Do you guys trust password storage apps? Any particular reason why? For some, but not others? If so, where do you draw the line?
Can you edit the title and say that it is Lastpass that was hacked? I use Lastpass. I looked into how it works, before I signed up. My Master-Password is over 20 chars and I use 2-factor auth: I'll stay there unless anything substantially changes.
I used to use lastpass and currently use 1password. I find that it's the right trade-off of security and convenience for me. Like madeingermany I use a long master password, though I don't think I have 2-auth for 1pass yet, while I use it for everything else that does.
I've been in 1Password since version 3. It's expensive. It's kinda cumbersome. But it doesn't have any central storage. You can keep your database file on Dropbox, where it's encrypted, and sync across platforms. I would be scared to death of having my passwords on a central server where they could be hammered on. Dealing with bloody HeartBleed took me like two solid days.
On a related topic, how do you guys feel about using an unusual way of storing passwords only on the client side as a prevention against keylogging etc.? I've been thinking about this for a few days now. 1) Think of passwords as key:value pairs. 2) The values are the actual passwords. 3) Assign keys to these passwords that are memorable/derivable for you. For example, if my password is MatrixHasYou1984 I could map it to MHY84 or M@rix#u1984. 4) Use a text expander utility to map these key:value pairs. 5) Enter the key as the password instead of the actual password. So unless someone knows what I'm doing, I can save myself from keylogging or from someone slyly looking over my shoulder and "accidentally" learning my password; they'll always get the wrong password. I very well know this isn't perfect at all; it won't prevent attacks on the servers or maybe from the network. I also know this basically equals writing down the password and has exposure risk. But I think it's very unusual for others to figure it out, so it may be a good preliminary level of defense? I mean, Lastpass got hacked because it's an app that stores passwords. It's not an unexpected outcome to me. But I would be really surprised if a text expander app got hacked. What do you guys think?
I've thought about this before, making the text expander by hand (coding it up myself) to just essentially create secure passwords from something easily remembered by me. But I don't know enough about cryptography to do anything too secure beyond just a 1-1 key map which is pretty useless.
But that would mean storing all your password "values" on the computer – it's much more likely someone will get access to your computer and can read your file, than that they will have managed to install a keylogger but for some reason can't access the file.
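The two posts above describe a stored 1:1 key-to-password map and wonder whether something "more secure than a 1-1 key map" could derive a strong per-site password from a memorable secret, and the reply points out that a stored table is readable by anyone who gets the file. The block below is an added example, not code from anyone in this thread: it derives each site's password deterministically with PBKDF2-HMAC-SHA256 from a memorized master secret, so nothing has to be written to disk. The master secret, the iteration count, the salt layout (site name plus a rotation counter) and the base64 output alphabet are all assumptions made for the demonstration.

```python
import base64
import hashlib

# Constructed master secret for the demonstration; a real user memorizes it and
# never writes it to disk (unlike the key:value table, which has to be stored).
MASTER_SECRET = "MatrixHasYou1984 - constructed example, not a real secret"

# Assumed work factor: slows offline guessing of the master secret if one derived
# password ever leaks from a site breach.
PBKDF2_ROUNDS = 200_000


def derive_site_password(master, site, counter=1, length=20):
    """Deterministically derive one site's password from the memorized master secret.

    PBKDF2-HMAC-SHA256 stretches the master secret; the (lower-cased) site name and a
    rotation counter form the salt, so every site gets an unrelated output and one
    site can be rotated (counter 2, 3, ...) without touching any other site or the
    master secret. The same inputs always give the same password, so there is
    nothing to store or sync.
    """
    if not 12 <= length <= 43:
        raise ValueError("length must be between 12 and 43 for a 32-byte derivation")
    salt = "{}\x00{}".format(site.strip().lower(), counter).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    # 32 bytes encode to 43 base64 characters plus one '=' of padding; drop the
    # padding and keep the requested prefix.
    return base64.b64encode(key).decode().rstrip("=")[:length]


def all_distinct(master, sites):
    """True if every site in the list gets its own password (no reuse across sites)."""
    derived = [derive_site_password(master, s) for s in sites]
    return len(set(derived)) == len(derived)


if __name__ == "__main__":
    for site in ("example.com", "example.org", "mail.example.net"):
        print(site, derive_site_password(MASTER_SECRET, site))
    # Rotating one site changes only that site's password.
    print("example.com, rotated:", derive_site_password(MASTER_SECRET, "example.com", counter=2))
    print("all distinct:", all_distinct(MASTER_SECRET, ["example.com", "example.org"]))
```

The trade-off this makes is that the master secret becomes the single point of failure: a leaked derived password lets an attacker guess at the master secret offline, which is why the iteration count is high and the master secret should be long, and rotating the master secret changes every site's password at once. Some sites also reject the `+` and `/` characters base64 can produce, so a real tool would map the derived bytes to whatever alphabet the site accepts.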
I'm using KeePass and I trust it fairly well since it is completely open source and all of the files for it are stored locally, or at least managed by me. Security where you have to trust another party really can't be completely secure (Although, in some ways I'm a bit hypocritical there, I'm trusting thousands of other people to do the work of verifying that the crypto and implementation of KeePass is safe).
Same here! Never understood how people can be so super secure about their passwords that they want to use a password manager and then they trust an online service with them. Very content with KeePass and to me it feels much safer. Synced over dropbox with a local backup once in a while, more than fine with near to no effort!
So I've been using roughly the same three or four passwords everywhere for the past 10 years or so. I'm finally at the point where I've decided it's time to start using a password database, and let it keep different passwords for all the different sites I go to. The only problem for me will be the fact that that adds a step in between going to a site and logging in. I hate extra steps. That and the fact that it'll be a pain syncing it between my computers and phone (and using it at all on my phone). I'm thinking KeePass.
I run my own instance of OwnCloud that lets me handle my own file syncing across all my devices. Then I use PasswordSafe and use a synced password database via OwnCloud so I always have access to my passwords on all my devices. The encrypted database never leaves my control even though I'm using file syncing.
I could never get into Owncloud. I've messed around with Syncthing and liked it, but right now I just have a dedicated 4TB drive on a linux box at home and I'm just using sshfs to mount it (there's a client on windows for it too). I just have to figure out what I want to do about my phone. Maybe there's an sshfs client for android (haven't done any research yet). Since I doubt I'll be changing that database too often, I bet I could just manually sync it and have access to most of the stuff I need at all times.
What extra steps? On my laptop lastpass is always logged in, and it auto fills all login forms so it makes logging in much easier since you don't need to type it yourself.
Even if you log in to lastpass once a day it's fewer steps than logging into every service yourself. The only hassle is when you want to log in on a friend's computer and you don't know the password since they're all random. Then you have to log in to the app to check it.
But you can remember the password to your e-mail account, so it isn't that bad.