well, you're unlikely to forget the master password I grant you.....
LogMeIn's purchase of LastPass password manager service was not well received by LastPass users. In fact that outrage was sufficient that LastPass quickly shut down comments on its blog. Why the outrage and who is LogMeIn? LogMeIn may be best known as the company that shut down its free remote desktop sharing service with a …
It makes it hard to access your password from your phone, so why not put them up as a web page, then you can get to them from anywhere!
Two layers of ROT13 encryption is serious stuff, in some places you could get in trouble for using it...
Joking aside as comedic as it is I store my passwords in a biscuit tin using a one time pad right between the jammy dodgers and the ginger nuts.
Roboform worth a mention
I've used this (paid for) cloud based solution for a while - works on Android, PC (and claims MAC and Linux but never used them). Does what it says on the tin (TM)
Re: Roboform worth a mention
Agree Roboform is a good alternative with good support when needed. Surprised it didn't get a mention in the review.
"Dashlane is just like lastpass"
Except that you don't get synch for free and there's no Linux support.
So.... not really that much like LastPass at all then?
Re: "Dashlane is just like lastpass"
Yeah, that's also what I noticed about Sticky Password.
Now, El Reg, can we have some recommendations that actually work cross-platform?
How about using a TrueCrypt container (containing an Excel file with your passwords for example) and synchronize it via the cloud? Granted, it will only work with PCs and laptops, but there might be some Android app that can handle TrueCrypt containers.
1Password for me too
AD Sync and Browser Integration
I'm currently looking for a solution to simulate single sign on to a remotely hosted web application which has its own internal user management and doesn't take any of the usual (SAML/JWT) tokens.
LastPass was on the cards but I'm happy to hear alternatives. Who's used something that validates users with an in-house AD before releasing credentials to the browser?
Why cloud based?
I've tried Keepass, 1Password and some others in the past but settled on LastPass because of the convenience and peace of mind from the zero knowledge setup. In my case, the clincher is that the corporate security policies where I work block access to personal cloud storage providers so using something like Dropbox for sync isn't an option.
I'm a premium subscriber to LastPass so I'll be looking at Dashlane again...
I always use admin/admin
After all, if it's good enough for my router, it's good enough for me.
(AC as I'm a cyber security consultant.)
Re: I always use admin/admin
careful now, you don't want to give away the root/root or we would all be pwned.
Re: I always use admin/admin
(AC as I'm a cyber security consultant.)
No need to be AC. I'm sure cyber security consultants -- and the human kind, as well -- are allowed a few moments of humour now and then.
Is there any advantage to using an external password manager over the one which is delivered with the OS? I use OS X exclusively which has a built-in key chain manager, but I would assume Windows and Linux have something equivalent.
Requirements for a true LastPass replacement
In no particular order:
1) Ease of use.
2) 2FA including Google Authenticator for smartphone use and Yubikey for desktops/laptops/tablets that have a USB port.
3) Cross-platform (Win, Android, iOS, OS X, Linux)
4) Ability to install Chrome extension without administrator privileges on office workstation (Windows environment).
5) At least as secure as LastPass (obviously).
You missed SecureSafe
SecureSafe comes in an app and a web form, and if you stay away from the document features it's basically free.
What puts it above others is IMHO its data inheritance approach: you can set a long password that can be used to access the passwords you store, but only after a waiting period. If you set it, for instance, to a week, you will get a week of messages that someone has activated the inheritance facility, so you can cut off any abuse by simply setting a new password.
It's a brilliant piece of work. Shame they added some upgrade begging to the free app now, but it's IMHO one of the best out there and it has seen some serious auditing.
What about Blur?
Anyone have experience using Blur? I signed up for a lifetime account recently and have been running it in parallel with LastPass with the eventual thought of migrating. I still primarily use LastPass (for the moment) but Blur seems to be a pretty close compare. https://dnt.abine.com/#dashboard
No love for F-Secure KEY?
I agree that it is quite simplistic, but it does the job.
Re: No love for F-Secure KEY?
I was wondering when someone should mention F-Secure key.
I have been using it for ages and I just love it.
It is nice and simple and if you pay a bit you get sync too on multiple platforms.
Also I LOVE that they encrypt each entry with a DIFFERENT key, so if you break ONE key you do NOT have ALL the keys. :D
Hardware based password vault (MOOLTIPASS)
Hardware based USB connected password vault with browser plugin and copy paste works as a HID keyboard so no drivers needed and can manually read details if can't connect to the device.
Only thing I don't like is the lack of a keyboard and battery, so I am also looking at putting Lollipop on an Xperia mini pro (https://legacyxperia.github.io/) and keypass or other manager that I can get to type directly into a field using a USB or Bluetooth connection, as the Android version can act as a HID device. To reduce attack surface I will remove all other parts of the OS that involve not needed functions and apps except what is required for keypass and USB / Bluetooth connectivity.
For more security on sites that require it I would like to combine this with a 2fa key that is operated with biometrics rather than just a press button so either iris or fingerprint.
Works for me.
clipperz, open source with local store, online, mobile versions etc
Time well wasted to read through the features. Been using since test versions personally.
Some might like 1time passwords for logging in from insecure devices, allows for file and other essential data storage on the cards. (I store encryption keys / authentication keys, screenshots for restoring various services if I ever fuck up the password or need to lock down a compromised account)
Also has things like password gen with options, autolock, copy/paste pw without showing them, 1-key lockdown of account, loads more.
online, local encryption, open source, you can keep offline completely working copies, works with various browsers on various platforms. Mobile version, import/export, one-time passwords for logging in from insecure devices
Sure https is not totally secure, but hey, it's open source so roll your own or use locally only on a mobile device for that purpose only, what ever floats your boat.
Also the open source bit is particularly nice. In security related software.
log me in can fuck off for ever
anything that company does, I will not go anywhere near or recommend.
they are a cast iron bunch of cunts who should be shot in the face at close range.
the whole LMI free debacle, and the whole LMI paid for debacle following shortly after (my subscription was to go up by 500%, some people were worse off than me), they didn't tell you, removed the "upcoming renewal fee" amount from your account dashboard so you couldn't know what they were going to charge you, and then auto charged people. On the forum I was on some people were reporting that they had been auto charged tens of thousands of dollars, and LMI refused to give it back or cancel the contract even though it was way in excess of what they had paid previously. There was no warning. There was a great thread on LMI's forum about how shit they were being to people, but they have now removed it.
stay clear of this most dastardly of incorporations and anything they do.
bastards. still makes me mad now. (can you tell???!)