COMMUNITY FORUMS

Welcome! We're glad you are here. This is the place to ask for bag advice, help other people out, post reviews, and share photos and videos.


Thread: LastPass

  1. #16
    Forum Member yeg780's Avatar
    Join Date
    May 2016
    Share
    around 53
    Posts
    109
    Tagged
    0 Thread(s)
    Quote Originally Posted by MtnMan View Post
    Alright, either Sunday or some time this coming week, I would like to do my clean-install of MacOS Sierra on my iMac.

    One more question I need to ask about LastPass and 1Password:

    If I choose either of these services, what do I have to do? Do I download and activate something and then it just searches my computer for login information and instantly uploads all of it right then and there, or do I have to go through some long procedure to make sure it saves all of my login data? I need to know if my clean install will have to be delayed.
    For 1Password, download and add each site/password manually. That's what I did anyway back when I only ever used 2 or 3 passwords. Whenever I got to a site that required a log in, 1Password would ask to save that info for me. Then I'd go and reset that site's password with some long, impossible to remember password that 1Password would generate for me.

    For new sites, I'd fill in a username and then use 1Password to generate a password for me.

    It seems like a lot of work, and it can be, but I now have every site I belong to, both work and personal, using secure passwords. Last I checked, that's just over 100 sites.

    Well worth the time and effort I think.

  2. #17
    Forum Member BPritchard's Avatar
    Join Date
    Jun 2009
    Share
    South Pasadena Florida
    Posts
    318
    Tagged
    0 Thread(s)
    Another vote for Dashlane. Besides passwords, it also keeps information for filling in forms online when ordering items... name, address, credit card and banking, phone numbers.
    All information available on all devices and encrypted with one master password. Cost is $19.95 a year if you want to sync between all devices... laptop, phone, tablet, etc.
    Been there. Done that. Can't remember.

  3. #18
    Forum Member bouncing's Avatar
    Join Date
    Dec 2016
    Share
    Digital Nomad
    Posts
    314
    Tagged
    0 Thread(s)
    Software developer here. I work a lot in security, though I'm neither a networking expert nor a cryptographer.

    I for one am gravely hesitant to use anything cloud-based, especially when the client for the cloud is downloaded locally. LastPass was compromised (that we know of) already once.

    It's not that I think LastPass, or 1Password, or Dashlane are sloppy. They're just big, fat, juicy targets for hackers and they only need to compromise a service once to get a gold mine of valuable data. Your data.

    If I use a cloud-based service, I prefer one application for the password manager and another for cloud storage. Using 1Password with Dropbox sync (instead of 1Password's own cloud sync) is an example of that strategy. You can also use an offline password manager and only store it locally, but then you have to manage your own backups. If you wipe your computers/tablets/phones when you cross any international border (which you should), you also can't easily recover that data like you can with a cloud-based service.

    So for my money, use something like 1Password or KeePass, and sync on Dropbox or Google Drive. If 1Password or KeePass is compromised, Dropbox probably won't be. If Dropbox is compromised, your vault is still encrypted.

  4. #19
    Forum Member bltkmt's Avatar
    Join Date
    Feb 2009
    Share
    Connecticut
    Posts
    489
    Tagged
    0 Thread(s)
    I have used LastPass for six months or so now and love it. Very easy to use and very handy. I previously used KeePass, but much prefer LastPass.

  5. #20
    Forum Member katphil's Avatar
    Join Date
    Apr 2014
    Share
    Lala land
    Posts
    21
    Tagged
    0 Thread(s)
    I have LastPass and it has saved my bacon several times! Not only for passwords, but forms with credit card info that is encrypted, and the "notes" section that lets me save passwords for things that I wouldn't create a log in for (emails, website admin access, etc.). I did pay for a 5 year "subscription", so I don't know how many features I have are because of that, but the "Security Checkup", which runs all my sites against known issues (Yahoo, LinkedIn) and also lets me know the last time I changed the password, is a nice thing to have.
    A45, A30, L/M/S CB, SE, SK, SA, HJ, DLBP, Shop Bags, multiple pouches and stuff sacks

  6. #21
    Registered User
    Join Date
    Oct 2017
    Posts
    1
    Tagged
    0 Thread(s)
    Quote Originally Posted by bouncing View Post
    Software developer here. I work a lot in security, though I'm neither a networking expert nor a cryptographer.

    I for one am gravely hesitant to use anything cloud-based, especially when the client for the cloud is downloaded locally. LastPass was compromised (that we know of) already once.

    It's not that I think LastPass, or 1Password, or Dashlane are sloppy. They're just big, fat, juicy targets for hackers and they only need to compromise a service once to get a gold mine of valuable data. Your data.

    If I use a cloud-based service, I prefer one application for the password manager and another for cloud storage. Using 1Password with Dropbox sync (instead of 1Password's own cloud sync) is an example of that strategy. You can also use an offline password manager and only store it locally, but then you have to manage your own backups. If you wipe your computers/tablets/phones when you cross any international border (which you should), you also can't easily recover that data like you can with a cloud-based service.

    So for my money, use something like 1Password or KeePass, and sync on Dropbox or Google Drive. If 1Password or KeePass is compromised, Dropbox probably won't be. If Dropbox is compromised, your vault is still encrypted.
    Disclaimer: I work for AgileBits, makers of 1Password. Also fellow Tom Bihn product fan.

    With that disclaimer out of the way I wanted to address this particular concern above directly.

    Our 1Password.com service holds your encrypted data. However, due to the design of the system we do not hold any secrets that can be used by malicious entities to facilitate brute forcing the keys necessary to decrypt your data. This basically means that nothing we have on our hands will speed up the process of brute forcing anything. Some services will store particular bits of data that may at some point be able to be used to make speed improvements with some clever fiddling.

    Combined with our use of 2 Secret Key Derivation (2SKD) we've made our servers a far less interesting target. See our Secret Key documentation for an idea of how this works. To simplify this into something anyone can understand though, as this is a bag forum, not a security forum: if someone were to get your data from our servers, they would have to guess both your Master Password and your Secret Key. Use a weak Master Password? The Secret Key is incredibly strong and will still make brute forcing their way to your data incredibly difficult. With a very strong Master Password and the Secret Key it's effectively impossible with modern hardware. Certainly not impossible, but most definitely expensive.

    The important thing to keep in mind with this is that most people's data is important to them, but it's not necessarily important to other people so we get extra paranoid thinking everyone wants our data when our data isn't all that valuable, it's just valuable to us. I'll use myself as an example. I work really hard for my paycheck and like a lot of you do a lot of online banking these days. I trust 1Password with my bank passwords because it's secure and I help write it so I know how it works. But I also know that I am a small target. I am not worth millions upon millions of dollars. But I do know the math behind how difficult it is to break into my 1Password.com account and anyone attempting it will end up costing more money than they'll get out of me. I am not a good target if their goal is to make money off me. Most malicious attackers know this as well. They want easy targets that if they get nothing from it the cost was extremely minimal to them. Basically they profit in volume. To get volume they need easy targets. 1Password.com users are not easy targets.

    Most attacks that we would expect to be against our user data would be highly specific and targeted to users who would be targets anyway. They wouldn't attack our servers, they'd go after the user's devices as those are going to be significantly weaker, potentially easier to get, and significantly less costly.

    If you're being chased by a tiger, you don't have to outrun the tiger, you just have to outrun the slowest person. By using a password manager and more specifically 1Password, you're outrunning the slowest people. Those people not using a password manager that reuse passwords, write them on sticky notes, build them on their pet's name and year of birth or something like that. You're so far ahead of these people that you're generally not at risk unless you do something incredibly wrong. The easiest target will be those people not using password managers and there are so many of them out there that you're already doing yourself a major favor by using a password manager and updating your passwords to all be unique and strong.

    I hope that helps, but if you're at all on the technical side and want to know more about how 1Password.com stores and secures your data you can read about it in our white paper. I'm happy to answer any questions as well.

    Kyle

    AgileBits (Security Team / iOS and Mac developer)
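
The two-secret idea described in the post above, as an added sketch that is not AgileBits' code and not part of the original post: the vault key depends on both a Master Password and a device-held Secret Key, so server-side data alone gives nothing to test password guesses against. The PBKDF2/HKDF/XOR construction, the `server_record` stand-in, the 128-bit Secret Key size and all names and sample values are assumptions for illustration.

```python
import hashlib
import hmac
import math


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(master_password: str, secret_key: bytes, salt: bytes,
               iterations: int = 100_000) -> bytes:
    """Combine a slow password hash with a high-entropy device secret (assumed scheme)."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                  iterations, dklen=32)
    sk_part = hkdf_sha256(secret_key, salt, b"2skd-sketch")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def server_record(key: bytes) -> bytes:
    """Hypothetical stand-in for whatever a server keeps to check a derived key."""
    return hmac.new(key, b"verifier", hashlib.sha256).digest()


def password_only_search(record, salt, candidates, secret_key_guess):
    """Test password guesses against a record using a guessed Secret Key."""
    for pw in candidates:
        trial = server_record(derive_key(pw, secret_key_guess, salt))
        if hmac.compare_digest(trial, record):
            return pw
    return None


def search_space_bits(password_guesses: int, secret_key_bits: int) -> float:
    """Work needed when both secrets are unknown, in bits."""
    return math.log2(password_guesses) + secret_key_bits


# Constructed sample values, not real account data.
SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SECRET_KEY = bytes.fromhex("a1" * 16)          # 128-bit device secret
WEAK_PASSWORD = "fluffy1985"
WORDLIST = ["password", "letmein", "fluffy1985"]
RECORD = server_record(derive_key(WEAK_PASSWORD, SECRET_KEY, SALT))

if __name__ == "__main__":
    # The right password is in the wordlist, but without the Secret Key nothing matches.
    print(password_only_search(RECORD, SALT, WORDLIST, bytes(16)))
    print(password_only_search(RECORD, SALT, WORDLIST, SECRET_KEY))
    print(round(search_space_bits(10**6, 128), 2))
```

Even with a weak password inside a million-entry wordlist, the unknown Secret Key keeps the combined search space above 128 bits, which is the point the post makes about weak Master Passwords.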

  7. #22
    Forum Member bouncing's Avatar
    Join Date
    Dec 2016
    Share
    Digital Nomad
    Posts
    314
    Tagged
    0 Thread(s)
    Quote Originally Posted by AGKyle View Post
    I hope that helps, but if you're at all on the technical side and want to know more about how 1Password.com stores and secures your data you can read about it in our white paper. I'm happy to answer any questions as well.

    Kyle

    AgileBits (Security Team / iOS and Mac developer)
    Hey thanks for reaching out Kyle.

    I guess my real concern with 1Password's encryption-based, as opposed to authentication-based, solution is that encryption implementations are seldom perfect. Even the venerable OpenSSL and OpenPGP projects have had major vulnerabilities in the past.

    I really like 1Password and I do use it, but I think if you're really serious about security, your best bet is to not *just* rely on encryption, but also, rely on authentication and server security. Personally I still use 1Password's Wifi Sync, and then when I'm crossing a border, I put my vault in the cloud.

    Having said that, 1Password's Emergency Kit system is pretty appealing and I like what you did there with the family setup. It's clever -- maybe I'm just paranoid about putting all my eggs in one basket.

    Anyway, cheers! 1Password and Tom Bihn have this in common, I think: People prefer paying for high quality things, instead of looking for whatever's cheapest/free.

  8. #23
    Forum Member
    Join Date
    Jul 2005
    Share
    Bordeaux, Paris
    Posts
    219
    Tagged
    0 Thread(s)
    I use eWallet on both my mac, iPad, phone and PC, and have ever since I first bought it for the Palm Pilot. (yeah, Palm Pilot)
    It stores the passwords locally, which for me means Dropbox, so that I can manually sync across devices.

  9. #24
    Forum Member
    Join Date
    Jun 2011
    Posts
    568
    Tagged
    0 Thread(s)
    Quote Originally Posted by bouncing View Post
    Software developer here. I work a lot in security, though I'm neither a networking expert nor a cryptographer.

    I for one am gravely hesitant to use anything cloud-based, especially when the client for the cloud is downloaded locally. LastPass was compromised (that we know of) already once.

    It's not that I think LastPass, or 1Password, or Dashlane are sloppy. They're just big, fat, juicy targets for hackers and they only need to compromise a service once to get a gold mine of valuable data. Your data.

    If I use a cloud-based service, I prefer one application for the password manager and another for cloud storage. Using 1Password with Dropbox sync (instead of 1Password's own cloud sync) is an example of that strategy. You can also use an offline password manager and only store it locally, but then you have to manage your own backups. If you wipe your computers/tablets/phones when you cross any international border (which you should), you also can't easily recover that data like you can with a cloud-based service.

    So for my money, use something like 1Password or KeePass, and sync on Dropbox or Google Drive. If 1Password or KeePass is compromised, Dropbox probably won't be. If Dropbox is compromised, your vault is still encrypted.
    Very good advice. I'm doing something similar with Roboform - a password program that I've been using for many, many years.

    A password program is vital these days. With the number of websites requiring a login, we would otherwise re-use passwords - a very bad practice.

    Equally bad is using the password memory functions built into browsers - these are incredibly dangerous.
    When in trouble, obfuscate.

  10. #25
    Forum Member
    Join Date
    Jan 2014
    Share
    NJ, USA
    Posts
    191
    Tagged
    0 Thread(s)
    @MtnMan...

    << If I choose either of these services, what do I have to do? Do I download and activate something and then it just searches my computer for login information and instantly uploads all of it right then and there >>

    I don't think this is how it works, I think you'll need to initially give the service your passwords one by one. (Caveat: I don't use either, but I'm a computer security guy, and if that worked as you've described, it would be a really bad thing...)

    I use KeePassX on my mac, it's similar but it runs locally instead of on a website.

    If you're using a web-based password service, my recommendation would be to make sure you strengthen the "master password" you use to login to LastPass, etc, by setting up Multifactor/Two-factor Authentication (I think LastPass offers it, not sure if 1Password does, based on some quick searching...), like linking it to Google Authenticator. For any of these password management services, if someone gets your PW, you're done, they've got everything.

    Setting up a "passphrase" (like a 25 character combination based on random words) is good, and minimizes the likelihood of someone just guessing your PW, but if you are targeted and fall for a phishing attack and you're fooled into entering that credential, you're done.

  11. #26
    Forum Member Lani's Avatar
    Join Date
    Apr 2009
    Share
    Northern California
    Posts
    1,168
    Tagged
    0 Thread(s)
    I use a combination of LastPass and two-factor authentication. If the site allows me to use a code generator, I use an app called Authy that generates a one-time token instead of having something texted to me. I use 2FA for things like PayPal so people can't steal my password and use it because they aren't authorized without the second temporary code.

    Both LastPass and 1Password are very reliable. They are coded differently on the back end so that the encryption happens slightly differently, but they are both very good.

    Whatever you do, do NOT use SplashID. That is also a password system, but it is very sneaky. If you use the free version, you are able to update your files, but it does not sync up to the cloud. However IF you sign up for their paid version, then let the paid version expire, you can never return to the free version. It just LOCKS the version you have, so that you cannot change any of the information! I won't go so far as to call it ransomware, but I think it's pretty horrendous and poor customer service to pull this kind of stunt.

    I had years of passwords in SplashID. Thank goodness I can at least view my records. I'm slowly moving all my passwords over to LastPass.

  12. #27
    Forum Member
    Join Date
    Dec 2015
    Posts
    41
    Tagged
    0 Thread(s)
    I'm a 1Password user too, the old school version with a non-1Password.com storage. I'm kind of tempted to go for the 1Password.com online service, but am really feeling the subscription fatigue, and also the security implications of doing so.

    Previously was using KeePassX.

  13. #28
    Forum Member
    Join Date
    May 2014
    Share
    Minnesota
    Posts
    184
    Tagged
    0 Thread(s)
    Does anyone just use Apple’s built-in password security? It functions how I imagine 1Password or LastPass work, but I don’t know enough about either of them to comment on security between them and Apple’s.
    Boots, Bags, and Beer. (And Coffee)

  14. #29
    Forum Member bouncing's Avatar
    Join Date
    Dec 2016
    Share
    Digital Nomad
    Posts
    314
    Tagged
    0 Thread(s)
    Quote Originally Posted by DubbySmurf View Post
    Does anyone just use Apple’s built-in password security? It functions how I imagine 1Password or LastPass work, but I don’t know enough about either of them to comment on security between them and Apple’s.
    Similar, certainly.

    The big advantage of iCloud Keychain is that, obviously, it's well-integrated into your Mac and iPhone.

    The big disadvantage is that, IMO, Apple doesn't have an amazing track record on encryption or security. There have been multiple concerns and vulnerabilities with how iMessage encrypts its messages. MacOS's security is just plain bad. iCloud has suffered several high-profile intrusions. And in general, Apple tends to have corporate attention deficit disorder -- they work on something (like iCloud) for one release, then stop updating it.

    You also get flat-out more features with 1Password. It can store OTP tokens if you want. It stores credit cards, software licenses, wifi passwords, and more. Just secure notes. You know exactly when the vault is locked and unlocked. You can share vaults with friends. And its "emergency kit" is extremely well-thought-out.

    Plus, 1Password is cross-platform.

    IMO, the only real advantage iCloud Keychain has is integration with Safari on iOS. Other than that, I think 1Password is the clear winner.

  15. #30
    Forum Member
    Join Date
    Jun 2011
    Posts
    568
    Tagged
    0 Thread(s)
    Any password manager is better than none.
    It must be easy to use or you won't use it.
    The password managers built into browsers are useless and dangerous.
    Look at the security track record of the manager you are considering.
    Use one of the top rated managers.
    When in trouble, obfuscate.
