LastPass vs. KeePass

Comments

tehhusky

Actually. For Firefox, there is a plugin called KeeFox. It's a plugin to KeePass which allows you to access your passwords. It automatically fills out passwords and username and with a single click allows you to log into a site.

You can do this one of two ways. Adding a URL to the KeeFox tab that is added to KeePass, or you can let KeeFox add the password automatically.

It's quick, simple and efficient if you are the only one who uses that computer, or has a password protected account for the machine.

Caroline2001

"Intuitive Password" is another one which should be considered. It's an online password manager that is compatible with all devices without installation; you can access your password database at anytime, anywhere using any Internet connection.

corbit

Round 3 is also won by KeePass, because it can Auto-Fill not only Website forms but also any other Windows application's dialogue (FTP clients for example)
LastPass isn't able to do such things!

daveknapp

In my case I prefer KeePass. Our corporation blocks access to Dropbox and most other cloud file sharing sites out of security concerns. With KeePass there is no blocking and therefore the browser based logins work perfectly. I have used it for several years. Another good program is RoboForm. Not free, but works very well. I would have liked to see a comparison with all three of these.

Incognito

I've been using both for many years. Admittedly I use LastPass more often because of the browser integration and automatically filling in usernames / passwords. But I still use KeePass just in case something happens to LastPass (go out of business, etc). That has come in handy once when the LastPass servers were down and I couldn't log in and had to fall back on KeePass to log into websites. They're both top notch in my book.

Isewake

Twice with Keepass I had a corrupt database message and couldn't open my database. Good thing I had my passwords also backed up in an Excel file. No more Keepass for me.

Incognito

Seems odd... I've been using KeePass since 2004 and have never had any issues with it.

ddimick

"But our loyalties still lie with KeePass Password Safe, for its open-source nature, free smartphone app, and universal access when stored in Dropbox."

This is safe because Dropbox has never been compromised.

Oh wait a minute, they do get cracked. On an annual basis for several years running.

WilliamAngelo

KeePass for me. I don't want to depend and hope on an internet connection to access my passwords.

Eoraptor

so... you don't want to need an internet connection to use internet passwords on the internet? are you using quantum tunneling to connect directly to other computers then; because otherwise you already need the internet connection, regardless of passwords.

I understand the impulse not to want to trust your data to a third party machine, but as far as the internet goes, having passwords stored locally is no more secure than having them stored on a third party site. they are still going to be transmitted out into the big wide world the moment you click submit on any web page anywhere in recorded history and will still be subject to whatever security schema that website or service is using on their end.

wolfing

you don't want to depend on an internet connection to access passwords for your online accounts??? Unless you use it to store passwords for a secret society hideout, I don't see the problem.

FatOldGuy

LOL

Grimsly

Some pros of LastPass not mentioned.

1) LastPass supports multifactor authentication with YubiKey and Google Authenticator?

2) There are browser bookmarks for auto fill and log on for all mobile platforms that do not require a premium subscription making LastPass FREE for mobile devices.

3) The database can be stored and used offline forever so if the business disappears one day your passwords don't.

4) All of your data can be accessed through a website from any browser without the need for the plugin and one time passwords can be used in public or non trusted situations so your master password is protected.

5) LastPass supports many different types of data beyond passwords; Notes, Form fields, Credit Cards and Bank Accounts.

6) The data stored in your vault can easily be shared with other users of LastPass with the option of letting the user view the password or not. Any share can also be revoked, deleting from the user's vault.

7) All of this work is done in JavaScript which can be un-obfuscated and reviewed if someone wished. I know that it isn't the same as open source but still a way to peek at the code to confirm the company's claims of security.

I have not tried KeePass and I make no claims that it doesn't have these features. Just wanted to point out some of the ways I use LastPass daily and have for years.

HeroOfCanton

KeePass also does #5 at least in part, but I agree that certain features/considerations were seemingly left out in the name of bias or ignorance. I expect better, MaxPC. KeePass has certain obvious security advantages for the ultra-paranoid, but it also seems like more work for the DIY crowd. You have to composite a complete solution from all these different parts, whereas LastPass just works.

