Keepass missed a trick
Unless the community has delivered a LastPass->Keepass import tool since last month.
I'm currently running Keepass on one machine, as a toe in the water, should LastPass go south.
LogMeIn's purchase of LastPass password manager service was not well received by LastPass users. In fact that outrage was sufficient that LastPass quickly shut down comments on its blog. Why the outrage and who is LogMeIn? LogMeIn may be best known as the company that shut down its free remote desktop sharing service with a …
Using a password manager has lots of advantages: portable (depending on how it's done), allows for secure passwords, no need to remember a stupid number of things, etc.
However, the one thing that bothers me is that if I use one on a compromised computer (friend's sick PC, cyber cafe in some far flung land, old and unpatched Android phone, etc) then ALL of my passwords are exposed in one go. So what I would like to ask is this: Are there any systems that can be used with an insecure host that only expose a risk of the ONE password being leaked?
I do like the idea of 2FA using some random number fob, etc, to deal with the risk of password exposure, but few sites use that so having it built-in to a password manager would be great. Also I don't know really what sort of 2FA is available, and as stuff gets lost/forgotten due to wrong trousers/etc occasionally, then having a 2nd password in place of a missing fob would be very desirable as well (though obviously that would massively reduce the security of it if used).
Suggestions please fellow commentards?
Are there any systems that can be used with an insecure host that only expose a risk of the ONE password being leaked?
That does not sound feasible even theoretically. Unless you can select a given record in your vault online, which already sounds bad in many ways, or you have separate 2FA for every password. But then you can carry them in your mobile (which you won't connect to the insecure machine, of course).
But if using a dedicated vault for that one password fulfills your requirements, you may want to go that way.
I don't see how that could work, you need to access your password store, however many passwords you want out of it. Once you've typed that password into a compromised host you're toast, all your stored passwords are then available.
You can access KeePass on your phone and do a manual copy / paste onto the bad host. You're only risking one password then, I don't really see any other way.
Another question for the techies: SpiderOak's Android client (last time I looked) fails their zero knowledge bit because it doesn't do local [en|de]cryption. How does Encryptr manage this?
So you want a password storage system that would expose only the single password you're accessing if it's accessed on a compromised system, eh...?
Well, that's rather simple to achieve, actually:
Just use a separate password store with a unique password for each password you want to store. Make sure the password store's password is more complex than the password stored.
Alternately, do not access password stores on any systems that are not known-secure.
"Just use a separate password store with a unique password for each password you want to store."
Eh? That is what the 2FA is for! I.e. to get each stored password you need a different 2FA value to pull it from some database, but the same master password to make the database value usable (of course, the database holder has no knowledge of said master password as the stored stuff was encrypted before they got it). So if used once on a bad machine its only the one (possibly low-importance) account that is compromised.
The question is whether such a system exists out there?
"Alternately, do not access password stores on any systems that are not known-secure."
Please tell me just how you know when a machine is compromised without being able to boot it and scan with various rescue CDs to check?
If you can do this where no one else has, there is a fortune in AV to be made!
@Paul Crawford - I assume any box I do not own, am not the sole user of, or do not have sufficient knowledge about (and about its usage) is suspect. Thus the only boxes I consider likely secure are my work laptop, my home computers, and smartphone. And these devices should be verified as needed for security, and my smartphone is not used for online shopping or banking, so there is very limited data exposure. Of the above devices only one is consistently used for shopping and banking.
So a friend's computers, cyber cafe computers, or library computers are not secure by default and must be proven secure before any of my passwords are entered on it.
By limiting the number of machines one uses for these activities one limits how many machines one must prove secure.
Even that is insufficient to demonstrate a machine is not compromised.
There are firmware viruses that reside in BIOS and HDD (and other devices) firmware.
Virus scanners can only detect KNOWN viruses. Therefore even if you have a virus scanner sophisticated enough to also scan the firmware of the devices and the computer itself, it cannot detect a new, unknown 0-day virus.
And, even if it CAN scan the computer's firmware, since the computer's firmware has already loaded, any virus inside that firmware could present phoney firmware to the virus scanner, as it has to use that firmware to scan the firmware. The only way to get around this would be to pull the firmware chip out of the computer and scan it from another computer/device that has the necessary accessories to read the stand-alone firmware chip pulled from the other computer. But then, is the device you are doing the scanning from secure? Is the firmware chip pulled the real firmware in the computer? What about the firmware in other on-board components? PCI bridge chips. Accessory chips like the ASMedia ASM1142 or Intel Alpine Ridge controllers that provide USB3.1/C support on motherboards? They all have firmware embedded in them as well which could conceal viruses that could infect an otherwise clean system.
It is simply not possible to prove a computer is not affected by some sort of virus/malware unless you personally created every chip, every trace, wrote every line of code (including that of the compilers and libraries) that is or will ever be run on that computer.
"Even that is insufficient to demonstrate a machine is not compromised".
True enough. Perfect security is not possible. Everyone knows that who knows anything about security. But security good enough for a specific application can be designed.
As stated above, any system not under my full control, any system whose filesystem can be accessed without me present, etc. is suspect. With regular audits of the cold data to check for past infections, telltales to check for suspicious activity and so on. This is more than good enough *for*me*.
Now, does that mean nation-state intelligence services cannot access my data...? Probably not. But on the other hand, they'd only have to ask. Honestly, I'd feel a bit flattered, give them full-access and subtly highlight where my CV is stored...
As for malware in BIOSes and firmwares, I personally don't buy *that* particular yarn: if you think about it, what do said pieces of code have access to, anyway? Encrypted data in my case, that's what. Besides, where would they take it? Is it reasonable to assume the existence of code that can fit inside a few KiB of storage without impacting the functionality of the code that's supposed to already be in there and *still* be able to flawlessly subvert every single possible combination of HW and SW out there? Or even many of them? For Bob's sake, simple firmwares following a well-documented standard break on an OS upgrade! Check what happened with HyperX Predator PCIe SSDs and the Windows 10 upgrade, as an example. And let's not forget that my storage systems are several orders of magnitude faster than my already-saturated Internet connection. Or is the firmware supposed to be intelligent enough to pick only the interesting data...? I forgot; is this a firmware, or a supercomputer-on-a-chip...?
Anyway, if one decides to go down the rabbit-hole of full paranoia, where do they draw the line? How do *you* know that They cannot read/control your mind using satellites in orbit or whatever...? Got your tinfoil hat handy, have you? Or maybe it's the *tinfoil* through which they read minds!! The possibilities are endless, really, if feasibility and adherence to the laws of physics are not a concern.
I agree with eldakka above - unless you've built the whole thing you don't know if it's secure. I don't see any exceptions to the laws of physics where the bad guy installs a HDD driver that skips a few sectors but still boots normally (bad code could be any size), gens a keylogger and screen scraper in memory and phones home. Yes, bad guy has to know exact make, model, etc. of hardware but they seem to have plenty of time on their hands.
This whole conversation does bring up an interesting point - some of my passwords are worth hiding and some aren't. Take my uid/password login to El Reg for instance. Would I feel comfortable logging into this website to post a comment from a library pc? The pc in the business office of a hotel? What would I be losing if my El Reg password were stolen? What if I'm using one of these 'one password to own all passwords' systems and the main password gets compromised because I'm compelled to write this comment here? I'm not offering any alternative to the problem. (I keep all my passwords on paper - 4 sheets typed in 9pt font. Ya, that's a great idea.) Just looking for other points of view.
"Unless you've built the whole thing you don't know if it's secure".
But I have! What did you think I meant by "full control"...? ;-)
You do have an excellent point regarding the need to have different levels of security. It's the sensible thing to do, really. Or so I think. May I suggest separate password stores for different levels of security, instead of a "one password to rule them all" approach? You can of course store the lower level store passwords in the most-secure store, so you don't lose access to even the less important passwords for more than a reasonable amount of time. If your life is complex enough, you may even have a hierarchy of password stores.
As to feeling so compelled to write a comment *right*now* that you would compromise security... Well, if you feel that way about security, then my advice to you is not to work in any field where it really matters... :-D
LastPass supports 2FA for logging in. Therefore even if your master password became known on a compromised computer, access to your account would still be impossible without your number generator. Unless of course you left auto login enabled but can't imagine anyone would do that on any computer that isn't their own.
Use your phone (synched by Dropbox) for password lookup in keepass if you don't trust a computer. You'll have to type the password the good old fashioned way, but that's not too bad if you chose reasonable passwords. I usually edit the suggested 'random' passwords in keepass to remove the most exotic special characters and to create more readable character sequences - makes a world of difference when you encounter language specific keyboards.
Be ready to pay LastPass ... which I do
Given that the "free" genie is out of the bottle, what proportion of the LastPass user base will pay? Most won't, so will LogMeIn continue to support it for the few that will pay?
And that's before the decisions are taken about code consolidation by LogMeIn. Maybe LastPass will be the best product, will be supported, and the nearest LogMeIn products will be canned. Even if LastPass is the survivor product, the track record of acquired software is poor, since the decision to buy is invariably corporate and financial, not technical and capability based. The new owner rarely keeps the original architects and coders, so they don't know what is under the bonnet, they are only interested in milking the acquired user base to achieve the financials of the acquisition business case.
No, time to bail out, IMHO.
Be ready to pay LastPass ...
Depends, currently the price of LastPass Premium isn't bad (12 USD / ~8 GBP pa) and includes useful functionality. A concern over LogMeIn's ownership is that they do what they did with LogMeIn and radically change the pricing model - a LogMeIn Pro for Individuals subscription is 109 GBP pa.
My last company uses Zoho Vault and it's got some really, really annoying limitations - such as not being able to use most punctuation in the "Title" field of secrets among other usability problems. And it's integrated rather halfassedly with the other Zoho Products so there's compatibility problems and "I can't figure out how to remove this person from our "Company" profile so I can re-add them to Zoho Vault fix whatever the issue is" sort of issues.
As far as encryption and security, who knows - but if you ever have a problem, good luck getting support, as that is equally atrocious.
I use 1Password. I switched to it after needing something friendlier for a coworker on a project. It's been pretty good and the support is fantastic (the owner's really responsive).
Go to website so LastPass triggers the shared password fill. Press go so the box is filled. Press F12 (in Firefox). Search for "password". Delete the word password. Bingo, the hidden password in the password box is now regular text in a regular text box.
Moral: technology won't save you if you share passwords with those you don't trust.
Expensive, but there is a free Metro version (in alpha) for Windows RT / Phone, as well as Windows / Mac / iOS / Android versions. No Linux client but 1Password Anywhere covers that.
Syncs with Dropbox, Onedrive and iCloud, or your own systems if you want to.
Finally - can import LastPass pretty well.
I use both. Ironically I switched my primary vault from 1P to LP last year after I grew tired of forking out for version upgrades, but I am glad I have it in reserve. Old versions beyond 3 still work fine.
Big fan as well of 1Password, very handy on both OS X and iOS I've found.
Some of my friends boggle at the idea of paying £7 for an iOS app. This still goes to show how passwords and security in general are considered by the general public who aren't in IT. I try to use physical security analogies to get the point across.
Unfortunately I've still had a few friends who have had ebay/forums/email/other hacked and then come back to me saying "Umm... what was that app you said I should use?"
Within days of the LastPass announcement, I took a look at AgileBits website and saw that 1Password was discounted by 40% so I jumped in and purchased the Windows/Mac bundle for what worked out at less than £30. The iOS app was also discounted so after migrating my LastPass data I'm now a happy 1Password user. You have the option of syncing between devices via cloud services such as Dropbox or you can use your WiFi/network to sync between PCs, Macs and iOS devices, which is arguably more secure than using The Cloud.
Can't believe it only got one small mention.
Cloud or on-premise, there's a free (express) version and quite frankly, it's bloody awesome! It is focused around the enterprise, and for a single person it's probably way overkill, but if you've got more than a couple of people in a business or security focused business I honestly think it's the best out there.
We sort of used KeePass but it just wasn't scalable enough or have enough management features. (Although as a personal vault it's a great product)
Great support, features coming out of your ears (RDP and PuTTY launchers, works with SSH, Telnet, Web forms, Oracle and SQL Db's, ESXi) and is very, very flexible.
I particularly like the password changing features (our high security clients have their admin passwords change daily by Secret Server, forcing people to use it and the RDP launcher to gain access). Just requires a single "agent" installed somewhere on the remote site.
Reporting, 2FA, even screen recording / keystroke recording if you get the really expensive version.
Can't recommend it enough. (Yes, I've just deployed it in the last couple of months after evaluating a few different options). No affiliation with the vendor.
The article gives Sticky Password short shrift. It's actually pretty close to LastPass in features and usability, and its browser integration is light-years beyond KeePass.
For those who distrust cloud storage, Sticky Password gives you the option to use your own private storage (server, NAS, etc.) to sync between devices. If you choose that option during setup, your passwords never go into the public cloud.
For those who are OK using zero-knowledge cloud sync (like LastPass and most others), SP offers that as well. LastPass (and AFAIK Dashlane) do not have a private cloud sync option at all.
Thus, you can use SP in accordance with your own paranoia level. Get this: if you just want to use SP Free on a single machine, you don't even have to create a SP web account.
The free version of Sticky Password is fully functional except for the sync feature. You have to buy Premium to use sync, regardless of which method you choose. (You do get Premium features for free for the first 30 days.) Import and Export are included in the free tier.
SP Premium is $20/yr, and there are frequent deals to be had. I paid $10 through one promo, then extended it for another year for free with a Black Friday promo; so yes, that's 2 yrs of Premium for $10.
Importing my 200+ passwords into SP from LastPass worked fine. Some tweaking was required, mostly because (1) SP uses one entry to handle multiple logins for the same site, vs multiple entries in Lastpass; and (2) my LastPass folders were not mapped to SP folders. Not a big deal.
The SP Android version is kind of annoying, but it works. The same can be said of LastPass. MacOS X and iOS are supported, but I don't own Apple products so I can't comment on them.
I had bad experiences with both free and paid LogMeIn tiers, and I will never use their products again. I began researching other password managers the day that they acquired LastPass.
Dashlane was too pricey, so I ruled it out. After evaluating KeePass, RoboForm, Sticky Password, Zoho, and Norton, I settled on SP. I'm happy with the choice, and I encourage you to try it.
Was happy with LastPass but switched to KeePass a year ago once I discovered KeePass2Android on the Play store which would let me use my database on my phones for free (rather than having to pay for LastPass Premium to do so). There are also KeePass add-ons/extensions for Chrome and Firefox (though I just use the keyboard shortcuts and KP's baked-in Auto-Type functionality instead).
LogMeIn is a good company to get bought by, but considering what they did with LogMeIn Free, I wouldn't hold my breath as a LastPass user that the service will indefinitely continue with a Free product. Besides that, I also like the notion of being able to control where my password database is, and the ability to have it be a local-only (and not cloud-based) solution.
I am quite surprised that no one mentions the Gran'daddy of them all: PwSafe. It uses a local database (which you sync yourself) and has been around a long time. It is open, and free, so there are many different clients available which can read and write the PwSafe database format.
I have used PwSafe (both with the original client and several other clients) for a long time. What do these other (local, not cloud) apps do that PwSafe clients don't? Which of them are open source?
"KeePass may be slightly confusing for newcomers since there are two variants, KeePass and KeePass X"
No. There is one official version of KeePass, and it's called KeePass. All others are either ports or rewrites.
Specifically with KeePassX, its claim to fame is cross platform support, but it doesn't support KeePass v2 databases (with some worthy features I use), and it doesn't support plugins either. And, if you use auto-type, that only works under linux, as KeePassX appears to be entirely slanted towards Linux only - regardless of the cross platform tag.
Depending on what you want, regular KeePass working under Mono for Linux might be better. Or not, there are options.
I used to use Roboform (local version), which I found quite usable. However, since Microsoft's retrocompromises to Windows 7, I'm switching over to Linux Mint and had to find an alternative as Siber Systems haven't done a full local client for Linux. I chose KeePass, and apart from a bit of a painful job of ETL with the Roboform data and converting it to a format that KeePass could import, I've had few issues with KeePass. So +1 for KeePass and its KeeFox Firefox extension for me.
I didn't like the idea of any software holding my passwords so I got this.
It's a hardware keygen that you add a secret word to (something you know + something you have).
I've got the Mark 1 and the writing is tiny, which can be annoying though.
"For its part, LastPass says its business model is not changing and that the service will remain essentially as-is under its new owners."
As the author notes, most companies that get purchased say much the same thing. But even if the "business model" and the service itself doesn't change, that says nothing about whether the service level will stay "as is".
The article talks about possible alternatives, but it never mentions how the cryptography works and whether the services / products are totally secure.
The advantage of LastPass, for example, is that it has been externally audited and shown to be secure. The article didn't mention anything about how the different products handle security and cryptography.
I'm not saying that any of the alternatives are bad or compromised, but without that very important information, I wouldn't jump ship to one of the other tools.
Another satisfied 1Password user here. Has all the features I want, desktop and mobile. Haven't paid much for upgrades over the years, definitely not that much for an app I use so much every day.
@sproot: Same question for me about SpiderOak. Zero-k using desktop app but not on mobile app? I've asked a couple of times about it and their response has always been they're working on it. On the other hand they are very up front about it and I wonder if other services are not.
Although I'm a big cloud fan, I've concluded after thinking a byte, I want more control of my passwords file.
So after looking around for alternatives, ended up with enPass. There is no browser integration but I can live without that.
I wanted true multi platform coverage, ability to sync to OneDrive, Dropbox, etc, in addition to local storage. A good password generator and simple, fuss free, operation. I didn't mind paying as the licensing is pretty straightforward: you pay once and then the license sits on the file, not the app, meaning that you can use it from your mobile, desktop, laptop, etc. Sync works super well and there isn't really anything I can complain about. It has a few additional features that I haven't tried, such as password sharing. Migration was simple just by exporting from LastPass and importing into enPass.
I have also been using Enpass Password Manager for a long time and I'm really satisfied with this app. The browser extension works really great on my Windows PC. It has true multi-platform coverage.
Easily syncs my data to various devices using my cloud account. The best part is Enpass for desktops is free. No charges. Although I'm using it on my mobiles, for which I've paid some reasonable amount, at least they don't have that subscription kind of thing. I like their pay once, use forever theme for mobile platforms. Overall, the best password manager in my opinion.
I'm currently looking for a solution to simulate single sign on to a remotely hosted web application which has its own internal user management and doesn't take any of the usual (SAML/JWT) tokens.
LastPass was on the cards but I'm happy to hear alternatives. Who's used something that validates users with an in-house AD before releasing credentials to the browser?
I've tried Keepass, 1Password and some others in the past but settled on LastPass because of the convenience and peace of mind from the zero knowledge setup. In my case, the clincher is that the corporate security policies where I work block access to personal cloud storage providers so using something like Dropbox for sync isn't an option.
I'm a premium subscriber to LastPass so I'll be looking at Dashlane again...
In no particular order:
1) Ease of use.
2) 2FA including Google Authenticator for smartphone use and Yubikey for desktops/laptops/tablets that have a USB port.
3) Cross-platform (Win, Android, iOS, OS X, Linux)
4) Ability to install Chrome extension without administrator privileges on office workstation (Windows environment).
5) At least as secure as LastPass (obviously).
SecureSafe comes in an app and a web form, and if you stay away from the document features it's basically free.
What puts it above others is IMHO its data inheritance approach: you can set a long password that can be used to access the passwords you store, but only after a waiting period. If you set it, for instance, to a week, you will get messages for a week that someone has activated the inheritance facility, so you can cut off any abuse by simply setting a new password.
It's a brilliant piece of work. Shame they added some upgrade begging to the free app now, but it's IMHO one of the best out there and it has seen some serious auditing.
Anyone have experience using Blur? I signed up for a lifetime account recently and have been running it in parallel with LastPass with the eventual thought of migrating. I still primarily use LastPass (for the moment) but Blur seems to be a pretty close compare. https://dnt.abine.com/#dashboard
I was wondering when someone would mention F-Secure Key.
I have been using it for ages and I just love it.
It is nice and simple and if you pay a bit you get sync too on multiple platforms.
Also I LOVE that they encrypt each entry with a DIFFERENT key, so if you break ONE key you do NOT have ALL the keys. :D
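The per-entry key idea in the post above, and the earlier suggestion of "a separate password store with a unique password for each password" plus one master secret the database holder never sees, amount to the same construction: derive an independent subkey for every entry from the master key, and only ever let a subkey leave the trusted device. Below is an added example of that construction, written for this thread and not code from F-Secure Key, KeePass, LastPass or any other product mentioned. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen so it runs on the standard library alone; a real vault would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305. The entry names and passwords are constructed sample data.

```python
# Added example, not code from any product discussed on the page.
# A toy vault in which each entry is encrypted under its own subkey, derived
# from the master key with HMAC, so a subkey given to an untrusted host can
# only open the one entry it was derived for.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def master_key_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Stretch the master passphrase into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


def entry_key(master: bytes, entry_id: str) -> bytes:
    """Per-entry subkey. HMAC is a PRF, so holding one subkey reveals nothing
    about the master key or about any sibling entry's subkey."""
    return hmac.new(master, b"entry-key:" + entry_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (demo cipher, not an AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the entry key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_entry(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_entry(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_vault(passphrase: str, entries: Dict[str, str]) -> Tuple[bytes, Dict[str, bytes]]:
    """Encrypt every entry under its own subkey; the vault stores only ciphertext."""
    salt = secrets.token_bytes(16)
    master = master_key_from_passphrase(passphrase, salt)
    vault = {eid: encrypt_entry(entry_key(master, eid), pw.encode()) for eid, pw in entries.items()}
    return salt, vault


def demo() -> Dict[str, Optional[bytes]]:
    # Constructed sample entries.
    entries = {"theregister.co.uk": "correct horse battery staple",
               "bank.example": "Tr0ub4dor&3"}
    salt, vault = build_vault("master passphrase", entries)
    master = master_key_from_passphrase("master passphrase", salt)
    # The only secret that leaves the trusted device is one entry's subkey.
    leaked = entry_key(master, "theregister.co.uk")
    tampered = vault["bank.example"][:20] + bytes([vault["bank.example"][20] ^ 1]) + vault["bank.example"][21:]
    return {
        "own_entry": decrypt_entry(leaked, vault["theregister.co.uk"]),
        "other_entry": decrypt_entry(leaked, vault["bank.example"]),
        "tampered": decrypt_entry(entry_key(master, "bank.example"), tampered),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the property the posts are after: the leaked subkey opens its own entry, fails cleanly (returns `None`) against every other entry, and a flipped ciphertext bit is rejected rather than decrypted to garbage. The limitation also stands out: the subkey has to be derived on a device that holds the master key, which is exactly the "look it up on your phone and type it" workflow suggested earlier in the thread.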
Hardware based USB connected password vault with browser plugin and copy paste; works as a HID keyboard so no drivers needed, and you can manually read details if you can't connect to the device.
The only thing I don't like is the lack of a keyboard and battery, so I am also looking at putting Lollipop on an Xperia mini pro (https://legacyxperia.github.io/) and KeePass or another manager that I can get to type directly into a field using a USB or Bluetooth connection, as the Android version can act as a HID device. To reduce attack surface I will remove all other parts of the OS that involve functions and apps that are not needed, except what is required for KeePass and USB / Bluetooth connectivity.
For more security on sites that require it I would like to combine this with a 2fa key that is operated with biometrics rather than just a press button so either iris or fingerprint.
online, local encryption, open source, you can keep offline completely working copies, works with various browsers on various platforms. Mobile version, import/export, one-time passwords for logging in from insecure devices
Sure https is not totally secure, but hey, it's open source so roll your own or use locally only on a mobile device for that purpose only, what ever floats your boat.
Also the open source bit is particularly nice. In security related software.
Time well wasted to read through the features. Been using it since the test versions personally.
Some might like one-time passwords for logging in from insecure devices; allows for file and other essential data storage on the cards. (I store encryption keys / authentication keys, screenshots for restoring various services if I ever fuck up the password or need to lock down a compromised account.)
Also has things like password gen with options, autolock, copy/paste pw without showing them, 1-key lockdown of account, loads more.
Anything that company does, I will not go anywhere near or recommend.
They are a cast iron bunch of cunts who should be shot in the face at close range.
The whole LMI Free debacle, and the whole LMI paid-for debacle following shortly after (my subscription was to go up by 500%, some people were worse off than me): they didn't tell you, removed the "upcoming renewal fee" amount from your account dashboard so you couldn't know what they were going to charge you, and then auto charged people. On the forum I was on some people were reporting that they had been auto charged tens of thousands of dollars, and LMI refused to give it back or cancel the contract even though it was way in excess of what they had paid previously. There was no warning. There was a great thread on LMI's forum about how shit they were being to people, but they have now removed it.
Stay clear of this most dastardly of incorporations and anything they do.
Bastards. Still makes me mad now. (Can you tell???!)
Biting the hand that feeds IT © 1998–2019