

Multiple LastPass Vulnerabilities Discovered Recently


wraith808:
Not sure how service vs software distinction is relevant here.
-rgdot (March 29, 2017, 01:00 PM)
--- End quote ---

The vulnerabilities haven't really been in the service, but the software that surrounds it.  If that was open source, it would be able to be audited for vulnerabilities by third parties.  Even if the surrounding software was open source, it doesn't seem like they'd be giving things up- you'd still need to pay to sync and to use it in any online way, since you'd need the server on the other end to facilitate this.

IainB:
...Not sure how service vs software distinction is relevant here. All I meant is online is bigger risk and therefore online options are the poorer option unless your use case demands it...
...KeePass can have vulnerabilities but installed in a folder locally the chances of it being hacked is lower, not sure how that is debatable.
__________________________
-rgdot (March 29, 2017, 01:00 PM)
--- End quote ---

Thank you for that. Yes, that (emboldened) all seems to follow. Yet, despite the truth of the third emboldened clause and my having known that, I am still a LastPass user, and accepted the risks, thinking them to be minuscule.

That's probably about to change though. I have to face up to the fact that the apparent flaw/weakness identified in the software (binary component) of some versions of LastPass would not be of such concern nor present such a risk and be so susceptible/vulnerable to attack if said software was not necessarily keyed/tied into the LastPass Service component.
Bother! LastPass was so convenient too.

mwb1100:
I have chosen to use a smaller password manager, SafeInCloud, that synchronizes the database by storing it on a configurable cloud storage provider such as Dropbox or Google Drive.  I figured this was safer than or preferable to LastPass for a couple reasons:

  - the manager allows you to select from one of several storage providers - if one got compromised, it would be easy enough to move the database to another
  - if the manager's vendor went away, I'd be stuck without updates, but the software would likely continue to work as long as the cloud storage provider didn't change their API  (that problem happened to me with an earlier password safe vendor - the database was synchronized using their servers, and when they stopped operating, the sync no longer worked. Who knows what happened to the databases?)

Someone has even posted a python script that will decrypt a SafeInCloud database (you have to provide the master password, of course): https://github.com/evilsocket/SafeInCloud.  This should make it so there is at least some possibility of verifying that the database is in fact fully encrypted using the standard AES algorithm.  I imagine that you could also use it as a starting point for providing access to the password database on Linux (which the vendor does not support as far as I know).  If you have too much spare time on your hands.

SafeInCloud relatively recently started supporting using your own WebDAV server for database storage/sync.  However the instructions for setting it up were more complicated than I wanted to deal with.  So mine is still on Dropbox.

I don't use any kind of browser integration. It's supposed to support it, but I have no idea how well it works.

Another password manager that allows similar choices in cloud storage is Enpass (https://www.enpass.io/).  I haven't tried Enpass - I'm happy enough with SafeInCloud.

Finally, if you're adventurous, SpiderOak has an open-source password manager that syncs via the cloud somehow, but I have no idea what makes it better (or worse) than other options - other than open source can give you some freedoms and possibility of someone being able to vet the code.  I haven't tried it.

  - https://github.com/SpiderOak/Encryptr

Deozaan:
Another password manager that allows similar choices in cloud storage is Enpass (https://www.enpass.io/).  I haven't tried Enpass - I'm happy enough with SafeInCloud.
-mwb1100 (March 30, 2017, 03:15 AM)
--- End quote ---

I've been using Enpass since it was recommended/suggested about 1.5 years ago by 40hz in this thread asking for LastPass Alternatives.

I started to write up a bit of a review of it here, but figured I didn't want to derail this topic, so I'll finish it up and post it into the thread linked above.