ZX9RDan89

Dashlane! Sure, it is pricey if you go premium. But it does everything KP and LP do and more.

reutnes

I'd just like to point out that you can secure LastPass with 2factor authentication software such as Google Authenticator on smartphones. You can also install regular firefox plugin on Firefox's android browser no problem and it works perfectly without shelling out for their app.

I tried KeePass but I found it annoying to migrate to and actually use. I like that it could work in programs that aren't web browsers, but syncing to android is a chore and I could never get the browser extensions working just right.

CaptainFabulous

I dunno, I just have Chrome store my usernames and passwords and automatically sync them across all devices, including my phone. Works well enough for me.

I used to use LastPass ages ago. I stopped at the time because it severely slowed down web browsing.

flooglehorn

It is completely unfair to give a nod to KeePass when you have to use an external program (i.e. Dropbox) to give it cross platform/cross device functionality when the competing program has that functionality built in. Additionally, while yes, lastpass is closed source, their processes and encryption technology have been vetted by MANY security analysts and have been proven to be vastly superior to keepass considering that you would not be able to brute force their password database file from an unattended computer as their database gets wiped from the machine when you exit the browser (should you choose that option). Whereas KeePass RELIES on a locally stored database that is always there, therefore that reliance makes it less secure. Add in the Dropbox attack vector, now you can lose your master database two different ways. Yes, Lastpass requires a database, but through some clever hashing, your identity is not even known to lastpass. Add in 2 factor authentication and I really don't see how you could be more secure using lastpass. Try doing some more research before blindly following your favorite program. Plus, check this video out as you might be surprised at how good lastpass REALLY is! http://warriortimes.com/2010/09/24/lastpass-veted-by-steve-gibson-of-grc/

Cy-Kill

Well, you've just lost all crediability!:

http://allthatiswrong.wordpress.com/2009/10/11/steve-gibson-is-a-fraud/

http://www.vmyths.com/resource.cfm_id=59&page=1

http://attrition.org/errata/charlatan/steve_gibson/

flooglehorn

I've lost all credibility (learn to spell!) because a few people have a vendetta against Steve Gibson? I'm not going to defend any of those overblown hate sites accusing Steve Gibson of the exact same thing they are doing, however, whoever wrote those articles clearly never listened to his podcast or read his site. He humbly corrects himself when he is wrong, and is a very intelligent speaker. He may not be everyone's flavor but it's very short-sighted to dismiss him so easily like that. I could have quoted anyone in the security field and surely someone somewhere has written an article about how that person is the devil incarnate. Grow up.

wolfing

Round 4 is actually wrong. It mentions that to access your Lastpass passwords on a mobile device you have to pay, that is false. You pay for the app so that you get the easier functionality of browser autofill, but without paying for any app it's basically as convenient as having to access Dropbox like the other one, basically, you can use the mobile's browser to log in into your Lastpass account and access your vault there.

HeroOfCanton

Yeah, I love how KeePass's solution involves installing the program to the machine or using the USB portable version (which you then need to keep synced with your Dropbox). All this as opposed to logging in to a web portal. I never got KeePassDroid to do autofill for me when I used it (though that was years ago), so they're on equal footing there. What a joke...

Eoraptor

It seems to me that the contest is a wash and fair to say both programs have their advantages and disadvantages, and so that neither one could be recommended for every user.

The fifth point "longevity" seems only added to give the authors' preferred program the win. it assumes that being open-source conveys some sort of magical software immortality on KeePass which LastPass lacks, as though it won't be rendered obsolete by future breakthroughs in encryption or computing horsepower, or that someone will ~always~ continue development on it and in some way these things are not true of LastPass.

the fact that the author and editors have a "loyalty" to one product shows me that they had no interest in a fair comparison at all. particularly when one of keepass's "benefits" is that you can plug it into drop box. Well if I don't use drop box that's not a benefit is it?

next time, please try a bit harder to be a reporter and less biased to "what you already use"

icebox1701

Two more points I'd like to add:

- with the passifox plugin keepass gets much better browser integration
- with LastPass I'd have to trust a commercial entity that they don't lie when they say it's secure, that they don't have a master key, etc.

