Author Topic: LastPass alternatives with two-factor authentication? (including premium LP) (Read 45238 times)

tomos · « **Reply #25 on:** August 25, 2015, 02:46 PM »

I'm currently using Enpass (www.enpass.io)
-40hz (August 25, 2015, 12:53 PM)

are you using that with any kind of two-factor authentication?

Edit// I took the liberty of changing the thread title to "LastPass alternatives with two-factor authentication? (including premium LP)"

rjbull · « **Reply #26 on:** August 25, 2015, 04:17 PM »

I wrote to LastPass support about this and they said it was for their stupid LastPass browser that is also built into the app. I told them the browser was superfluous and that they should separate it into another app if they wanted to include that functionality, because all I wanted from them was to be able to store and retrieve my passwords. They didn't really respond to that.
-Deozaan (August 25, 2015, 11:28 AM)

Isn't the problem that Google won't allow extensions to be added to any Android browser by a third party, so the only way to make logins seamless is for the password program's authors make their own browser with the functionality built in? At least, that's what I thought from reading Sticky Password's information.

Every so often, the browser extension's auto-form-fill functionality stops working on sites where it has worked for months (or years). The only way I've found to get it to start working again is to delete the "site" and create it again.
-Deozaan (August 25, 2015, 11:28 AM)

I have a vaguely similar problem. I usually use Sticky Password's floating window. Occasionally it won't work with Opera for Android. This appears to be Opera's problem, not SP's, as I also run Clipper+ and find that SP has sent the relevant information to the clipboard. In other words, Opera temporarily won't accept a paste. Rebooting doesn't always clear the problem. However, I also have UC Browser HD as well as Sticky Password's own Sticky Browser, so one or other should work (I hope).

Is there anything out there that provides the convenience of LastPass (secure cloud storage/retrieval) for Android without any of the extra crap?
-Deozaan (August 25, 2015, 11:28 AM)

You'd probably feel SP has too much fluff and horsefeathers as well

But you don't have to actually use all of it.

wraith808 · « **Reply #27 on:** August 25, 2015, 04:25 PM »

I wrote to LastPass support about this and they said it was for their stupid LastPass browser that is also built into the app. I told them the browser was superfluous and that they should separate it into another app if they wanted to include that functionality, because all I wanted from them was to be able to store and retrieve my passwords. They didn't really respond to that.
-Deozaan (August 25, 2015, 11:28 AM)
Isn't the problem that Google won't allow extensions to be added to any Android browser by a third party, so the only way to make logins seamless is for the password program's authors make their own browser with the functionality built in? At least, that's what I thought from reading Sticky Password's information.
-rjbull (August 25, 2015, 04:17 PM)

I'm on iOS, and that problem hasn't presented itself- it asked me once, and I said no. It still works fine.

40hz · « **Reply #28 on:** August 25, 2015, 04:29 PM »

I'm currently using Enpass (www.enpass.io)
-40hz (August 25, 2015, 12:53 PM)

are you using that with any kind of two-factor authentication?

Edit// I took the liberty of changing the thread title to "LastPass alternatives with two-factor authentication? (including premium LP)"
-tomos (August 25, 2015, 02:46 PM)

No. But as no user data is stored on their server (which is only used to sync between devices) would it be all that necessary? The data is encrypted by your device and remains on your device(s) so I don't see where some man-in-the-middle attempt would make any difference. All data is encrypyed and local. You wouldn't even need to decrypt in order to synchronize. It would be a little more work for the local clients - but EnPass wouldn't need to worry or know about any of the the actual data.

Am I missing something?

40hz · « **Reply #29 on:** August 25, 2015, 04:32 PM »

Am I the only person in the world who just remembers all of his passwords, instead of trusting any service (be it online or offline) to store it?
-Stephen66515 (June 16, 2015, 01:46 PM)

Yes.
-MilesAhead (June 16, 2015, 02:08 PM)

Yeah. I think so too.

(Although I do memorize ALL my banking access codes.)

