: 1
  
  Tell that to the other guy
  
  --
  "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
26. Re:Why? by OfficeLackey · 2016-11-02 06:10 · Score: 1
  
  Because we all have non-technical family and friends with smartphones and laptops using the same lame password for everything. This is a simple and elegant solution to help them be more secure without feeling imposed upon by "software for techies". (Don't bitch, I've used Password Safe and KeePass. They're simple, but....) It's better than nothing.
27. Re:Why? by pissoncutler · 2016-11-02 06:44 · Score: 1
  
  IMHO, KeePass has pretty clunky UI/UX compared to LastPass. Having a seamless browser-integrated experience that supports hardware MFA and works across all the OS's I use allows me to use unique 20+ char passwords (and unique usernames for more secure accounts) on all my logins, and change the passwords frequently.
  I get that everyone has an opinion, but I think the blanket statement "Keepass users are more tech-savvy than Lastpass users" is about as true as "Windows users are more tech-savvy than Mac Users". Every choice in hardware/software has some tradeoffs...
28. Re:Why? by whodunit · 2016-11-02 10:44 · Score: 1
  
  I'd use FreePAVE instead; nicer UI (no damn trees) a search feature that actually works, SQLite database, XSalsa20 instead of AES, yadda yadda. But mainly the search thing.
29. Re:Why? by AmiMoJo · 2016-11-02 10:55 · Score: 1
  
  You don't have to do it yourself. Lots of people have looked at Keepass. Given the choice, I'll take open source over closed. All other things being equal, it's much harder for the NSA/GCHQ to screw with open source software, but Lastpass is vulnerable to legal attacks.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
30. Re:Why? by Fnord666 · 2016-11-02 10:59 · Score: 1
  
  Yes I have. It is 100% secure. I have audited the code. So how do you know Lastpass is secure? I await your response.
  Did you build the version that you are using from the source that you audited, or are you trusting that what you installed has anything to do with the source that you saw?
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
31. Re:Why? by ljw1004 · 2016-11-02 11:10 · Score: 1
  
  You don't have to do it yourself. Lots of people have looked at Keepass
  Okay, you (1) trust those people to have audited the code, (2) trust the website is offering you a download binary built from the code that was audited by those people, (3) trust that no one malicious has snuck in a modified binary.
  I trust the Lastpass employees to have audited their code, and the security professionals who recommend Lastpass. I *know* that I'm getting an authentic lastpass binary because of the way the Google and Apple store works.
  It's all down to a personal question of trust. I respect that you trust the people who looked at Keepass. You should respect that I trust the employees of Lastpass. When we offer people advice, we should both be careful not to give a blanket recommendation like "it's good because it's OSS", but rather a nuanced recommendation "you should balance the convenience to you, your trust of party XYZ, and your trust of party ABC, when choosing between tools 1 and 2".
32. Re:Why? by irrational_design · 2016-11-02 11:24 · Score: 1
  
  Because LastPass just works on Macs and iPhones, while KeePass is a major pain to set up (I tried following a number of tutorials when I tried it, but was never successful, YMMV).
33. Re:Why? by Anonymous Coward · 2016-11-02 11:59 · Score: 1
  
  Correct. I have audited the code and to the best of my knowledge I believe that it is secure.
  FTFY. If, like 99.999% of people, you actually aren't qualified to audit the code then your audit means diddly squat. If, on the other hand you actually are qualified to audit the code, where have you published the results of your audit? It would be very helpful to others if you would publish your results so that they can be more comfortable with KeePass.
34. Re:Why? by denbesten · 2016-11-02 15:02 · Score: 1
  I used Keepass for about 5 years. I finally switched a week ago. The driving factor for switching was its better ability to auto-fill, especially on Android (Nougat) and MSIE (required for a few of our company apps). Lastpass's better features:
  
  Lastpass android app fills in passwords; keepassdroid requires copy/paste or switching to the Keepass keyboard momentarily.
  
