KeePass Password Safe
been using it for a while now, works great
Originally posted by SpeckledJim: Any particular reason for the switch? I use KeePass, is there something I should know?
The solution I found for this was to use Dropbox (referral link lol). There is a Dropbox Droid app as well, so I was good to go. So, if it was working, why the change? Couple of reasons.
Even though it worked it still felt a little clunky using the Dropbox + KeePass solution. Add that I don't like using multiple apps to provide a single solution - especially when security is involved. By using KeePass + Dropbox, I'm relying on both solutions' security measures to protect what's arguably one of my most important assets.
The way I stumbled onto LastPass is probably the bigger factor though. I was doing my weekly ritual - listening to SecurityNow! w/ Steve Gibson and Leo Laporte (highly recommended btw), and discovered I'd missed an episode over the summer. Topic? LastPass Security (link). Now, I'm a huge Gibson fan (GRC.com), and value his opinion highly. Listening to him explain LastPass sold me on it (figuratively, since I'm using the free version lol). I recommend you listen to the podcast, but here are the shownote highlights:
LastPass
52:28 - 01:53:00
The Problem
* Since the early UNIX days usernames and passwords have been used to provide security
* Assuming a system is secure and password based then the one vulnerability is guessing a password
* Passwords need to be 'gibberish' and long
* E.g. 'a' is not a good password as it is easy to guess with a dictionary or brute force attack
* 'aa' is still not a good password as there are only 26^2 (676) possible 2 letter passwords which can easily be tried in a short amount of time with a brute force attack
* The longer your password is the stronger it is
* a-z, A-Z, 0-9 and +,- gives us 64 possible characters to use in a password and each character gives us 6 bits of password strength as 64 is the same as 2^6
* As you add 1 more character to the password each time you get 64 TIMES (x) more strength
The Solution
* So the problem is you want a long, gibberish password but you don't want to use the same one all the time
* This means you need many long, gibberish passwords that are hard to remember
* What you want is a way to securely manage these passwords and this is what LastPass provides
* It has plugins for many browsers to make it easy to use
* It also works on many mobile devices
* It also can generate bookmarklets which work in any browser
* LastPass can also automatically fill in forms for you and it has a secure vault where you can store notes
Is LastPass Secure?
* All the encryption is done locally on your own computer
* No one but you ever gets the key to decrypt your data and the creators have gone to great lengths to ensure this
* When you log in your email address and password are joined together although your email address is sanitized slightly by being converted to lower case and having whitespace removed
* A hash is then taken of this string using SHA 256
* This is now your cryptographic key that your system uses to encrypt and decrypt your data
* All the data held by LastPass is encrypted
* To identify yourself to LastPass they add your password to the previous hash they obtained by hashing your password and email address and then hash this string
* This hash is your unique ID
* Then you send your unique ID and username to LastPass to identify you and since this contains your password hashed into it twice, no one can produce this key but you
* So LastPass never gets your cryptographic key
* They never even save your unique ID on their servers
* Instead when you create your account they create a unique 256 bit token to save with your account
* Then when you login they take your unique ID add it to the unique 256 bit token and hash it then this is used to find your data
* LastPass also frequently backs up their database
This is great but what if LastPass goes away?
* They have a stand alone executable called 'LastPass Pocket' which is a personal database decrypter
* You can export your database in encrypted form and use this program to decrypt the data
* You can export your database in plain text into a CSV file
* Plugins also keep a local copy of this data, and all plugins can export your data
LastPass' additional comments here:
* You don't need Pocket as the extensions for IE, Firefox, Chrome, Safari and every mobile application keep an up to date copy locally which you always have access to even offline
* You can export your data back into IE or Firefox with the plugins
* Steve recommends using 10 character passwords containing upper and lowercase letters and digits
* This is 5.94 binary bits of equivalent strength
* 5.94 * 10 = 59.4 equivalent bits of binary strength
* 2^59.4 = 7.6 X 10^17 possible combinations of passwords
* LastPass is free except for some mobile applications
* LastPass does reserve the right to display ads, although they currently do not
* There is a premium version for $12 a year
* Logging into LastPass is made safe as they support:
o "The Grid" which is a grid of random letters and numbers which you have to then provide samples from to login
o You can kill your grid and generate a new one at any time
* You can also kill any bookmarklets you create
o You can generate your own one time passwords through the web interface and print them out
o They also support multiple YubiKeys
* You can also set up when you want to authenticate with LastPass
* A premium feature is something called 'Sesame'
o This is a software one time password generator which you download
* You can import data from nearly every other password manager
* Even if they were told by a court to provide a copy of your database it would be encrypted and unreadable by anyone without the key which only you have
http://wiki.twit.tv/wiki/Security_Now_256
The security is amazing. The db is online, and their method makes it completely inaccessible to even themselves (no way to even honor a court order). In fact, I almost hosed myself early on by forgetting an element of my key combined with clearing the OTP from Firefox. If I hadn't been able to remember that key, I'd have had to recreate from scratch ... huge pain since I no longer know any of my plethora of passwords!
Grid multifactor and bookmarklets are clever and useful. KeePass was cool ... LastPass is awesome.
It's free (there is a paid version too), try it out. You can import your KeePass db so no reason not to play w/ it and see what you think.
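As an added example (not from the post, the podcast, or LastPass itself), here is a toy Python model of the derivation the shownotes describe: the vault key is SHA-256 over the sanitized e-mail plus the password, the login ID is SHA-256 over that key plus the password again, and the server only ever stores SHA-256 of the login ID plus a random 256-bit per-account token. The names `strength_bits`, `normalize_email`, `derive_vault_key`, `derive_login_id` and `ToyServer` are my own; `strength_bits` reproduces the bits-per-character arithmetic from the notes (64 symbols give 6 bits, 62 symbols give roughly 5.95).

```python
import hashlib
import math
import secrets
from typing import Dict, Optional


def strength_bits(alphabet_size: int, length: int) -> float:
    # Brute-force resistance of a uniformly random password: length * log2(alphabet).
    # 64 symbols give 6 bits per character; 62 symbols give about 5.95.
    return length * math.log2(alphabet_size)


def normalize_email(email: str) -> str:
    # Sanitize the e-mail as the shownotes describe: lower-case, whitespace removed.
    return "".join(email.split()).lower()


def derive_vault_key(email: str, password: str) -> bytes:
    # Vault key = SHA-256(sanitized e-mail || password). Never leaves the client.
    return hashlib.sha256((normalize_email(email) + password).encode()).digest()


def derive_login_id(email: str, password: str) -> bytes:
    # Login ID = SHA-256(vault key || password). This, not the key, is sent to the server.
    return hashlib.sha256(derive_vault_key(email, password) + password.encode()).digest()


class ToyServer:
    # Assumed model of the server side: a random 256-bit token per account, vaults
    # indexed by SHA-256(login ID || token); login ID and vault key are never stored.
    def __init__(self) -> None:
        self.tokens: Dict[str, bytes] = {}   # username -> 256-bit token
        self.vaults: Dict[bytes, bytes] = {}  # lookup hash -> encrypted vault blob

    @staticmethod
    def _lookup(login_id: bytes, token: bytes) -> bytes:
        return hashlib.sha256(login_id + token).digest()

    def create_account(self, username: str, login_id: bytes, blob: bytes) -> None:
        token = secrets.token_bytes(32)
        self.tokens[username] = token
        self.vaults[self._lookup(login_id, token)] = blob

    def fetch_vault(self, username: str, login_id: bytes) -> Optional[bytes]:
        token = self.tokens.get(username)
        if token is None:
            return None
        return self.vaults.get(self._lookup(login_id, token))
```

A wrong password yields a different login ID, so the lookup hash misses and nothing is returned; the server never learned the key needed to read the blob it stores.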