Jibz · « **Reply #30 on:** August 25, 2015, 05:02 PM »

I'm currently using Enpass (www.enpass.io)
-40hz (August 25, 2015, 12:53 PM)

I haven't tried it (was a bit surprised by having to enter an email and a captcha for a free download), but a quick google suggests it is a password database that does not offer auto-fill like LastPass and others, is this still the case?

Deozaan · « **Reply #31 on:** August 25, 2015, 07:36 PM »

I'm currently using Enpass (www.enpass.io)
-40hz (August 25, 2015, 12:53 PM)

I haven't tried it (was a bit surprised by having to enter an email and a captcha for a free download), but a quick google suggests it is a password database that does not offer auto-fill like LastPass and others, is this still the case?
-Jibz (August 25, 2015, 05:02 PM)

I took the liberty of using a mailinator address to get the download: http://mailinator.co.../inbox.jsp?to=enpass

It does offer auto-fill on mobile devices (at least Android) if you use the built-in Enpass browser, but I don't see any sort of browser extension that would do something similar on PCs/Laptops.

I'm liking Enpass thus far. Thanks 40hz!

wraith808 · « **Reply #32 on:** August 25, 2015, 09:58 PM »

Thanks Deo, for that information. Without a browser extension, I won't be trying it. I use mine a lot to have my passwords available to my wife, and she's not really technical.

Deozaan · « **Reply #33 on:** August 25, 2015, 10:08 PM »

Thanks Deo, for that information. Without a browser extension, I won't be trying it. I use mine a lot to have my passwords available to my wife, and she's not really technical.
-wraith808 (August 25, 2015, 09:58 PM)

It can import from LastPass. So you can continue to use LastPass in your browser on your desktop, and just use Enpass on your mobile device, if you'd like.

LastPass is $12/year on mobile. Enpass is a one-time $10 purchase.

wraith808 · « **Reply #34 on:** August 25, 2015, 10:20 PM »

Thanks Deo, for that information. Without a browser extension, I won't be trying it. I use mine a lot to have my passwords available to my wife, and she's not really technical.
-wraith808 (August 25, 2015, 09:58 PM)

It can import from LastPass. So you can continue to use LastPass in your browser on your desktop, and just use Enpass on your mobile device, if you'd like.

LastPass is $12/year on mobile. Enpass is a one-time $10 purchase.
-Deozaan (August 25, 2015, 10:08 PM)

Why would I do that? Seems like two vectors instead of just one. And two places to keep passwords updated, unless I continually import. And no way to go back from an update in Enpass to Lasspass. But thanks for the suggestion.

tomos · « **Reply #35 on:** August 26, 2015, 03:43 AM »

I'm currently using Enpass (www.enpass.io)
-40hz (August 25, 2015, 12:53 PM)

are you using that with any kind of two-factor authentication?

Edit// I took the liberty of changing the thread title to "LastPass alternatives with two-factor authentication? (including premium LP)"
-tomos (August 25, 2015, 02:46 PM)

No. But as no user data is stored on their server (which is only used to sync between devices) would it be all that necessary? The data is encrypted by your device and remains on your device(s) so I don't see where some man-in-the-middle attempt would make any difference. All data is encrypyed and local. You wouldn't even need to decrypt in order to synchronize. It would be a little more work for the local clients - but EnPass wouldn't need to worry or know about any of the the actual data.

Am I missing something?
-40hz (August 25, 2015, 04:29 PM)

well,
as you know, I'm no expert. But the idea that all anyone needs is one password and then they have access *all* my passwords, and more - I find that pretty scary.

MilesAhead · « **Reply #36 on:** August 26, 2015, 07:41 AM »

I'm currently using Enpass (www.enpass.io)
-40hz (August 25, 2015, 12:53 PM)

are you using that with any kind of two-factor authentication?

Edit// I took the liberty of changing the thread title to "LastPass alternatives with two-factor authentication? (including premium LP)"
-tomos (August 25, 2015, 02:46 PM)

No. But as no user data is stored on their server (which is only used to sync between devices) would it be all that necessary? The data is encrypted by your device and remains on your device(s) so I don't see where some man-in-the-middle attempt would make any difference. All data is encrypyed and local. You wouldn't even need to decrypt in order to synchronize. It would be a little more work for the local clients - but EnPass wouldn't need to worry or know about any of the the actual data.