Eoraptor

you realize that claiming keepass is somehow more secure than lastpass simply because it's open source is a fallacy?

with KeePass you're still in the same boat. You're still largely trusting that it really uses the level and type of encryption it's advertised as using, and that the program does not have any back doors or master encryption keys coded into it (nor has someone cracked it since the source code is floating around out there). And unless you hold one or more PhD's in cryptography, programming, or advanced mathematics, I doubt you can assert that certainty any more about keepass than you can about lastpass.

The only difference is you're choosing between a for-profit company's trust or a group of individual programmers' trust. (or at least, the trust of the person running the code repository.)

jbitzer

Do you understand open source? It means you can look at the source code and see for yourself what encryption it uses.

Here's the link to the source code.

Feel free to find backdoors.

http://downloads.sourceforge.net/keepass/KeePass-1.26-Src.zip

Eoraptor

Yes, I understand what open source means just fine.
do you understand that just because you can read programming code doesn't mean that you're qualified to say that you know how the other functions such as the public private key generation, or the math powering the crypto algorithms work or if they have been in some way compromised. (unless you have a lot of other independent sources to compare them against that you also already trust to backstop differences)

At the end of the day you're still relying on someone's word that the damned thing does what it says it does unless you have all that knowledge across all the disciplines, at which point why not build your own anyway and not bother with either solution. I can look at a text book on internal combustion engines all day long; that doesn't mean I can tell you whether or not your fiesta is about to blow a head gasket unless I also know about the materials used in that engine, its maintenance schedule, etc.

Saying that open source is inherently safer is like saying the cloud is better for business, it's a buzzword smoke screen; and it's just a different methodology to achieve the same goal with pretty much the same tools. and at the end of the day it actually works pretty much the same, it's all down to which party you trust more.

jbitzer

I'll go ahead and trust the party that puts the source out there for all the people who love to comb over that stuff and point out flaws publicly rather than the company that says "it's our secret and you can't see it"

You know I have the formula to turn lead into gold, but I can't show it to anyone because you know proprietary information, just take my word on it.

ckeck

1Password, that's all I have to say about that...

legionera

Hey MAXPC, isohunt shut down recently, won't you cover that news?

Biceps

Since they stopped hiring Brad Chacos to write great articles for them, MaxPC really hasn't covered much in the way of controversial PC news or the many meaningful current events surrounding cyber security. The fact that they are still recommending people keep their passwords in Dropbox, which has a documented back door for the NSA shows whose side they are on.

I got rid of my membership to MaxPC and visit the site rarely now unless I need a review on a monitor or power supply. If you want current events or intelligent commentary, go to Ars Technica. You won't find it here anymore.

lordfirefox

I'm sticking with LastPass; I don't care what MaxPC is loyal to. I don't need 15 different password managers because having one is enough.

Mikey109105

I'm with lordfirefox on this one. Sticking with LastPass myself, no matter what MPC says.

Eoraptor

Ditto this, particularly since I also have Xmarks, so I can have my bookmarks across any device, on any browser, as well as my lastpass passwords and filled forms. paying $20 a year for that is well worth it to me, open source be damned.

FatOldGuy

Same, loyalties be damned!

siramic

Same loyalties here, LastPass along with Xmarks, and Pocket (Read it Later), my favorite 3.

Jeffredo

Yep, Lastpass has served me well for about three years now. Not going anywhere.

FatOldGuy

Loyalties? since when is a head to head about loyalty? shouldn't it be about an unbiased comparison?

praetor_alpha

What if your Dropbox password is randomized, and you need to get in Dropbox to retrieve your Dropbox password?

Just some food for thought.

icebox1701

Your dropbox files are still in the Dropbox folder of the machines that sync it, you can still open it :)

pastorbob

Sorta like locking your keys in the car. :-)