Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 08, 2016, 12:16:09 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: LastPass alternatives with two-factor authentication? (including premium LP)  (Read 11320 times)

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 10,329
    • View Profile
    • Donate to Member
LastPass alternatives with two-factor authentication? (including premium LP)
« Reply #25 on: August 25, 2015, 02:46:57 PM »
I'm currently using Enpass (www.enpass.io)

are you using that with any kind of two-factor authentication?


Edit// I took the liberty of changing the thread title to "LastPass alternatives with two-factor authentication? (including premium LP)"
Tom

rjbull

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,927
    • View Profile
    • Donate to Member
Re: LastPass alternatives? (including premium LP)
« Reply #26 on: August 25, 2015, 04:17:36 PM »
I wrote to LastPass support about this and they said it was for their stupid LastPass browser that is also built into the app. I told them the browser was superfluous and that they should separate it into another app if they wanted to include that functionality, because all I wanted from them was to be able to store and retrieve my passwords. They didn't really respond to that.
Isn't the problem that Google won't allow extensions to be added to any Android browser by a third party, so the only way to make logins seamless is for the password program's authors make their own browser with the functionality built in?  At least, that's what I thought from reading Sticky Password's information.

Every so often, the browser extension's auto-form-fill functionality stops working on sites where it has worked for months (or years). The only way I've found to get it to start working again is to delete the "site" and create it again.
I have a vaguely similar problem.  I usually use Sticky Password's floating window.  Occasionally it won't work with Opera for Android.  This appears to be Opera's problem, not SP's, as I also run Clipper+ and find that SP has sent the relevant information to the clipboard.  In other words, Opera temporarily won't accept a paste.  Rebooting doesn't always clear the problem.  However, I also have UC Browser HD as well as Sticky Password's own Sticky Browser, so one or other should work (I hope).

Is there anything out there that provides the convenience of LastPass (secure cloud storage/retrieval) for Android without any of the extra crap?
You'd probably feel SP has too much fluff and horsefeathers as well :)  But you don't have to actually use all of it.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,406
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
I wrote to LastPass support about this and they said it was for their stupid LastPass browser that is also built into the app. I told them the browser was superfluous and that they should separate it into another app if they wanted to include that functionality, because all I wanted from them was to be able to store and retrieve my passwords. They didn't really respond to that.
Isn't the problem that Google won't allow extensions to be added to any Android browser by a third party, so the only way to make logins seamless is for the password program's authors make their own browser with the functionality built in?  At least, that's what I thought from reading Sticky Password's information.

I'm on iOS, and that problem hasn't presented itself- it asked me once, and I said no.  It still works fine.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
I'm currently using Enpass (www.enpass.io)

are you using that with any kind of two-factor authentication?


Edit// I took the liberty of changing the thread title to "LastPass alternatives with two-factor authentication? (including premium LP)"

No. But as no user data is stored on their server (which is only used to sync between devices) would it be all that necessary? The data is encrypted by your device and remains on your device(s) so I don't see where some man-in-the-middle attempt would make any difference. All data is encrypyed and local. You wouldn't even need to decrypt in order to synchronize. It would be a little more work for the local clients  - but EnPass wouldn't need to worry or know about any of the the actual data.

Am I missing something?  :huh:



40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Am I the only person in the world who just remembers all of his passwords, instead of trusting any service (be it online or offline) to store it?

Yes.  :)

Yeah. I think so too.  :P

(Although I do memorize ALL my banking access codes.)

Jibz

  • Developer
  • Joined in 2005
  • ***
  • Posts: 1,126
    • View Profile
    • Donate to Member
I'm currently using Enpass (www.enpass.io)

I haven't tried it (was a bit surprised by having to enter an email and a captcha for a free download), but a quick google suggests it is a password database that does not offer auto-fill like LastPass and others, is this still the case?

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,716
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
I'm currently using Enpass (www.enpass.io)

I haven't tried it (was a bit surprised by having to enter an email and a captcha for a free download), but a quick google suggests it is a password database that does not offer auto-fill like LastPass and others, is this still the case?

I took the liberty of using a mailinator address to get the download: http://mailinator.co.../inbox.jsp?to=enpass

It does offer auto-fill on mobile devices (at least Android) if you use the built-in Enpass browser, but I don't see any sort of browser extension that would do something similar on PCs/Laptops.