Am I missing something?
-40hz (August 25, 2015, 04:29 PM)
well,
as you know, I'm no expert. But the idea that all anyone needs is one password and then they have access *all* my passwords, and more - I find that pretty scary.
-tomos (August 26, 2015, 03:43 AM)

We are on our way to Gattaca

40hz · « **Reply #37 on:** August 26, 2015, 08:22 AM »

I'm currently using Enpass (www.enpass.io)
-40hz (August 25, 2015, 12:53 PM)

are you using that with any kind of two-factor authentication?

Edit// I took the liberty of changing the thread title to "LastPass alternatives with two-factor authentication? (including premium LP)"
-tomos (August 25, 2015, 02:46 PM)

No. But as no user data is stored on their server (which is only used to sync between devices) would it be all that necessary? The data is encrypted by your device and remains on your device(s) so I don't see where some man-in-the-middle attempt would make any difference. All data is encrypyed and local. You wouldn't even need to decrypt in order to synchronize. It would be a little more work for the local clients - but EnPass wouldn't need to worry or know about any of the the actual data.

Am I missing something?
-40hz (August 25, 2015, 04:29 PM)
well,
as you know, I'm no expert. But the idea that all anyone needs is one password and then they have access *all* my passwords, and more - I find that pretty scary.
-tomos (August 26, 2015, 03:43 AM)

Me too. (And I'm no expert either.

) Which is why I memorize passwords to critical things such as my bank accounts etc.

But even with that, the passwords in my password manager are not the actual passwords. They're merely memory joggers for the actual passwords. You'd need to know how my "system" (which is pretty idiosyncratic as I'll be the first to admit) works.

Not that it matters. Experts generally agree passwords are better than nothing but far from secure with today's computer resources and state of number theory. Passwords are risk mitigation rather than risk elimination tools.

Unfortunately, nobody is quite sure what to replace passwords with. So passwords it is for now.

40hz · « **Reply #38 on:** August 26, 2015, 08:29 AM »

I'm currently using Enpass (www.enpass.io)
-40hz (August 25, 2015, 12:53 PM)

I haven't tried it (was a bit surprised by having to enter an email and a captcha for a free download), but a quick google suggests it is a password database that does not offer auto-fill like LastPass and others, is this still the case?

-Jibz (August 25, 2015, 05:02 PM)

It's limited as far as autofill goes. They keep promising additional browser plug-ins RSN. But we're still waiting.

That however, isn't a showstopper for me because I never use autofill since it's a security weakspot. Besides, the "passwords" you'll find in my EnPass database aren't the actual passwords anyway.

wraith808 · « **Reply #39 on:** August 26, 2015, 09:52 AM »

Unfortunately, nobody is quite sure what to replace passwords with. So passwords it is for now.
-40hz (August 26, 2015, 08:22 AM)

I'm actually starting to use Enigmaze.

Enigmaze is a Premium Hardcover Notebook Specifically Designed to Quickly Create and Store Strong Passwords.

LastPass alternatives with two-factor authentication? (including premium LP)

I backed it in the Kickstarter. But that doesn't solve my problem with sharing with my wife, so I don't use it for all of them (of course, 2 factor has that problem too- but with lastpass, I authenticate once and am done). It's now on Amazon if you're interested.

cyberdiva · « **Reply #40 on:** August 26, 2015, 06:20 PM »

Isn't the problem that Google won't allow extensions to be added to any Android browser by a third party, so the only way to make logins seamless is for the password program's authors make their own browser with the functionality built in? At least, that's what I thought from reading Sticky Password's information.
-rjbull (August 25, 2015, 04:17 PM)

Perhaps I've misunderstood you, but I thought I should mention that I use LastPass on both the PaleMoon browser for Android and the Dolphin browser for Android. Dolphin has a LastPass for Dolphin extension. I'm not sure what PaleMoon does, but I know LP has worked on the Android version of the browser.