  Lastpass auto-fills Chrome, Firefox, Explorer and Edge. Keepass only does Chrome and Firefox.
  
  Lastapp auto-fills windows applications, not just web browsers.
  
  Lastpass does its own sync. Keypass requires the use of something similar to One Drive, which required manually fixing occasional replication conflicts..
  
  Keepass's better features:
  
  Keeagent stored my ssh identity in my vault and made it automatically available to putty when I unlocked my vault.
  
  Lastpass does not deal well with the fact that some, but not all of the servers in my own company share common credentials. I end up storing my AD credentials in a dozen entries in lastpass. Keepass's field references worked better.
  
  Keepass is much more "do it yourself", Lastpass takes most of the hassle away at a cost of $12/year for some features.
35. Re:Why? by Anubis+IV · 2016-11-02 16:57 · Score: 1
  
  Yes I have. It is 100% secure. I have audited the code.
  Then it looks like you've got some serious 'splain' to do, since some folks have found
  a few issues with your "100% secure" assessment.
  
  So how do you know Lastpass is secure?
  Gee, I don't know. Maybe you could just audit the source code, the same as you claim did for KeePass. LastPass is open source too, after all.
36. Re:Why? by Anonymous Coward · 2016-11-03 01:16 · Score: 1
  
  I don't know how many people there are like me, but while I do develop software and hardware on a daily basis I couldn't effectively audit any code that performs any sort of encryption and prove it was doing anything in particular.
  And that's really the problem here. There just aren't that many people who understand encryption enough to prove that any given code doesn't perform the encryption in such a way that it is easily broken.
  So yeah, I COULD find out if Keepass is secure. And if I worked on that exclusive to any activities that require using something like Keepass then I would probably be safer for longer than if I just used Keepass. So trusting the binary of Keepass that I download is safe based on your recommendation is every bit as valid as trusting LastPass based on some other random dude from the internet.
Okay, what's the business model then? by Dr.+Crash · 2016-11-02 02:52 · Score: 4, Insightful

Which leaves us with the interesting question of LastPass's business model.
1) Advertising? Knowing every site you visit - AND YOUR PASSWORD?
2) "We have a benefactor". Yeah. Except that maybe that benefactor is the NSA. Or is it the GRU? Or is it the MSS (China's NSA)?
No matter how I slice it, I can't figure out an angle that isn't kinda creepy.
1. Re:Okay, what's the business model then? by Githaron · 2016-11-02 03:17 · Score: 4, Informative
  
  There are still features exclusive to premium and enterprise users: https://lastpass.com/features/
2. Re:Okay, what's the business model then? by Anonymous Coward · 2016-11-02 03:32 · Score: 1
  
  Can't come up with an original post? Paste an old tired canned response without thinking if it actually applies to the situation. What would they sell? They don't have any information about you, except your login and a collection of encrypted bits that might as well be random.
3. Re:Okay, what's the business model then? by 110010001000 · 2016-11-02 03:37 · Score: 2
  
  "What would they sell? They don't have any information about you, except your login and a collection of encrypted bits that might as well be random."
  
  How do you know that? You don't. There sure are a lot of people here claiming they know how LastPass works. Without the source being open, I wonder how they know that.
4. Re:Okay, what's the business model then? by Nemyst · 2016-11-02 03:43 · Score: 1
  
  1) They don't know your password. You should read more before commenting
  
  2) Their benefactor is LogMeIn. To them, LastPass is another tool in their arsenal to court corporations, and corporate LastPass usage is not free.
5. Re: Okay, what's the business model then? by cyber-vandal · 2016-11-02 03:45 · Score: 1
  
  Which you can do with Keepass easily enough without having to hand over anything to a third party.
6. Re:Okay, what's the business model then? by Overzeetop · 2016-11-02 03:58 · Score: 1
  
  This, more than anything else, may prompt me to switch. Not that handing my money over is any kind of guarantee of privacy, but if you're giving away nearly your entire product then it means you're making money some other way. And I'm not so sure I trust that "other way" not to be in conflict with my privacy.
  