I'm liking Enpass thus far. Thanks 40hz!


wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,406
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Thanks Deo, for that information.  Without a browser extension, I won't be trying it.  I use mine a lot to have my passwords available to my wife, and she's not really technical.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,716
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
Thanks Deo, for that information.  Without a browser extension, I won't be trying it.  I use mine a lot to have my passwords available to my wife, and she's not really technical.

It can import from LastPass. So you can continue to use LastPass in your browser on your desktop, and just use Enpass on your mobile device, if you'd like.

LastPass is $12/year on mobile. Enpass is a one-time $10 purchase.


wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,406
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Thanks Deo, for that information.  Without a browser extension, I won't be trying it.  I use mine a lot to have my passwords available to my wife, and she's not really technical.

It can import from LastPass. So you can continue to use LastPass in your browser on your desktop, and just use Enpass on your mobile device, if you'd like.

LastPass is $12/year on mobile. Enpass is a one-time $10 purchase.

Why would I do that?  Seems like two vectors instead of just one.  And two places to keep passwords updated, unless I continually import.  And no way to go back from an update in Enpass to Lasspass.  But thanks for the suggestion.

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 10,329
    • View Profile
    • Donate to Member
I'm currently using Enpass (www.enpass.io)

are you using that with any kind of two-factor authentication?


Edit// I took the liberty of changing the thread title to "LastPass alternatives with two-factor authentication? (including premium LP)"

No. But as no user data is stored on their server (which is only used to sync between devices) would it be all that necessary? The data is encrypted by your device and remains on your device(s) so I don't see where some man-in-the-middle attempt would make any difference. All data is encrypyed and local. You wouldn't even need to decrypt in order to synchronize. It would be a little more work for the local clients  - but EnPass wouldn't need to worry or know about any of the the actual data.

Am I missing something?  :huh:
well,
as you know, I'm no expert. But the idea that all anyone needs is one password and then they have access *all* my passwords, and more - I find that pretty scary.
Tom

MilesAhead

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 7,286
    • View Profile
    • Miles Ahead Software
    • Donate to Member
I'm currently using Enpass (www.enpass.io)

are you using that with any kind of two-factor authentication?


Edit// I took the liberty of changing the thread title to "LastPass alternatives with two-factor authentication? (including premium LP)"

No. But as no user data is stored on their server (which is only used to sync between devices) would it be all that necessary? The data is encrypted by your device and remains on your device(s) so I don't see where some man-in-the-middle attempt would make any difference. All data is encrypyed and local. You wouldn't even need to decrypt in order to synchronize. It would be a little more work for the local clients  - but EnPass wouldn't need to worry or know about any of the the actual data.

Am I missing something?  :huh:
well,
as you know, I'm no expert. But the idea that all anyone needs is one password and then they have access *all* my passwords, and more - I find that pretty scary.

We are on our way to Gattaca


40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
I'm currently using Enpass (www.enpass.io)

are you using that with any kind of two-factor authentication?


Edit// I took the liberty of changing the thread title to "LastPass alternatives with two-factor authentication? (including premium LP)"

No. But as no user data is stored on their server (which is only used to sync between devices) would it be all that necessary? The data is encrypted by your device and remains on your device(s) so I don't see where some man-in-the-middle attempt would make any difference. All data is encrypyed and local. You wouldn't even need to decrypt in order to synchronize. It would be a little more work for the local clients  - but EnPass wouldn't need to worry or know about any of the the actual data.

Am I missing something?  :huh:
well,
as you know, I'm no expert. But the idea that all anyone needs is one password and then they have access *all* my passwords, and more - I find that pretty scary.



Me too. (And I'm no expert either. ;D) Which is why I memorize passwords to critical things such as my bank accounts etc.

But even with that, the passwords in my password manager are not the actual passwords. They're merely memory joggers for the actual passwords. You'd need to know how my "system" (which is pretty idiosyncratic as I'll be the first to admit) works.

Not that it matters. Experts generally agree passwords are better than nothing but far from secure with today's computer resources and state of number theory. Passwords are risk mitigation rather than risk elimination tools.

Unfortunately, nobody is quite sure what to replace passwords with. So passwords it is for now.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
I'm currently using Enpass (www.enpass.io)

I haven't tried it (was a bit surprised by having to enter an email and a captcha for a free download), but a quick google suggests it is a password database that does not offer auto-fill like LastPass and others, is this still the case?


It's limited as far as autofill goes.  They keep promising additional browser plug-ins RSN. But we're still waiting.

