
Potent LastPass exploit underscores the dark side of password managers

Didn't click the link, but I've always felt that an online password manager is a target for hackers.

I have a complex base password I can remember with some parts where I dynamically substitute some characters. I only have to remember which characters I chose for that particular site/service. If I have to write it down, I don't need to write down the entire password. Just the chosen substitutions, which I can obfuscate.
 
I'm getting tired of making secure passwords and keeping them in a small notepad, so I've been considering Dashlane and LastPass, which seem to be the most highly rated. I was leaning toward Dashlane and this incident (the second for LastPass) will probably solidify my decision.
 
Dashlane's ads made it seem like copycat shovelware.
 
The security of KeePass can only be as safe as the security of the OS. There are a few hacking tools that can extract passwords like KeeFarce and probably other password managers.
 
Thanks bono, that's a good observation.

What I'd like to see is some detailed responses why people support what they do.

I preferred SiC for these reasons:

- doesn't get stored on their side
- 256 bit encryption
- Even if your mobile device isn't encrypted, the DB on the phone still is encrypted
- ease of use, $5 to sync from desktop to cloud to mobile
- can use quite a few different cloud sync solutions (I am storing my DB on Google Drive)
 
I don't have a problem with LastPass, I have a problem with anything that automatically fills in my user/pass. I have this disabled. So if you can spoof the URL and phish me, that's my fault, not the fault of my password manager.

Interesting point. Had thought to see how password managers deal with spoofing. But, I will pick up something - keeping a pocket notebook filled with usernames and passwords isn't fun and isn't conducive to changing passwords as often as I should.
 
I use KeePass variants because they're libre software, and on every platform I expect to be on. I keep my database backed up on mega/spideroak, and I can boot to a live CD on a foreign machine, access my passwords, then leave without a trace.
 
Cool, thanks. How do you like spideroak? Been looking at that for a while..
I'm just using their free tier (2gb iirc), and it works well. It's never been unavailable when I needed it. Sensitive files I gpg encrypt before upload.

I also use mega, primarily for work files. I trust mega less, but their free tier is much more generous (50gb). I don't tend to trust "cloud" computing in general, but it's sometimes useful. I'm always cognizant of what I'm moving through the net and adjust my behavior/service use accordingly.
 
Pen/Paper is safer. Only a handful of people are likely to have potential access with it, in comparison to millions.
 
That is probably true, but where would be the best place to store it? And what if you need access from outside your house?
