LastPass alternatives with two-factor authentication? (including premium LP)

[tomos]

Prompted by the breach at Lastpass (LastPass hacked), I'm looking for a safe alternative to the free version of Lastpass.
(I'm thinking mainly for desktop & Windows.)

One alternative is to go premium with Lastpass ($12 per annum) and get a Yubikey

Lastpass's summary of how Yubikey works

Enabling the YubiKey with LastPass

Once you have your YubiKey, enabling it with LastPass only takes a few steps:
Login to LastPass and open the LastPass Icon > My LastPass Vault > Settings > Multifactor Options tab.
Select the YubiKey option.
Insert the YubiKey device into a USB port on your computer.
Focus your cursor on the “YubiKey #1” field.
Press the button on the YubiKey device.
A long string of dots should appear in the YubiKey #1 field.
Change the “YubiKey Authentication” status to “Enabled”, and press the Update button.
Enter your LastPass master password and press Confirm.
YubiKey is now enabled for your LastPass account.

One problem is that they offer four different Yubikey versions - and the comparison page is all double-ductch to me:
https://www.yubico.c...ts/yubikey-hardware/

So, interested in thoughts on Lastpass *and* also other options that might be safer to use than the free Lastpass.

[Jibz]

2FA is the only way to make access to a cloud based password solution reasonably safe. You still have to trust them to store your data safely on their side.

The other option is to use a local solution. Some of those (1password, StickyPassword) can even sync over Wi-Fi only.

[tomos]

Thanks Jibz

The other option is to use a local solution. Some of those (1password, StickyPassword) can even sync over Wi-Fi only.

-Jibz (June 16, 2015, 06:22 AM)

not sure what exactly you mean by "can even sync over Wi-Fi only". Is it that it can sync passwords stored locally with ones online?
[edit] I see it will sync the encrypted passwords between devices. IIUC this is what LastPass does as well - but I presume that each would store my master password in their databases. Where the two factor authentication comes in again I guess. [/edit]


I had done a search but managed to miss the recent Windows thread from rjbull ...
Newer password keepers/form-fillers - anyone using Dashlane or 1Password?
[edit] :-/ even more embarrassed to see I posted in it :-) [/edit]

[wraith808]

Prompted by the breach at Lastpass (LastPass hacked), I'm looking for a safe alternative to the free version of Lastpass.
(I'm thinking mainly for desktop & Windows.)

One alternative is to go premium with Lastpass ($12 per annum) and get a YubikeyOne problem is that they offer four different Yubikey versions - and the comparison page is all double-ductch to me:
https://www.yubico.c...ts/yubikey-hardware/

So, interested in thoughts on Lastpass *and* also other options that might be safer to use than the free Lastpass.

-tomos (June 16, 2015, 05:54 AM)

You can enable 2-factor even on Lastpass free.  Use Microsoft or Google's authenticator and you're good to go.  I have LP free while I'm evaluating it, and that's what I'm using.

[tomos]

Thanks wraith, will check that out.

ah yeah, I'm working from desktop here:
there doesnt seem to be a version of Google's (or MS's) authenticator for windows - well not for Win.7 at any rate.
I came across recommendations for WinAuth (Windows Authenticator) - https://github.com/winauth/winauth
might try that out.
https://winauth.com/

[wraith808]

Thanks wraith, will check that out.

ah yeah, I'm working from desktop here:
there doesnt seem to be a version of Google's (or MS's) authenticator for windows - well not for Win.7 at any rate.
I came across recommendations for WinAuth (Windows Authenticator) - https://github.com/winauth/winauth
might try that out.
https://winauth.com/

-tomos (June 16, 2015, 10:46 AM)

You don't have a mobile at all?  You should be able to install that on your mobile... and your mobile phone becomes your 'key'.

[xtabber]

I personally don't use an online password system, but if I did, LastPass is actually the one I would use. At least they were smart enough to see relatively quickly that their security had been breached and the methods they use to encrypt user data seem as strong as anyone else out there.

Anything connected to the Internet is going to be vulnerable to hacking.  Someone capable of hacking into Kasperksy Labs internal network clearly has the knowhow to hack into just about anyone else's network too.  Kaspersky believes that only a state actor (think NSA or their equivalents in China, Russia or Israel) could have mounted the attack on them, but once you have a proof of concept, it won't take long to trickle down to clever hackers in private practice.

I keep my passwords locally in an encrypted database (eWallet), along with a lot of other private information I need to look up from time to time.  But I also distinguish between types of passwords needed for different sites.  I use the same passwords for a lot of sites of similar nature where I have nothing to lose if it is discovered - think subscriptions, forums, etc.  They are easy for me to remember but long enough to challenge the weekend hacker. For anything that might involve money, I use separate and more secure passwords.  The important thing is to make them long, not to use weird combinations that you can't reproduce or enter by hand.