That however, isn't a showstopper for me because I never use autofill since it's a security weakspot. Besides, the "passwords" you'll find in my EnPass database aren't the actual passwords anyway.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,406
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Unfortunately, nobody is quite sure what to replace passwords with. So passwords it is for now.

I'm actually starting to use Enigmaze.  

Quote
Enigmaze is a Premium Hardcover Notebook Specifically Designed to Quickly Create and Store Strong Passwords.

enigmaze.png

enigmaze features.jpgLastPass alternatives with two-factor authentication? (including premium LP)


I backed it in the Kickstarter.  But that doesn't solve my problem with sharing with my wife, so I don't use it for all of them (of course, 2 factor has that problem too- but with lastpass, I authenticate once and am done).  It's now on Amazon if you're interested.

cyberdiva

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 982
    • View Profile
    • Donate to Member
Isn't the problem that Google won't allow extensions to be added to any Android browser by a third party, so the only way to make logins seamless is for the password program's authors make their own browser with the functionality built in?  At least, that's what I thought from reading Sticky Password's information.
Perhaps I've misunderstood you, but I thought I should mention that I use LastPass on both the PaleMoon browser for Android and the Dolphin browser for Android.  Dolphin has a LastPass for Dolphin extension.  I'm not sure what PaleMoon does, but I know LP has worked on the Android version of the browser.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,716
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
I'm actually starting to use Enigmaze.

So basically, it's time to go back to using PasswordCard?


4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 4,474
    • View Profile
    • Donate to Member
I'm actually starting to use Enigmaze.

So basically, it's time to go back to using PasswordCard?

That's what I use, eight PasswordCards, same symbol/colour on each but different directions, and for longer passwords I just combine two cards.

After I've entered the passwords a few times I've generally memorised them.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,406
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
I don't get how you use that for multiple sites?  And you just have to remember where the password is?  I like the Enigmaze idea better with a diary and UV light and you can trace any path, though that is an interesting idea I'd not seen.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
I'm actually starting to use Enigmaze.

So basically, it's time to go back to using PasswordCard?

Why not? It's still a handy method to employ.

FWIW I use a variation on that methodology for access to my client's servers with their 20+ character admin passwords. Extremely secure - and it gets the job done.

@Wraith - nice find!  That Enigmaze book is pretty cool.

rjbull

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,927
    • View Profile
    • Donate to Member
Isn't the problem that Google won't allow extensions to be added to any Android browser by a third party [...]
Perhaps I've misunderstood you, but I thought I should mention that I use LastPass on both the PaleMoon browser for Android and the Dolphin browser for Android.  Dolphin has a LastPass for Dolphin extension.

Sorry - 'twas I that misunderstood.  I thought Google's terms banned any third party from adding extensions to any browser.  It turns out Google aren't quite so Draconian, only banning extensions for their own Chrome.  Sticky Password's team tell me it has an extension giving automated logins to Android Firefox.  Similar things are still in the works for Dolphin and UCWeb, so currently Lastpass is ahead.

As an aside, I still wonder which Android browser is "best."  With Window Opera now based on Chrome, presumably Android Opera is too; who knows how much data it's sending to Google?  UC Browser makes DC look strange (haven't tried it yet with the DC New Look).  A year or so back, I saw a very favourable review in a UK magazine for Maxthon, but recent reviews in the App Store complain bitterly about a drastically changed UI that removes tabs.  Reviews for Firefox in the App Store complain it's a resource hog.  In fact, nearly everything in the App Store seems to garner incredibly mixed reviews. 

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 4,474
    • View Profile
    • Donate to Member
I don't get how you use that for multiple sites?  And you just have to remember where the password is?  I like the Enigmaze idea better with a diary and UV light and you can trace any path, though that is an interesting idea I'd not seen.

Not sure whether you were referring to how I use them or not but as an example here's two cards, (like I said, I use eight):

card1.pngLastPass alternatives with two-factor authentication? (including premium LP) card2.pngLastPass alternatives with two-factor authentication? (including premium LP)

Say I choose for my reference Yellow + Sun, without getting too fancy, that gives me six 8+ character passwords on the first, five on the second.

Generally, I'll use the same password, (and an unrelated username to 'normal' sites), across low-grade sites, ie. any site that it doesn't matter if someone logs in as me and screws it up because, quite honestly, I couldn't care less, (I use a throw away Gmail address for these anyway).