Deozaan · « **Reply #41 on:** August 26, 2015, 08:41 PM »

I'm actually starting to use Enigmaze.
-wraith808 (August 26, 2015, 09:52 AM)

So basically, it's time to go back to using PasswordCard?

4wd · « **Reply #42 on:** August 26, 2015, 10:52 PM »

I'm actually starting to use Enigmaze.
-wraith808 (August 26, 2015, 09:52 AM)

So basically, it's time to go back to using PasswordCard?
-Deozaan (August 26, 2015, 08:41 PM)

That's what I use, eight PasswordCards, same symbol/colour on each but different directions, and for longer passwords I just combine two cards.

After I've entered the passwords a few times I've generally memorised them.

wraith808 · « **Reply #43 on:** August 27, 2015, 08:04 AM »

I don't get how you use that for multiple sites? And you just have to remember where the password is? I like the Enigmaze idea better with a diary and UV light and you can trace any path, though that is an interesting idea I'd not seen.

40hz · « **Reply #44 on:** August 27, 2015, 10:02 AM »

I'm actually starting to use Enigmaze.
-wraith808 (August 26, 2015, 09:52 AM)

So basically, it's time to go back to using PasswordCard?
-Deozaan (August 26, 2015, 08:41 PM)

Why not? It's still a handy method to employ.

FWIW I use a variation on that methodology for access to my client's servers with their 20+ character admin passwords. Extremely secure - and it gets the job done.

@Wraith - nice find! That Enigmaze book is pretty cool.

rjbull · « **Reply #45 on:** August 30, 2015, 02:30 PM »

Isn't the problem that Google won't allow extensions to be added to any Android browser by a third party [...]
-rjbull (August 25, 2015, 04:17 PM)
Perhaps I've misunderstood you, but I thought I should mention that I use LastPass on both the PaleMoon browser for Android and the Dolphin browser for Android. Dolphin has a LastPass for Dolphin extension.
-cyberdiva (August 26, 2015, 06:20 PM)

Sorry - 'twas I that misunderstood. I thought Google's terms banned any third party from adding extensions to any browser. It turns out Google aren't quite so Draconian, only banning extensions for their own Chrome. Sticky Password's team tell me it has an extension giving automated logins to Android Firefox. Similar things are still in the works for Dolphin and UCWeb, so currently Lastpass is ahead.

As an aside, I still wonder which Android browser is "best." With Window Opera now based on Chrome, presumably Android Opera is too; who knows how much data it's sending to Google? UC Browser makes DC look strange (haven't tried it yet with the DC New Look). A year or so back, I saw a very favourable review in a UK magazine for Maxthon, but recent reviews in the App Store complain bitterly about a drastically changed UI that removes tabs. Reviews for Firefox in the App Store complain it's a resource hog. In fact, nearly everything in the App Store seems to garner incredibly mixed reviews.

4wd · « **Reply #46 on:** August 31, 2015, 04:54 AM »

I don't get how you use that for multiple sites? And you just have to remember where the password is? I like the Enigmaze idea better with a diary and UV light and you can trace any path, though that is an interesting idea I'd not seen.
-wraith808 (August 27, 2015, 08:04 AM)

Not sure whether you were referring to how I use them or not but as an example here's two cards, (like I said, I use eight):

LastPass alternatives with two-factor authentication? (including premium LP)

LastPass alternatives with two-factor authentication? (including premium LP)

Say I choose for my reference Yellow + Sun, without getting too fancy, that gives me six 8+ character passwords on the first, five on the second.

Generally, I'll use the same password, (and an unrelated username to 'normal' sites), across low-grade sites, ie. any site that it doesn't matter if someone logs in as me and screws it up because, quite honestly, I couldn't care less, (I use a throw away Gmail address for these anyway).

For more important sites, (that still don't have direct monetary links, eg. DC), I'll use an individual 8+ character password off one of the cards.

