Ouch
Time to look for alternatives then.. there's an el'reg article that needs a 2020 version!
Remote access, collaboration and password manager provider LogMeIn has been sold to a private equity outfit for $4.3bn. A consortium led by private equity firm Francisco Partners (along with Evergreen, the PE arm of tech activist investor Elliott Management), will pay $86.05 in cash for each LogMeIn share – a 25 per cent …
+1 for KeePass
When you need to supplement KeePass with password management on an iPhone or Mac, then look to KyPass. This is from a different developer, but it uses the same KDBX file format. Would be nice if it was a little slicker on the Mac (UI is a little clunky in places), but it's better than the other alternatives for KeePass on Mac (i.e. none)
Yup, the excellent (and FOSS) KeePass in use here. And plenty of splendid plugins to make it do, well, just about anything you need it, really.
"And it's by Bruce Schneier. This may be my new password solution..."
Can't vouch for iPhone but it works great on Android and with Windows you only need to learn the following shortcuts on a daily basis:
Ctrl+B = Copy Username
Ctrl+C = Copy Password
Ctrl+V = Paste into your application/browser as usual
Ctrl+H = Hide or Show passwords on main screen.
Been using it for many years...
"If the file is at all competently encrypted"
Encryption is only worthwhile when solid passwords/passphrases are used. I wonder how many people actually use a serious password for their Key Store....
If you are anything like me, or a lot of others, you will be using the Key Store many times per day, I would hazard a guess that I use it around 20 times per day on a normal day. Because of this, I am not using a 27 letter, upper, lower, special characters, non repeating, non dictionary password. I can only guess how long it would take any of the 3 letter agencies to try a couple of million known passwords and get past my password. I wonder how many others are in exactly the same boat.... Hence my reasoning for not stocking such a thing in the Web/Cloud.
Let's be realistic here. If you are a "person of interest" to any of the 3 (or 4) letter agencies they probably have a whole lot of other ways to get your info without identifying and brute-forcing your password manager:
- Formally demand it of any web service you use (probably works for more than half of them, see PRISM)
- Exploit back doors into their systems to get it informally (smaller non-PRISM entities)
- Exploit back doors to breach your system
- Send round some goons with rubber hoses for some "advanced cryptography lessons"
Simplest to either get physical access to the system or use any one of the most recent vulnerabilities they have popped up, ones that were never fixed (quite a few out there), or one that the user hasn't seen/installed an update for of which there are usually dozens. I use a very secure distribution and I know there are several outstanding vulnerabilities which haven't been patched at this moment. These things take time to spread.
I use PasswordSafe for the reason that Bruce Schneier was involved in its design and implementation, so I know it's as cryptographically secure as you can get. That, too, means I am more than aware of the risks of using simply defeated security. I don't do four digit PINs, nor simple passwords for unlocking my password store. Yes, it's a bit of a pain at the beginning but after a while, little thought is required in entering those long sequences. Confusing one tablet for the other is the worst problem I face in unlocking one. Wrong PIN. Not that I would ever "trust" a tablet.
Secondly, if a nation-state is your primary threat actor, give it up. Either you aren't worth their time or you don't have the resources to counter any actions they may take with their billion-dollar budgets. That's reality. I know what they can do, I've worked with them professionally before.
[Worse in my case. I have the NDA from hell and with a mere signature, I'm back in uniform and they can bloody do whatever the fuck they want to me.]
I don't understand the down vote, but someone came through and carpet bombed all the 0 down vote messages on this topic, so there you are. Anyway, anything to shake up the mix when it comes to accessing a cryptographically secure file is something to take advantage of against, at the least, the talented amateurs.
What was once the realm of TLA's, then the realm of Ph.D.'s, becomes soon the realm of the script kiddies not much later. Again, that's reality.
> I don't understand the down vote
Don't worry, somebody is apparently bulk downvoting any mention or thread about Password Safe.
For the record, Password Safe is great. The original, Counterpane version is what brought me to password managers many, many years ago. (Here are my own 2 downvotes coming...)
If the user is incompetent enough to still be using a weak password for the password manager, then all your suggestions are moot. Such a person is likely to have bad security everywhere, so storing it locally won't be any more secure for them.
Storing it in the cloud encrypted with a strong password, with multiple levels of backup/redundancy, is fine for the rest of us who do not want to risk a local disk failure and losing all our data.
I'd recommend using a pass phrase instead of a password. For example, you will probably find that you can type a phrase like "I wonder how many other are in exactly the same boat" pretty quickly, because it is English words spelt correctly and you are probably good at typing that kind of thing. You will get quicker by practising it 20 times a day. You can even type it easily on a mobile phone or device without punctuation keys. At 11 words it probably has around 121 bits of entropy; maybe less because it is (almost) grammatically correct, but still not bad and better than what you are currently using by the sound of it. By all means make it longer, and/or throw in a few obscure words that wouldn't be found in a 2048-word dictionary. Don't use a line from a song or book.
This would be good advice for online passwords, too, but those often have silly length restrictions. For a password database there won't be such restrictions, and you really do want something strong.
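The entropy arithmetic behind the passphrase advice above (11 words from a 2048-word list giving about 121 bits), worked through as an added example that is not from the thread. The 95-character alphabet, the guess rate and the toy wordlist are assumptions, labelled in the code.

```python
"""Passphrase vs. password entropy, as discussed in the thread above.

Added example, not from the thread. The 2048-word list size is the thread's
own figure; the alphabet size, guess rate and sample wordlist are assumed.
"""
import math
import secrets

# The thread's figure: a 2048-word dictionary. A full Diceware list has 7776.
WORDLIST_SIZE = 2048


def passphrase_entropy_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of num_words words drawn uniformly at random from the list.

    This only holds for random selection; a human-chosen grammatical sentence
    (as the thread notes) carries fewer bits than this formula reports.
    """
    return num_words * math.log2(wordlist_size)


def password_entropy_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random password; 95 = printable ASCII (assumed)."""
    return length * math.log2(alphabet_size)


def words_for_target(target_bits: float, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Smallest number of random words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched.

    guesses_per_second is a constructed assumption; a slow key-derivation
    function on the vault lowers the achievable rate considerably.
    """
    seconds = (2.0 ** bits) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(num_words: int, wordlist: list) -> str:
    """Draw words with the CSPRNG-backed `secrets` module, never `random`."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


# Constructed toy wordlist so the generator runs offline. A phrase drawn from
# it has num_words * log2(8) = 3 bits per word, nowhere near the 121 above.
SAMPLE_WORDS = ["boat", "wonder", "exactly", "many", "same", "other", "how", "are"]

if __name__ == "__main__":
    print(f"11 words from a 2048-word list : {passphrase_entropy_bits(11):.1f} bits")
    print(f"12 random printable characters : {password_entropy_bits(12):.1f} bits")
    print(f"words needed for 128 bits      : {words_for_target(128)}")
    print(f"years at 1e9 guesses/s, 121 bits: {expected_crack_years(121, 1e9):.2e}")
    print("sample phrase (toy list):", generate_passphrase(6, SAMPLE_WORDS))
```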
I like Sticky as well, in part because they support a wide range of browsers. Their plugins work with Pale Moon and Comodo Dragon, for example. The app is pretty configurable; you can enable or disable integration with non-browser applications, for example. (You can always have it copy credentials to the clipboard - the integration just lets it insert directly into input controls.) And it offers cloud-based encrypted synchronization,[1] synchronization over your local network, or no synchronization at all, depending on your preference.
They also donate a portion of their profits to saving manatees. I don't especially care about manatees, to be honest, but I like that because it ought to annoy some of the people who annoy me.
[1] I have no problem with cloud-based synchronization with proper encryption and a decent key. (I use a long but easy-to-remember passphrase as the master key.) I don't think highly of threat models which consist of "oh lawks everything with 'cloud' in the name is automatically an unacceptable risk!". That's cargo-cult security. Get a real threat model.
I've moved from LastPass to Bitwarden. Lastpass have upped prices year after year and provided very little by way of enhanced user experience as a result - which might explain why they're making such substantial profit by revenue. It felt very dated when I moved in April.
Bitwarden is less than 1/3rd of the price for premium, offers a solid set of features and has a noticeably nicer UI (IMHO). Self hosting is obviously a bonus, but I'm happy to have them host for me.
I've suggested a number of friends (mostly technical) move from lastpass to bitwarden, and they've all been happy.
Not just a password manager, but we use PasswordState from Click Studios
It integrates with Active Directory, and as well as password management it allows you to start SSH or RDP sessions from within the browser so that staff can connect to a resource without ever knowing the credentials. It also rigorously audits and logs every change made, and every access to information made by any user.
No connection, just a happy customer.
For some reason my gut always had me avoid LastPass sadly.
I've always been partial to KeePass. So if you're looking for a new home I recommend it! You can use many methods to sync with Android and your computer.
Latest version of KeePassXC for Linux has impressed me a lot, because I can finally ditch gnome-keyring for Evolution. (It allows you to select a group of PWs to act as the system keyring, so KeePass stores Evolution's passwords, not gnome-keyring.)
Then there's the auto-unlock, which adds SSH keys to ssh-agent when unlocking the PW database and automatically removes them from the agent (locks them) when the DB is locked or closed, which is also super useful.
Overall makes my life a lot easier...
I only run a smallish site and I have hundreds of passwords for the services I have set up. There is no way I can remember them all at 12 characters and properly random.
Even using passphrases for them all is not going to help in that manner and still with some services not properly allowing spaces or certain characters.
Remember too that this is after having to remember all my personal passwords (which I do just use my memory for) for all my services.
I have been bitten by using <Mypassword>@Amazon before, it doesn't work in this day and age.
I have the memory of a bloke, so at most I can remember 4 complex passwords.
I only have my personal email password and a separate password for work, separate password managers for both and separate passwords for the password managers. If I need access to something I can't remember the password for I just do a password reset.
Not to offend, but that is absurd. I have over 500 different UID/PW combinations in my password manager. Most of them are 15+ character randomized complex passwords. At work we have an in-house password manager with nearly that many more for equipment, applications, and support websites. Trying to remember all of those would be impossible unless you had eidetic memory (which I do not). And suggesting using the same password for multiple sites is begging for trouble. There is no way I'm going to use the same password for Papa John's and my bank. And my employer won't let me set all of the admin passwords to "IL0veH@mburg3rs!". I've asked.
"Why not simply remember your passwords?"
I have a few dozen dozen long, randomly generated passwords for various things (ignoring web site logins, etc.). While I certainly remember the three I use the most, it's beyond my ability to remember them all. A password vault (or a written list of the passwords, but vaults are encrypted) is a necessity.
That said, I wouldn't use any that communicate over the network.
... because having a password for each of the 100+ sites (not including ones I use for work) is more than burdensome, and even if one does what you are suggesting, it's bad practice, because when one of the sites you use gets hacked and the passwords dumped to the internet, your root is now compromised along with the method for salting it.
It may be a pain in the buttocks at times, but a password manager program is an essential in these enlightened times.
I keep encrypted documents on an encrypted drive on my computer containing all my passwords (100+), all of which are excessively long and complex and beyond my ability to remember. All of which get backed up regularly to encrypted media in my own possession. No cloud backups for me. I don't need to trust any third parties. It may take me a few seconds longer for me to get at the passwords for my bank etc, but so what?
For older relatives who would struggle with a password manager (or even copy/paste), I sometimes recommend a notebook with the passwords written down.
Although it's vulnerable to getting lost or stolen, it is completely secure against hacking.
Of course, you still have to worry about phishing...
For many years, I kept my passwords written down. Two copies, even -- one in my wallet and one in my home safe.
I've never understood the problem with this. Sure, it's an attack vector -- but writing them down meant that I could use more secure passwords, so it seems to me that, on balance, it led to greater security. And if my wallet was ever lost or stolen, I still had the backup list so I could go through and change all the passwords.
I don't write them down on paper anymore, though. I use the modern equivalent -- a standalone password manager on a portable device.
> I don't write them down on paper anymore, though. I use the modern equivalent -- a standalone password manager on a portable device.
I *used* to have that (GNU-Keyring on a PalmOS device) which even synced to JPilot on my home computer. Unfortunately any PalmOS devices I still have are long since dead, sync no longer works under Linux (and was a severe PITA to get working even when it was still current), but at least I still have the local backup in JPilot.
"You mean the monitor with the webcam and the mirror on the wall behind you?"
Oh no, I have a web cam and there is a mirror behind me. I must move the post-it notes.
Darn, too many to go on the bottom of the keyboard and it's hard to type them in with the keyboard upside down.
Time for plan C...
My first contract was at HMRC and one user's password was "Compaq" as that's what was on the monitor bezel right in front of him.....
I hope that his monitor didn't get swapped out for an Iiyama as he'd never have worked out whether it was a lower-case L or an "I".
(If you're reading this Les, hang your head in shame....;-))
I can one-up you on that: what one business, now defunct (for completely unrelated reasons if you must know) used for multiple decades for absolutely all passwords on anything was several simple combinations of its own name and a random brand name they had on a large batch of mouse pads acquired at some point in the past. To the best of my knowledge, they were never ever compromised. Not defending the practice, mind you - I'm saying all this amidst some heavy Picard-facepalming in a "what can one get away with" sense...
Place I used to work, we always had a login on client systems, and it was always the same: Username was our company name, password was the MD's first name, backwards. All four letters of it. And that was better than most of the users' passwords.. Not a massive problem when there was no external access, but some sites wanted remote support, so we'd hang a modem on the server. Anybody who dialled in immediately got a welcome screen that, among other things, indicated who had supplied the system...
But this was simpler times.. When I left we were just putting in internet connectivity, with VPN to get access. That allowed better passwords..
It's not a terrible idea, it's just a poor implementation.
For a while my main password was based on the lyrics to a song, from an album that I could see from my desk. Song lyrics are good because most people can remember them quite well, and they can be arbitrarily long. If I was a bit hazy, I'd look up, see the album cover, think of the song, and be able to reconstruct my password.
(Either type the whole lyric out as text ("imabelivericouldntleaveherifitried"), or use some sort of substitution (eg 'I' becomes 1). Lines from books/plays/films etc. could also work, just don't make it too obvious (ie, if you're a Star Wars fan, don't crib the obvious lines).)
> For a while my main password was based on the lyrics to a song, from an album that I could see from my desk.
Anime series titles, using their Japanese titles in 'romaji'. Mixed case, substitute numbers for letters as needed. Additionally, the hiragana for 'no' (an equivalent of the English preposition "of") looks similar to the "@" character, "ku" looks similar to the ">" character. So mix those in where possible.
Or you can just use your favourite "ships" for a passphrase.
Well, I must admit I did something similar about 20 years ago, by choosing a serial number I could glimpse through the front grille of a minibar-sized SGI server beside me (CPU module serial IIRC).
The rationale was that everybody accessing that server locally needed to know that password, but we didn't want to write it down either. Also losing it wasn't an option, so the barely visible serial number was perfect: Long, letters and numbers, easy to remember, and tied to the machine. Note that server wasn't connected to the Internet and the data it contained was very important to us, but not worth stealing.
> I used the ISBN number of a book that I kept near the computer
Well that sounds like a fairly secure password to me. Mostly because, even if somebody guessed that this book contained the password, he needed to guess it was the ISBN number (as opposed to any other piece of text in that book, which most likely contained a lot).
So your password was hidden in plain sight, and the difficulty wasn't in getting the information, but in finding the right information. The greatest danger was the lucky guess.
> My first contract was at HMRC and one user's password was "Compaq" as that's what was on the monitor bezel right in front of him.....
One test lab, where the corporate image we used on the machines feeding test scripts to the big systems required passwords, we used the serial number clearly printed on the front of the systems.
Fine if it suits you.
Me, I couldn't live without the convenience of my PM which lets me organize my entries as I wish and retrieves them very fast, has auto-type, allows me to change passwords with the same rules as the previous one, can work offline but also allows me to sync across all my devices...
LastPass is actually a little rubbish on exporting passwords and form data...
The best way to ensure you export your passwords complete with all the special characters is to download LastPass Pocket (4.0.0 was current as of 17-Sep-2019) - not currently listed on the LastPass website but available from reputable file sharing sites.
Useful resources:
https://help.bitwarden.com/article/import-from-lastpass/
https://support.logmeininc.com/lastpass/help/lastpass-via-usb-lp060004
I had a look at password managers too but could not bring myself to pay for one. I use Chrome and I know it's probably not the safest but it's not like Google are just handing the keys over to people.
What I don't understand is what's the difference between Chrome and say LastPass? KeePass is local only? But then how do you get passwords when logging into your phone say?
>I had a look at password managers too but could not bring myself to pay for one.
Well Lastpass Free will provide you with all the functionality of Chrome and some.
> What I don't understand is what's the difference between Chrome and say LastPass?
The Chrome password manager will only work in Chrome - so if you are happy to only use Chrome across all your devices then not a problem, if however you want to also use say Firefox or Yandex then you'll need products like Lastpass. Likewise, if you are wanting to use the password manager outside of the browser.
>KeePass is local only? But then how do you get passwords when logging into your phone say?
The choice is either use a networked password manager such as Chrome or LastPass for which you can install clients across all of your devices and leave it to sync all your devices, or use KeePass and configure your own device sync mechanism.
Another one bites the dust in a couple of years. Vulture crapalists are not interested in building the company as that costs money up front. So look for LastPass to wither on the vine and slowly be forgotten as competitors overtake them. They will probably linger for a while until they are executed.
I look forward to it turning into the Bonzi Buddy of password managers.
As a corporate user, have been gradually more annoyed with LastPass.
They seem to be deprecating useful features and replacing them with new features that don't work. (See their new SSO replacement for SAML and its total lack of CLI access and that the "SSO Apps" are not in your Vault, like everything else, so you can't search for them from the plugin button.)
I am looking for something that does SAML SSO and can do AWS CLI login. As well as sharing passwords between the team. (so that next time something goes wrong, we aren't stuck waiting for the one person that has the root/admin password to come back from leave)
Anyone know if DashLane can do it?? (Particularly the AWS CLI SAML login!!)
Theoretically they could change the encryption algorithm to one that has a back-door and re-encrypt your vault next time you type in the password, and you'd never know.
In reality, my hunch is that the risk is low - the bigger a company is, the more concerned it tends to be about internet security and obeying the law, but in the world of password management it pays to be a bit paranoid (especially as there have been demonstrated attempts of governments trying to interfere with encryption), and many would argue that unless it's open source, you can't rely on it. I certainly have some sympathy with that view.
So the preferred solution is to use a password manager making random strong passwords. So far so simple. Synced between all of your devices. Fine.
But how do you handle, for example, typing your Netflix password into the TV?
Or joint passwords (e.g. the Morrisons account, we both add things to it, we both need the password)?
To both of those questions, if the answer is "Read it out: upper case X, upper case I (or is that an L?) four, seven, ampersand, no that's the thing that looks like a musical note, yes that one, then a pound, caret, no you're thinking of a tilde, a caret is like a pointy hat." Then no thanks.
My Netflix password is one of the very few that is not as secure, so I can input it in the TV quite easily. I don't care if someone finds it, all they can do is watch things for free and I'll probably notice based on new recommendations. Anything else (password change, payment card change..), I'll be notified and can reverse.
For joint accounts, you can use a separate database that contains all joint accounts and for which you both know the master password. You keep all the other stuff in your private database.
When the last LastPass scare was going on, I looked at all the El Reg recommended alternatives (starting with KeePass) and none of them seemed to be able to import the standard LastPass export of its database. At which point plan switcheroo rather stalled.
Personally I try to reduce my reliance on LastPass by having 2FA up the backside for everything I can - starting with all email accounts. Even if my password safe was to be found unencrypted (which LastPass say is impossible) it's only of so much use.
I guess 2020 could be the year I sort out the 500+ accounts I seem to have acquired over the years into the 50 or so that I actually use.
If you are worried about your data in LastPass or the cloud - then read this article https://www.forbes.com/sites/thomasbrewster/2019/04/10/what-happened-when-the-dea-demanded-passwords-from-lastpass/
It seems 90% of the people in this thread - and the writer of this article - did not do their homework or know anything about how AES-256 bit encryption works... shame that the industry is dominated by people who do not understand the basic principles of encryption and cryptography.
Saying that open source is better is just ridiculous. Most people compile open source in compilers that have in-built backdoors added to the code they are compiling for crypto mining or other ransomware and adware. 95% of the people do not check their compiler or code and therefore all of you using open source software just because "it's better" are way off the real world of security products. Good luck!
tl;dr Citations needed
"It seems 90% of the people in this thread...[do not] know anything about how AES-256 bit encryption works...do not understand the basic principles of encryption and cryptography."
Many cryptographic weaknesses in software are in flawed implementation, not poor choice of encryption algorithm. We don't know exactly how LastPass implements encryption, nor how their future updates will implement it. I think that caution and skepticism are healthy in this situation. Why do you think they indicate gross ignorance of the subject?
"Saying that open source is better is just ridiculous. Most people compile opensource in compilers that have in-built backdoors"
Well, open source lets us see exactly how the product implements encryption. Skilled people can identify weaknesses in the code or spot dubious dependencies. Plebs like me can read what the clever folks have found. We can also notice if the vendor suddenly replaces parts of their encryption with Folger's Crystals, so we know to run for the hills.
Which compilers do you know are back-doored?
I believe he refers to the "Trusting Trust" problem where one cannot be sure a compiler isn't slipping code in behind the source's back, although there are mitigations against this (such as compiling a compiler multiple times against multiple compilers--a secret code modification is more likely to get detected in such a criss-cross).