For more important sites, (that still don't have direct monetary links, eg. DC), I'll use an individual 8+ character password off one of the cards.

For my VPS' and banks, I use a combination of two of the 8+ character passwords off two of the cards, ie. a 16+ character password, plus TFA.

Shopping sites generally get a combination of two passwords.

For my Gmail addresses I mainly use the same password plus TFA except for two that are used for banking, they have a 28 character passphrases plus TFA.

Also, the number of sites I visit is probably depressingly low compared to other net denizens, so after I've used the various passwords a few times, they've generally stuck in my mind.

The normal way you'd use these cards is you'd only have one and for each site you'd choose a symbol/colour combination but I found that harder to memorise since I then have to associate the arbitrary symbol/colour with a website, then remember which direction to read the password.

So, someone has to choose which one, (or two), of the eight cards I'm using, which symbol/colour I might be starting from, which direction I might be going, and how far along that line I might be traveling.

The eight images are encrypted on my phone, stored online (so I can access from elsewhere), and also a printed out version, using PocketMod, that's the same size as a credit card.
« Last Edit: August 31, 2015, 05:08:15 AM by 4wd »

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,845
    • View Profile
    • Donate to Member
Re: LastPass alternatives with two-factor authentication? (including premium LP)
« Reply #47 on: September 05, 2015, 06:36:37 PM »
Another reason for things along the lines of Enigmaze?

Quote
Security experts constantly tell users not to reuse passwords on multiple accounts, but the message often falls on deaf ears. Now, officials at Mozilla are finding that advanced users don’t always follow that advice either after discovering that an attacker was able to compromise a Bugzilla user’s account by using a password taken from a data breach on a separate site.

via https://threatpost.c...ability-data/114552/

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,406
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: LastPass alternatives with two-factor authentication? (including premium LP)
« Reply #48 on: September 05, 2015, 09:34:55 PM »
I don't get how you use that for multiple sites?  And you just have to remember where the password is?  I like the Enigmaze idea better with a diary and UV light and you can trace any path, though that is an interesting idea I'd not seen.

Not sure whether you were referring to how I use them or not but as an example here's two cards, (like I said, I use eight):

[ Invalid Attachment ] [ Invalid Attachment ]

Say I choose for my reference Yellow + Sun, without getting too fancy, that gives me six 8+ character passwords on the first, five on the second.

Generally, I'll use the same password, (and an unrelated username to 'normal' sites), across low-grade sites, ie. any site that it doesn't matter if someone logs in as me and screws it up because, quite honestly, I couldn't care less, (I use a throw away Gmail address for these anyway).

For more important sites, (that still don't have direct monetary links, eg. DC), I'll use an individual 8+ character password off one of the cards.

For my VPS' and banks, I use a combination of two of the 8+ character passwords off two of the cards, ie. a 16+ character password, plus TFA.

Shopping sites generally get a combination of two passwords.

For my Gmail addresses I mainly use the same password plus TFA except for two that are used for banking, they have a 28 character passphrases plus TFA.

Also, the number of sites I visit is probably depressingly low compared to other net denizens, so after I've used the various passwords a few times, they've generally stuck in my mind.

The normal way you'd use these cards is you'd only have one and for each site you'd choose a symbol/colour combination but I found that harder to memorise since I then have to associate the arbitrary symbol/colour with a website, then remember which direction to read the password.

So, someone has to choose which one, (or two), of the eight cards I'm using, which symbol/colour I might be starting from, which direction I might be going, and how far along that line I might be traveling.

The eight images are encrypted on my phone, stored online (so I can access from elsewhere), and also a printed out version, using PocketMod, that's the same size as a credit card.


Pretty cool!  Thanks for sharing!

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 4,474
    • View Profile
    • Donate to Member
Re: LastPass alternatives with two-factor authentication? (including premium LP)
« Reply #49 on: September 05, 2015, 10:06:23 PM »
Pretty cool!  Thanks for sharing!

You're welcome.

I forgot to mention, any user/password for a site that does not have some form of monetary link, (eg. DC, etc), I have Pale Moon store the details and a master password set, (not taken from PasswordCards).

Details for banks, VPNs, online stores, etc (anything to do with CC details, finances, etc) are not saved anywhere - the password may be derived from the cards eventually but the login username/ID is not stored anywhere electronic or physical.

I keep meaning to transition all the Pale Moon stored logins to KeePass but ... procrastination and all that.