An online password manager provides a certain amount of convenience, and probably enough security for most casual use.  I just don't think I would trust one with anything really critical.

[tomos]

Thanks wraith, will check that out.

ah yeah, I'm working from desktop here:
there doesnt seem to be a version of Google's (or MS's) authenticator for windows - well not for Win.7 at any rate.
I came across recommendations for WinAuth (Windows Authenticator) - https://github.com/winauth/winauth
might try that out.
https://winauth.com/

-tomos (June 16, 2015, 10:46 AM)

You don't have a mobile at all?  You should be able to install that on your mobile... and your mobile phone becomes your 'key'.

-wraith808 (June 16, 2015, 11:15 AM)

ah okay, I hadn't understood the concept. (Thanks.)

[app103]

You could try KeePass, and require both a password AND a keyfile to access your database. You would store your keyfile on a small capacity USB flash drive, so that it could work similar to a Yubikey.

This could also allow you to more safely store a backup of your database on a cloud storage service, such as dropbox, as long as you don't also store a copy of your keyfile there.

Backing up your keyfile would be best done by using multiple flash drives, storing your backups locked away some place safe. (good use for some of those cheap small capacity flash drives that are not useful for much else, often given away as promotional items)

As long as a copy of the keyfile is not stored on the same system as the application or the database, you should be ok.

[KynloStephen66515]

Am I the only person in the world who just remembers all of his passwords, instead of trusting any service (be it online or offline) to store it?

[tomos]

Thanks app, xtabber.

Am I the only person in the world who just remembers all of his passwords, instead of trusting any service (be it online or offline) to store it?

-Stephen66515 (June 16, 2015, 01:46 PM)

how many

[MilesAhead]

Am I the only person in the world who just remembers all of his passwords, instead of trusting any service (be it online or offline) to store it?

-Stephen66515 (June 16, 2015, 01:46 PM)

Yes. 

[rgdot]

Am I the only person in the world who just remembers all of his passwords, instead of trusting any service (be it online or offline) to store it?

-Stephen66515 (June 16, 2015, 01:46 PM)

I remember most if not all too, but in the world needing complex passwords that shouldn't be the way if it discourages you from having passwords like dsae$^TFV11d

[KynloStephen66515]

Most of my passwords are pretty complex, I've just always made a point of remembering them (Although I've always been good with remembering things like this...but useless at remembering peoples names/birthdays haha)

[wraith808]

Am I the only person in the world who just remembers all of his passwords, instead of trusting any service (be it online or offline) to store it?

-Stephen66515 (June 16, 2015, 01:46 PM)

I used to... but using a password manager has enabled me to have a lot of different passwords rather than just variations on the same few.

[Deozaan]

Just keep using LastPass (with two-factor authentication). They're "doing it right."

But don't take my word for it. Steve Gibson knows a lot more about encryption and security than I do. Here what he has to say about LastPass:

Check it out starting at ~53 minutes for a basic description of the importance of long, varied passwords.

For the question of whether or not you can trust LastPass, check out ~72m44s (1:12:44).

[app103]

Am I the only person in the world who just remembers all of his passwords, instead of trusting any service (be it online or offline) to store it?

-Stephen66515 (June 16, 2015, 01:46 PM)

If you had nearly 400 different passwords, most of which look like they were randomly generated, not all of which belong to you, do you think you could remember them all, along with other important information, like which email address was used? What about important (and often confidential) client info necessary to do your job(s)?

If all I had was a handful of simple passwords of my own to remember, it might be possible, but since I don't, I need somewhere to store them.

[TaoPhoenix]

Most of my passwords are pretty complex, I've just always made a point of remembering them (Although I've always been good with remembering things like this...but useless at remembering peoples names/birthdays haha)

-Stephen66515 (June 16, 2015, 02:48 PM)

(Overheard in Stephen's home)
"Honey! You forgot our anniversary again!"
"Sorry babe, you know how it is ..."
"Well, I got an idea. I signed you up for that KeepSake Reminder service. Your username is Stevie."
"What's the password?"
"Our anniversary!"

(Stephen Facepalms!)

 

[x16wda]

An online password manager provides a certain amount of convenience, and probably enough security for most casual use.  I just don't think I would trust one with anything really critical.

-xtabber (June 16, 2015, 11:19 AM)

That's what I use Lastpass for. It remembers the forum passwords and fills them for me, but it also allows me to create "secure notes" that contain hints - useful only to me - about passwords for more sensitive sites (like banking).