  --
  Is it just my observation, or are there way too many stupid people in the world?
7. Re:Okay, what's the business model then? by nine-times · 2016-11-02 04:02 · Score: 1
  
  It's advertising. Though to be fair, they don't know your passwords.
8. Re: Okay, what's the business model then? by Anonymous Coward · 2016-11-02 04:21 · Score: 2, Informative
  
  Remember These,
  June 15, 2015 - LastPass Reporting a Security Breach, Including Authentication Hashes and Salts https://it.slashdot.org/story/15/06/15/2143222/lastpass-reporting-a-security-breach-including-authentication-hashes-and-salts
  January 17, 2016 - LastPass Vulnerable To Extremely Simple Phishing Attack https://it.slashdot.org/story/16/01/17/1936211/lastpass-vulnerable-to-extremely-simple-phishing-attack
  July 27, 2016 - LastPass Accounts Can Be 'Completely Compromised' When Users Visit Sites https://it.slashdot.org/story/16/07/27/1342205/lastpass-accounts-can-be-completely-compromised-when-users-visit-sites
  Could it be that the business model is incompetence?
  A staunch KeePass user.
9. Re:Okay, what's the business model then? by Last_Available_Usern · 2016-11-02 04:22 · Score: 1
  
  My assessment is their goal is two-pronged. The first is to amass the majority of this market and get even more people to embrace cloud password storage. Secondly, at some point in the future they will roll out a paid "premium" service that will help offset the costs they've been absorbing and move them into profitability. Given the expected low per-user cost I suspect it would have to be a *very* enticing service as to lure enough subscribers to move them into the black. Not sure what they could offer that would be *that* good.
Re:Biometrics are still vulnerable by Anonymous Coward · 2016-11-02 03:14 · Score: 1

This will not stop someone from 3D printing your fingerprint, or wearing a mask that looks exactly like you or even simply holding up a photograph of you. Biometrics are extremely insecure.
Re:WHo cares how it works. by Anonymous Coward · 2016-11-02 03:26 · Score: 3, Informative

They can't get stolen because they're encrypted. They could as well be public, because they're of no use to anyone who doesn't know the master password.
Android app still charging a fee by kcwebmonkey · 2016-11-02 03:31 · Score: 1

Unless they haven't updated the Android app, it's still showing this as a premium feature. I've installed it and it says "Your LastPass Premium trial will expire in 60 days". I would think if it was truly free now then I wouldn't be seeing this message.
Re:Biometrics are still vulnerable by Nemyst · 2016-11-02 03:40 · Score: 1

Biometrics can be insecure if you're being specifically targeted. The most common security breaches for regular users come from phishing, hacks or vulnerabilities in software, and those are non-targeted most of the time and would be significantly hampered by biometrics, since the hackers don't know you and don't specifically care about you.

Also, you're seemingly assuming that today's biometrics are as good as it gets, which is rather myopic. Fingerprinting will move on to finger vein matching, face recognition will include depth perception and infrared matching, iris scanning will get more popular, etc. It's like saying passwords will always be insecure because 6-character passwords are.
Re:Biometrics are still vulnerable by Stormy+Dragon · 2016-11-02 03:45 · Score: 1

The other big problem with biometrics is that once a breach does occur, you can't change to a new set of fingerprints, eyes, etc.
Conversely, if you're in some sort of accident, you now have no way to access any of your accounts.
Biometrics? by Overzeetop · 2016-11-02 03:48 · Score: 1

You mean like requiring that you log into your device (laptop, phone) with a fingerprint, an iris scan, or facial recognition in order to even open the Lastpass program - at which point you then have to put in your master password? Yeah, I think modern hardware can accommodate your request. It's not set up to be used that way, but the effective result is the same.

