This is why I said disable browser integration with KeePass or any other desktop-based password manager.
So what? Everything will be hacked eventually. This was disclosed and they fixed it quickly. Can't ask for more than that.
This absolutely. LastPass have historically done very well with security issues in their software. Them publicly addressing and fixing issues isn't a bad thing. If anything it has shown their commitment to the security of their software.
Well they don't do it out of sheer benevolence, security incidents are existential threats to a password management program. Like with Kaspersky, when the US government said they were FSB tools. At that point they were dead men walking. You can't recover from something like that.
If someone steals a password vault (like a kdbx file) it'll be a lifetime before they brute force the file if you used a high entropy master key.
It's a preference of personal responsibility. Or you can rely on someone else to make sure you're safe.
Only a fool would rely on anyone. Both LastPass and 1Password utilize end-to-end encryption. You hack LastPass, steal their DB, and all you get is an encrypted datastore.
Where does the decryption occur? Does LastPass send you the encrypted string and it's your browser that decrypts with your key?
Or is your key sent to lastpass and the decrypted passwords sent back to you?
It's end-to-end encryption, so everything happens locally in your browser.
They also have features where you can share logins with your friends, and that's done by decrypting the login, then encrypting it with your friend's public key. Then it's sent to your friend and they decrypt it with their private key. The public and private keys are both uploaded to the cloud, otherwise there would be no way to distribute it to all your various Android devices and whatnot, but the private key is encrypted with your secret passphrase.
Note the above only applies to sharing logins with other users, all standard logins are just straight-up encrypted with your secret passphrase before they're sent to the cloud.
You could also just use a text file within an encrypted folder.
That's kind of what pass does.
Plasma Vault does this on KDE. GNOME Disks (or the terminal) can do this using LUKS. I'm not sure if the GNOME Disks LUKS setup is as secure as the method KeePassXC is using, but you can make it so if you create it via the terminal and specify a higher AES level.
Nice, source:
https://lastpass.com/support.php?cmd=showfaq&id=6926
My only remaining concern would be verification of any received client-side web app. I doubt I'd use it in a browser personally.
Well that's how you would do it, right? You would hack Firefox or Chrome's addon site by spearphishing access to a LastPass developer's account, then upload a compromised addon, which would be automatically updated to millions of users. Of course the same applies to a local vault with KeePass, once you compromise the client you own the data.
The browser does have a wider attack surface than a local application, so there's an obvious tradeoff for convenience there.
I personally wouldn't make the trade-off.
Me neither.
Air-gapped solutions are a minor inconvenience (basically amounts to typing passwords instead of copy/paste).
But that's where I draw the line at the moment...
However if KeePassXC has some major issue (desktop side) I'd probably move to that way of doing things.
I use KeeWeb Desktop. It's a bloated Electron app, but I like the interface which allows adding things like images and custom fields.
Uses standard .kdbx files, so is compatible with KeePass, but I enjoy the interface enough to cope with the bloat.
Thanks grandma
Am I the only one who still uses absurdly long words and phrases together, that would never go together, that are easy for me to remember?
I've never had a single account online ever be breached or hacked. (That I know of.)
I also change my passwords every 6 days.
I also never repeat a password.
Done it this way since the days of early internet.