For my VPS' and banks, I use a combination of two of the 8+ character passwords off two of the cards, ie. a 16+ character password, plus TFA.

Shopping sites generally get a combination of two passwords.

For my Gmail addresses I mainly use the same password plus TFA except for two that are used for banking, they have a 28 character passphrases plus TFA.

Also, the number of sites I visit is probably depressingly low compared to other net denizens, so after I've used the various passwords a few times, they've generally stuck in my mind.

The normal way you'd use these cards is you'd only have one and for each site you'd choose a symbol/colour combination but I found that harder to memorise since I then have to associate the arbitrary symbol/colour with a website, then remember which direction to read the password.

So, someone has to choose which one, (or two), of the eight cards I'm using, which symbol/colour I might be starting from, which direction I might be going, and how far along that line I might be traveling.

The eight images are encrypted on my phone, stored online (so I can access from elsewhere), and also a printed out version, using PocketMod, that's the same size as a credit card.

ewemoa · « **Reply #47 on:** September 05, 2015, 06:36 PM »

Another reason for things along the lines of Enigmaze?

Security experts constantly tell users not to reuse passwords on multiple accounts, but the message often falls on deaf ears. Now, officials at Mozilla are finding that advanced users don’t always follow that advice either after discovering that an attacker was able to compromise a Bugzilla user’s account by using a password taken from a data breach on a separate site.

via https://threatpost.c...ability-data/114552/

wraith808 · « **Reply #48 on:** September 05, 2015, 09:34 PM »

I don't get how you use that for multiple sites? And you just have to remember where the password is? I like the Enigmaze idea better with a diary and UV light and you can trace any path, though that is an interesting idea I'd not seen.
-wraith808 (August 27, 2015, 08:04 AM)

Not sure whether you were referring to how I use them or not but as an example here's two cards, (like I said, I use eight):

[ Invalid Attachment ] [ Invalid Attachment ]

Say I choose for my reference Yellow + Sun, without getting too fancy, that gives me six 8+ character passwords on the first, five on the second.

Generally, I'll use the same password, (and an unrelated username to 'normal' sites), across low-grade sites, ie. any site that it doesn't matter if someone logs in as me and screws it up because, quite honestly, I couldn't care less, (I use a throw away Gmail address for these anyway).

For more important sites, (that still don't have direct monetary links, eg. DC), I'll use an individual 8+ character password off one of the cards.

For my VPS' and banks, I use a combination of two of the 8+ character passwords off two of the cards, ie. a 16+ character password, plus TFA.

Shopping sites generally get a combination of two passwords.

For my Gmail addresses I mainly use the same password plus TFA except for two that are used for banking, they have a 28 character passphrases plus TFA.

Also, the number of sites I visit is probably depressingly low compared to other net denizens, so after I've used the various passwords a few times, they've generally stuck in my mind.

The normal way you'd use these cards is you'd only have one and for each site you'd choose a symbol/colour combination but I found that harder to memorise since I then have to associate the arbitrary symbol/colour with a website, then remember which direction to read the password.

So, someone has to choose which one, (or two), of the eight cards I'm using, which symbol/colour I might be starting from, which direction I might be going, and how far along that line I might be traveling.

The eight images are encrypted on my phone, stored online (so I can access from elsewhere), and also a printed out version, using PocketMod, that's the same size as a credit card.
-4wd (August 31, 2015, 04:54 AM)

Pretty cool! Thanks for sharing!

4wd · « **Reply #49 on:** September 05, 2015, 10:06 PM »

Pretty cool! Thanks for sharing!
-wraith808 (September 05, 2015, 09:34 PM)

You're welcome.

I forgot to mention, any user/password for a site that does not have some form of monetary link, (eg. DC, etc), I have Pale Moon store the details and a master password set, (not taken from PasswordCards).

Details for banks, VPNs, online stores, etc (anything to do with CC details, finances, etc) are not saved anywhere - the password may be derived from the cards eventually but the login username/ID is not stored anywhere electronic or physical.

I keep meaning to transition all the Pale Moon stored logins to KeePass but ... procrastination and all that.