--
Is it just my observation, or are there way too many stupid people in the world?
1. Re:Biometrics? by tepples · 2016-11-02 04:09 · Score: 1
  
  If your biometrics are compromised, how can they be revoked and reissued without harming you?
2. Re:Biometrics? by Jumperalex · 2016-11-02 14:33 · Score: 1
  
  It is a known problem, that for which there is a lot of research going on. If you're really curious, and need to spend some time not working ;-), go on a google journey using "biometric template revocation".
  
  --
  If you can't be good, be good at it!
Re:Biometrics are still vulnerable by Anonymous Coward · 2016-11-02 03:51 · Score: 1

Conversely, if you're in some sort of accident, you now have no way to access any of your accounts.
That's why I use my dick print instead of my finger print. If I'm in "some sort of accident" life isn't worth living at that point.
Is it sad that my first thought was... by PortHaven · 2016-11-02 03:52 · Score: 1

Oh, so the NSA is paying them to make it free in exchange for a backdoor. So that the NSA can access the passwords of anyone who uses LastPass.
1. Re:Is it sad that my first thought was... by 110010001000 · 2016-11-02 03:54 · Score: 1
  
  The thing is: you never know. They could be doing the right thing now, but maybe they aren't. Or maybe the company changes ownership or gets threatened by some agency or needs some "alternative" revenue stream. You would never know because you can't know exactly what they are doing.
And who should I trust? by Overzeetop · 2016-11-02 03:56 · Score: 1

Even I I could view the source, I still wouldn't know that. I don't do cryptography or programming for a living at the level which would allow me to review the code for vulnerabilities, which puts me in with about 99.999%* of the general population. I can't verify keepass either. So I can either trust that their business model and livelihoods are based on some level of security, or I can base my trust of, say, keepass on some random set of internet users I've never met, have never seen the credientials of, and have nothing to lose if they happen to have missed a backdoor in the code during their perusal of the source.
Neither seem all that certain, tbh. I mean, TrueCrypt was open source, and rock solid. Until the day we all found out it was compromised and insecure.
*I wonder if there are even 70,000 people on earth who could effectively evaluate the entire source for vulnerabilities in their spare time, including every upgrade and change. The number may be quite a bit smaller.

--
Is it just my observation, or are there way too many stupid people in the world?
1. Re:And who should I trust? by 110010001000 · 2016-11-02 04:02 · Score: 1
  
  So you could trust a corporation, who employs people you have never met, or seen the credentials of, who wants to make money somehow off of storing your passwords, or you could trust some open source developers, or yourself if you learned enough to take a look at the source. The point is with open source you at least have the OPTION of the latter. Whether you take that option or not is up to you, but I don't trust companies. They have proven to be untrustworthy.
2. Re:And who should I trust? by Cro+Magnon · 2016-11-02 05:59 · Score: 1
  
  Open Source doesn't guarantee that the source will be audited. However, closed source does guarantee that the source WON'T be audited by anyone outside the company. Open is no silver bullet, but it's better than closed.
  
  --
  Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Time to become suspicous by stikves · 2016-11-02 03:58 · Score: 1

When LastPass was bought out by LogMeIn, I was worried that they would discontinue the service, however this seems even worse. Because in general if you're not the customer, you're the product. And in this case you're the product with all passwords stored on the cloud.
It might be time to move on to KeePass. Then again the mobile versions are not 100% from the source. So even that is a tough decision.
Re:have people been paying for that by Knuckles · 2016-11-02 03:59 · Score: 1

keepass with cloud solutions is the same thing the file itself is encrypted and depending on what cloud service you use it can be too to different degrees so why switch? keepass is used and imported by many programs and all platform that ive seen.
You don't have to switch but I sure as hell am not going to explain a keepass solution to my mum.

