Are PASSWORD KEEPERS any good?

Barnaby44 · 05 Nov 2015

What with all the more frequent personal information online break ins am I worth using one of the PASSWORD KEEPERS as if I'm constantly going to have to change them I'm likely to forget them all.
I'm assuming a Password Keeper is more secure.

I'm looking at 2 of them 1] KEEPASS and 2] Dashlane PASSWORD MANAGER
1] Is a bit complex to set up.
2] is easier to set up and I like that everything is kept encrypted until it appears back on your machine.

I don't have either fully set up yet as I would like any input on them you might have before I do.
My book of hand written passwords is almost unmanageable now but I'm not totally convinced it's a good idea to trust all my passwords to a digital safe and I don't want to have to write them all out again.

Your comments much appreciated.

pparks1 · 05 Nov 2015

I use Keepass. It's a piece of cake. I actually keep mine on Dropbox, so that I have a copy in the cloud and on my PC. So, my dropbox would have to get hacked, and then my KeePass would have to get hacked to get my passwords. That's a safe enough risk to me.

Barnaby44 · 05 Nov 2015

Thanks for your comments, I use Dropbox too so I can adopt your extra "safe to crack" protection too, good idea.

pparks1 · 05 Nov 2015

If you want to go crazy, you could use dropbox, then something like BoxCryptor to create an encrypted folder in DropBox and then put KeePass into that.

Barnaby44 · 05 Nov 2015

That would be MAD PParks.
If I understand these recent break ins that have occurred it wouldn't matter how good I'm protected at my end as it is the other end that the black hats are compromising and stealing my details. If that is correct is there anything I can do.
I do run AVG Internet security and have Malwarebytes watching and so far touch wood I've not been violated since BB started.

simrick · 05 Nov 2015

I use LastPass. It's quite simple, and works across all browsers (well, not Edge, yet) and mobile devices.

1. All encryption and decryption happens on your computer.

2. The sensitive data that is harbored on our servers is always encrypted before it’s sent to us, so all we receive is gibberish.

3. We never receive the key to decrypt that data.

Security expert Steve Gibson switched to LastPass after extensive research. If he recommends it, that's the one I would use.

LastPass explained by Steve Gibson - Part 0 - Password Security Primer - YouTube

LastPass explained by Steve Gibson - Part 1 - Passwords and devices - YouTube

LastPass explained by Steve Gibson - Part 2 - The Cryptography - YouTube

LastPass explained by Steve Gibson - Part 3 - Its simple - YouTube

LastPass explained by Steve Gibson - Part 4 - Features and Galactic Math - YouTube

LastPass explained by Steve Gibson - Part 5 - One time password, Ubikey and importing data - YouTube

LastPass explained by Steve Gibson - Part 6 - Final thoughts : Not a single problem - YouTube

Here's the transcript of the entire show.
Security Now! Transcript of Episode #256
Use CTRL+F and search for LastPass - you'll find the explanation of how it works to protect you a little more than half way down the page. He goes into some detail of the encryption and hashing they do, to ensure they never get your information in any useful form, which is most important.

And here is some additional reading on it.

Is LastPass Secure? What Happens if It Gets Hacked?

LastPass Gets the Green Light from Security Now!s Steve Gibson | The LastPass Blog

Of course, 2-factor authentication is a must these days, and I don't recommend storing your passwords in the cloud.

Well, it is the case that we are now storing all of our eggs in one basket. So you want it to be a safe basket, and you want it to be a basket you can back up, and a basket that nobody else can get your eggs out of.
And they really have nailed it. I mean, I don't see a single problem with this. The crypto is clear and simple. And they've arranged so that they're never going to be in a position of anyone being able to, like, steal their stuff.
Notice that no subpoena that they're served can force them to divulge your information.
They don't have anything.
It's, well, it's correct. They did it right. I mean, from start to finish. And multiplatform. So they're not biased towards Windows and against Linux folks. Windows, Mac, and Linux, across the board, for all for this. It's done.

simrick · 06 Nov 2015

@Barnaby44
And, just in case you're concerned that the hack to LastPass servers this year may have changed his mind, well, it hasn't, and he's confirmed it recently:

Security Now! Transcript of Episode #512

...they're a model for the way you do this. And they said, we routinely survey our network because that's the way you do it these days is you look for anything that seems suspicious, and then you go figure out what it is. So something seemed suspicious, some traffic that they didn't expect should be there.
...So, for example, the password side stuff was where this anomalous traffic appeared, which were the email addresses, the password reminders, the per-user salts, and the authentication hashes. So let's remember the way this system works. The reason I like it so much is that the user's email address, after case is removed - so it's case-insensitive because email is case-insensitive, and they don't want to confuse their hashing because they combine the email address and the user's password, and then they hash it iteratively.
...And so the email address is half of the secret, which is not a secret. Obviously it's known. Then the passphrase is what's added to that. And then it goes through all this hashing. The point is bad guys could perform a targeted attack. The other thing that they've done right is they have what's called a "per-user salt."
... The only attack then would be for a bad guy to take the email address, which assuming that anything got out at all, to take the email address of the account - and notice that, I mean, there's some information there. That tells them probably who that account is. And there are no doubt many powerful and famous people who are using LastPass. So if this got out, the record is identifiable by that high-value person's email address. So that tells them who's worth attacking. So they would then have to take that email address and that user's salt, that user's account salt, and start making guesses of what their password may be. Now, here is why a strong password is important.
... now, LastPass has protected us such that you cannot log in from a new device or IP as of before the announcement, unless you do an email confirmation.
...for what it's worth, the only attack that is feasible is a targeted attack based on what your email address for LastPass is. So if that was anonymized or a separate Gmail account or something that doesn't look tasty, then you probably, you know, it'd be unlikely you'd be a target because there's no way to do a mass crack of this, thanks to the per-account salting.
...So my point is, to answer your question, I'm not leaving. I'm staying with them.

and also here:

Security Now! Transcript of Episode #513

...a security researcher, did some LastPass exploit math in the real world, which gives us some numbers and further should make everybody feel comfortable about the virtual unhackability of their password based on the leakage that may have occurred from LastPass's network that we discussed at length last week.
...BlackICE was Robert's company. And so he was curious. And so he ran the numbers to give us a sense for what it will take to crack LastPass, given their 100,000 iterations. And the upshot of his note is that that's so many iterations that, as I said last week, they're taking the brunt of the execution even by offering that kind of security.
... And thanks to the salt, which is per user, there is no way anyone can do this once for all people.
...Yes, Jenny said to me, "Is LastPass dead?" I said, "No, honey, it's fine."

TairikuOkami · 06 Nov 2015

LastPass has been hacked several times over the years, various seriousness.
First you have to ask yourself, if you want an online or offline password manager.
The difference is obvious, no one can gain access to an offline manager, not ever.
Keepass on top of everything has a partial anti-keylogger function, which helps a bit.

Barnaby44 · 06 Nov 2015

Wow it's quite a deep subject, thanks for all the the advice and information people.
I've just been playing with Dashlane and it is very easy to use. It also is not Edge set up yet but they give a work around for other web browsers of your choice initially I've gone for IE.

Slightly disconcerting was once I joined up it displayed all my sites with my usernames and or email addresses but no passwords instantly. If they can see all that without any apparent difficulty I am really worried.

I think I need to look a bit deeper but I'm not sure I know what I'm looking at.
I need someone who knows about these things I can trust which is why I am asking here, it seems to be a mine field.

Thanks so far

simrick · 06 Nov 2015

@Barnaby44 Steve Gibson is, and has been for a lot of years, well-respected in the security industry. He can be trusted. That's why I took the time to research and post everything from him, for you.

@TairikuOkami Of course LastPass will be a target of hackers - it's inherent to their business, and they know it. Which is why Steve Gibson continues to say things like "they know what they're doing" and "they do it right", and why Steve Gibson continues to use and recommend LastPass. If you take the time to read what he says, and really try to understand it, you will see that, even when hacked, there is nothing there for the hackers to get (unless, of course, you are a specific hacker's target, and you use a weak master password). Period. There's not even anything a government could subpoena. Having a strong master password, keeping it safe, and using multi-factor authentication with LastPass is perfectly safe.

Steve Gibson (computer programmer) - Wikipedia, the free encyclopedia

GRC