[Perry Mowbray]

I've been using mitro.co as it's free on the phone as well.

[tomos]

One alternative is to go premium with Lastpass ($12 per annum) and get a YubikeyOne problem is that they offer four different Yubikey versions - and the comparison page is all double-ductch to me:
https://www.yubico.c...ts/yubikey-hardware/

So, interested in thoughts on Lastpass *and* also other options that might be safer to use than the free Lastpass.

-tomos (June 16, 2015, 05:54 AM)

You can enable 2-factor even on Lastpass free.  Use Microsoft or Google's authenticator and you're good to go.  I have LP free while I'm evaluating it, and that's what I'm using.

-wraith808 (June 16, 2015, 10:12 AM)

I've been using the google Authenticator with Lastpass and I've noticed this flaw:

Say I'm trying to login to google: I click the little symbol in the name field and the Lastpass window pops up.
I fill in my Lastpass password and (in this browser at any rate) a new tab opens requesting the verification code.
But, meanwhile, in the google tab, the name/password fields have been filled:
I am able to login there, *without* having finished my Lastpass login, i.e. without having filled in the verification code.

That defeats the purpose. I'm wondering should I report to Lastpass, or is this a case of them really wanting us to go the paid route.


EDIT// that problem is in Iron browser (but not in PaleMoon) - can anyone confirm in Chrome?

[tomos]

EDIT// that problem is in Iron browser (but not in PaleMoon) - can anyone confirm in Chrome?

-tomos (July 20, 2015, 11:59 AM)

I'm unable to reproduce this in Chrome - it's very odd still, that it happens in *any* browser.
Makes me wary.

[tomos]

summary:
with google authenticator required for logging in to Lastpass, I'm often able to bypass using it, when logging into certain sites (Ebay, google).

Say I'm trying to login to google: I click the little symbol in the name field and the Lastpass window pops up.
I fill in my Lastpass password and (in this browser at any rate) a new tab opens requesting the verification code.

-tomos (July 20, 2015, 11:59 AM)

^ that was in Iron portable. I have been able though to reproduce this in Firefox and PaleMoon.
Basically, with google Authenticator required for Laspass:

• open your login page
• click on the little symbol in one of the fields - that will open Lastpass dialogue
• type in your Lastpass password
• google Authenticator dialogue opens - in the back, *sometimes* the login details including password will be filled in already
• close google Authenticator dialogue - Lastpass is not logged in, yet you have gotten logged into your site without filling in google Authenticator

The above flaw has worked for me with gmail and Ebay. Not with dc oddly ;-)

It's possible this is not a problem with Lastpass, but rather with the browser cookie settings. Or the site's cookies.
I was always amazed, that I could just type 'inbox' in the addressbar, select my gmail inbox link - and it would load without requiring a login, no matter what my login settings were for google. This was a problem with (default) cookie settings - but I would still hold google at fault for not changing things from their end.


I cant even find cookie settings in FF 39 :-/

[Deozaan]

So, recently I've been a bit unhappy with where LastPass is going. My subscription is due for renewal soon, so I figured I'd consider alternatives.

Things I'm not liking about LastPass:

• The mobile (Android) app is now asking for location permissions. I feel there's no need for a password manager to need my location. I wrote to LastPass support about this and they said it was for their stupid LastPass browser that is also built into the app. I told them the browser was superfluous and that they should separate it into another app if they wanted to include that functionality, because all I wanted from them was to be able to store and retrieve my passwords. They didn't really respond to that.
• The browser add-on is now nagging me to "try LastPass Enterprise!" I'm already paying for LastPass Premium, and I'm just one person. Stop nagging me to try something meant for large companies!
• Every so often, the browser extension's auto-form-fill functionality stops working on sites where it has worked for months (or years). The only way I've found to get it to start working again is to delete the "site" and create it again.

I pretty much only pay for LastPass Premium to access my passwords on Android. And I don't use any of the features of the LastPass app (on Android) other than simply retrieving my passwords. I don't use their stupid browser. I don't have it auto-fill passwords or prompt me with login info, nor generate passwords on Android. Is there anything out there that provides the convenience of LastPass (secure cloud storage/retrieval) for Android without any of the extra crap?

[40hz]

I'm currently using Enpass (www.enpass.io)

Syncs across virtually any platform (Linux too!), no user data stored on Enpass servers, one time purchase - no subscription, no sign-up required, sync through any cloud service, all encryption (AES256) handled by your own device. Full feature desktop client is free. Mobile platforms run around $10 for the "pro" (i.e. full) version. Trial versions available.

Lots to like here. I've been using it for about 6 months. Zero problems to date.