--
"When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
No longer need developer license to run own builds by tepples · 2016-11-02 04:15 · Score: 1

Purchase $100/year Apple developer license
That's no longer required since Xcode 7 if you're not distributing your apps, but a $150/year* sufficiently recent Mac is required, unless the computer that you already use for other things happens to be a sufficiently recent Mac.
* Estimate based on dividing the price of a Mac mini by its expected four-year update life.
Puhleaze by s.petry · 2016-11-02 04:16 · Score: 1

We all know the legal game of plausible deniability. "We didn't know Bob and Mary were skimming keys." ends any legal challenge you pose for violating their policy. Hell, that works for breaking actual laws nowadays.

--
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Free software means freedom to hire someone by tepples · 2016-11-02 04:18 · Score: 1

The point is that with free software, anybody interested in evaluating a particular application can hire one of those 70,000 to perform and publish an audit.
1. Re:Free software means freedom to hire someone by Knuckles · 2016-11-02 05:03 · Score: 1
  
  How do I know I can trust the auditor. It's not that different from trusting Lastpass at some point
  
  --
  "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
2. Re:Free software means freedom to hire someone by tepples · 2016-11-02 05:37 · Score: 1
  
  How do you know you can trust your own eyes? You think that's air you're breathing now?
3. Re:Free software means freedom to hire someone by RandomSurfer314 · 2016-11-02 05:55 · Score: 1
  
  The auditor has a vital business interest in finding bugs and making them public to you, whereas the maker of the proprietary software has a vital interest in keeping any bugs secret from you and fixing them silently whenever it pleases him or he has the time.
4. Re:Free software means freedom to hire someone by Knuckles · 2016-11-02 05:55 · Score: 1
  
  Which is kind of my point?
  
  --
  "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
5. Re:Free software means freedom to hire someone by Knuckles · 2016-11-02 06:16 · Score: 1
  
  Who is "the auditor" here? I was talking to some random slashdot poster who claimed to have audited the keepass source code without providing any credentials or link to a result. He has no business interest at all, and as was pointed out to him this does not help 99.999..% of the people choosing a password solution. The source of the Lastpass browser extension and cli client has as much of a claim to being properly audited, though granted not the mobile apps - but do we have an unbroken chain of trust for the Keepass apps?
  At some point you are going to trust someone. You are right that here are more and less smart ways to do this, but there are strong arguments for Lastpass for real-world use cases, and the other poster's claims do not help. There is no perfect solution, but Lastpass is better than none at all which is what the Keepass solution amounts to for many people, and having read the Keepass source is not a solution in itself either
  
  --
  "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
6. Re:Free software means freedom to hire someone by Knuckles · 2016-11-02 06:19 · Score: 1
  
  Oops, sorry about my other post, I was thinking that this belonged in the other subthread :)
  About the auditor in the current context, i.e., "anybody interested in evaluating a particular application can hire one of those 70,000 to perform and publish an audit." - no, not anybody can, this is bullshit. If my mother needs to evaluate a solution without help I believe she is better off getting a Lastpass account rather than trying to find the individuals capable of a proper audit of an open source solution
  
  --
  "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
Re:Syncing via the web is stupid... by tepples · 2016-11-02 04:22 · Score: 1

Provided the device's operating system can even mount a flash drive in a manner that KeePass can see. PCs can, but a lot of "mobile" devices* cannot. The Android operating system on Nexus 7 devices, for example, can use many USB devices through an OTG cable but not a flash drive.
* Defined as devices running a smartphone-derived operating environment, namely stock Android and iOS.
Re:Slashvertisement by IRGlover · 2016-11-02 04:36 · Score: 2

I particularly like them because the comments then provide information about better, usually open source alternatives. So they are essentially paying to have their competitors promoted instead of their products.
Re: WHo cares how it works. by dnorman · 2016-11-02 04:39 · Score: 5, Informative

each site has a unique, computer-generated password. which is stored in encrypted form and only decrypted by you when you need to retrieve that single password. if one of the 20 sites doesn't store their password properly in their database, only that password will be compromised and the other 19 are safe. This is much better than using a single super-secure-nobody-could-possibly-guess-it password for all sites.

--

It is pitch dark. You are likely to be eaten by a grue.
Re: WHo cares how it works. by mlts · 2016-11-02 04:53 · Score: 1

If I need one password, I'd like to use some form of 2FA with it, be it a key residing on a device + a PIN, a password + keyfile, or similar. Something to ward off a brute force attack.
I do this with my TrueCrypt/VeraCrypt volumes when storing those offsite. They get encrypted with a password and a keyfile, with the keyfile stashed in a secure location. This way, if the offsite account is compromised, an attacker has to deal with the entire 256-bit keyspace, as brute-forcing passwords is not an option.
Re:Fuck you! by Anonymous Coward · 2016-11-02 04:56 · Score: 2, Insightful

Yep. KeePass is open source and stores your password database locally (or remotely via something like WebDAV). Another alternative is to use a password hasher that regenerates all of your passwords based on a master password so that there is no stored database to be potentially compromised at all.
There is no reason to trust LastPass or any other proprietary, third party solution with your most valuable data. Also, didn't LastPass recently get hacked?
This is a solved problem by Dasher42 · 2016-11-02 05:49 · Score: 1

For me, KeepassX compiled with Qt 4 or 5 does the job. I store its encrypted wallets on the cloud. Linux, Android, Windows, and Mac all work with it. What's LastPass got that I should be interested in?
1. Re:This is a solved problem by Sneftel · 2016-11-02 06:15 · Score: 1
  
  Not a ton. LastPass has better 2FA support, and you might prefer one UI to the other, but ultimately the two solutions are pretty similar in approach.
  
  --
  The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
Free? It cost $8 on the Humble Bundle by Nyder · 2016-11-02 05:53 · Score: 1

https://www.humblebundle.com/l...
Last Pass is part of the "LifeHackers" Humble Bundle. Cost just under $8 for it (and others).
Guess that's okay because it's charity right?
But the $1 for Directory Opus is a great deal.

--
Be seeing you...
Why CNET? by alexru · 2016-11-02 06:36 · Score: 2

Why is this going to fking CNET instead of the LastPass blog? Here is the actual article https://blog.lastpass.com/2016...
Re:Fuck you! by MrNiceguy_KS · 2016-11-02 07:12 · Score: 4, Insightful

Yep. KeePass is open source and stores your password database locally (or remotely via something like WebDAV). Another alternative is to use a password hasher that regenerates all of your passwords based on a master password so that there is no stored database to be potentially compromised at all.
There is no reason to trust LastPass or any other proprietary, third party solution with your most valuable data. Also, didn't LastPass recently get hacked?
And if you want to sync passwords across devices, just keep the KeePass database in a cloud storage account. In the event that your cloud account is breached, the database is still encrypted

--
Redundancy is good And also good.
Re: WHo cares how it works. by dnorman · 2016-11-02 10:06 · Score: 2

wait. people agree with each other on the internet? what the hell just happened? ;-)

--

It is pitch dark. You are likely to be eaten by a grue.
I prefer Roboform because ... by NuttyBee · 2016-11-02 11:31 · Score: 1

I can put their portable app on my thumbdrive, plug it into a Windows PC, (e.g. my work PC) and it plugs itself into to Firefox/Iexplore. When I remove the drive, the application disappears. Nothing is left on the work PC.
That alone is worth $20/yr to me.
confused by superwiz · 2016-11-02 12:18 · Score: 1

How's the whole concept different from keeping an encrypted file with all the credentials stored in a dropbox folder?

--
Any guest worker system is indistinguishable from indentured servitude.
Re:Mumbo jumbo by KozmoStevnNaut · 2016-11-02 21:04 · Score: 1

Thanks to the wonders of browser extensions, I read it as ""Encrypted vault in the butt".
And no one is sticking their hands in my butt. At least not until we've gone on at least 4 or 5 dates. Let me tell ya, German girls are freaky.

--
Eat the rich.